Secureblue: Is This the Most Secure Linux Distro?

I make the distinction between real-world reported attacks and theoretical security flaws, because I think it actually does make a huge difference for the end-user, and maybe we just agree to disagree on this point.

If anything, it is the exact opposite. Users rely far too much on what they read in the news and media (including, and sometimes especially, YouTube) instead of relying on security experts. This makes them far more susceptible to snake oil. It’d be akin to getting medical information from the news instead of from a doctor.

What developers should concern themselves with mostly doesn’t overlap with what users should concern themselves with.

Developers don’t want users to get attacked. Users don’t want to get attacked.

Many people have an extremely distorted view of what actually matters

I agree, but in precisely the opposite way :sweat_smile:

The reductive and reactive approach you are presenting here is exactly the kind of thing I’m actively working against. It is damaging and distorts what actually matters here, by focusing on headlines instead of proactivity. What you are describing is the security equivalent of never going to the doctor to get a checkup, but instead only reactively screening yourself for specific illnesses that commonly show up in the news.

threat model

I don’t think most users have ever created a threat model.

Unfortunately, I just see too many security-minded projects cherry-pick theoretical exploits in their competitors to spread fear/uncertainty about,

Describing “theoretical exploits” aka attack vectors is not FUD… That’s part of what doing security analysis looks like.

Validated, real-world reports are far more valuable information in this situation.

This (relying on news reports) is not how scientific inquiry works. Journalists are not scientists. We don’t use news reports to make health decisions, for example, we refer to studies run by experts. Just because a news outlet reports a specific example of someone getting a particularly nasty disease, doesn’t at all mean that that disease is relevant to your health. Maybe it was reported on because of the rarity of the event, even.

2 Likes

Don’t you realize why this makes it to the news, and not that John Smith from Podunk was stupid enough to execute an infostealer?

@jonah If the question was “What are some real-world circumstances where targeted attacks affected Linux Desktop users”, it is difficult to find relevant news articles beyond rare examples. Because of this, I argue that this topic should be a genuine research question in an academic research paper. An excellent task by academic researchers to give us the answers we need through analyzing primary sources. Nevertheless, this makes it difficult for the average user to find information among the white noise, I’m afraid.

Journalists excel at reading police reports, press releases, and court case filings. Cybercrime, ironically, is how we can learn about digital forensics and real targeted attacks. Like you said, the news won’t always report CVEs that may impact most people. However, dedicated cybersecurity outlets like BleepingComputer do, but that’s because they’re technical by nature.

I also think the line between “security researchers” and cybersecurity journalists is becoming blurred. With the amount of writeups and blogs popping up across the infosec community, I’m not surprised that this is the case. However, we can admit that there is a problem with HORRIBLE technology journalists who misrepresent security issues entirely.

1 Like

this makes it difficult for the average user to find information among the white noise I’m afraid.

Couldn’t agree more… Generally speaking, enterprise information sources tend to be much more reliable for security info, although significantly less digestible. e.g.

https://public.cyber.mil/stigs/

etc

Because of this, I argue that this topic should be a genuine research question in an academic research paper. An excellent task by academic researchers to give us the answers we need through analyzing primary sources.

There has been some inquiry into these questions. Take for example this talk below:

I also think the line between “security researchers” and cybersecurity journalists is becoming blurred.

I guess it depends how you define “security researcher” :sweat_smile:

When I hear that term, I think either a security architect inside of an enterprise, or a red teamer. Far from journalism in either case.

2 Likes

Yeah, but “lorenzofb” is not some random tech journalist. He surely makes mistakes like any other journalist, as this is not an area of their expertise where they can validate claims by looking at a program’s source code and technical details.

But you can’t deny this report, unless someone audits the said video player in the article and tries to replicate multiple scenarios of how such an attack was conducted, which still can’t guarantee a useful result either.

I think you missed my point; it didn’t depend on denying the veracity of the report or the credentials of the reporter.

Again, not the problem being discussed in the first place.

Maybe we disagree on what is news, I would include these sources in my definition. It’s not limited to popular mainstream media, I’m just talking about any documented cases.

Within your doctor analogy above a lot of the problems with Linux, stock Android, etc. are like getting people worked up about… Ebola, or something. Yeah, it’s a very serious disease and the consequences of getting it are dire. Yeah, researchers should absolutely work on developing a vaccine for it. But are you going to get Ebola randomly? Probably not. This is the disconnect between what researchers need to worry about and what users need to worry about I referenced earlier.

