Since switching to Linux a few months ago, Windows feels completely unusable and unstable.

Updates can't break a Linux install huh? I guess my time spent with Manjaro was just some fever dream!

Well... you lost my trust very quickly. Proton Mail is NOT as secure as you lead on. They now track IP addresses and allow access to government agencies. Plus, you need an even more traceable email to tie it to in order to get an account. It's a bullshit smokescreen.

@@None17555 The chance of breaking an update in linux is very small if you use a stable and well maintained distro like Debian. If you use Manjaro or Arch Linux well then it's mostly just a matter of time for it to happen.

that moment when Proton Mail isn't nearly as private as you would think

Yep! It all depends on the distro and how much you’ve configured it to resist the threats you’re most afraid of!

Isn't bulletproof, but Windows has much more holes and attack vectors. Windows if full of complexity due to legacy support and has closed code. When someone finds a vulnerability, sometimes it is exploited for quite some time before someone finds out. Linux is open source. People are constantly auditing the code for vulnerabilities and it's much quicker to find a vulnerability. So, yes, Linux is definetly more secure by default, but I agree that Windows is also more targeted. But remember that the vast majority of servers in the world are running Linux and those are the ones usually targeted by the most advanced hackers.

​@@rallealytI'm a Windows user but the defaults in Windows are very bad for security and privacy. They may be fancy and cool and animated and convenient.....but they cause a security risk too. But I'm an advanced user, so virus or malware attacks on my machine have never happened.

Yeah, but he only realised it last week when he got sick by virus and (as reminded him) he still needs an antivirus... At least he is well now

I mean, all the large-scale attacks on webservers are servers with linux behind, the applications installed are more likely to have vulnerabilities then the OS, I've never rly heard of any big websites running on Windows.

I use Fedora after a 25 year career using Windows. Thanks for everything you guys do, your OS rocks

The way I see it, if someone has physical access to my system it's game over anyway.

@@Ryan-ct3rv This hasn't been the case for smartphones for over a decade, and the same approach can be adopted on the desktop.

Great knowledge. Thanks for sharing.

I'd love to enable secure boot, but I also rely on being able to hibernate my device, which for some reason is disabled when secure boot is enabled as a part of the kernel lockdown afaik I'm already using UKIs with dracut and systemd-boot, so I'm well prepared for hibernation and secure boot to be easy For context I am running Debian Unstable, with a manually compiled updated dracut

@@Sqaaakoi I'm not sure about your device (laptop, right?), but most modern laptops don't drain too much battery while in sleep mode, aka suspend-to-ram. Personally I use only this option and my laptop remains cold and charged for a long time. At least, more than 3 days. Also it does not require a big swap file/partition. I did a quick google search and seems like newer kernels should allow hibernation after adding "lockdown_hibernate=1" to a kernel cmdline. I did not test, but hope it helps

Even an introduction to firewall configuration covering the most important points would be excellent!

Agreed.

Yes please!

exactly

So much this. uBlock Origin is a must, back then i used to have Adblock Plus but that thing was a RAM hog.

uBlock also supports disabling JS. Most dangerous browser vulnerabilities are because of JS (there's some HTML and CSS too). I use whitelist mode, so all websites are static, except for some domains where I need JS

UBO is my go to. I use it on both Firefox and Vivaldi. (I don't trust anything else.)

Yeah, I really wanted to explore them more, but they definitely will need their own video, there’s a lot to talk about!

