Hacker News
Ask HN: Reasonable Linux distro that balances security, privacy and usability?
6 points by deafpolygon on Nov 8, 2022 | 15 comments
One of the most common answers when asked about "How can I achieve more privacy and security with my OS?" is to switch to FOSS/Linux.

The biggest issue I have is that, when you search for privacy oriented Linux distros - they almost always boil down to the following: Qubes, Kodachi, Kali, Whonix, Tails, BlackArch, and variants.

My issue is that these are not very user-friendly or user-oriented distros. They are more or less distros for either security experts, the very paranoid, or penetration testers.

My idea of a private OS isn't necessarily one that's safe from a direct attack or something you'd need to secure spy-level intelligence, but one that does not leak private information, does good-enough encryption by default and offers great usability while allowing access to a good set of applications that are also privacy-oriented. Applications and the OS should not leak telemetry data by default (opt-in only) or have no private data leaked at all.

Obviously, a certain amount of data will inevitably be shared (DNS lookups, Google searches) but that kind of information should be communicated to the end-user as much as possible.

I'd love to see more discussion around this, because I think that this is a topic that will become ever so critical with the increase in "telemetry data" being collected.




Your goals aren't very clear. Your threat model matters a lot to answering the question. What is your threat model?

Your browser alone is probably 10 fold the threat to your privacy the operating system is, and a share of the telemetry is legitimate and very much directly useful for improving the product and responding to incidents.

Any Linux distro probably won't hash/index all your files into a voice assistant, won't virus scan, and won't backup to a cloud, which is an immediate privacy and security win.

If you want to engage in the privacy mindset, you must first focus on observability. Specifically you should be thinking about how to set up a proxy/firewall between your daily driver and the raw internet to see what is accessed.

Without observability, you don't know what is doing what no matter what you use. You are forced to trust without understanding, and you wouldn't be able to answer your own question empirically. Without an off machine firewall, you can't prevent the behavior you want to prevent.

For a long time OpenBSD had the reputation for being most secure by default. I don't know if that's still true. Running some type of observability/firewall platform on that would probably be useful. I've never used mitmproxy, but I imagine that would be useful.


> What is your threat model?

That is why I'm asking HN. I'm the average citizen that wants privacy on by default while also providing as much convenience as a modern OS should allow. I am sure many people want this as well.

> a share of the telemetry is legitimate and very much directly useful for improving the product and responding to incidents

I don't agree with this statement. For example, I recently discovered in Microsoft Edge that:

- In order to get your recent history matches in the address bar, you need to enable a feature that sends your queries back to Microsoft. Disabling this gets an empty address bar when typing. We used to have this feature WITHOUT sending data to anyone, just based off our search history.

- Editor suggestions constantly send what you are typing in a text box, and provide you with suggestions to improve your spelling and grammar. I am not sure why this is necessary in this day and age, we've got the tools and software to do this directly on-device.

- There are more, and I am sure most of these features are also baked into Google Chrome but sent to Alphabet instead.

I don't agree that all of this telemetry is useful or even necessary. It smells like Microsoft is simply trying to bulk up its search engine business with a constant stream of user data.

> If you want to engage in the privacy mindset, you must first focus on observability.

I don't currently have the tools (much less the money or equipment to set up an off device firewall) right now to set this up. Even if I did, I'm not sure I would understand all of that without a lot of research. This is something the average person simply cannot do. Hell, this is difficult even for an IT person (such as myself) to muddle through.

I appreciate your answer, but to be frank, it is somewhat of a non-answer. The bulk of it is not-that-helpful, because it does not help the average person. I'd love to answer every question I have empirically, but I don't have the time or the knowledge (at least, currently - I can learn, given time).


Sadly, I am not sure you will find a default private environment. There are many things you can do to improve your privacy, but almost all of them require action rather than selection. "Hardening" is probably the right search term.

Given what you have said, I think any Linux environment will be fine for you and will result in immediate, significant privacy gains. All security is a trade off for convenience. If you want a more secure environment, you should expect a less convenient environment. I would choose a popular Linux environment. All of them are probably the right tradeoff.

That being said:

Without focusing on observability first, you end up with a lot of unknown unknowns. You might not think of installing a Homebrew package on MacOS as something that violates your privacy, yet many will reach out to Google for various artifacts, if not directly reporting analytics themselves.

You will not get (good) privacy without a whitelist rather than blacklist environment.

Paradoxically, modifications you make to your environment or using more bespoke environments can make you more easily identifiable. The EFF runs a great website breaking down how fingerprintable your browser is:

https://coveryourtracks.eff.org/

As for priorities.

A good OS choice will help you most against nation-state actors. So if your threat model is a government (as opposed to capitalists or hackers or scammers etc.), then Linux is the best choice.

Tuned Firefox is probably the best browser choice. You will want to find a guide on how to "unfuck" the default settings. uBlock is non-negotiable. PrivacyBadger and Decentraleyes are good plugins as well.

After Firefox, setting up a PiHole will offer a lot of privacy protection for minimal investment by essentially being a DNS firewall.

A RaspberryPi is cheap and a fun tool. I totally recommend setting a RaspberryPi up with PiHole. After PiHole I imagine you could install MITMproxy on it or other interesting tools that would build in observability.

> I don't agree with this statement.

User data being used to power features is generally not what people would consider telemetry.

While you are absolutely correct about how search suggestions etc work, that is not what I would consider telemetry. Telemetry is specifically data like crash reports, which can and sometimes will upload memory dumps that can contain plain text passwords or private keys that were loaded into memory.

I promise you telemetry helps reduce downtime significantly. Telemetry itself is not evil, it is companies and how they use it that can be evil. If no one submitted telemetry it would make running stable services much harder. In a sense, the people who do submit telemetry are subsidizing you. I also almost universally shut off telemetry, but if everyone did that, it would definitely be problematic.

Siri (or Alexa, etc.) learning from your apps sucks in just about everything you do on your phone; letting Siri run wild likely greatly breaks privacy. Your phone keyboard can remember things you've typed or proper nouns you've used. Spotlight (or other file search features) will open and "understand" every file on your computer then index them so they are searchable. Virus scanners hash every file on your computer, then check to see if the hash is in their "evil" database. It doesn't take much imagination to see how, for example, Russia's Kaspersky virus scanner could abuse that (or any other).

> I don't currently have the tools (much less the money or equipment to set up an off device firewall)

Buy a RaspberryPi and set up a PiHole. Something like this:

https://www.adafruit.com/product/3775?src=raspberrypi

Amazon has kits that provide the power cords and a nice looking protective case for probably $50 USD.

It does not take much power at all to run firewalls/piholes/etc.

I am sure there are plenty of approachable guides.

> This is something the average person simply cannot do.

I think it will have challenging moments but ultimately be much easier than you expect.

Summary:

  Any linux distro, choose what feels best to use
  Firefox, follow a privacy guide to configure "about:config", install uBlock, PrivacyBadger, Decentraleyes
  Buy a RaspberryPi, set up PiHole
  (bonus) Set up a sane firewall on your linux machine or on a different machine
  (bonus) Consider setting up mitmproxy
  (bonus) Follow OpenSnitch (https://github.com/evilsocket/opensnitch) and consider trying it when you feel it is mature enough
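The "observability first" advice above (a DNS firewall such as PiHole, and watching what your machines actually contact) can be put into practice without any extra tooling once the query log exists. The following is an added example, not code from anyone in this thread: a POSIX shell/awk script that summarises a dnsmasq-style query log (the format Pi-hole writes, typically to /var/log/pihole.log) per client and domain, marking which lookups the blocklist stopped and listing the domains that still left the network. The log lines, client addresses and domain names are constructed for the example; the "gravity blocked" wording is modelled on Pi-hole's log output and is an assumption about your installation.

```shell
#!/bin/sh
# Added example: per-client DNS observability from a dnsmasq/Pi-hole query log.
# Constructed sample log (not real traffic); the format follows dnsmasq's
# "query[TYPE] name from client" lines plus Pi-hole's "gravity blocked" lines.
SAMPLE_LOG='Nov  8 10:00:01 dnsmasq[1234]: query[A] telemetry.example.com from 192.168.1.20
Nov  8 10:00:01 dnsmasq[1234]: gravity blocked telemetry.example.com is 0.0.0.0
Nov  8 10:00:02 dnsmasq[1234]: query[AAAA] www.example.org from 192.168.1.20
Nov  8 10:00:02 dnsmasq[1234]: forwarded www.example.org to 1.1.1.1
Nov  8 10:00:05 dnsmasq[1234]: query[A] telemetry.example.com from 192.168.1.20
Nov  8 10:00:05 dnsmasq[1234]: gravity blocked telemetry.example.com is 0.0.0.0
Nov  8 10:00:09 dnsmasq[1234]: query[A] update.example.net from 192.168.1.31
Nov  8 10:00:09 dnsmasq[1234]: forwarded update.example.net to 1.1.1.1'

# summarize_queries: read a query log on stdin and print one line per
# (client, domain) pair: "<client> <domain> <query count> blocked|allowed".
# Field positions (whitespace-split): $5 = "query[A]", $6 = name, $8 = client
# on query lines; $5 = "gravity", $6 = "blocked", $7 = name on block lines.
summarize_queries() {
  awk '
    index($5, "query[") == 1 { count[$8 SUBSEP $6]++; next }
    $5 == "gravity" && $6 == "blocked" { blocked[$7] = 1 }
    END {
      for (k in count) {
        split(k, parts, SUBSEP)
        status = (parts[2] in blocked) ? "blocked" : "allowed"
        printf "%s %s %d %s\n", parts[1], parts[2], count[k], status
      }
    }' | sort
}

# allowed_domains: the distinct names that were actually resolved and so
# reached the upstream resolver; this is the list to review when building
# an allowlist rather than a blocklist.
allowed_domains() {
  summarize_queries | awk '$4 == "allowed" { print $2 }' | sort -u
}

# Run against the constructed sample; replace with
#   summarize_queries < /var/log/pihole.log
# on a real Pi-hole.
printf '%s\n' "$SAMPLE_LOG" | summarize_queries
```

The summary shows two blocked lookups of telemetry.example.com from one client and the two domains that were forwarded upstream, which is the information you need before deciding what to put on a blocklist or an allowlist.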


> A good OS choice will help you most from nation-state actors. So if your threat model is a government (as opposed to capitalists or hackers or scammers etc.), then Linux is the best choice.

How does the threat model change looking at government vs capitalists, etc.?

Are either Windows 11 or MacOS acceptable when it comes to privacy considerations?

> setting up a PiHole

I might look into this - it seems simple enough and has additional benefits (like ad-blocking), it looks like. It's a step in the right direction.

> Telemetry

I suppose that companies calling additional data that you don't consider telemetry, "telemetry", is what muddies the water. Telemetry with zero identifiable information is probably okay, if I'm informed and can opt-out.. but collecting data on what I have typed, or have installed, or which program I have launched.. I don't think is acceptable. Maybe my concerns are overblown, but...


Microsoft is pretty much a no win. Integrating ads directly into the operating system is quite gross and shows extreme negligence. Worse it shows an environment where business interests have absolute authority over engineering interests. No engineer that cares about security or maintainability would have let OS integrated ads happen.

Linux is probably better on all fronts, but a well configured MacOS is probably reasonably resistant to (non apple) capitalist threats. Apple is also doing considerable work on things like "secure enclaves" which I generally buy in to. They are also actively engineering systems to reduce passwords as a means of authentication. Apple is doing real innovative engineering and culture changing work that I generally consider forward thinking and society improving. I also believe that work has to be rewarded (with money spent) in order to convince other companies that it is something people actually care about. Companies will ask "what are our competitors doing," not "who stopped using our products/competitors products." Forcing companies to add privacy labels to their apps is something pretty much only Apple is capable of doing, and that is backed by the threat of direct monetary and potentially legal consequences.

Of course if all of the "Apple is getting into ads" press starts to ring true and Tim Apple goes full corruption, which is probably likely, I will likely have to begrudgingly move to Linux myself.

If I was worried about the government having access to my laptop, I would consider Apple's ecosystem a rather grave threat, but if I am generally not worried about governments, then I think the convenience of using MacOS exceeds the privacy values gained by choosing a more... ascetic environment. Since I use an iPhone, Apple already has extreme dominion over and insight into my digital life. Access to my laptop is a marginal loss of privacy compared to what Apple gets from my phone anyway. Using an Android phone is almost certainly worse and using a third party Android OS involves trusting entities that have no form of real accountability.

Little Snitch is a pretty fantastic piece of software that I generally trust and gives what I consider an adequate level of observability into what my computer is doing.

You are going to have to go through and disable features like cloud backup, encryption keys in cloud, autocomplete suggestions, browser syncing, telemetry/crash logs, siri, spotlight indexing etc as well as install things like uBlock, PiHole and LittleSnitch. That kind of hardening would likely have to be done regardless of environment.

It seems to me that there is a good possibility of a serious supply chain hack in Linux in the next decade. If you ask "Who is trying to prevent this?" it's mildly scary to think there is probably some person with no authority, reputation, or responsibility volunteering their time to try to solve that problem because it's the right thing to do.

As money gets involved in Linux it too can be corrupted. Here is a thread talking about Canonical (Ubuntu): https://www.reddit.com/r/privacy/comments/j4cl6t/should_i_tr...

They've shown a desire to push the line, while the Ubuntu community has apparently mostly kept them within it. That article wasn't meant to be a source of truth so much as a starting point to find things to read about.

> I might look into this-

The nice thing is that once you set it up, you can tell your router to use the PiHole as the DNS server it hands out via DHCP, and it can even block your TV from contacting the manufacturer. Your router might even give it to your phone when it connects and prevent a share of ads from showing up on your phone.

> Telemetry with zero identifiable information is probably okay,

Sadly, while they say there is no identifiable information, this is generally not a guaranteed property so much as a "we try to do the right thing" property. Crash logs don't need identifiable information because with 3 database tables in a data warehouse you can probably re-identify a log no problem. If any kind of memory is sampled, it is very possible to suck in information that shouldn't be there as well.

Microsoft, for example, has found inventors of viruses (and subsequently handed their info over to the FBI) because the crash logs the viruses caused got reported and they could turn that into an identity.

> Maybe my concerns are overblown

Nah, suggestions and features like that are shady. I do not like them one bit. I will say the more you understand, the more you realize privacy is dead. Privacy must be legislated. From a technical level it is an arms race, and if you try to run in the arms race, you'll just get exhausted and lose anyway. It's still probably a good idea to be a bit ahead of the curve or at least aware. Certainly a lot of people in Hong Kong in 2019 probably wish they were more versed in privacy.


Thanks, I'll have to take some time to digest the info. I suppose the only person who's winning the arms race here is Stallman.. lol


Any distro will do. It will be a big step ahead of MacOS or Windows already in terms of privacy. Once you know more, you can always move towards more niche ones. I personally use Fedora on a ThinkPad T470/Dell Optiplex 7010, a good mix of up to date software, stability and ease of use.


> Qubes, Kodachi, Kali, Whonix, Tails, BlackArch

- Qubes is overkill for my needs.

- Kodachi is shady as fuck and could have a backdoor.

- Kali has too much of an attack surface. It's bundled with thousands of software packages that can be leveraged in attacks.

- Whonix is certainly useful, but you need a beefy machine to run two VMs side-by-side. Also it may leave a forensic footprint if your Linux install dumps contents from RAM to disk (swap).

- Tails again is useful, but I found it's updated very frequently. A whole new flashed thumbdrive just to update Tor is insane. But I still use it for like 50% of my computing.


Plus none of them are truly privacy minded. They're security-minded (on one end, used for pen testing, and the other for locking up your computer).

Privacy != Security

And once someone has physical access to your device, all bets are off anyways.


Like, what’s the security or privacy problem with Ubuntu, or most distributions in fact?


What’s wrong with Debian or Fedora?


Debian stable has really old packages, for one thing.


Nothing - except, end-users don't know if they are private / secure by default.


Reasonable Linux distro that balances security, privacy and usability?

I would interpret that as a Linux distribution that is kept up to date, is easy to configure, does not have dial-home cruft and has decent documentation. This is just my own take but opinions will vary wildly for everything I will add here.

- Kept up to date would be all the popular distributions that are not niche focused such as the security/privacy distros that you mentioned. They have a small user base and do not have as regular a cadence of updates. So Arch, Alpine, Alma, Debian, CentOS/Redhat, Fedora, QubesOS, Rocky, Void, Ubuntu. Fedora and Ubuntu will have the most recent a.k.a. bleeding edge versions of upstream packages but most of the distributions are not far behind. The oldest and most battle hardened versions of software would be on CentOS/RHEL with back-ported bug and security fixes. I intentionally left out Gentoo and LinuxFromScratch as those are for people that love tinkering and troubleshooting.

- Not dialing home is devolving by the day but Alpine, Alma, Arch, Debian, CentOS, Qubes, Rocky, Void are not chatty. Fedora recently started dialing home quite heavily for desktop users and even mimics some Microsoft behavior in the latest Beta. Hopefully they will turn this off after Beta because blocking it breaks the desktop. Ubuntu had a few missteps in this area in the past but I do not know if Canonical curtailed the dialing home, this was some time ago. Something to keep an eye on in this area is systemd-resolved as this is evolving and has the potential to get leaky but that is a topic in and of itself.

- Arch has incredible documentation. They are an outlier in this area. Behind them I would place Debian, CentOS, Fedora and Ubuntu. The others have hit-or-miss documentation that sometimes requires a search engine to fill the gaps, especially as it pertains to real world examples.

- Easiest to configure would be Ubuntu as it had heavy adoption early on by many developers, followed by Fedora. Both have a myriad of example configurations in their documentation and endless examples on StackExchange, Serverfault, etc...

Again, just my own opinions. I tried to not be biased. I am a pragmatic minimalist and do not like shiny or trendy things. I personally prefer Void and Qubes for desktop and Alpine for VMs, routers, firewalls, etc... Qubes should have a decent amount of memory, maybe 32GB+. Both have some minor annoyances that would frustrate people new to Linux. All of the popular distributions can be locked down to be less chatty using outbound firewall rules with the iptables "owner" module, with the exception of Fedora's Beta.

If you want to go beyond user-based+port-based rules then there is an open source project called OpenSnitch that mimics the behavior of LittleSnitch (mac). [1] Blocking the chatty behavior of Fedora will break it, especially their admin sub-domain. It is equivalent to Microsoft's access sub-domain used heavily by the Home edition.

Beyond the basic hardening of an OS, if one wanted to really lock things down and assuming they understand Linux networking principles, then QubesOS + a custom Firewall VM clone + custom Whonix VM clone has the potential to leak the least data, but this assumes that one already greatly understands networking, Linux, and all the internet services. There are no turn-key solutions for this that fill knowledge gaps, despite there being several that claim to do so. If going down this path, I suggest using a spare machine that you would not mind blowing away and re-configuring VMs as a matter of a learning exercise.

Reducing the chattiness of user-space applications like Firefox would be user.js [2] and controlling what those applications can see or not see would be firejail, available in some distro repos. [3]

Additional hardening can be implemented using one of the five security modules in the Linux kernel, with the most common being AppArmor and SELinux, but one must really learn how these work to get the most out of them. Most applications in a Linux distro have existing MAC rules. Custom applications would need custom MAC rules to secure them. The default rules in AppArmor and SELinux are designed for a balance of security and usability rather than security+privacy.

All of the distributions can be stripped down to be as lean as you want.

[1] - https://github.com/evilsocket/opensnitch

[2] - https://github.com/arkenfox/user.js

[3] - https://github.com/netblue30/firejail
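The "outbound firewall rules with the iptables owner module" suggestion above is the user-based+port-based layer that sits beneath OpenSnitch. As an added example (not from the comment author or any of the linked projects), the shell script below generates a per-user outbound allowlist: the named user may talk to the local resolver on port 53 and to a short list of TCP ports, and everything else that user sends is logged and rejected. It assumes iptables with the xt_owner and conntrack matches available, and a resolver (such as a PiHole) at the assumed address 192.168.1.2; the user name "alice" and the port list are placeholders. The commands are only printed unless APPLY=1 is set, so you can review them before they touch the running ruleset.

```shell
#!/bin/sh
# Added example: per-user outbound allowlist using the iptables "owner" match.
# Assumes: iptables with -m owner / -m conntrack / -m multiport, and a local
# DNS resolver (e.g. a PiHole) at $RESOLVER. 192.168.1.2 is an assumed address.
RESOLVER="${RESOLVER:-192.168.1.2}"

# emit_rules USER PORTS: print the iptables commands that confine USER's
# outbound traffic to DNS at $RESOLVER plus the comma-separated TCP PORTS,
# logging (rate-limited) and rejecting everything else. Nothing is applied.
emit_rules() {
  user="$1"; ports="$2"; chain="OUT_$1"
  # Create the per-user chain, or flush it if it already exists.
  printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
  # Send this user's packets to the chain; -C keeps re-runs from adding duplicate jumps.
  printf 'iptables -C OUTPUT -m owner --uid-owner %s -j %s 2>/dev/null || iptables -A OUTPUT -m owner --uid-owner %s -j %s\n' \
    "$user" "$chain" "$user" "$chain"
  # Loopback and replies to established connections are always fine.
  printf 'iptables -A %s -o lo -j ACCEPT\n' "$chain"
  printf 'iptables -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$chain"
  # DNS only to the resolver you observe (the PiHole), so nothing bypasses it.
  printf 'iptables -A %s -p udp --dport 53 -d %s -j ACCEPT\n' "$chain" "$RESOLVER"
  printf 'iptables -A %s -p tcp --dport 53 -d %s -j ACCEPT\n' "$chain" "$RESOLVER"
  # The explicit port allowlist for this user.
  printf 'iptables -A %s -p tcp -m multiport --dports %s -j ACCEPT\n' "$chain" "$ports"
  # Everything else: log (so you can see what a program tried) and reject.
  printf 'iptables -A %s -m limit --limit 10/min -j LOG --log-prefix "%s drop: "\n' "$chain" "$chain"
  printf 'iptables -A %s -j REJECT --reject-with icmp-port-unreachable\n' "$chain"
}

# apply_rules: read emitted commands on stdin; execute them only when APPLY=1.
apply_rules() {
  if [ "${APPLY:-0}" = "1" ]; then sh; else cat; fi
}

# Dry run for the placeholder user "alice", allowed out on HTTP and HTTPS only.
# To apply for real (as root): APPLY=1 sh this_script.sh
emit_rules alice 80,443 | apply_rules
```

Processes running as that user can still reach any host on the allowed ports, which is why the comment points to OpenSnitch for per-application decisions; the value of this layer is that the LOG line shows you which programs tried to go elsewhere, giving the observability the thread keeps coming back to.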


any Linux does

just be adept on it!



