cross-posted from: https://lemmy.ml/post/12400033 (Thank you https://lemmy.ml/u/Kory !)

I first used Linux about 5 years ago (Ubuntu). Since then, I have tried quite a few distros:

Kali Linux (Use as a secondary)

Linux Mint (Used for a while)

Arch Linux (Could not install)

Tails (Use this often)

Qubes OS (Tried it twice, not ready yet)

Fedora (Current main)

For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use. I really enjoy the GNOME desktop environment, and I am most familiar with Debian. My issue with Fedora is the lack of proper sandboxing, and it seems as though Qubes is the only one that really takes care in sandboxing apps.

Apologies if this is the wrong community for this question, I would be happy to move this post somewhere else. I’ve been anonymously viewing this community after the Rexodus, but this is my first time actually creating a post. Thank you!

UPDATE:

Thank you all so much for your feedback! The top recommended distro by far was SecureBlue, an atomic distro, so I will be trying that one. If that doesn’t work, I may try other atomic distros such as Fedora Atomic or Fedora Silverblue (I may have made an error in my understanding of those two, please correct my if I did!). EndeavourOS was also highly recommended, so if I’m not a fan of atomic distros I will be using that. To @leraje@lemmy.blahaj.zone, your suggestion for Linux Mint Debian Edition with GNOME sounds like a dream, so I may use it as a secondary for my laptop. Thank you all again for your help and support, and I hope this helps someone else too!

  • The 8232 Project@lemmy.mlOP
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    9 months ago

    it’s worth reviewing what Privacy Guides has to say on this.

    Interesting! Considering my threat model includes my ISP as an enemy, it would make sense for me to use a VPN behind Tor: However my threat model doesn’t care if my ISP knows I am using Tor, as it would only be collecting data uncorrelated with my activities. Although it could cause legal trouble if a presidential threat (for example) over Tor happened at the same time as my usage of Tor. The change I will make is this: I will resume my current usage until I am able to use a paid VPN plan to speed it up.

    but please consider to review Proton VPN on port forwarding

    See above, no paid plan yet ;)

    Unfortunately, at least for torrents, you’re no longer able to rely on Mullvad VPN.

    Bleh, and I was really beginning to like them for allowing cash payments!

    Easiest (and also one of the best options) is probably the use of a VM 😅.

    Fair, although didn’t GNOME Boxes have some sandboxing issues?

    there is merit in forsaking Anonaddy for SimpleLogin if decreasing the amount of trusted parties is desired. However, this comes at the cost at moving more into the the direction of putting all your eggs in one basket.

    I am using Anonaddy for that reason specifically, plus the severe lack of features in SimpleLogin’s free version.

    I hope an offline password manager is involved to some capacity.

    As mentioned, I will switch to KeePass soon. Some of my passwords are stored completely offline, however. Pen and paper never fails, I even dedicated a specific pen for it! On a related note, take a look at this

    Do you happen to know how they currently fare against each other in security/privacy features (beyond what’s found on the linked spreadsheet)?

    Once I get an Android phone, I will try out Briar (because I am obsessed with the idea). I personally reached out to SimpleX regarding the spreadsheet, and the response I received back outlined that SimpleX pads the encrypted messages both during transit and in cold storage, which they said a lot of other messengers don’t do. A comment on the original post for the spreadsheet mentions that the spreadsheet doesn’t outline which services route through Tor (which Briar does, of course). The spreadsheet is very thorough, and SimpleX is still a relatively young project, so I don’t have much I can say. I’ve tried using it on iOS, and my friend and I both agree it’s terrible to use sometimes due to lag and choppiness. I currently testflight the app, but still no change. Either way, if you want, you can use SimpleX’s built-in support chat if you want to reach out to the team yourself. They are very friendly and don’t talk like a CEO, but there can be delayed response.

    Ah, we’ve found the password manager, KeePass (be it DX/XC) is indeed excellent.

    Yep! One related note, KeePass on Tails is outdated for some reason. Have any idea why?

    I also planned to add this to my original message: I have never once had a cellular provider, which to me has been the biggest privacy boost since burning Windows at the stake.

