I have a new computer, and I’d like to install something from Fedora. I have no second computer or anybody I deeply trust, but I need software to make a bootable USB. I’m looking into
Etchdroid (reliability not well documented + I’ll have to go buy a USB-C drive)
Just making a throwaway Windows account on the same computer (Windows will probably not connect to VPN for its first connection)
Public computers (they need identifiable sign in)
Just choosing someone to trust in my life and be done with it (They have to trust me too)
All have cons. Any other options I should know?
Long version:
I have a new computer, and I’d like to install something from Fedora. I have no second computer. You have to have a working computer to write to a USB.
I have no one I deeply trust. They’d have to trust me enough to let me download software on their computer, too.
College computers near me do allow software downloads, but I don’t know if I trust them either. Both require (identifiable) sign in.
I’ve considered using mobile Etchdroid to write to a USB-C, but there’s not much documentation on how well it handles Fedora installs. Since I’ve bricked computers before, I’m more hesitant to take risks on a new one.
I could also just sign in to the preinstalled Windows to write the USB. I don’t have a Microsoft account yet and don’t want to start, though. Local account options seem to be getting killed off.
Between
picking a person in my life to trust, (person now knows)
signing in to a public computer (institution now knows?)
or making a throwaway Windows, (Windows now knows)
None of these options are SUPER AWFUL. I honestly prefer if no one knows what distros I use, though.
So, before I jumped into anything, I was wondering if there was cool info/better options I hadn’t known, like:
Are there more trustworthy sorts of public computers I should know about?
Are there local computer clubs or organizations/USB vendors I can trust that I should know about?
Are there better assurances about Etchdroid I didn’t know about?
If using the same new computer to write to the USB is the way to go, then are there ways to get a local account that I didn’t know?
My level is somewhere between Beginner and Intermediate. I have a privacy setup, just not Linux yet.
I’m a bit concerned that this type of thinking may be the result of poor threat modeling. What is your threat model? Are you sure that it is necessary to hide the fact that you’re creating a linux flash drive? If it is, a proper threat model could help determine from whom it is most important to hide that fact.
Thank you for your concern and I should have addressed this earlier.
I’m aware of what a threat model is, but I also just prefer to minimize where possible. I would like not to be identifiable where possible. Strictly speaking, you could be right that my threat model is poor!
Here, though, I’m not really asking for the perfect extreme solution, mainly just asking whether there were good options I didn’t know about.
In my defense, Linux is rare and Fedora is a fraction of Linux. There are people who could reasonably start targeting me, as I’ve been in fairly severe interpersonal conflicts/abuse before that originate from or relate to the digital world one way or another. I’m not an expert on how much they could find out, but my opponents are technologically more advanced than me, and also higher up in society in terms of resources/legal standing. People have gone digging for me before.
I have a weak sense of safety. That probably DOES mean conventional threat modeling sometimes just gives way to the desire to hide in general. That is all I know for now.
In the short term, if you’re really that worried about it, you could just create an installer usb for a distro you don’t plan on using via whichever method you find easiest and then once it’s is installed, use the freshly installed distro to create a second installer usb for the distro you actually plan on using long term.
That’s pretty ingenious. Didn’t think of that. Thank you!!
This is the first I heard of mental health being cited as a reason for good threat modeling, too.
I’ve read that article many times, qctually, but while scrolling the forums I sometimes feel like the rest of the community has an understanding of it that I don’t.
I’ve used the term Targeted attacks for my use case before, but feel it tends to draw doubt here, so I avoid it sometimes.
Mainly, thank you for your situation specific practical advice. Eagerly awaiting more such input from the people here before I decide on a course of action!
Yes, it turns out that when you don’t have a goal/direction and just decide you want “maximum privacy and security all the time for everything” it can lead to a bit of unhealthy paranoia and overthinking.
Obviously I don’t know your exact situation, but it sounds like targeted attacks may be a reasonable framework for your threat model given this
An immediate solution is to purchase a USB drive with linux already on it. For your use case, this USB Drive (technoethical is supported by the FSF) has one of several FSF approved distros (no one could say which one you used). You can then use this USB drive to install (or download whatever flavor of Linux you actually want) onto your hard drive.
However, as Anvil has pointed out, I don’t think this would be what you may really want and are trying to do. I’m not sure what attacker would benefit knowing what flavor of Linux you downloaded, and how they would get that information solely through Windows, lest you are moments away from having your computer snatched by some serious tech wizards. Ignoring that, the only way they an attacker could be privy to such information is if:
Someone has access to audit internet traffic from your ISP (this means you are already in deep water with law enforcement, or your attackers have some really serious ins, doesn’t sound like your case)
State level actors (doesn’t sound like your case)
Your computer is compromised already (generally requires state level actors, doesn’t sound like your case)
Someone is looking over your shoulder watching what you do (most probable)
Assuming your thread are technologically adept internet sleuths, your area of concern should be tying personally identifiable information (PII) back to you.
