written in 2022 by a security researcher who believes Linux is inferior to Mac and Windows. He starts with his premise:
“Linux being secure is a common misconception in the security and privacy realm. Linux is thought to be secure primarily because of its source model, popular usage in servers, small userbase and confusion about its security features. This article is intended to debunk these misunderstandings by demonstrating the lack of various, important security mechanisms found in other desktop operating systems and identifying critical security problems within Linux’s security model, across both user space and the kernel. Overall, other operating systems have a much stronger focus on security and have made many innovations in defensive security technologies, whereas Linux has fallen far behind.”
but very convincing well-researched article ^^.
He pairs this article with the most insane elaborate linux hardening article I ever read: https://madaidans-insecurities.github.io/guides/linux-hardening.html
It’s premise:
" Linux is not a secure operating system](https://madaidans-insecurities.github.io/linux.html). However, there are steps you can take to improve it. This guide aims to explain how to harden Linux as much as possible for security and privacy. This guide attempts to be distribution-agnostic and is not tied to any specific one."
What follow here is a mix between smart and next-level tinfoil with detailed instructions.
Between two articles, by the same guy, I spent about 1 hour (read each article twice) and it was rewarding reading. I’m not sure I bought it all (lots of systemd hate and the linux inferior argument semi-convincing).
I’d hate to assign you all a 1/2 hr to 1 hr of reading but it is a fresh perspective told very intelligently and logically.
–ok I’m out
edit=formatting
For those who are not aware about his hardening and criticism targets - he’s being uber-tin-foil about specific security problems:
Escaping VMs
Escaping Sandboxing
Which is very valid, given that he’s working on Whonix / GrapheneOS and many users of this software like whistleblowers, journalists or opposition politics would end up jailed or dead if there is some oopsie-doopsie or fucky-wucky going on in security department.
Although i would personally argue that privacy aspect is as important for such task.
Never has he said such an abomination, he have pointed that out about some key areas of very specific security problems mentioned above, and he has said it as per “by-default”, because hardening of Linux is definitely possible to do and is outlined.
Don’t forget for example that those guys are working on some insane stuff like hardened-malloc for Linux, to significantly reduce attack surface and get rid of whole classes of vulnerabilities.
I interpret this article very differently, more specifically as a call to improve by-default aspects of Linux security model, as now it’s anarchy and kinda hard to maintain.
Well deserved, for it’s insane attack surface and soy code
I could be 100% wrong, but is that the same team of people (the devs of hardened_malloc) Linus belittled at some point for trying to upstream changes that brake everything? (essentially saying they don’t care about Linux as a whole because they don’t care if or what their commits break but rather just care that their commits get included)
I’m pretty sure I’ve read that fact, just very unsure if the people in question are the same.
Also not sure if that was before or after Linus’ “behavioral reform”
@drunkenvicar their comparison of Firefox and Chromium models I’ve also found interesting in the past, just in case you wanna kill some time reading more.
I got that from the article too. It wasn’t linux-hate it was a call to seal up all the loose cracks.
I use his words "Overall, other operating systems have a much stronger focus on security and have made many innovations in defensive security technologies, whereas Linux has fallen far behind.”–I should have added context: linux inferior in the security department. Forgive my hyperbole; I am prone.
yep, I’m glad you got to read it all. I found it fascinating as far all the stuff I did not know. I don’t think I’ll be making all those high-level moves. He was not only worried about attack vectors VM and Firejail/Bubble/general sandboxing, he considered the entire kernel a vulnerability too.
He also mentioned something I was not aware of. He gave kudos to arch, who bundled a “pre-hardened” kernel its updates–something I never knew. I appreciate your input.
yeah it’s probably true, you ever used qubes? those security nutters don’t give a flying fuck about what works and doesn’t work so long as security is 10/10.
I use grapheneos though, it is fantastic. It’s only downside is that you gotta use a google pixel, i bought one specifically so i could use grapheneos even.
But honestly, where be my linux phone man?! why do all the linux phones suck ass?!!
Real life proof that Yapanese exists. This whole article is pure yapping. All this person cares about is “SecUrItY” even though linux does it considerably better than macos or windows.
one the articles was yappy, the other quite a mega-hardening tutorial. I noticed the irony as did you and @keybreak : for all the ‘evidence’ presented that we were way behind MS/MAC when it came to kernel protection, he missed the part where ms/mac both are keyloggers (one admits it) that they phone home and to strange servers on you 10,000 times per session so any kernel-hardening ‘advantage’ they have completely mitigated…
What I meant was collective buying power. Market. Individually you can always buy Pinephone or Librem 5. But since not many people actually interested in using it, the development is stunted.
I think it’s a catch 22, more users are needed to fund development, but the phones aren’t really usable for regular everyday use so nobody wants to buy them yet because they’re not good enough and since nobody buys them development isn’t funded so it doesn’t get better so there are no more users.
type of problem in terms of security / compatibility…
