Hi there,
Win10 is soon not supported. Tbh Linux have been on my radar since I started to break from the US big tech.
But how is security handled in Linux? Linux is pretty open-source, or am I not understanding it correctly. So how can I as a new user make sure to have the most secure machine as possible?
- Set a decently good password (password is required frequently on Linux, so do go overboard with a 40-random-characters-long password, you will regret it)
- don’t install programs or run scripts from shady sources, prefer to install programs from the Software store (package manager and flatpak)
- setup a backup system to regularly copy all your files to a separate storage device. This is the way to protect yourself from ransomware but also user errors! Having the possibility to format your drive, reinstall and restore backup in a 1 hour time span is going to give you the peace of mine you need for exploring and experimenting with Linux
Currently my favorite passwords are song lyrics from my favorite songs. You can easily hit 60 characters, and they’re easy to remember!
Nothin, just install your favourite distro and don’t run random command/scripts/binaries you found on the internet
Like those ‘curl | sudo bash’ abominations that have become strangely popular lately.
So how can I as a new user make sure to have the most secure machine as possible?
That’s not what you want. You want a reasonable level of confidence that your system is secure.
The process is similar to Windows - keep it up-to-date, use good passwords, don’t run things as root (admin), and don’t install things that are questionable.
The package manager under linux is where you should start, and that varys by distro some. But generally speaking things installed from there are “safe” and will be updated by the package manager when you do updates.
Linux is always more secure than win10, so whatever your need, Linux is more secure. The biggest threat is almost always yourself, and what you open up, give away, and how easy you make the codes you use and so forth.
Keep your user account is user space.
Avoid unnecessary root access.
So how can I as a new user make sure to have the most secure machine as possible?
Shut the computer down. That’s it; computer as secure as possible.
Otherwise, if you actually want to use your computer, google for “threat model” first.
But generally: use an adblocker in your webbrowser, don’t execute random commands/tools from the internet before you know for sure what you’re doing, update stuff now and then and make backups.
Just make sure everything’s updated.
Microsoft do a good job of updating drivers and their applications, but Windows application updates vary so much.
For Linux - mostly - the distro maintainers handle all updates and just updating is usually enough.
After that it’s down to you… if you disable all the built-in protection and visit dodgy websites then any OS is going to struggle.
You can improve the out-of-box security by removing software you don’t use, improving default configurations (one size doesn’t fit all) and considering if you want additional security software - this applies to any OS.
So, to return to your question, choose a Linux distro which has regular updates and only contains applications that you use.
Visiting dodgy websites in itself isn’t as risky as you make it out to be. There are very few exploits in an updated version of Chrome or Firefox that would compromise your machine.
I think you’re agreeing with me then.
My first point is keeping everything updated - which would include the browser(s)
My later point was visiting dodgy sites with protections disabled.
There’s a lot of people with the idea that open source can’t be secure because people see the source code.
But imagine this. You have 2 locks, one that is completely viewable of the innerworkings, and another that is covered, both have been unbreakable, but could you imagine the balls on the guy that made the clear lock? Imagine feeling so confident that your lock was clearly the best, that you just expose it to any hacker ever and they still can’t get in.
Microsoft can barely get things working with their closed source code.
In reality, anything is exploitable and hackable eventually. With the open source community there are so many eyes on it that when someone notices that the program is running 2 seconds slower than it used to, they discover a vulnerability instead of just accepting it and saying “probably MS doing some BS” and dealing with it.
your analogy doesn’t quite work here tbh.
It’s not a transparent lock, a transparent lock would be easy to pick. It’s more of a usual lock, but everyone can see all the blueprints and changes done to them. You can make changes to the blueprints yourself, and if the locksmiths approve of it, the next iteration of the lock will have them included.
Everyone who’s in the set of users of OSS software can contribute, therefore the set of people in control of the software that want it to have no backdoors whatsoever is always larger than the set of people who want to let the backdoors in, unlike in closed source, where corporate can singlehandedly decide to include a backdoor on purpose, not to mention, lots of OSS projects have such a large quantities of different people working on them, corpos won’t be able to gather so much humanpower under a single project ever.
Security is an insanely broad topic. As an average desktop user, keep your system up to date, and don’t run random programs from untrusted sources (most of the internet). This will cover almost everyones needs. For laptops, I’d recommend enabling drive encryption during installation, though note that data recovery is harder with it enabled.
That is good advice, however sadly a lot of install scripts are basically: download this script from us, and pipe it to a root shell.
Install scripts for what exactly?
Majority of software is packaged natively.
i personally wouldn’t recommend encrypted drive for a beginner though
They should not us LUkS and instead use veracrypt for folders and files. That way if any repartitioning or modification is needed it’s simple in gparted or GNOME disks on mint.
