|
Hello everyone,
I'm currently looking into getting a Chromebook with an Intel Processor that's running Linux, and I'm wondering if it's substantially more secure than ChromeOS / OSX or Windows.
I realise that there are a lot of versions of Linux and that the security of each one of them may vary, but nevertheless, does the open source nature help at all?
I'm mainly concerned about the NS(D)A(P) and other American agencies putting their noses where they don't belong and targeted advertising via google services.
Having recently read an article that the NSA has infested SIM-cards, HDD firmware and even battery firmware, am I fighting a losing battle? Or can you get you insulate your Linux hardware against such encroachments?
|
Just because it's open source doesn't mean its not secure. People communicate with a certain american in russia using open source protocols.
Edit: Also most telecom infrastructure is run on linux/unix.
|
You know, I started to write something and it got longer and longer. There's a lot of stuff to think about and learn with regards to this. The upside is that everything that's normally bad about using Linux vs. using Windows doesn't really apply here because learning about security is a lot more work than learning how to live and work in Linux.
Getting what you are after could escalate into quite the battle. You should perhaps only look into it if you want to take it up as a serious hobby, like maybe even look into if there's workshops by the CCC or at a local Uni or something?
I say this because I'm wondering if just installing Linux is even improving anything. The system itself should be "better", but the issue is that inside your user account, you are normally still living like any Windows and Mac user. Something could infect that area and would know everything about you. The base system itself staying untouched wouldn't help you.
In 1983, the two creators of Unix won some price. At the event, one of them held this speech here... It's three pages and the last page is the interesting one:
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
The guy was already disillusioned about your question over thirty years ago.
+ Show Spoiler [UNIX] +If you think about where Microsoft comes from, the idea of security was basically approached from a reversed direction compared to Unix. It started with DOS where the programs were supposed to be able to access literally everything by default, and then over time more and more stuff was getting locked to increase security. Meanwhile on Unix, they started out with thinking that everything should be forbidden by default and rights are only supposed to be added if there's a reason.
+ Show Spoiler [firmware] +It's sadly not possible to have every piece of code on the machine be open-source. The firmware for the hardware is the big thing that's breaking it. The various manufacturers have their own software running on the various controllers. I assume a lot of that is bought and even if they wanted to, they just cannot open-source it because parts of the code is not really their own.
There's a "coreboot" open-source project that tries to replace the BIOS, but it only runs on some rare (and mostly pretty old) motherboards and laptops. All of it is also something that needs a lot of obscure knowledge from you because you'd need to diagnose and work around problems with devices and power management and things like that. What's interesting is that (all?) ChromeBooks use coreboot, I think, so that's where you could get a laptop for Linux that can run it and already has a customized version of it installed.
Another thing to know about coreboot is that it's just the BIOS for the board. There's still controllers that have their own stuff running inside them.
+ Show Spoiler [drivers] +About Linux itself, drivers for pretty much everything is inside the kernel source code and all of that is open-source. Drivers that are closed are very rare and you normally just run into the closed AMD and NVIDIA driver at most, but those are not required for desktop graphics.
The AMD closed-source driver can be replaced by open-source stuff that is pretty close to having good performance. The open-source replacement for the NVIDIA driver has serious issues (though is good enough for just the desktop). The open-source Intel driver is great as Intel has disclosed everything needed about the hardware and also pays programmers to improve it.
+ Show Spoiler [encryption] +You might have heard the thing about TrueCrypt being discontinued by the group that was developing it, where its end seemed suspicious enough that you can build a nice conspiracy theory about them knowing that intelligence agencies hacked it. So what do you use now? On Windows, there's encryption for your drive by Microsoft, and there might be a way to get the hardware encryption of your SSD to work. Both of those options are closed-source. Linux is the only choice left if you want open-source encryption.
+ Show Spoiler [software] +On Linux, you typically don't just install random software or apps you find online like on Windows and Mac. You just use the stuff that you have in the package management system of your Linux distro even if you think it's crappy. That's a way of using the computer that should help a lot with security.
|
Computer security is like a blackhole, there might be a universe created inside, but unless you are really unsatisfied with the current universe you live in, be aware that once you are swallowed there is no way back, also even orbiting around that theme, seems to distord time and you will have an epic beard before you know it.
Might aswell write your own OS...there are laptops that are made of hardware with open specification...check the free software foundation and richard stallman...or decide life is precious to you after all.
|
If you aregenuinely concerned about security from the NSA then you're gonna need to do a hell of a lot more than installing a Linux distro. They can do stuff like install malware on an hdd that it literally impossible to remove.