    • Throwaway1234@sh.itjust.works
      link
      fedilink
      arrow-up
      1
      ·
      8 months ago

      Fair, although didn’t GNOME Boxes have some sandboxing issues?

      Could be; I simply don’t know. Do you recall the exact issue?

      I even dedicated a specific pen for it!

      Is it something fancy?

      On a related note, take a look at this

      TIL. It’s definitely neat. Thank you for that!

      Once I get an Android phone, I will try out Briar (because I am obsessed with the idea). I personally reached out to SimpleX regarding the spreadsheet, and the response I received back outlined that SimpleX pads the encrypted messages both during transit and in cold storage, which they said a lot of other messengers don’t do. A comment on the original post for the spreadsheet mentions that the spreadsheet doesn’t outline which services route through Tor (which Briar does, of course). The spreadsheet is very thorough, and SimpleX is still a relatively young project, so I don’t have much I can say. I’ve tried using it on iOS, and my friend and I both agree it’s terrible to use sometimes due to lag and choppiness. I currently testflight the app, but still no change. Either way, if you want, you can use SimpleX’s built-in support chat if you want to reach out to the team yourself. They are very friendly and don’t talk like a CEO, but there can be delayed response.

      Thanks for the elaborate answer!

      One related note, KeePass on Tails is outdated for some reason. Have any idea why?

      If I would have to guess, it’s probably because its respective package found in the repos of Debian is outdated. As Tails is based on Debian, it makes sense for them to continue to rely on Debian’s packages as is and only backport security updates. Unfortunately, most of the established distros that are known for taking security, privacy and anonymity very seriously (i.e. Kicksecure, Tails and Whonix) are based on Debian; known for being stable, hence older packages. The exception, Qubes OS, has Fedora 37 (which has gone EOL since last december) in dom0. Though, in Qubes OS’ defense, dom0 is (by default) not directly exposed to the network. And in general is just really fortified; I can’t imagine anyone but state level threat actors to get through that as long as one upholds best practices. Furthermore, the qubes are as modern as you’d want them to be. So, within those, the desired up to date packages can be acquired. Regardless, unsurprisingly, Qubes OS’ approach is (simply) strictly superior over the others.

      I have never once had a cellular provider, which to me has been the biggest privacy boost since burning Windows at the stake.

      Very interesting! Is it what’s elaborated upon in this video? If not, would you mind elaborating?

      • The 8232 Project@lemmy.mlOP
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        8 months ago

        Do you recall the exact issue?

        No, sorry. Some Reddit/Lemmy commenter.

        Is it something fancy?

        No, although invisible ink would be somewhat cool. Have any ideas for a “password pen”?

        TIL. It’s definitely neat. Thank you for that!

        No problem! :) You can also thank whoever on privacy@lemmy.ml posted it (I wish there was a search box…)

        The exception, Qubes OS, has Fedora 37 (which has gone EOL since last december) in dom0

        Yikes, any reason for that?

        Is it what’s elaborated upon in this video? If not, would you mind elaborating?

        More backstory time! I have never used a cellular carrier, and only watched that video about a month ago (because it didn’t exist prior). The first part of my life was spent electronicless (because kids really shouldn’t have phones… look at me now mom, I’m talking to strangers on the internet by routing through a global censorship circumvention network!). The next part was spent somewhat disconnected, only had access to a non mainstream social media (it has since been merged with another one made by the same company, and became paid. Capitalism.) through WiFi + never went out much. I then finally had unrestricted access, but still never went out much. Then I started to go out much more, and the places I went to didn’t have WiFi. That, in turn, led me to take up network hacking as a hobby. I never managed to hack the network in question (WPA2-E). Finally, I got my first job around the same time I learned about privacy. That meant I had the money to get a cell plan, but I had the knowledge to know why that was a bad idea.

        It’s funny, my mother recently called me because she was stressing about trying to find me a carrier (apparently?) and started saying “Your sister offered to add you to her plan if-” and I told her “I don’t want a carrier, but thank you!” and she said “Oh… Well that solves that problem.” and looked very relieved.

        Edit: I guess your question is asking ultimately why I don’t want a carrier, and it is due to the points that were also brought up in that video, yes.

        • Throwaway1234@sh.itjust.works
          link
          fedilink
          arrow-up
          1
          ·
          8 months ago

          Preface: this is written with less care than I do usually. I was writing one of my usual replies, but my phone chose to restart while the text was being written in its browser.

          No, sorry. Some Reddit/Lemmy commenter.

          Np. FWIW, I’m using virt-manager anyways.

          No, although invisible ink would be somewhat cool.

          Definitely! Thanks for the inspiration!

          Have any ideas for a “password pen”?

          Unfortunately not. I have been completely reliant on KeePass* plus the aforementioned (‘algorithmic’) ‘salt’. But I think a password card and/or invisible pen is definitely worth exploring for passwords I don’t use daily. So, once again, thank you for mentioning those!

          You can also thank whoever on privacy@lemmy.ml posted it (I wish there was a search box…)

          Was that rhetorical 😅? I actually found the (presumably) original poster through the search capabilities found on Lemmy.

          Yikes, any reason for that?

          For a complete answer, let’s go for a trip back in time. Qubes OS’ alpha release happened in April of 2010. The Linux landscape was vastly different then to how it’s today. But, regardless, out of all possible options, a distro would have to be chosen for dom0. And, while none of us has the capability to look into the future, the chosen distro still had to be future-proof (i.e. not be abandoned any time soon). The second criterion was that it should be close to upstream (i.e. not a distro with outdated packages and kernel) for the sake of hardware compatibility (the very same reason for which Linux Mint has recently launched its Edge release). And, on that note, be excellent in terms of hardware/device support. Out of the then prevalent distros, Fedora simply fit all criteria best; Fedora being the community-driven distro to industry giant Red Hat, definitely played a huge role. And, in retrospect, it’s undeniable that picking Fedora was (and still is) a great decision. Honestly, I can’t even think of a better pick… Which is (perhaps) better understood by answering the second question; namely: Why Fedora 37 and not Fedora 38 or Fedora 39? Both of which were already released, while Fedora 37 had just gone EOL release. For that, we need to understand that Qubes OS actually does allow the installation of select packages in dom0, even if it’s regarded as a feature that only more advanced users should look into. As Qubes OS is (by default) a sensibly secure desktop OS, it only makes sense that they have to ensure that packages installed on dom0 are 100% safe and secure. But Qubes OS doesn’t want to waste resources on checking the security integrity of a moving system (i.e. a non-stable/non-EOL release). Thus, by necessity, it has to resort to an EOL release for Fedora. Going back to them picking Fedora in the first place; if we add the criteria that user repositories are undesired and that security should be handled very seriously by the maintainers, then Fedora was and still is the distro to pick.

          More backstory time! I have never used a cellular carrier, and only watched that video about a month ago (because it didn’t exist prior). The first part of my life was spent electronicless (because kids really shouldn’t have phones… look at me now mom, I’m talking to strangers on the internet by routing through a global censorship circumvention network!). The next part was spent somewhat disconnected, only had access to a non mainstream social media (it has since been merged with another one made by the same company, and became paid. Capitalism.) through WiFi + never went out much. I then finally had unrestricted access, but still never went out much. Then I started to go out much more, and the places I went to didn’t have WiFi. That, in turn, led me to take up network hacking as a hobby. I never managed to hack the network in question (WPA2-E).

          Thank you so much for the elaborate answer!

          Finally, I got my first job around the same time I learned about privacy. That meant I had the money to get a cell plan, but I had the knowledge to know why that was a bad idea.

          I thought I was well integrated into the privacy communities. But it seems that I was wrong; for I was unaware of the specifics until Naomi’s video. Would you mind sharing blogs/sites etc that you find exceptionally useful for finding out about these things?

          It’s funny, my mother recently called me because she was stressing about trying to find me a carrier (apparently?) and started saying “Your sister offered to add you to her plan if-” and I told her “I don’t want a carrier, but thank you!” and she said “Oh… Well that solves that problem.” and looked very relieved.

          Hehe, 🤣.

          Edit: I guess your question is asking ultimately why I don’t want a carrier, and it is due to the points that were also brought up in that video, yes.

          Thanks for the clarification!

          • The 8232 Project@lemmy.mlOP
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            8 months ago

            Preface: this is written with less care than I do usually. I was writing one of my usual replies, but my phone chose to restart while the text was being written in its browser.

            No worries, we’ve all been there! Was the restart due to annoying OS features (e.g. Windows used to restart immediately without asking, iOS restarts if your phone is locked and it’s night time, etc.)

            Was that rhetorical 😅?

            No, I’m just blind :,) I found it now

            Edit: Here it is!

            Would you mind sharing blogs/sites etc that you find exceptionally useful for finding out about these things?

            Until the Rexodus (by the way, I’m apparently the only one to call it that. Please, people, it’s such a good name!), I had simply kept current with every post on r/privacy. I had occasionally read a few old posts, but it was mostly just keeping an eye on what the community was posting about and reading the discussions to learn as much as possible. I have a few old screenshots, like from this post and this one, but besides that it was just miscellaneous posts.

            Edit: I found others calling it the Rexodus! Here is one

            • Throwaway1234@sh.itjust.works
              link
              fedilink
              arrow-up
              2
              ·
              8 months ago

              Was the restart due to annoying OS features (e.g. Windows used to restart immediately without asking, iOS restarts if your phone is locked and it’s night time, etc.)

              Actually, I am not sure why it happened 😅. It was connected to the charger and I didn’t do anything that would otherwise be a direct cause to the phone to shutting off. To be honest, I don’t recall it ever happen before 😅. Kinda spooky… Or just technology being derpy at times 🤣.

              No, I’m just blind :,) I found it now

              Hahaha, glad to hear that you found it!

              Edit: Here it is!

              Thank you!

              Until the Rexodus (by the way, I’m apparently the only one to call it that. Please, people, it’s such a good name!),

              I’d argue that Rexxit is just plain better 😜.

              I had simply kept current with every post on r/privacy. I had occasionally read a few old posts, but it was mostly just keeping an eye on what the community was posting about and reading the discussions to learn as much as possible. I have a few old screenshots, like from this post and this one, but besides that it was just miscellaneous posts.

              Thank you for the answer! I started out following r/privacy diligently until I noticed that my threat model didn’t quite align with some of the more common echo chambers found there. To be more elaborate; it seems as if I was more absolutist when security was concerned, while the community was more absolutist when privacy was concerned. To be fair, it’s r/privacy, so it makes sense for it to be that way. Though I had hoped that security wasn’t treated like a second-class citizen; at least that’s how I felt*. Regardless, it seems that I’ve missed some gems along the way. Hopefully I will be able to catch up.

              • The 8232 Project@lemmy.mlOP
                link
                fedilink
                arrow-up
                2
                ·
                edit-2
                8 months ago

                the community was more absolutist when privacy was concerned.

                Yeah, after the Rexxit (heh) started the whole r/privacy community lost a massive amount of quality in the community. Even before then, they pushed to tell people the clear disconnect between privacy and security (which, while there is, a threat model is a threat model, privacy or not). !privacy@lemmy.ml has a much nicer community and is very open to the idea of services that are designed for security and not privacy. In my eyes, c/privacy is the more “mature” version of r/privacy. I used to occasionally check up on r/privacy after the Rexxit, and always left feeling very mad about a lot of the posts and responses.

                • Throwaway1234@sh.itjust.works
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  8 months ago

                  Thank you for the great reply! I think I will be paying more attention to c/privacy going forward. Btw, how is secureblue going?

                  • The 8232 Project@lemmy.mlOP
                    link
                    fedilink
                    arrow-up
                    2
                    ·
                    8 months ago

                    Btw, how is secureblue going?

                    Thanks for asking! I haven’t switched yet, because I want to run it on a separate SSD that hasn’t arrived in the mail yet. The SSD will not only be an upgrade from my current one, but it will make my Linux journey a lot less painful down the road.