Source is been there and done that. Luks partitions are not easily resized.
Why not? You (usually) just click the check box during install, and you have 1 extra password when you boot up your system. Doesn’t seem too hard but I might be missing something.
when you fuck shit up you can’t really easily boot in from a usb drive and learn the recovery process
It’s a few extra steps to start fixing, but it’s still definitely possible once you get the crypto device mapper.
Better to lose the data than have it stolen.
So long as you know that is the trade off, I would tend to agree with you, but knowing the standard desktop user, most will opt for the opposite of your statement.
It’s surprisingly annoying trying to configure LUKS full disk encryption. I had to look up instructions many times over on Mint.
Wait what? I don’t use mint, but with every other distro you just check the box at install and that is it.
Are you saying its hard to configure after you have already installed? I could imagine it might be, but why not export a list of programs you use and back up the home directory. Reinstall and check the box, restore home, and import your package list?
Firstly, LUKS is under “physical disk for encryption” which is a stupid and confusing name.
Secondly, if you want to dual-boot with LUKS you need to manually configure the partitions.
Thirdly, you need to seperately assign root to be installed on the “physical disk for encryption”, and they have multiple volumes for that in the list.
Fourthly, as with all LUKS encrypted Linux distros you need a seperate EFI, boot, and root partition.
Fifthly, all of this partitioning is on a really small window that can’t be resized.
I don’t dual boot, so I guess there is that. But everything else seems very confusing. All other installers say, do you want this encrypted? You click yes. And that’s it.
TBH I’ve installed Mint, Kubuntu, and OpenSUSE and I don’t remember which ones had which issues. I think they’re all Mint but maybe not.
Security is a rabbit hole.
You’re going to end up wasting a lot of time and effort on learning about something that in the end will not have a substantial impact on your computing experience.
It will make you look good in front of losers on the internet you’ll never meet, though.
There’s plethora of resources if you want to make your Linux install even more secure than the defaults (so-called “hardening”)
Microsoft being closed source hides their bugs and vulnerabilities. Even when security researchers have sent in reports MS has sat on them due to profit being motive not security, and not taking vulners seriously until the researchers say screw that and publish it.
Linux being open can have all eyes on it, and if there is an exploit, there is a community willing to help ASAP.
On many distros you may have weekly or even daily updates or patches coming through with fixes. A distro like OpenSUSE has various patch and list patch commands that show what security patches are avilailable, their status (critical, recommended) and if it’s needed on your system or not depending on what you have installed. You don’t get transparency on closed source systems.
If you are paranoid about security you can use AppArmor tools or SELinux. AppArmor can be set to learn his an app behaves, then you lock it so the app can’t do new things.
SELinux you set rules for files and folders, so even with remote access an attacker can’t access data if rules don’t allow file listing over SSH etc
I would argue that Linux is inherently much more secure than windoze, simply because of how it handles user space vs. System (root access vs. User access). Also by how transparent its configuration is and how much information is readily accessible detailing how it works and how to adjust things.
However, when talking security for anything above the average user’s browsing needs, it can get very complicated depending on what you are trying to achieve.
Think of it like building something to keep out honest people vs. to keep out hardened, knowledgeable, clever thieves. Obviously the latter is going to take more time and resources to achieve, while the need to keep out more sophisticated bad actors would probably only be needed if you have something they might want.
Here are some suggestions for searching if actual security is your goal. Others can chime in with more things if they want. This is just some topics/programs you can read about to dip your toes in.
- nftables/Firewalld (common firewalls)
- wireguard/openvpn (vpn protocols)
- rootless containers (podman)
Best of luck!
When my kids were in their teens they had windows machines.
They had windows machines, because all their friends had windows machines.
you know what kids are like, click on every thing. oblivious to danger.
malware, viruses, the lot. of course, good old idiot dad had to sort it out. spending hours running anti-virus programs and malwarebytes etc
I got really annoyed one day and while they were at school. I totally removed windows and installed linux mint xfce on both their machines.
Set everything up for them exactly how I used my linux machine.
Once they were online, had their web browser open, found they could login in to all the things they liked and still enage with their friends.
I never heard a peep from them. no more anti-virus scans or malware.
It was heaven.
Ive used Linux for 20 years and never had a virus.
I just want to say that you’re probably worrying too much about it. Of course, there is lots of things one can do to improve security (which the others here are listing dutifully) and it is foolish to just assume that one’s computer is entirely secure, because as a user, you will always have the ability to bypass that.
But there’s a pretty firm consensus in the IT industry that Linux is more secure than Windows. And that the popular Linux distributions are more trustworthy organizations than Microsoft.
So, it’s good to inform yourself, but if you survived on Windows, you at least should not worry about the Linux side of things. It’s more than fine.