@@TheLinuxEXP Might wanna start of with SELinux vs AppArmor and what theyre used for and where the differences advantages and downsides are

@@TheLinuxEXP as a casual linux user wanting to find easy ways to run more securely, the most frustrating thing about security on any system (windows is worse obviously) is how fundamentally mixed up everything is at a low level, making it impossibly difficult to troubleshoot or make a security profile from simple, rational concepts. If you could make a video on how to get just deep enough into something, maybe like SELinux or Apparmor but not overwhelming... I would appreciate that a lot. An example of something I would love it if you made a video about is how I can most easily run insecure things securely. For example - I want to install an new notepad program, so I find one and install it. At a very basic level I know a few things, like when I'm not using it it shouldn't have any processes running. And it should never connect to a network, unless it's doing some cloud saving, for example. How can I easily manage security flip switches to turn those abilities on and off? Don't even give that process a sign there is a network card until I flip a switch? Same for executing in the background, writing to anything, etc. If that can be done in a video, I would be grateful and impressed. As for how... allow me to ramble on how I've found this impossible... Like trying to accomplish application container/sandbox style security.. I need to setup apparmor or SELinux... okay, maybe there's a GUI profile manager? Nope.. I haven't been able to find anything. And it seems intentional. For apparmor, supposedly easier to use but being less 'fundamentally' secure than SEL, had a GUI, premsde profiles... but now all that is gone, they're all paywalled. A bad trend for linux recently. SELinux on the other hand just seems to be ideologically against GUIs and profile tools because you *must* understand / accept full responsibility for all the nuanced complexity it has, in which case you aren't going to be some GUI using slob, you'll obviously live and die by CLI. It pains me I can't just install a new program I kind of trust but not fully and use linux to 'watch it' for abnormal behavior, because whenever anything uses any system services/resources they just "have access" or "don't have access". For a super common example - application specific network limitations and/or traffic monitoring / firewall is literally not a thing. It seems insane to me from a not-a-kernel-dev perspective that there is simply no fundamental way to watch / attribute all network traffic to specific processes. I get it that the way the architecture of the system is.. it's just hard or impossible to trace the source back into userspace from the kernel. But if you COULD simply monitor application traffic and behavior, profile 'normal' behavior, it would make it so easy to spot, or even automate spotting, abnormal / compromised process behavior. That would make malicious intrusion incredibly difficult, having to move around within other proceedes. Instead if you want to do that for network traffic you'll have to become an expert at ip/port/packet analysis to... make best guesses? Or start down the rabbit hole that is various tools to approximate this idea. I get that a fundamental problem arises from granular control (SELinux being the ultimate granularity) and config gets more and more complex as you get granular in a system with a complex web of interlocking parts... but I mean, why aren't basic, best practices and profiles easiee to make? Get me an 80/20 profile. We know one of if not the most common attack vectors is a malicious or infected process, so why are the tools to control, isolate, and analyze process behavior so arcane? /rant

@@stevenwinderlich2891 wrong channel

@@TheLinuxEXP Would still love to see a dedicated firewall video from you. You explain things really good und easy to follow.

Fail2ban is much more about passwd brute forcing than DOS blocks

"either disabling services or via firewall". No, you don't do only either, you must do both (assuming the service ain't used).

@@rautamiekka What do you expect a firewall to do when there is no actual service running?

❤ I second this as well. Make it so.

Me too! 🤚

Second this as well :)

True!

Oh sweet, ty for the tip lol

It’s conflicting that by default, the firewall is turned off on most Linux desktops.

@@a-yon_n and it is that way because there aren't any really user friendly configuration/management tools. Which sucks but makes sense.. people went through all the trouble of writing the actual firewall code for free and now some normie wants them to do more work to dumb it down and make it easy for them to use? Leave it for someone else...

And the other topics like SELinux and App armour would also be great.

​@@craigslist6988isn't the firewall gui on mint pretty straight forward even for noobs?

@@craigslist6988I’d argue that end user experience is an important part of any software project

That’s also a very good tip, yeah!

@@TheLinuxEXP Sadly ClamAv gives false positives a LOT of the time. I won't use it anymore. It's a known problem.

I second that. Feel pretty secure with openSuSE's default but I too enjoy having secure machines.

Having a TPM module is nice, software using it rare though. The more rare when the most needed.

@@lince4824 In some sense you would want fewer pieces of software to use TPM, so its functionality can be kept minimal and stable. More usage = new requirements = new bugs.

