Genuinely interested: does it bring something to say "everything is crap anyway, but given that we must choose between one of them, we may as well choose the least bad" instead of "the best solution we currently have is X"?
Secondly, are you sure that it is impossible to secure a system for a whole department? I have seen relatively big companies having an IT team managing their own Linux flavour. That is, whitelisting the packages that can be installed by the users. Given that most computer users in the administration use a handful of programs, it doesn't seem super hard to audit them?
> Genuinely interested: does it bring something to say "everything is crap anyway, but given that we must choose between one of them, we may as well choose the least bad" instead of "the best solution we currently have is X"
Well, I dunno if that's true; that's why I didn't say it. Linux _may_ be the best solution overall, I am not sure. It is definitely not the best solution from a security perspective.
> Secondly, are you sure that it is impossible to secure a system for a whole department? I have seen relatively big companies having an IT team managing their own Linux flavour. That is, whitelisting the packages that can be installed by the users.
Just whitelisting packages isn't enough. ChromeOS effectively does this and their whitelist is extremely small, yet they are still only ok with that because they backed it up with the rest of the pieces needed to make a secure Linux desktop, including a fully vertically integrated stack.
> It is definitely not the best solution from a security perspective.
But that's compared to alternatives that virtually nobody uses, isn't it? No public service is using ChromeOS. In Europe they probably all use Windows, I would guess? So the question reduces to: is Linux worse than Windows in terms of security in this context?
The goal here is not to have the perfect system, rather to be sovereign. It's enough to not be significantly worse than Windows.
You know what happened at Google after Operation Aurora and they went full bore on security (BeyondCorp and all that)? They started phasing out Windows laptops for employees immediately.
I'm honestly having trouble taking you seriously: Windows has always been the butt of security jokes. I guess you maybe didn't grow up with winnuke etc?
But maybe you could elaborate a bit more concretely about what kind of intra-host security boundaries are missing, and why they would be required on single-user computers in this scenario?
I worked at Google on post-Aurora endpoint security. Windows laptops are alive and well at Google. Linux laptops have had one foot in the grave for a while now (it's a bummer). