1w ago

What would be your distro of choice if you take the security with ease as the top priority

With the recent windows 10 EoL news, I was able to move my dad over to Linux mint. But he does a lot of finance stuff. Long ago, Linux had a belief that desktop Linux are not the primary target for crackers but I don’t believe that true anymore since it’s getting significantly popular lately like Europe government migration over to Linux and Libreoffice.

My question would be , given my dad is just as careful on Linux as he has been on windows, would it be fine to do finance like banking and trading (not the fastest kind )?

If not, what would be your distro of choice for that? Even browsers (I installed Firefox and Edge from Microsoft website deb file)

Comments

hendrik @palaver.p3x.de 1w ago
I think most Linux distros will be fine. As of today desktop marketshare is still small, the governments mostly work within custom business applications. And to this date Linux malware and viruses for the desktop are practically unheard of. The common attacks are against the browsers, not the underlying operating system (so do timely updates and install an adblocker) or we'd expect phishing or phone scams and that's against the human in front of the computer, again not the operating system. That makes me say they're about all alright. Of course they're not all equal. Immutable distros and sandboxing will help here. But the real deal is other countermeasures, like be aware how phishing works and try not to mix online banking and pirating games from shady websites. That belongs on separate user accounts or even installed operating systems. And use password managers, 2 factor authentication and these things. (And don't use Edge, or some browser from some random third-party repository.)
- rhabarba @feddit.org 1w ago
  And to this date Linux malware and viruses for the desktop are practically unheard of.
  This is dangerously false.
  edit: I'm sorry to see I have disturbed a few people here, downvoting the truth without a comment. Explains a lot of contemporary politics, I think.
  
  hendrik @palaver.p3x.de 1w ago
  
  Can I get some list or a reference to educate myself? As far as I know it still holds true. There's rootkits, a lot of old stuff and exploits of webservers or embedded devices, supply chain attacks towards developers and the one day the Mint ISO file got compromised. But I'm completely unaware of desktop computer malware with high risk or actually spreading?! And the list on Wikipedia seems to confirm what i said...
  
  Señor Mono @feddit.org 1w ago
  
  I guess the problem is not “the truth” but a claim without sources combined with a short communication style for a really complex matter.
  Even the link you posted just reporte of one malware instead of the current state or perception of the problem. Like a general threat assessment instead of one incident.
  
  Señor Mono @feddit.org 1w ago
  This is dangerously unspecific.
  