For general usage my understanding is that Linux is more secure than windows and osx because most user activity is conducted outside of root so it is very difficult to install something nasty. Unlike say auto play in windows which I heard is still a trajectory for malware in some circumstances.
|
ChromeOS itself should be fairly secure I think. It's based on the Linux kernel (note: I have no idea the changes it implements as they would relate to security) and sandboxes most activity like Chrome does in my understanding. The more modular and restricted the access to the machine, the less vulnerabilities there will be.
|
Not sure how that security helps at all, when all you do is directly broadcasted to one of NSA's biggest collaborators.
Okay, so I get your message that this is too complicated for non-programmers and probably not worth the time investment even for programmers. That's disheartening, to say the least.
I've read the transcript of the speech, and if I really can't trust any software I haven't written myself, where does that leave things like Flash, Javascript, the HTML-portion of browsers, i. e. things that are ubiquituous in pretty much every computer?
Maybe I'm being naive, but even if any computer-software is potentially infested, even drivers and firmware, they still need to communicate the stolen information, right? So couldn't one just encrypt all outgoing data? Or can they work around that?
|
Johto4729 Posts
Of course you could go and encrypt all outgoing data, but the other side of the connection still needs to decrypt your data to understand what you want, and with a stolen key, everyone can decrypt it. Having real security is much more than just "encrypt everything".
|
So it comes down to finding a reliable VPN provider?
|
Johto4729 Posts
It comes down to not having any shady parts in your connection and hard/software. If any part of it is insecure, you could have just not done all the work. This also includes that the homepages you visit do not fool you btw.
|
It's mainly TL, Ultimate Guitar and GMail. One of them is owned by Google, one of them doesn't take personal data and the third is TL, that not only has my mail address, but also uses cookies. I'm just assuming that Google owns at least part of the infrastructure that handles TL's web traffic. So even if TL doesn't try to fool my, my data is subject to collection, if I understand it correctly.
This is all really depressing. I didn't suspect it would be easy for people on the CIA's terrorism watchlist to stay anonymous, but I had hoped it'd be less of a hassle for regular people...
|
On March 15 2015 20:14 SixStrings wrote: It's mainly TL, Ultimate Guitar and GMail. One of them is owned by Google, one of them doesn't take personal data and the third is TL, that not only has my mail address, but also uses cookies. I'm just assuming that Google owns at least part of the infrastructure that handles TL's web traffic. So even if TL doesn't try to fool my, my data is subject to collection, if I understand it correctly.
This is all really depressing. I didn't suspect it would be easy for people on the CIA's terrorism watchlist to stay anonymous, but I had hoped it'd be less of a hassle for regular people... I fear that terrorism has much less to do with it than all the juicy money you can make when you know people's data.
|
On March 15 2015 20:23 OtherWorld wrote:Show nested quote +On March 15 2015 20:14 SixStrings wrote: It's mainly TL, Ultimate Guitar and GMail. One of them is owned by Google, one of them doesn't take personal data and the third is TL, that not only has my mail address, but also uses cookies. I'm just assuming that Google owns at least part of the infrastructure that handles TL's web traffic. So even if TL doesn't try to fool my, my data is subject to collection, if I understand it correctly.
This is all really depressing. I didn't suspect it would be easy for people on the CIA's terrorism watchlist to stay anonymous, but I had hoped it'd be less of a hassle for regular people... I fear that terrorism has much less to do with it than all the juicy money you can make when you know people's data.
Well, of course. If you look at the real application of the Patriot Act, it's pretty obvious that protection of the American people from terrorism is pretty low on the list of priorities. That's not my point, though.
|
Imo, windows can be as secure as linux. Sure, by default Linux is more secure, but most of the stuff is down to the end user after all.
I've been on linux since 2007, and spent last year on win7. Had no security issues whatsoever on either OS. Bottom line is to pay attention to what you do and install.
|
One car can get a better Euro NCAP result than the other but no car alone can protect you from making accidents
|
Realize that many of the things you should be doing for security are either all features in all the popular OSes, or are independent and unrelated to the OSes.
For instance, regarding privacy, your primary concern would be to have a VPN. In addition if it's for low bandwidth applications you may want to run it though Tor afterwards as well. Lastly, you'd want to use encryption, force certain http parameters (like https), use something like NoScript on web browser, and one of the various non-track add-ons.
For other security, you might want to store your entire OS on an encrypted USB flash stick, for instance, run daily activities as a limited user, use a HIPS, use sandboxes/virtual machines, or even system restore applications (like Deep Freeze). I'm sure it would be a mess to all set up at first, but it can all be done.
None of any of this is OS-dependent. You're really secure on any of the OSes, it just depends what you do with them. Depending how much you know about these things, it could take a little or a lot of research and planning and trial and error, but would not really require any significant programming knowledge; you have to put a bit of trust into the methods or applications, but they are vetted to be effective when used properly.