@@generic694 it must be used WHERE it is needed and WHENEVER it is needed. If you store critical passwords in RAM to avoid using the TPM module that's a security hole, as it happened to a serious widely exploited to the own Microsoft Servers network, because they decided to keep that password in RAM. It didn't need any high tech tool or software to abuse it, just a crash report sent to the development team, which in fact happened to include that CRITICAL Microsoft Exchange password. Do you think it cannot happen in Linux? TPM must be used whenever it is needed, not more, NOT LESS

AFAIK, it's possible to login by user ID. root must always be 0. So even if the name is unknown, you can still login to user 0

@@Rudxain This highlights the biggest issue. Educate yourself about how linux actually works. Then act accordingly. Misconceptions are what get people in trouble. Whether that's trusting something that shouldn't be trusted, or the example you give here.

@@that_heretic exactly! ... wait, you mean I'm ignorant or OP is ignorant? I'm genuinely confused. I could be wrong about the UID

Linux user have time

Strangest comment I've ever read. Very passive aggressive dig at Linux users dude. All the relatives and friends I've moved over to Linux have had zero security issues after having had regular attacks on Windows, and all they do is let the system run automatic updates whenever it asks. I've been using Linux 100% (no dual boot) for almost 20 years now and I have never had security issues regardless of my "indifference".

Yeah, i have been using linux by a year, and i found interesting how the SO (At least the few i tested) have the firewall turn off by default. It is dangerously strange to say the least.

@@howiecourt3445 lmao, Linux users suck and they have a terrible attitude in general. You are a part of the problem. If you think Linux has perfect security you are wrong. Every OS in the world needs to be aware and step up their security game these days, you can have malicious attacks on linux, macos, windows. It does not matter as long as someone constructs a program that is cross-platform, if you click on the wrong link it will hit you too.

@@howiecourt3445 Not a passive aggressive dig at anyone. I'm a linux user myself, obviously, as I suspect are more than 99% of Nick's subscribers and viewers. What I am criticizing, is the -widespread- omnipresent blasé nonchalance among linux users and developers towards security. In passing, I am also espousing Luke Smith's confutation of the term "linux community".

@@howiecourt3445 this is the strangest comment you've ever read? Well, let me be the first one to welcome you to the world wide web, you're in for a wild ride.

what security does this actually add? an attacker just needs my user's password to use sudo if they have an ssh session which i think is harder to obtain than the password.

Can you elaborate why? Wouldn't running the entire docker as sudo make it even worse if the image/contrainer was compromised? What about passing UID to the container, rather than making it run as root by default)?

@@SirRFI Docker daemon (server) is always running as root. The only thing you can decide about is whether client software is running as root or not. Having docker command available in your command line without sudo is like having sudo without password. With reasonably simple docker run invocation you can modify host files of your OS which is very big security hole.

Oh that is totally true. I’m an absolute goof and am being honest for the sake of agreeing with your posts’ accuracy.

Sometimes it's too painful to use random ports. Personally, I think that port knocking and limiting login attempts will be good enough in most cases

On the basic level. Windows still has FAR more services running as SYSTEM user (higher privileges than Administrator) than on Linux as root user. That said, I think it would be great to have Linux further develop with running less things as root. And as you mentioned have better defaults, or make it easy to have a distribution package called hardening. A huge missing feature of Windows is proper container support. That said I think Linux containers are still behind on Solaris Zones security level.

@@autohmae containers are definitely a linux security perk. i agree that you can do more in depth hardening with linux. but windows gives you simpler options and intuitive defaults

On my end, I am still trying to harden my Windows using Sandboxie and custom rules. And damn, I am still not done.

Good tips, thanks!

You're very wrong . I stopped reading at paragraph 2. Tin foil hat please, just kidding, but you're very very wrong. You are right that most people, experts and admins will make a barely secure system much much more insecure on the first day though.