  Ethanol @pawb.social 1w ago
  Regarding your edit:
  \ Having read through the comment chains here, your source is a relatively new malware called RingReaper.
  \ This article from cybersecurity news seemed nice and they linked to the actual PICUS security report which first identified the malware, I think.
  \ I'm not sure whether this malware is actually used to infect Linux desktops or if it's mostly used for infecting servers, or whether it is used at all. I agree that people shouldn't let their guard down with malware on Linux. Anti-malware programs on Linux are a good idea and it seems there are already projects tracking and combating malware on Linux. I do agree that Linux malware is not unheard of.
  \ Nonetheless you seem to over exaggerate a bit. There is malware attacking servers running Linux but I doubt that many of those would work on desktop Linux. Furthermore, desktop share of Linux is still low, so there won't be a big incentive for malicious actors to target Linux desktops specifically. The comments you posted here seem more like paranoia to me and do not seem useful, and your single example of a Linux kernel virus seems more like a derailment of the conversation. With that I can understand the downvotes. Don't take it too harsh either, no need for your witty comment:
  Explains a lot of contemporary politics, I think
  lol
Björn @swg-empire.de 1w ago
OpenSUSE is big on the security and usability front. None of the services you install activate by themselves. Firewall active by default. The first user doesn't get access to every group under the sun after installation.
And everything can be controlled through GUI tools. But it doesn't throw a fit when you've done something yourself through the CLI.
- BCsven @lemmy.ca 1w ago
  Also SELinux by default now instead of AppArmor. It can be a pain but it works. I.e. files dumped into a SAMBA share aren't autoshared unless they have the samba SELinux setting applied, etc
- JustEnoughDucks @feddit.nl 7d ago
  Opensuse MicroOS variants kalpa and aeon are probably what they are looking for. Stupid easy to set up and, from what I understand, quite secure.
  Downside is that it needs workarounds for some things like Steam Flatpak and such, but that is the nature of atomic distros.
Attacker94 @lemmy.world 1w ago
Based upon your wording, I am assuming your father is not particularly tech savvy, if this is the case first and foremost you should be picking a distro that is maintained by a large group of trustworthy developers, this removes the niche distros from the running. Secondly, since he isn't going to want to learn the terminal, you should be picking a distro that installs programs with a GUI package manager or flatpak manager, this removes the likes of arch, gentoo, & open suse tumbleweed. Thirdly, you will want a distro that is based on one you understand well enough to run tech support, I don't know which that is for you, if it is Debian based stick with mint, fedora based go with fedora workstation or fedora KDE, if it is opensuse I don't have any recommendations sorry.
After you select the distro you need to educate your dad that he should only be getting new programs through the package manager, and I would either tell him the inherit insecurity of some flatpaks or remove flathub from your mirror list unless there is something he really needs in which case you need to do your research.
In general security on Linux is a lot more active for IT than it is for Windows, but for the general user if they can get by using a well known distro's repos you shouldn't have any security issues.
If you are overly worried you could add apparmor to the system to isolate the system from programs or pick an immutable distro like bazzite, but in general the immutables are smaller teams which is why I don't prefer them.
- tiz @lemmy.ml 6d ago
  Thanks for the thought process it’s really helpful and also reassuring since it’s quite similar to mine and yeah. Secureblue definitely sounds cool but I’m afraid it would not fit my dad’s need. In the end it’s gonna be up to whether I and my father can trust the maintainers or not
kylian0087 @lemmy.dbzer0.com 1w ago
Top choice regarding security? Qubes OS. But that's not just a distro.
- tiz @lemmy.ml 1w ago
  this is the first time knowing the Qubes OS. and upon researching on wikipedia, it's meant to be used with multiple OSes for different tasks...? wow
  
  kylian0087 @lemmy.dbzer0.com 1w ago
  It is. the underlying OS is actually a type 1 hypervisor, XEN. better take a look at their official website then wikipedia though.
  
  Allero @lemmy.today 1w ago
  It essentially is multiple OSes, one host and plethora of separate virtual machines that only communicate what they were designed to communicate.
  This way pretty much nothing can get access to userspace.
ash64 @lemmy.world 1w ago
Maybe Secureblue?
That also comes with its own hardened browser based on GrapheneOS's.
And if you don't go with Secureblue and its browser, I'd recommend using a browser Chromium based, probably Brave. I know that's a controversial choice, but in terms of security and ad blocking, it's one of the better options. And disable JIT for V8.
- tiz @lemmy.ml 1w ago
  First time hearing about Secureblue. And it sounds great. Though their motivation is quite welcome to see, I’m unsure if it will be actively maintained for a long time. It’s quite young project.
Hyacin (He/Him) @lemmy.ml 7d ago
OpenBSD
ducks
- oneguynick @lemmy.world 6d ago
  I mean... Not wrong
- LeFantome @programming.dev 6d ago
  But x11 is insecure
  ducks
Tenderizer78 @lemmy.ml 1w ago
Secureblue is what I'd use if security was a major concern. Every time I've tried to use a non-Ubuntu distro I've immediately ran into a few technical issues so I stick with Ubuntu.
Generally I think I'm safe as long as I don't install untrusted software, and the distro didn't package untrusted software.
Cris @lemmy.world 1w ago