I'd maybe feel like I was in a virtual prison if I had all the things I mentioned enabled at once (probably a lot of functionality/compatibility issues making a lot of things not work right), but I feel like it's practically an impenetrable defense if used properly.
|
I read what you guys are telling me, but somehow I'm still really drawn towards getting a cheap-ass Chromebook to fiddle with Linux.
+ Show Spoiler + None of any of this is OS-dependent.
So I could conceivably try out Linux, see how much of a hassle it is to implement all these security messures and if I don't feel it's worth the time investment, I have a great present for my parents this Christmas.
|
Johto4729 Posts
reinstalling ChromeOS might be a problem, i never did it, no idea how hard it is. Using and installing Linux is depending on the distribution you choose potantially even easier than installing Windows, shouldn't be that hard.
|
Disclaimer: I'm an IT student programming and administrating some linux servers.
As I understand, we have more than one angle here.
When you start talking about NSA spying and surveillance and you're concerned about your privacy it's one thing. As we have seen from the Snowden story, there are tools for safe communication. Reporters like Greenwald, movie makers like Laura Poitras + Show Spoiler +Citizen Four. EXCELLENT documentary, if you havent watched it yet GO DO IT! use stuff like GnuPG, TAILS and Tor for their jobs. Those open source tools are audited by math & crypto experts so users can be confident there are no backdoors or secrets built in. We will never have that with closed source software. If you want/need secure communication at all cost, you wouldn't use anything else than TAILS & GnuPG & Tor. The downside is, those things are not easy to handle. For everyday life they are really impractical.
Also, if you're really worried about privacy, you should read/think more about how you use Google/Facebook/Twitter, etc. Those companies probably know much more about you than *insert any government agency*, and they are much more likely to abuse that knowlegde.
To reduce that tracking, install browser plug-ins like Ghostery, µblock (more perfomant alternative to AdBlock Plus), etc. those are available for every OS.
Secondly, if you're mostly concerned about to be more save against Ad-/Malware/Viruses etc. it's mostly more about how you use the computer than what tools you use. Most of the times I was called to fix a Windows machine for friends or family members, they had some malicious browser plug-in or a "this will make your pc run faster (again)"-Tool which linked itself deep into the windows registry. It's really painful to remove that stuff and - as already mentioned in this thread - one can easily avoid such problems, e.g. not installing random tools.
Last summer I was able to convince a friend to replace his Windows 8 with Ubuntu. Generally he is a less advanced user who tended to to some not-so-smart things, but already used libre/open office for his work. At first he was pretty sceptical he could handle Linux. Though, over the last 9 months, he only called once for having a problem. We were able to fix it by me telling him some commands to enter into the terminal. No more complaints about anti-virus software showing strange alerts or his laptop becoming slower and slower.
This story gave me some confidence, that there are linux distributions which literally can be used by anyone. For novice users they may even be better and more secure, because its harder to mess upt your system by installing some malicous stuff. Let me tell you: I tend to fix windows machines much more often than helping out friends with using linux ;-)
For more secure connections, VPN was already mentioned. For my emails, I use Thunderbird with the enigmail-plugin. Both things should work on most OSes equally fine, but I felt setting everything up was much less hassle on my beloved Xubuntu. But that's from a DevOps perspective so your milage may vary. Oh right, and the hardest thing about getting email/chat encryption right is to convince & setup your communication partner.
edit: paragraphs are awesome!
|
Thanks for your thorough reply, Alaran.
As I understand it, NSA does two things:
1.) Do blanket surveillance on everyone. If that turns up something suspicious, 2.) Do targeted surveillance on that person through more sophisticated means.
Snowden, Greenwald and Assange probably fall under the second category, so their means of defense have to be more sophisticated. TAILS does indeed look like a nightmare for normal users, and I don't have enough time to deal with these things.
I just want to use Wikipedia, Coursera, Khan Academy, TL and various guitar sites without being treated like a criminal or terrorist by a government that isn't even my own. It's more about the principle than anything else.
Perhaps that sounds insane, but when I read about the extent of the NSA surveillance, about how they have hacked SIM-card-manufacturers, HDD firmware, battery firmware (I didn't even think about batteries HAVING firmware), I just get orwellian shivers running down my spine.
You're right about google. I was considering to move away from GMail and use the email provided by my university exlusively, but I don't know if I lose access to that once I leave. I don't use Facebook, Twitter, Instagram or Myspace, not because I'm paranoid, but because I'm just not interested in those.
Malware and Viruses have never been a problem for me in... 15 years of using Windows. Probably because I don't visit porn sites.
Which VPN should I use?
My internet connection is provided by my uni, and I use 'cisco anyconnect' to connect to them, as well as Tunnelblick Open VPN for OSX. Is your recommendation to ditch Safari for the TOR browser?
|
|
|
|