Choosing Your Desktop Linux Distribution

Not all Linux distributions are created equal. When choosing a Linux distribution, there are several things you need to keep in mind. Release Cycle You should choose a distribution which stays close to the stable upstream software releases, typically rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such example) rather than bump the software to the “next version” released by the upstream developer....

July 17, 2022 · 7 min · 1440 words · Tommy

Desktop Linux Hardening

Linux is not a secure operating system. However, there are steps you can take to harden it, reduce its attack surface and improve its privacy. Before We Start… This guide is largely based on Madaidan’s Linux hardening guide; however, it does take into account usability and ease of maintenance of each recommendation. The goal is to produce a guide that intermediate to advanced Linux users can reasonably follow to set up and maintain the security configurations....

August 17, 2022 · 21 min · 4460 words · Tommy

Docker and OCI Hardening

Containers aren’t that new fancy thing anymore, but they were a big deal. And they still are. They are a concrete solution to the following problem: - Hey, your software doesn’t work… - Sorry, it works on my computer! Can’t help you. Whether we like them or not, containers are here to stay. Their expressiveness and semantics allow for an abstraction of the OS dependencies that a software has, the latter being often dynamically linked against certain libraries....

March 30, 2022 · 19 min · 3925 words · Wonderfall

Linux Insecurities

There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open-source or because it is widely used in the cloud. However, this is a far cry from reality. There is already a very in-depth technical blog explaining the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post....

July 18, 2022 · 6 min · 1160 words · Tommy

NetworkManager Trackability Reduction

MAC address randomization Note that Ethernet connections can still be tracked via switch ports, and WiFi connections can be broadly localized by access point. Furthermore, MAC address spoofing and randomization depends on firmware support from the interface. Most modern network interface cards support the feature. There are three different aspects of MAC address randomization in NetworkManager, each with their own configuration flag: WiFi scanning [device] wifi.scan-rand-mac-address=yes WiFi connections [connection] wifi.cloned-mac-address=<mode> Ethernet connections [connection] ethernet....

September 4, 2022 · 4 min · 852 words · WfKe9vLwSvv7rN

Securing OpenSSH with FIDO2

Passwordless authentication with OpenSSH keys has been the de facto security standard for years. SSH keys are more robust since they’re cryptographically sane by default, and are therefore resilient to most bruteforce atacks. They’re also easier to manage while enabling a form of decentralized authentication (it’s easy and painless to revoke them). So, what’s the next step? And more exactly, why would one need something even better? Why? The main problem with SSH keys is that they’re not magic: they consist of a key pair, of which the private key is stored on your disk....

April 9, 2022 · 5 min · 863 words · Wonderfall