@@lince4824 What do you feel I got wrong and why? I don't mind disagreement, but I really don't see much wrong with my list as a basic first pass. Keep in mind you can do much more, and should. Oh, and the #1 thing admins do, usually by accident or because they're busy, give everyone sudo, and sudo ALL=ALL. Actually, in a lot of case I recommend removing sudo, it's a very powerful tool, and you almost certainly don't actually need it.

Propper!!

Just forbid password login and use key only.

@@generic694 Amen to that.

Your firewall is only as good as how hard it is to pretend to be those camera's then. I hope they use an SSH-key to provide host identity

"2 or 3 word combos"? Like, for example, My1Password2Sucks3? For a proper password use a mix of upper and lower case letters, numbers, and symbols: Gx72&tP9kW28%5+Zz3F$28Q-14Rs. Use something similar as the user name, and wish every brute force attack good luck.

Also instead of selinux or app armor you may want to consider SNORT or Suricata. They all utilize a similar rules based method for partition to partition, app to app, system to network, and network to system management and logging. The only benefit of Suricata is that it can make use of GPU tech. So those with a dual/multi GPU setup can get a tiny performance boost. So if you're one of those with a dedicated GPU and a CPU with integrated graphics (Intel k series or AMD APU) you can run Suricata without too much of a system performance hit.

Browsers are one of most secure softwares there can be on desktop OS. I fail to see how this adds anything. Containers aren't a security boundary. GPU processes, audio processes are all vectors for attack. And you do not contain those with a simple container.

@@WarkWarbly, browsers have dedicated security teams with people on payroll. A browser executes remote untrusted code. It's a miracle they don't pwn their users every day. Sure, some zero days existed and do exist.

Yep!

Noted!

I use an expanded version of this idea.. buy 4x (or find them lying around, like that old laptop) flash drives. You can run a live distro on each drive, completely separated operating systems. Even 16GB is enough to run the basics, GUI, web browsing and all the other basic apps.. 32GB is much more comfortable for Firefox's crappy memory leaks. 128GB you'll never run into a space issue if you just use external storage for large downloads. These drives are < 20$ now, fairly small price to pay. What I wish is that they had something I could 'hot swap' between these OSs.. like VMs, but without emulation losses. You can hibernate and swap to estimate that behavior though... if you can get hibernation working (need more space also, 128GB is plenty for it).

@@craigslist6988 oh yes. the most insane variant of using old laptops was from around 20 years ago. knew a guy who bought a bunch of old laptops from his employer just for surfing in somewhat risky situations. to be more precise: he loved surfing in the internet while being on an air mattress. sometimes, a laptop met the bottom of his pool. no problem, he took the next laptop from the stack of laptops he had.

No offence intended here but changing ports is generally considered useless, bots are not probing any ports specifically, they mostly probe for any open port. The protocol is then as simple as a packet sniff. You can get better results by disabling ping requests from unknown sources.

On a server? 😅

​@@MarcinTrybuson the router 😈

tip 102: if you need internet, tor

Totally agree! Just wanted to share some thoughts: Let's imagine an attacker has physical access. Since grub config is not signed nor encrypted, an attacker can change it by using live usb. What's next? Disable usb boot? It is still possible to remove a disk and make modifications on another computer. It would be better to encrypt /boot then. But how to configure it and where to store a key? Ok, grub supports luks1, but it doesn't support tpm yet. So it will require a password from user. Even modern Linux distros need a LOT of work to make boot process secure.

@@alexk4894 Your points are the kind of things that keep me up at night. I have luks encryption on my drives. What I'm trying to prevent is access from a digital forensics specialist if my tech ever gets seized.

Mostly not possible, most fingerprint readers don’t have drivers for Linux :/

If the private key is password encrypted on your client it's much harder to steal the actual key. If it is stolen you can disable that single key. Of course if you're paranoid I believe you can set up sshd to require key _and_ password.

Now i’m curious. How exactly does that work on windows?

You’re welcome!

It’s planned!

@@TheLinuxEXP When will it be published? I’m very excited.