Hi there,

Win10 is soon not supported. Tbh Linux has been on my radar since I started to break from the US big tech.

But how is security handled in Linux? Linux is pretty open-source, or am I not understanding it correctly? So how can I as a new user make sure to have the most secure machine as possible?

  • missfrizzle@discuss.tchncs.de
    19 days ago

    the most secure possible? you’ll need to learn a ton. you’ll get there, but it’ll take a while.

    decently secure? install Linux Mint, install your updates, don’t run sketchy commands with URLs in them unless you know what you’re doing, maybe follow a hardening guide. you’ll be okay.

    if you need to be extremely secure and private, install Tails on a USB stick. it will be slow and frustrating, and you’ll need to save files to a second USB drive, but it will probably keep you pretty safe, and it’s decently user-friendly. just make sure you keep Tails updated! you’ll have to do that by flashing the new Tails onto a new USB drive, there’s no easy way around that.

    those are your two most user-friendly, safe approaches.

  • frongt@lemmy.zip
    20 days ago

    You’re going to need to be more specific. There are dozens of aspects of security.

    But if you want to have the most secure machine, then never turn it on, encase it in lead, and drop it at the bottom of the ocean.

    • UheldigeBenny@feddit.dkOP
      20 days ago

      Since I was referring to win10 losing support I thought it was understood that I asked about security updates like windows does. But to specify, how are the ongoing security updates working on Linux? Who does it? Is it even being done? It is an assumption on my side that the security is done in the same manner as win and mac, with continuous updates, but that might as well be a wrong assumption.

      • Aelyra@lemmy.ml
        20 days ago

        It’s kind of like Windows. You just hit that shiny “Update” button and boom, your software’s up to date and more secure. Depending on your Linux distro and setup, you might not even need to reboot, which is pretty cool.

        Under the hood, most distros don’t really separate security updates from regular ones for everyday apps like your browser. They just roll them all together. But for the kernel, the super deep-core part of the system, sometimes you get security fixes without any new features. That helps keep things stable and safe.

      • frongt@lemmy.zip
        20 days ago

        Security updates are provided by each package maintainer and released on their own schedule. Microsoft releases updates monthly on Patch Tuesday, unless there’s a severe vulnerability that can’t wait. But since Linux is a bunch of different packages rolled into a distro, there’s no one authority managing updates.

        So, this means you might get them faster, or if a maintainer is not engaged, slower. Or, if a package is abandoned, not at all. Distros generally make sure their provided packages are maintained, but updates to third-party packages are not guaranteed.

      • relativestranger@feddit.nl
        20 days ago

        it’s similar. in a mainstream distribution with a desktop environment, updates can typically be configured to notify you or install automatically. it’s common for those updates to now also include third-party sources like flathub.

        upgrades (to a next point release or major version) are different, some can be fairly straightforward–others, not so much. and those upgrades will be more frequent, as the “lifecycle” for most linux distributions is shorter than windows’ 10 years.

  • Sunoc@sh.itjust.works
    20 days ago

    Great to hear you’re willing to move to Linux!

    Like other comments pointed out, there is no such thing as “most secure”. It’s a deep rabbit hole and it’s better in general to assume that any device connected to the internet is at risk. Hell, any storage can be compromised if the entity interested puts enough effort into it.

    I recommend reading the page on Privacy Guides, it gives a good overview. In general, you should consider your threat model: what is your situation and what do you want security or privacy for?

    • Regarding security, I would say for a general case, any modern, popular Linux distro with full disk encryption is probably good enough and as secure as any other OS. I would recommend going with a Fedora Silverblue or an OpenSUSE Tumbleweed, but the more popular Ubuntu or Mint are great as well for new users.
    • If you also want “good enough” privacy, you should focus more on the software you are running, and the situation of your data, especially in your usage of your web browser. But that’s a different topic entirely.
    • If you actually want more advanced security though, that’s where it becomes difficult/fun. You need to consider what you are trying to protect yourself from, specifically. Virus? Maybe a compartmentalized OS like Qubes might be a solution. Physical access to your device? You can get a dead man switch that kills your system disk if your laptop is taken away from you. You want to hide your OS install from a security inspection? You can set a deniable full disk encryption with a facade OS that protects you from a rubber hose attack. Probably many other things exist I am not aware of.

    But anyway, if your question is “Is a Linux distro at least as secure as my previous Windows”, the answer is definitely YES imo. And if you want MOAR, it’s gonna be a fun ride!

    [edit: and yes, updates! Update your system plz.]

  • Ulrich@feddit.org
    20 days ago

    Most of the security is in the kernel, so you can make sure you have the latest kernel. Also secureblue is a security-focused distro that makes use of GrapheneOS’s hardened malloc, so that’s the most secure one that I’m aware of.

  • atzanteol@sh.itjust.works
    19 days ago

    > So how can I as a new user make sure to have the most secure machine as possible?

    That’s not what you want. You want a reasonable level of confidence that your system is secure.

    The process is similar to Windows - keep it up-to-date, use good passwords, don’t run things as root (admin), and don’t install things that are questionable.

    The package manager under linux is where you should start, and that varies by distro some. But generally speaking things installed from there are “safe” and will be updated by the package manager when you do updates.

  • 🧟‍♂️ Cadaver@lemmy.world
    19 days ago

    To have the most secure machine possible, you might need a hardened kernel but you absolutely need to have SELinux (or equivalent) rules set up.

    The easiest way to have a go at this would be to install OpenSuSE (any version will do, they all ship with SELinux ootb) and follow guides on how to set up SELinux permissions.

  • muusemuuse@sh.itjust.works
    20 days ago

    Windows has a lot of shit to second guess the user. Linux doesn’t. Linux doesn’t babysit you. It has some guardrails but the general idea with Linux is it’s your computer, it will do what you tell it to do, even if it’s a bad idea. This makes things lighter, faster, more private, but it has also led to security incidents.

    Windows and Mac will watch what you are doing. If they see something suspicious, the security software can jump in and telemetry means they can notice patterns as new malware appears on their users’ machines. This makes the machines slower and heavier and less private, but also easier for users to deal with because they don’t have to actually know anything. They can just buy their way out of a problem with superdupertotallaylegitantivirus2025pro.

    Anyone who says Linux doesn’t get viruses is lying to you. It does. They all do. But it’s not that common because Linux is a smaller market share so most nefarious people won’t waste their time on a smaller target unless there is something that specific target has they want. So old people using fedora kinoite to access email and facebook are fine, but Pete Hegseth watching ignoring security practices and visiting shady sites is probably a worthwhile target and could be vulnerable.

    Linux has major advantages over the industry approach of “we know best” but it also has disadvantages. If you are the kind of person who wants to learn and improve and grow, Linux could work for you. If you are more the irresponsible buy-someone-else’s-solution-to-my-problems type, it’s not.

  • fodor@lemmy.zip
    19 days ago

    You don’t actually need “perfect” security in the future, any more than you did in the past. Windows was not perfect, right? So stop looking for perfection. Instead, look for “good enough for 99.9% of the world”. And you can get that with many of the popular Linux distributions.

    Basically, install a popular distro, and keep your software to whatever is in the package manager. Don’t install random shit manually. Don’t download random software from random websites. Don’t fuck with security settings unless you read up on the topic very thoroughly. Then you’ll be fine.

  • utopiah@lemmy.ml
    19 days ago

    Others have said it before but basically : what is YOUR (not me, not your best friend, nor your colleague, etc) threat model?

    To clarify that means WHO is actually trying to threaten your security?

    Typically, for most people it would be:

    • scammers trying to get pieces of your identity or your local cryptocurrency wallet or resources they can use to repeat that on to others.

    For some people, like activists or political journalists it would be :

    • national actors, e.g. governments, with their surveillance apparatus, who might end up on a list with a set of conditions that would trigger some automated scan to get e.g. Signal logs

    For very very few people, say Edward Snowden, who within the previous group actually did trigger some action :

    • actual team of hackers trying to hack into their devices

    So as you can imagine, if you are part of group 1, 2 or 3 then the way you will protect yourself is totally different. What you will have to protect is also different, e.g. if you have no cryptowallet but are traveling you might have to protect your physical phone and its data.

    So… if you are serious about this, take a cybersecurity class. There are plenty available but how a computer works, software and hardware alike, is precisely what makes them simultaneously powerful and also dangerous. There are plenty of ways to break security (e.g. return-oriented programming), plenty of ways that are practically impossible (e.g. encryption) due to the very nature of computers (i.e. computational complexity), which IMHO makes this one of the most fascinating topics. Ask yourself how come the credit card in your pocket (costing a few bucks to make) can’t be cracked by the largest supercomputers (costing billions) on Earth?

    TL;DR: no offense but you don’t seem to be ready for the answer without getting the basics first.

  • ColdWater@lemmy.ca
    19 days ago

    Nothing, just install your favourite distro and don’t run random commands/scripts/binaries you found on the internet

  • MonkderVierte@lemmy.zip
    19 days ago

    > So how can I as a new user make sure to have the most secure machine as possible?

    Shut the computer down. That’s it; computer as secure as possible.

    Otherwise, if you actually want to use your computer, google for “threat model” first.

    But generally: use an adblocker in your web browser, don’t execute random commands/tools from the internet before you know for sure what you’re doing, update stuff now and then and make backups.

  • arsCynic@beehaw.org
    20 days ago

    > So how can I as a new user make sure to have the most secure machine as possible?

    • Always use uBlock Origin in a Firefox-based browser (e.g., LibreWolf, Zen).
    • Never click on links in communication of any kind that you didn’t expect or that is too good to be true.
    • Never reinstall Windows.

    arscyni.cc: modernity ∝ nature.

  • the16bitgamer@programming.dev
    19 days ago

    From a Windows perspective, Linux does 2 things differently which make it more secure than Windows.

    1. Like MacOS it doesn’t need antivirus software like Norton. Windows needs antivirus because DOS, the OS Windows is based on, had it where any program had access to anything. This is still sadly true even on Windows 11. Linux is sandboxed, where instead of giving the program full access to everything, you just give it a sandbox with what it needs.

    Unless you deliberately run a program as the admin of Linux (su or sudo), malicious code can just delete system32.

    2. Linux is open source and while the desktop market share is tiny, there is a massive market in servers. As a result, since there are a lot of eyes on the project, if/when problems are found they are fixed quickly. I remember a time when a malicious actor was trying to add a backdoor into a library as a blob and it was caught.

    Windows on the other hand is closed source, meaning if MS can’t find the issue, the only time it is found is when it’s in the field. To avoid downtime MS offers bug bounty programs for those who can find issues, rather than to let them exploit it.

    • Eggymatrix@sh.itjust.works
      19 days ago

      I don’t know where you got your information from, but your mental model on how and why things work the way they do in both linux and windows seems to be really off.

      Since you seem like someone who is actually interested in understanding this stuff, I strongly suggest finding some better sources as your base.

    • ramenu@lemmy.ml
      19 days ago

      Windows isn’t based on DOS, though. It hasn’t been for a very long time. Linux isn’t sandboxed. Userspace applications can be sandboxed. There’s a difference.

      • the16bitgamer@programming.dev
        19 days ago

        Yes, modern Windows is based on the NT kernel. However, to keep compatibility with older programs, NT needs to be compatible with DOS. For most people they never saw the transition from DOS to NT, since it was quietly done with Win XP.

  • deadcade@lemmy.deadca.de
    20 days ago

    Security is an insanely broad topic. As an average desktop user, keep your system up to date, and don’t run random programs from untrusted sources (most of the internet). This will cover almost everyone’s needs. For laptops, I’d recommend enabling drive encryption during installation, though note that data recovery is harder with it enabled.

    • EpicStuff@lemmy.ca
      7 days ago

      I hear “don’t run random stuff from the internet” a lot, but back when I was using Windows, if I found something interesting on say GitHub I would just download and run it and I expected Windows Defender to block any viruses. Is there something similar for Linux? Like if I go around installing random AUR packages, is there anything stopping viruses from doing virus things?

    • Tanoh@lemmy.world
      20 days ago

      That is good advice, however sadly a lot of install scripts are basically: download this script from us, and pipe it to a root shell.
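
An alternative to the download-and-pipe-to-a-root-shell pattern mentioned in the comment above, as an added example that is not part of the thread: save the installer to a file, compare it against the checksum the publisher lists, and run it as your own user. The helper names and the sample installer are constructed for illustration.

```shell
# Added example; helper names are hypothetical, not from any project.
# A matching hash proves the file is the one that was published, not that
# it is benign, so the script is still worth reading before it runs.

# Print the SHA-256 of a file as bare hex.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if FILE does not exist.
verify_installer() {
    vi_file=$1
    vi_expected=$2
    [ -f "$vi_file" ] || { echo "no such file: $vi_file" >&2; return 2; }
    vi_actual=$(sha256_of "$vi_file")
    if [ "$vi_actual" != "$vi_expected" ]; then
        echo "REFUSED: hash mismatch for $vi_file" >&2
        echo "  expected $vi_expected, actual $vi_actual" >&2
        return 1
    fi
}

# count_privileged_lines FILE
# Prints how many lines call sudo, su or doas: the lines to read first.
count_privileged_lines() {
    grep -cE '(^|[^[:alnum:]_])(sudo|su|doas)([^[:alnum:]_]|$)' "$1" || true
}

# run_verified FILE EXPECTED_SHA256 [ARGS...]
# Runs the installer as the calling user, and only after the hash check.
run_verified() {
    rv_file=$1
    rv_expected=$2
    shift 2
    verify_installer "$rv_file" "$rv_expected" || return $?
    sh "$rv_file" "$@"
}

demo() {
    d_dir=$(mktemp -d)
    d_script=$d_dir/install.sh
    # Constructed stand-in for an installer saved to disk instead of piped.
    printf '%s\n' '#!/bin/sh' 'echo "installing into $HOME/.local"' > "$d_script"
    # Constructed stand-in for the checksum the publisher lists.
    d_published=$(sha256_of "$d_script")
    run_verified "$d_script" "$d_published"
    # Simulate the file changing between publication and download.
    echo 'sudo install -m 755 tool /usr/local/bin/tool' >> "$d_script"
    if run_verified "$d_script" "$d_published" 2>/dev/null; then
        echo "BUG: modified installer ran"
    else
        echo "modified installer blocked; privileged lines:" \
             "$(count_privileged_lines "$d_script")"
    fi
    rm -rf "$d_dir"
}
demo
```

The checksum only helps when it comes from a different channel than the script itself, such as a signed release page.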

      • procapra@lemmy.ml
        20 days ago

        Why not? You (usually) just click the check box during install, and you have 1 extra password when you boot up your system. Doesn’t seem too hard but I might be missing something.

        • Tenderizer78@lemmy.ml
          19 days ago

          It’s surprisingly annoying trying to configure LUKS full disk encryption. I had to look up instructions many times over on Mint.

          • NewNewAugustEast@lemmy.zip
            19 days ago

            Wait what? I don’t use mint, but with every other distro you just check the box at install and that is it.

            Are you saying it’s hard to configure after you have already installed? I could imagine it might be, but why not export a list of programs you use and back up the home directory. Reinstall and check the box, restore home, and import your package list?

            • Tenderizer78@lemmy.ml
              19 days ago

              Firstly, LUKS is under “physical disk for encryption” which is a stupid and confusing name.

              Secondly, if you want to dual-boot with LUKS you need to manually configure the partitions.

              Thirdly, you need to separately assign root to be installed on the “physical disk for encryption”, and they have multiple volumes for that in the list.

              Fourthly, as with all LUKS encrypted Linux distros you need a separate EFI, boot, and root partition.

              Fifthly, all of this partitioning is on a really small window that can’t be resized.

              • NewNewAugustEast@lemmy.zip
                19 days ago

                I don’t dual boot, so I guess there is that. But everything else seems very confusing. All other installers say, do you want this encrypted? You click yes. And that’s it.

        • Jumuta@sh.itjust.works
          19 days ago

          when you fuck shit up you can’t really easily boot in from a usb drive and learn the recovery process

  • transscribe7891@lemmy.dbzer0.com
    20 days ago

    I used to use ClamAV, but not sure I noticed much of a difference, so haven’t really used any antivirus software for a while now. Curious what people in this thread think of clam.

    • Nilz@sopuli.xyz
      20 days ago

      ClamAV looks for signatures of known viruses, most of which target Windows and not Linux. So it’s debatable how much more secure you really are by running ClamAV.