I just want developers to think about and solve a lot of security problems, while not making other people think they’re very likely to encounter those problems in practice today :man_shrugging:

Edit: This isn’t even the best analogy because some people are actually commonly affected by Ebola. It’s almost more like being worried about vaccines modifying your DNA, or something theoretically maybe within the realm of possibility but has essentially never happened. I don’t know, I’m not a doctor. Don’t focus on this lol

4 Likes

Within your doctor analogy above a lot of the problems with Linux, stock Android, etc. are like getting people worked up about… Ebola, or something. Yeah, it’s a very serious disease and the consequences of getting it are dire. Yeah, researchers should absolutely work on developing a vaccine for it. But are you going to get Ebola randomly? Probably not.

Right, but in my analogy: Ebola would be analogous to isolated security incidents you hear about. Meanwhile what’s actually relevant to you would be proactive measures, like vaccination, regular checkups, cancer screenings, etc.

Edit: if we agree on one thing here it’s that this analogy is getting stretched beyond utility :smile:

I just want developers to think about and solve a lot of security problems, while not making other people think they’re very likely to encounter those problems in practice today :man_shrugging:

I don’t think this is what security-oriented developers are doing. Saying something like “It’s important to be proactive against the unlikely event of X Y or Z” doesn’t indicate at all that something is particularly likely. Would you say that doctors are making people think they’re likely to have health issues by encouraging regular proactive checkups? No… Are there still going to be people who say “I’m young and healthy so I don’t need to go for my annual checkup?” Yes… but we should be discouraging that line of thinking, not leaning into it.

Hope for the best, prepare for the worst.

2 Likes

How about don’t rely on anyone? Are free software advocates evil for giving advice despite not being experts, even if said advice is good advice? Because if the big tech advocates and security extremists had their way PG would be a big tech shill site.

Security matters, but it is not the only thing that matters.

Well, I think you and I are just dealing with different developers :joy:

4 Likes

I believe it :smile:

There are definitely ways of phrasing this stuff that can come across as alarmist, so in that sense I get what you mean. Communicating why proactivity and preparedness for unlikely events (with anything really: health, natural disasters, etc.) matter, without alarming people, is hard to do.

Also is this now healthguides? :stuck_out_tongue:

4 Likes

Between a country where the researchers work on developing a vaccine or the government secures ways/agreements/budget to source the vaccine, the government actively invests in isolative infection control measures, equipment sterilising resources and PPE for hospitals/clinics, privacy-preserving contact tracing infrastructure and software, accessible hygiene facilities for people etc., and a country that does none of these things until a pandemic crosses their borders, which would you recommend someone settles in?

2 Likes

I’m glad you brought this analogy back in to play lol, but I don’t think you understand what I was saying. I was explicitly saying developers (in your analogy the government, researchers, etc.) do need to worry about and work on these problems ahead of time, but end users don’t necessarily.

What your question should be with that in mind is: would I recommend someone settle in a place where the government forces lockdowns and enforces curfews and social distancing on its citizens as a preventative measure before a pandemic happens, or a place where they do that after a pandemic crosses their borders? And I would certainly say the latter! :slight_smile:

I think we can all agree this analogy is very drawn out though so I’m not going to litigate it further than this :laughing:

1 Like

It is possible I will not be able to understand exactly what you mean, but I can definitely see that this is at least a highly extreme and additionally inefficient and nonproportional use of resources.

I guess for me it is hard to understand why people don’t see the standard that iOS/GrapheneOS aim for as the proactive minimum to ensure generic pandemics (among other health problems) are as manageable/prevented as comfortably allowed, rather than being happy with never hitting that minimum until disaster has already struck (causing the extreme measures to be much more attractive).

1 Like

Fire prevention might be a more useful analogy. Buildings have sprinklers, fire extinguishers, fire-resistant materials, building codes to ensure escape routes, etc

Proactive protections for unlikely scenarios are important not because those scenarios are likely, but because of the gravity of the impact of those scenarios should they occur.

3 Likes

At PG, we don’t use the OWASP definition, but a more layman’s version of defining basic adversaries and countermeasures.
I also don’t believe many people here have created a

Also remember that SecureBlue is security first in terms of priority ordering. This does relate to PG’s goals, but there will be misalignments. This is OK. Not everyone has to do Privacy > Security.

I’m in alignment with you. Your perspective is offering a service to, let’s say, thousands of users, where an unlikely event for a single user now becomes semi-common based on probability. It’s important to be as secure as possible up-front, and let the users roll back protections they personally don’t need. Opt-out security rather than opt-in sets a strong precedent.