Downloading Linux does not tie PII back to you (I’m ignoring IP address stuff). In fact, because you never login to any website, and the websites where you download Linux are often very trusted, its one of the least risky things you can do.
In order for people to target you for using Linux, they have to know you are using Linux. In order to know if you are using Linux, the attackers need you to visit a site and know its you who visited a site, and then analyze the traffic you sent them. Unless you are going to dodgy sites, or your attackers have compromised your networks (i.e. DNS poisoning, again quite rare to target individually imo) to redirect you to sites they own, or they somehow have an in with sites you are visiting, they won’t know you use Linux. And again, this is assuming someone is seriously going out of their way to compromise you, which is quite different from passively monitoring.
I think the important part of what you said is
There are people _ who could _ reasonably start targeting me
If you are not actively being targeted, or about to embark on something where you must defend yourself, this means you may be over concerned (I don’t want to be too presumptuous, as I don’t know your situation). Being proactive is good! But as Anvil said, I think a threat model and being honest if this is an immediate concern where a mistake now could hurt you, or if its simply taking the right steps now in a better long-term privacy hygiene strategy. Being more private and secure isn’t a bad thing, but also it can add unnecessary friction in you life if its not what you are trying to solve.
Assuming you are being very proactive about privacy hygiene: just install Linux. You downloading it isn’t a big deal. Your concerns don’t seem to be about this part. After installing Linux, you should be considering some of the below choices to maintain usual anonymity of how you browser the internet:
Use Tor Browser for anonymous research.
If Tor seems like overkill for your use case or not working, consider a VPN + Mullvad Browser for anonymous web usage, and VPN + (FireFox + Arkenfox / Trivalent) for logged in usage.
If you use online accounts (more-so geared at social media and places where you talk to other people or openly communicate), create separate accounts for IRL usage, and separate accounts for digital usage. Don’t link or mix the two at all.
If you have active online accounts that have mixed IRL + digital, this is where I would consider your highest area of concern! Think really hard about if you want these accounts to exist, and how you want to navigate this.
I also recommend encrypting your hard drive as well (I recommend that for everyone). Be sure to turn your computer off when you are done using it. If it gets snagged and it’s turned off, you’re very likely going to be fine.
Getting updates from specific Linux distribution servers (even with VPN: traffic analysis) will reveal which distribution you have installed. Complete anonymity is impossible.
To whom is a better question, and if that is not that important, it’s not a big deal.
Let’s not hand wave “traffic analysis”. This is not an average attack of non state level targeted people (imo). A VPN with non leaking DNS should mask your traffic to everyone but the VPN provider and a powerful agencies.
There are still methods to bypass the need for a Microsoft Account.
picking a person in my life to trust, (person now knows)
Outside of some very specific situations, I personally wouldn’t consider this to be a very reasonable concern.
But, assuming that you have good reasons for not wanting people to know what distro you use, What’s to stop you from just changing distros once you’ve got your first distro installed.
But really, why do you see the need to hide your usage of Linux? It’s just a normal, fairly widely used OS.
If you trust your phone, there’s no reason you shouldnt be able to make a bootable disk from it. Youd need to pick up an OTG cable to interface with a USBA drive
Here is a FOSS android app that will make a bootable drive, available in FDroid. Buyer beware: I’ve never used this tool, I offer no endorsement. I leave it to the reader to determine if this is a secure & reasonable solution. But it is a solution
I mentioned my thoughts on Etchdroid in my post. Basically I was waiting on more confirmation of etchdroid success before I go ahead with the Etchdroid possibility. I didn’t know about otg cables though so that’s helpful, I thought I needed a USBC drive!
If you need to install something from Fedora, why not use a VM? About the network, create a separate VLAN for the VM and route it through a VPN connection. Disable any kind of host sharing and isolate the VM.
For the Windows part, you can install it with a local account. Get a Pro trial version, implement group policies for better security like from security baselines, and if possible use it with DNS service like NextDNS or Control D. You can also use it with a VPN with killswitch. Proton has Free servers which will serve this purpose.
Just go with Etchdroid. It works good on Ubuntu/Mint. And if you are not satisfied with them, just use their Live mode to download and create new Bootable usb (you will need second flash.
Account on windows is the worst option. They can record HWID, so they can track you even if you reset everything.
I’m glad to hear more experiences with etchdroid. What would you recommend for the first boot drive from Etchdroid on phone, a USB c or an OTG cable, and what are ether reasons for it or either?