BigHeadMode (OP) to Cybersecurity@sh.itjust.works • Threat model for PGP signed software vs. HTTPS
1 · 2 months ago
That’s Plan D in my OP. I still find hashes more convenient than PGP, but I’ll give PGP another try.
BigHeadMode (OP) to Cybersecurity@sh.itjust.works • Threat model for PGP signed software vs. HTTPS
11 · 2 months ago
Not sure what you’re getting at.
Plan A in my OP goes great. ubuntu.com has rarely if ever been compromised. They provide sha256 hashes over HTTPS via that site, see here. It’s signed with Let’s Encrypt which updates every 90 days. In theory the Ubuntu PGP keys are more secure (less moving parts / attack surface) than their server, but in practice a compromise of Ubuntu.com lasting longer than 90 days would be extraordinary. Most times I see mirrors, the hashes are provided on the main site, which renders the mirrors obviously correct or incorrect. I can download an Ubuntu ISO from `malware.ru` and verify that it’s authentic with the sha hash.
The only flaw I have found in plan A is plan D.
❌ plan D
- bad guy owns software.org
- did not compromise the public key (created years prior by the true owner)
- they cannot distribute software that matches the public key
- software is malware, served over valid https, and verifiable with malware hashes served by bad guy
With a hash, assuming you can verify it properly, you know ubuntu.com served you what it wanted to serve you.
Getting an md5 or sha-1 hash is pretty easy even on Windows. There’s some BS md5 or sha function built in to Windows if you know where to look. It’s built in to most unixes with commands like `md5sum` and `shasum`. Those algorithms have few if any real-world flaws, but sha256 is plenty popular now and has no(?) known flaws.
If this is some comment in the vein of “Reflections on Trusting Trust” – there are tons of hash programs out there that can be run offline that will predate software to be hashed by years if not decades. I trust these myriad programs to provide accurate hashes.
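
An added example, not part of the original comment: a checksum check in the style of plan A (hash list from the main site, file from a mirror), run against constructed data to show that it catches a bad mirror but still passes in plan D, where the hash list comes from the same party as the file. The file name, byte strings and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import io

HEX = set("0123456789abcdef")

def parse_sums(text):
    """Parse sha256sum-style lines: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.strip().partition(" ")
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX or not name.strip(" *"):
            raise ValueError(f"malformed checksum line: {line!r}")
        table[name.lstrip(" *")] = digest
    return table

def sha256_stream(fileobj, chunk=1 << 20):
    """Hash in chunks so a multi-GB ISO never has to fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def verify(fileobj, name, sums_text):
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False  # not listed: fail closed
    return hmac.compare_digest(sha256_stream(fileobj), expected)

# Constructed sample data (stand-ins, not real ISO contents or real hashes).
NAME = "example.iso"
GENUINE = b"constructed stand-in for the genuine image"
TAMPERED = b"constructed stand-in for a modified image"
MAIN_SITE_SUMS = f"{hashlib.sha256(GENUINE).hexdigest()} *{NAME}\n"
PLAN_D_SUMS = f"{hashlib.sha256(TAMPERED).hexdigest()} *{NAME}\n"

def demo():
    return {
        "plan A, good mirror": verify(io.BytesIO(GENUINE), NAME, MAIN_SITE_SUMS),
        "plan A, bad mirror": verify(io.BytesIO(TAMPERED), NAME, MAIN_SITE_SUMS),
        "plan D, site-served hash": verify(io.BytesIO(TAMPERED), NAME, PLAN_D_SUMS),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

The third case matches because a hash only ties the file to whoever published the hash list; a signature made with a key obtained earlier is what separates plan D from plan A.
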
BigHeadMode (OP) to Cybersecurity@sh.itjust.works • Threat model for PGP signed software vs. HTTPS
1 · 2 months ago
HTTPS is super convenient. If you’re paranoid, or the entire chain is not HTTPS (HTTPS links to HTTP downloads), you can use a hash program.
a solution in wide use in several Linux distros, meaning the compartmentalization of apps in constrained environments is already a mechanic used in flatpak, snap, even docker
Not a good argument. Several distros use it, but most mainstream distros are not focused on sandboxed apps. If you look up “should I use Snap on Ubuntu” the responses are around 80% no.
no one was writing malware targeted at us
Probably not true now. It took some digging but I found e.g. BPFdoor https://attack.mitre.org/software/S1161/ which “does not need root to run” https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis
The silver lining is that a lot of these backdoors are nation-state level so you might not be targeted by them. If I had data on my computer worth a dang, I’d be more concerned.
BigHeadMode (OP) to Linux@lemmy.ml • The ChromeOS of Linux: Basic use cases, impossible to break, ~1,000 happy(?) users, Nix based. Nixbook OS.
5 · 4 months ago
It’s controlled by a major corporation that tightens up all the time (e.g. the manifest v3 changes conveniently hurting ublock origin, the weird app interests thing that only Google supports, the conflicts of interest between Chrome, Google, and Chrome users [webP vs JPEG-XL]). Stock Chrome/ChromeOS is a massive data harvesting operation that gets more insistent with each update. Once Google stops supporting them they can become paperweights if you don’t have alternate OS support (not every model does). Goes against the libre philosophy of mainline linux. ChromeOS running Linux is an implementation detail, for how much use it provides the average user.
Graphene has options to restrict that [user storage availability] but you have to set it up that way.
It’s also a bit of a pain to manage as an end user. I wish it shipped with a toggle that was a step up from stock Android but also not in the way constantly. Like “we went through the top 50 apps on Play Store and FDroid, we classified them as media player, social media, etc., and we made rules for each category that reasonably isolates it while still allowing core functionality.”
BigHeadMode (OP) to Linux@lemmy.ml • Confession: I don't know what passwords in Linux are for
2 · 4 months ago
Your phone and optional software available for Linux go a step further [for bruteforce prevention]
Do you have specifics for Linux?
BigHeadMode (OP) to Linux@lemmy.ml • The ChromeOS of Linux: Basic use cases, impossible to break, ~1,000 happy(?) users, Nix based. Nixbook OS.
4 · 4 months ago
Cheers to this guy for what he’s doing, but the name is a little confusing. This approach works but it is not nearly as robust as the immutable distro paradigm implied by the name.
Good point. It’s a 1000 person PoC and not yet a titan. He’s doing in-the-field testing and even has his two kids daily driving it (one on testing branch, haha).
BigHeadMode to Linux@lemmy.ml • Your old android phone is begging to be a cheap home server!
2 · 4 months ago
It’s great to reduce ewaste, but from a practical perspective I strongly suggest finding a phone that can do postmarketOS. This is becoming more of a trend and postmarket at least has a handful of guides from people who have put servers on PMOS. I suspect all phones lead to pain when self hosting, but postmarket leads to less pain.
BigHeadMode (OP) to Linux@lemmy.ml • Confession: I don't know what passwords in Linux are for
3 · 5 months ago
Any modern operating system is so complex and has so many parts interacting with each other that it’s always possible to hide something malicious somewhere in the Rube Goldberg machine which most people will never notice.
100%. From what you’re saying, though, it sounds like a Linux password is a red herring, and a secure password even more so. If SSH is disabled the class of attacks to be prevented are users ‘voluntarily’ running malware pretending to be goodware.
Never ever run any untrusted program or script, not even unprivileged. The biggest thing Linux has over Windows in this regard is the package manager, which is actively moderated by your distro maintainers, so you don’t have to download random installers from the internet like on Windows.
True, but does anyone operate this way? At that point it becomes an iPad or a Chromebook. (It does look like flatpaks or docker containers isolate behavior, so that’s a win.)
BigHeadMode to Linux@lemmy.ml • Handled a ThinkPad today. What distro should I go with? Ubuntu? Arch?
1 · 5 months ago
However, I will add that if you hate the default Debian installer and are willing to dig a bit through the website, they do have live USBs for each DE with a Calamares installer that I love. I really wish they would promote those more.
OMG. I used that years ago and assumed it got deprecated or something. The debian website is something else. Do they still bury nonfree ISOs?
BigHeadMode (OP) to Linux@lemmy.ml • Confession: I don't know what passwords in Linux are for
1 · 5 months ago
What are passwordless solutions in Windows for remote access, disk/filesystem encryption, keyrings?
There’s the first-party remote desktop tool. I believe it pops a prompt on the client PC and asks to connect. Sysadmins can bypass that I’m sure. Third party tools like teamviewer configure a one-time password to authorize over the internet.
You can use biometrics for encryption, but I wouldn’t and don’t. Keyrings I’m not sure if Windows has OS-level password storage beyond the archaic storage of things like wifi passwords and SMB/samba logins.
BigHeadMode (OP) to Linux@lemmy.ml • Confession: I don't know what passwords in Linux are for
1 · 5 months ago
That would align with my threat model which considers physical access to be game over (except for FDE). I hope there’s a hardware token like yubikey out there as well.
BigHeadMode (OP) to Linux@lemmy.ml • Confession: I don't know what passwords in Linux are for
1 · 5 months ago
Answering your question directly, the major threat to most consumer users is physical compromise or theft of device. Your statement that “physical access is game over” is not entirely accurate: disk encryption with a password is a very strong protection against unauthorized data access, but you need to use a password (doesn’t matter if it’s Linux or Windows).
Yes, this comes down to the laptop market being much more popular. I’m talking about a desktop.
BigHeadMode (OP) to Linux@lemmy.ml • Confession: I don't know what passwords in Linux are for
1 · 5 months ago
If you have never used a password on windows or some other authentication mechanism then your Windows is not very secure.
Can you elaborate?
Some random person or app cannot just click through it.
So a regular script on Linux can run e.g. `sudo apt update` and just hope that there’s no password on the current account, and escalate to root?
BigHeadMode (OP) to Linux@lemmy.ml • Confession: I don't know what passwords in Linux are for
1 · 5 months ago
The password deters a casual hacker and buys you some time to notice and deal with anyone seriously trying to break in.
Specifically, are you talking about physical access? SSH? Something else?
BigHeadMode to Linux@lemmy.ml • Handled a ThinkPad today. What distro should I go with? Ubuntu? Arch?
3 · 5 months ago
For a PC from around 2010-2018: Mint Cinnamon, Ubuntu 24.04, Lubuntu 24.04, MX Linux, in that order. Not Kubuntu, apparently it’s the lost sheep of the family. Until you’ve used Linux for a few years, always aim for LTS (long term support) or similar terms. Never use an OS billed as a “beta” or “release candidate”. “Rolling release” is suspect. It’s all fun and games until your OS doesn’t boot or you lose your data. Stability matters (and back up your data). Once you learn how Linux works, and if you become an enthusiast, you can do what you want. I highly, highly doubt you’ll find Arch as painless as what I recommend.
https://lemmy.frozeninferno.xyz/post/58612395
400+ installs in the past four years - discarded/donated business laptops that get fixed, cleaned, upgraded with cheapest SSDs and donated to predominantly tech illiterate users.
99% is ubuntu lts + ansible playbook that removes snap, disables A TON of update naggings, installs flatpak, coupla apps and systemd timer to autoupdate all flatpaks. this is the only thing that has low support requests, everything else we tried (mint, debian, fedora) has a disproportionately higher support request frequency (reinstalls, wifi, fix this, remove that, etc).
I’d say Ubuntu as #1 but it’s not known for maximum performance. Debian installer is a total mess and Linux fans don’t realize how foreign it is to a newbie. It feels like the Debian installer was last updated in 2004. I have a soft spot for Lubuntu and its classic Windows 2000 look. Runs fast too if that matters to you.
BigHeadMode to Linux@programming.dev • KDE's start menu bugs make it feel 100x slower than it is
5 · 5 months ago
Per some feedback, I tried on another distro. Fedora 43 (hot off the presses) only has some of these bugs. I couldn’t reproduce 1, 2, and 4 here on Fedora 43 KDE live.
The first mistake is using Kubuntu. It’s always been a buggy mess.
Considering my experience with Kubuntu 24.04, I’m inclined to agree. But it gets top billing on kde.org because (it seems) Ubuntu pays more money than SUSE.




Trust on first use makes a ton of sense. It would be nice if the PGP people explained that prominently.