One escalation in info security is to harden your OS to minimise exposure to some of the lazier ambient harvesting the gangsters/feds/gangster-feds can do. This is probably something that is worth your time if you are, for example, a journalist in a free-press-hostile state. You might want a hardened mobile device also.
One tactic one might try, for certain risk profiles, is an open-source hardened operating system. It is harder, for now, probably, for states to inject spyware into open-source systems than into closed commercial ones because of the greater transparency. Not impossible, mind you, and it will get easier as the backdoor infrastructure improves. Note also that many Linux kernels include suspicious closed-source drivers and firmware blobs. I am not qualified to comment on how serious a risk that is at my shallow end of the swimming pool.
Anyway, let’s have a look at some in-principle ways to set up our machines for confidential uses, which we might suppose are at the very least troublesome to molest without a warrant.
I’m going to dump a bunch of stuff here while thinking it through. These will be nerdy notes, to be whipped into a more pedagogic introduction later.
Quotes are taken from distrowatch.com unless otherwise stated. See their security-focussed distro list also.
Pre-rolled hardened OSes
Hardened distros try to avoid the default not-especially-secure setup of computers that are designed to be friendly and welcoming and easy to do things on. But perhaps you want to have a computer that only lets you do things that are secure?
Qubes OS is a security-oriented, Fedora-based desktop Linux distribution whose main concept is “security by isolation” by using domains implemented as lightweight Xen virtual machines. It attempts to combine two contradictory goals: how to make the isolation between domains as strong as possible, mainly due to clever architecture that minimises the amount of trusted code, and how to make this isolation as seamless and easy as possible.
Is this very much better than ordinary hardened distros? Not sure. It certainly burns lots of CPU cycles in maintaining security.
Kickos is the hardened core of Whonix, below. I don’t know much about it, except that it does not include all the fancy anonymisation stuff for which Whonix is famous, so by default it does less work to hide your identity. For anonymity, see next.
Pre-rolled anonymous OSes
Anonymous hardened OSes are more paranoid than merely hardened OSes. They don’t just try to keep you safe from the nasties, they also try to hide who you are, by erasing distinguishing tells in the OS, and by using anonymising networks such as Tor. Maybe other stuff.
Usually these systems are not designed to be your main or only OS, and indeed they are kinda annoying and slow to use. They are for doing your confidential stuff, such as talking to journalistic sources, doing political organising, escaping your abusive spouse, and also less savoury uses.
The Amnesic Incognito Live System (Tails) is a Debian-based live DVD/USB with the goal of providing complete Internet anonymity for the user. The product ships with several Internet applications, including web browser, IRC client, mail client and instant messenger, all pre-configured with security in mind and with all traffic anonymised. To achieve this, Incognito uses the Tor network to make Internet traffic very hard to trace.
Tails is low on features, but that might mean it’s harder to hack. If you don’t mind decreasing your security, you can install extra software. The basic idea is it runs on a USB and keeps as much as possible in RAM so it should forget what you were up to relatively quickly. So it is ideally also deniable.
Whonix is also a hardened OS, and anonymous, but it is designed for running as a virtual machine. It is not quite as amnesiac as Tails, but slightly better at hiding your network, AFAICT, since it is easier to tunnel it over a VPN. Virtual machines are intrinsically more dangerous in this era of speculative execution bugs etc., but they also avoid some stupid nonsense like needing a whole spare computer to use. It has an amnesic VM mode, whonix-live, and also an amnesic non-VM mode (basically, imitating Tails) called grub-live.
heads is admirably crazy paranoid and aims to one-up tails.
heads is a privacy-focused Linux distribution designed to make it easy for users to access the Internet anonymously using the Tor network. heads is based on Devuan and features only free (libre) software. The Linux kernel has had non-free blobs removed.
However their release schedule is sluggish.
Linux Kodachi is a Debian-based distribution which can be run from a DVD or USB thumb drive. The distribution filters all network traffic through a VPN and the Tor network, obscuring the user’s network location. The distribution attempts to clean up after itself, removing traces of its use from the computer.
Not sure about the provenance of Kodachi or the weird built-in VPN. But if it were secure it would be very convenient. Possibly installing from source would be wise? But the source claims to be version 3.7, not the version 5.5 now being distributed. Red flag.
DIY hardened OS
How much do you trust the distro package maintainer, though, for any of these? (Just one guy is credited for e.g. Kodachi.) Or indeed, for any OS distro? Groups like the Core Infrastructure Initiative aim to facilitate this. Note that it is hard to trust the build toolchain right now; with the best of intentions a maintainer cannot easily guarantee that the binaries they supply are secure even if the sources are, until deterministic (reproducible) builds and other technologies come online for Linux distros. Notably, this is not on the cards for Ubuntu or Red Hat.
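To make the deterministic-builds point concrete, here is an added example (mine, not code from the page or from any distro’s tooling) that packages the same two constructed source files twice. The naive build embeds the build clock in the gzip header and in each tar entry, so two honest builds of identical sources produce different hashes and a third party cannot tell a clean rebuild from a tampered one; the deterministic build pins timestamps to a SOURCE_DATE_EPOCH-style value, zeroes ownership and sorts entries, so any two builders get the same bytes.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "sources"; in a real distro this is the package's build output.
SOURCE_FILES = {
    "bin/tool": b"#!/bin/sh\necho hello\n",
    "etc/tool.conf": b"level=1\n",
}

# Assumed fixed reference time, playing the role of SOURCE_DATE_EPOCH.
SOURCE_DATE_EPOCH = 1_600_000_000


def build_package(files, build_time, deterministic):
    """Return a .tar.gz of `files`. `build_time` is the builder's wall clock."""
    buf = io.BytesIO()
    # gzip stores an mtime in its header: a classic source of non-reproducibility.
    gz = gzip.GzipFile(fileobj=buf, mode="wb",
                       mtime=SOURCE_DATE_EPOCH if deterministic else build_time)
    with tarfile.open(fileobj=gz, mode="w") as tar:
        # Directory listing order is another variable; sort it away.
        names = sorted(files) if deterministic else list(files)
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            # Per-entry mtime and ownership must be pinned, not taken from the host.
            info.mtime = SOURCE_DATE_EPOCH if deterministic else build_time
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    gz.close()  # flushes the gzip trailer into buf without closing buf
    return buf.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def is_reproducible(files, deterministic):
    """Rebuild on two different 'days' and report whether the hashes match."""
    first = digest(build_package(files, 1_700_000_000, deterministic))
    second = digest(build_package(files, 1_700_086_400, deterministic))
    return first == second


if __name__ == "__main__":
    print("naive build reproducible:        ", is_reproducible(SOURCE_FILES, False))
    print("deterministic build reproducible:", is_reproducible(SOURCE_FILES, True))
```

Verifying a distro this way means an independent party rebuilds from the published sources and compares the hash to the maintainer’s binary, which is exactly what the single-maintainer distros above do not yet let you do.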
Would you rather build from source? In principle you can do this for any open source OS, but it’s a right pain in the arse in general. The chain of trust is long with many links.
Distros like Gentoo/Funtoo and Arch Linux support source builds in principle, but they require you to know what you are doing to ensure that you have actually set them up in a secure fashion, as opposed to just cargo-culting some fancy esoteric OS in the hope that it will be secure.
Gentoo Linux is a versatile and fast, completely free Linux distribution geared towards developers and network professionals. Unlike other distros, Gentoo Linux has an advanced package management system called Portage. Portage is a true ports system in the tradition of BSD ports, but is Python-based and sports a number of advanced features including dependencies, fine-grained package management, “fake” (OpenBSD-style) installs, safe unmerging, system profiles, virtual packages, config file management, and more.
EZ Gentoo is Funtoo.
Funtoo Linux is a Gentoo-based distribution developed by Daniel Robbins (the founder and former project leader of Gentoo Linux) and a core team of developers, built around a basic vision of improving the core technologies in Gentoo Linux. Funtoo Linux features native UTF-8 support enabled by default, a git-based, distributed Portage tree and Funtoo overlay, an enhanced Portage with more compact mini-manifest tree, automated imports of new Gentoo changes every 12 hours, GPT/GUID boot support and streamlined boot configuration, enhanced network configuration, up-to-date stable and current Funtoo stages - all built using Funtoo’s Metro build tool.
Arch Linux is an independently developed, x86_64-optimised Linux distribution targeted at competent Linux users. It uses pacman, its home-grown package manager, to provide updates to the latest software applications with full dependency tracking. Operating on a rolling release system, Arch can be installed from a CD image or via an FTP server. The default install provides a solid base that enables users to create a custom installation. In addition, the Arch Build System (ABS) provides a way to easily build new packages, modify the configuration of stock packages, and share these packages with other users via the Arch Linux user repository.
Alpine Linux is a community developed operating system designed for routers, firewalls, VPNs, VoIP boxes and servers. It was designed with security in mind; it has proactive security features like PaX and SSP that prevent security holes in the software from being exploited. The C library used is musl and the base tools are all in BusyBox. Those are normally found in embedded systems and are smaller than the tools found in GNU/Linux systems.
This is not actually a source distro, but rather a pre-built one with a smallish attack surface. But that might be enough?