3 Likes

I think that people simply find some aspects too restrictive. At the end of the day, people generally want to be able to shoot themselves in the foot, for better or for worse. This is why I am primarily concerned about the scenario where someone does everything correctly but gets pwned anyways.

Something which occurs to me is that you might be saying unlikely, but using examples which are very likely, just infrequent. Fire drills are very important because the likelihood of you being in a fire is actually pretty high, but it could be in an hour or it could be in 20 years.

Whereas I feel like I commonly see people very worried about situations which are actually just quite unlikely to occur, and I commonly see people stoking those fears.

And to me, likelihood is conditional on having some prior knowledge. You can establish that with evidence, like knowing how often fires occur and about flammable materials. If it hasn’t happened before, you can also establish that with knowledge about the potential threat. Like during the Cold War there were drills about what to do in the US if Russia attacked us, because we considered it very likely based on our evidence-backed knowledge about their capabilities. Luckily that never happened, but only because the Cold War ended. If that event were extended over a long enough period of time it almost certainly would’ve happened eventually.

In a very general sense (i.e. not specifically from you, but from many stereotypical “hardening” proponents), what I have observed is security measures being advocated for and implemented without ever establishing the likelihood that they’ll actually matter, and when those measures add additional burden or restrictions to users, I have a bit of a problem with that. I mean if you can fix a security problem in an unnoticeable way then who cares how unlikely it is, more power to you, but realistically most measures do have side effects.


Edit: To complete the analogy, an unlikely event is like an alien invasion. Most scientists think the probability of aliens existing is basically 100%, which makes the threat extremely real actually. But without any evidence-based knowledge about them we simply cannot establish any likelihood, so we’re not going to drill for an Independence Day scenario.

Since the probability exists I’m still glad there are researchers searching for them :slight_smile:

3 Likes

Not everyone has to do Security > Privacy > Freedom.
Not everyone has to use Chromium.
Not everyone has to avoid uBlock Origin just because it’s MV2 or not use any extensions at all.
Not everyone has to own a Google Pixel.
Not everyone has to use their phones for everything possible.
Not everyone has to use GNOME with no extensions, or avoid Linux entirely.

1 Like

Something which occurs to me is that you might be saying unlikely, but using examples which are very likely, just infrequent.

Every analogy has its limits. Security incidents are both very likely and very frequent. They are constantly happening. Whether a particular person is going to get caught up by a particular attack, targeted or untargeted, is where things get less likely.

the likelihood of you being in a fire is actually pretty high, but it could be in an hour or it could be in 20 years.

This is even more true for security incidents. Fires are just far more visible and far less automated.

Whereas I feel like I commonly see people very worried about situations which are actually just quite unlikely to occur, and I commonly see people stoking those fears.

There’s a difference between being worried about something and soberly acknowledging and mitigating a risk. I don’t understand why you keep conflating the two. The people stoking fears are (anecdotally) usually the ones trying to sell you something anyways :smile:

what I have observed is security measures being advocated for and implemented without ever establishing the likelihood that they’ll actually matter

Frankly, this is just not how things work in computer systems security and that’s probably why all these analogies are failing. Unlike in other scenarios, there are millions of possible combinations of attack vectors using any possible combination of vulnerabilities in different subcomponents of the system or even across systems within a network. Yesterday’s vector was one thing, and tomorrow’s will be another. You’re asking security experts to provide a crystal ball. There isn’t one. The landscape is constantly changing.

Also, your statements about trying to catalog past disclosed vulnerabilities make me think you haven’t deeply looked into what risks are present and how defensive security works on a day-to-day basis in some of the largest organizations on the planet. I’m hoping the cavalier attitude towards this subject is motivated by that, because if it is being done knowingly it is fairly irresponsible. Large enterprises aren’t the only ones with things worth protecting. End users have data, privacy, accounts, personal information, etc. that are worth protecting too, and they should be provided with education that soberly makes them aware of risks and points them in directions that mitigate those risks. To downplay the risk, and in particular the poor state of desktop Linux, or to point users in a direction that doesn’t properly mitigate those risks, is to do them a massive disservice and to imply that they don’t have something that’s valuable enough to be worth protecting against remote contingencies. I think that they do :slight_smile:

1 Like

You are free to choose less secure options. For me personally, my goal is not to try to convince people that they should prioritize security. My goal is to help people who have already decided they want a more secure option. If you don’t want to prioritize it, don’t prioritize it. :slight_smile:

7 Likes