What is the most secure FOSS operating system with Internet access?
10 points by nicecars 4 months ago | hide | past | favorite | 23 comments
Random people say Arch Linux, OpenBSD or Qubes, but it is true that Arch Linux is secure to an extent if it is fully hardened, but not as secure as OpenBSD, so is OpenBSD secure? Qubes is a good approach to an OS, but it's Xen security, not OS security, and I'd rather run a secure OS other than Fedora or Debian on Qubes. And I've heard that Chrome OS/Chromium OS has the highest security of any Linux OS, but it's not more secure, it's just more limited. But that, like Qubes, goes back to the drawing board. So which OS is the most secure? Maybe Multics (better protection rings than Linux, OSX or Windows)? I use the most aggressive attackers as my threat model.

I have also heard that the Windows NT kernel design, although not FOSS, is better than Linux, BSD and OSX because it is based on OpenVMS knowledge.




The safest OS is the one you don't run. In other words if you want a perfect OS then don't use a computer.

Now I'm guessing you want to use a computer, probably to run programs. So your choice of programs will limit your choice of OS.

For example, DOS is likely the most secure (since it contains neither networking nor USB support). But I'm guessing the programs you likely want to run don't work on DOS.

A computer disconnected from any network has fewer attack points than one that is. A computer behind a firewall which blocks incoming connections is more secure than one that isn't.

Your question is thus inadequately defined for a useful answer. You need to better describe your context - what you plan to use the computer for, whether the boot drive is read-only, and so on.


The safest OS is an OS that got hit by Crowdstrike and hasn't gotten fixed yet.


So what if it is simply used for browsing (GUI) only? I'm thinking in this case Kiosk or Chrome.


You are asking about the most unsafe use case "only". So no option is safe, all of them are insecure. Obviously, without knowing more, Apple and Windows devices are less secure than Linux just for the fact that they are more targeted by criminals (among other things).


> I use the most aggressive attackers as my threat model.

Is that what you chose out of interest, or do you actually need it? I will assume the former, because that's how your question sounds.

My answer in that case would be: you need to work on your threat model. It is tempting to say "I want the best security, therefore I will define my threat model as 'the most aggressive one'". But that is a fallacy: the best security model is the one that fits your use-case best, not the one that defends against most attackers.

Security is always a tradeoff. Remember that you need security fundamentally because what you want to do has some inherent risk (small or high). The whole point is to decide what risk you can afford and find a security model that is acceptable under those conditions. If you say "I can't take any risk at all", then the answer is always "don't do anything at all".

But if you say "I am making a connected fridge for my home and I really want to make sure that the NSA won't be able to shut it down remotely", then the answer is most likely that your threat model is wrong. Because you actually don't really care about the NSA shutting down your fridge: you can probably live with that risk.

To go back more concretely on your specific question ("which OS should I use against the most aggressive attacker?"), it means that you are probably simply not competent to defend against the most aggressive attacker. There is no such thing as "the most secure OS" if you don't know how to configure and use it properly, and there is arguably no such thing as "security against the most aggressive attacker".

If that's out of interest, I would suggest you pick a realistic threat model and try to reason about it. If you have an actual need (e.g. you need to contact a journalist or something), then try to be more specific than "the most aggressive attacker".


Sorry for the uninformed question. I asked this question out of interest. The most aggressive attacker is because I recall that there used to be a criterion on Wikipedia (I don't remember which page, but I heard it was cancelled when the criterion could no longer be met) where the NSA or another US government agency had a kernel of resistance for the most aggressive attacker.


> Sorry for the uninformed question

Don't be! It's good to think about security :-).

But keep in mind that "the most aggressive attacker" is a bit of a poor threat model. It sounds like a shortcut for not having to think about it, and therefore it misses the point.

For instance:

- Could it be the case that someone points a gun to your head and asks you to give access to your OS? Probably not => that's a first step in defining your threat model, where you can assume that nobody will force you to give up your password.

- Will someone have physical access to your computer? If you have a laptop that you carry around, it may get lost/stolen and therefore you probably want encryption at rest (i.e. full disk encryption). Even if it is your desktop computer at home, one could imagine that it gets stolen. If it is a desktop computer at work, then employees may have access to it. If not encrypted, they could just read what's on the disk. Or they could plug a keylogger and read everything that you type on your keyboard, etc.

- Will your OS be exposed to the Internet? Will it expose ports or can it be completely hidden behind a firewall?

- Are you the only user, or is it possible that another user gets phished?

- etc.

Those are all questions (but it is not an exhaustive list) you need to ask to decide what is an acceptable security model. If all you do is browse the web, maybe you don't need QubesOS (because you don't have anything to compartmentalize). If you sometimes need to write an email anonymously, again maybe you don't need QubesOS but you could go with TailsOS. Depending on the threat model, maybe you will want a brand new computer just for the "sensitive" activity you have, and maybe you will only connect to the Internet from "outside" (i.e. not your personal WiFi). Etc.
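The two comments above both turn on the same concrete question: does the machine expose listening ports to the network, or only to loopback and a firewall that drops incoming connections? The following is an added example, not code from the thread or from any project named in it: it parses the Linux `/proc/net/tcp` table (a constructed sample is embedded so it runs offline) and lists sockets in LISTEN state, splitting loopback-only listeners from ones bound to a routable or wildcard address. The `decode_endpoint` helper assumes a little-endian host, where the kernel prints the IPv4 address bytes reversed.

```python
import os
import socket
import struct

# /proc/net/tcp socket-state column value for LISTEN (Linux TCP_LISTEN = 10).
LISTEN = "0A"

# Constructed sample of /proc/net/tcp, not captured from a real machine:
#   row 0: 127.0.0.1:631  LISTEN (loopback only, e.g. a local print daemon)
#   row 1: 0.0.0.0:22     LISTEN (wildcard bind, reachable from the network)
#   row 2: an ESTABLISHED connection, not a listener
#   row 3: 192.168.0.11:8080 LISTEN (bound to a LAN address, uid 1000)
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C1C2 0100007F:0277 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0B00A8C0:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(hexaddr):
    """Turn 'AABBCCDD:PPPP' from /proc/net/tcp into ('a.b.c.d', port).

    The kernel prints the 32-bit address as a host-order word, so on a
    little-endian host (assumed here) the byte order is reversed; packing
    it with '<L' restores network byte order for inet_ntoa.
    """
    addr_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(text):
    """Return [(ip, port, uid)] for every row whose state column is LISTEN."""
    found = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_endpoint(fields[1])
        found.append((ip, port, int(fields[7])))
    return found


def exposed_sockets(text):
    """Listeners not bound to loopback: these are what a network attacker can reach."""
    return [s for s in listening_sockets(text) if not s[0].startswith("127.")]


def main():
    # Use the real table when available, otherwise fall back to the sample.
    path = "/proc/net/tcp"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROC_NET_TCP
    for ip, port, uid in listening_sockets(text):
        scope = "loopback" if ip.startswith("127.") else "NETWORK-REACHABLE"
        print(f"{ip}:{port} uid={uid} {scope}")


if __name__ == "__main__":
    main()
```

On a real host the same table exists for IPv6 at `/proc/net/tcp6` (with 128-bit addresses in the same reversed-word layout), so a complete check covers both files; anything reported as network-reachable is what a "block incoming connections" firewall rule, or simply not running the service, would take off the attack surface.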


Thank you! Now I understand that my threat model is not good! I remembered the NSA criteria, Separation Kernel Protection Profile


Based on my research, I would suggest the seL4 microkernel running on ARM-64 hardware with a Genode-built variant of Linux.

AFAIK seL4 is the only formally security verified kernel for specific hardware. See their website for verification status of different hardware configurations.

The closest widely used system is Apple OSX which in turn was evolved from CMU Mach. The critical aspect is keeping the smallest possible attack surface, which is why capability based message-passing microkernels are more resilient than monolithic kernels.


Does running Linux on seL4 only prevent attacks on the hardware or firmware level if Linux is compromised?


OS X doesn't use that much from Mach and doesn't have particularly impressive security.


I came here to suggest Genode as well. Default deny goes a long way toward stopping trouble.


> Qubes is a good approach to an OS, but it's Xen security, not OS security, and I'd rather run a secure OS other than Fedora or Debian on Qubes.

Not sure what you mean by "Xen security" in contrast with "OS security". Qubes is an OS. Though a lot depends on your threat model, if you have high security needs, Qubes is likely to be your best companion.

Anyway, another reasonable choice is Kicksecure. It's the debian-based OS underlying Whonix (Kicksecure is focused on security and Whonix adds its privacy/anonymity setup on top of it). You can use Kicksecure as a VM within Qubes, by the way.

https://www.kicksecure.com


> I have also heard that the Windows NT kernel design, although not FOSS, is better than Linux, BSD and OSX because it is based on OpenVMS knowledge.

Former NT kernelspace programming dabbler here. That's very debatable. The NT kernel design is both functional and interesting, but it doesn't really matter in the context of your question, because there are many layers of OS above that with a long history of security vulnerabilities and questionable design.


Is there a structure like the NT kernel (OpenVMS) (in FOSS) that is more stable and less vulnerable than the NT kernel?


ReactOS is the only one I am aware of that might meet your criteria.

https://en.wikipedia.org/wiki/ReactOS


structure -> kernel


I would also look at Qubes. It basically reinstalls a new desktop VM every time you boot the computer, and allows, but has extra safeguards for, using USB, cut-copy-paste, templates, support for Tor etc. But it's slow for obvious reasons.

https://www.qubes-os.org/


"most aggressive attackers as my threat model"

So, government agency? My vote would go for live USB Tails on librebooted ThinkPad. Use only public wifi. Always consider if your actions can be correlated and lead back to you or hint at you.

P.s. consider using wokfi

Good luck, space cowboy!


If your threat model is “the most aggressive attackers” then your OS won’t matter much after you’ve been drugged and beaten with a wrench. (This is an xkcd joke from https://www.explainxkcd.com/wiki/index.php/538:_Security )


I don't get why this was downvoted, because it is true. It does suggest that the threat model is not properly defined.


The deep state downvoted it because they want to keep their opinions open.

It's the same reason they discourage knowledge of capability based security.


I like it