If you're picking a distro for someone else I would not recommend a small project distro or something incredibly niche 😅
Any of the big projects should be decent. Fedora, maybe fedora silverblue or whatever their imutable variant is called, opensuse, Mint, Ubuntu, debian. (Personally I don't like some of the choices Ubuntu makes but it may still be a very good option for less technical folks)
Others can tell you which of those have the best security defaults, but to be honest it doesn't sound like you actually have particularly exceptional security needs relative to what any distro will provide. I'd prioritize something stable and user friendly- which, again, your best bet is NOT picking a niche small project or something most people have never heard of
Hugging Stars @programming.dev 7d ago

Qubes OS gives him high security with relative ease.
Fedora Silverblue with auto update and Flatseal tightened apps is a nice middle ground.
RHEL minimises supply chain attack risk and provides features like kernel hot patching. He can use free developer subscriptions. Also try SUSE.
Security wise Chromium is a bit better than Firefox. Try to seal it up with SELinux. Red Hat only supports Firefox however.
SecureBlue can be used as a reference, but it's still downstream so personally I'd avoid using it in case of supply chain attacks unless securing Silverblue is too much of a hassle.
Keep in mind that Flatpak sandbox interferes with browser sandboxes.
Mactan @lemmy.ml 7d ago
security or ease , pick one
SayCyberOnceMore @feddit.uk 1w ago
Security is the output of removing vulnerabilities and insecure configs
So, the real answer is: what's the minimal software you need and the most regularly updated.
So, my choice is Arch.
Yep, installation takes a little longer and needs more technical skills, but only install the bits you need (also learn a little more this way) and then updates are tiny and can be done as often as you're comfortable with.
Whatever you choose, it will break / die / be deleted or corrupted one day, so always backup your data separately than the OS (separate drive partitions can help) and you're done.
Lukemaster69 @lemmy.ca
BOT
6d ago
Ubuntu or mint both are fine
rozodru @piefed.social 1w ago
if you're looking for something with the most security, then Qubes. It's heavy, it's slow, but good luck to anyone looking to break into that system.
Bit of a learning curve and a bit to wrap your head around it but I would tell him to think of it like you have access to a bunch of individual computers that don't talk to each other but you control all of them. So he could have a Qube for casual web browsing, could have a Qube for work, and another Qube for financial stuff. all independent of each other. IF something were to happen (malware, trojan, whatever) just simply close that qube window and spin up another.
Sonalder @lemmy.ml 1w ago
Education + Up to date and highly popular distro with tons of contributors + good track record regarding security
pastermil @sh.itjust.works 1w ago
Between Debian and AlmaLinux, depending on the exact use case.
thingsiplay @beehaw.org 1w ago
Kali Linux
/s
birdwing @lemmy.blahaj.zone 1w ago
PureOS might be one, though it's maintained by an American computer corporation.
rhabarba @feddit.org 1w ago
OpenBSD. No Linux, but much more secure. And yes, there is quite some amount of Linux-specific malware around these days.
- ash64 @lemmy.world 1w ago
  True, but my issue with OpenBSD is that the performance is really lacking in terms of desktop smoothness. It feels like sub 60 fps compared the smoothness of Linux and FreeBSD.
  I hope it's just a current driver incompatibility and not related to their hardening. Will try again once 7.8 releases.
  
  rhabarba @feddit.org 1w ago
  
  OpenBSD gets SMP improvements all the time, so yes, chances are that 7.8 will be even snappier. For banking, however, desktop smoothness would not be my primary concern.
- Auli @lemmy.ca 1w ago
  Ah now it makes sense why you are spamming the Ring reaper. Still needs an exploit to get it on your machine. BSD has way less hardware support then Linux.
  
  rhabarba @feddit.org 1w ago
  The precise amount of hardware support of an operating system largely depends on your hardware. For example, iOS runs on iPhones while Linux does not. Does iOS have greater hardware support now?
  Frankly, there is not one piece of hardware in my household that wouldn’t work with OpenBSD. I’m sure I could say the same about Linux. And you.

56 Comments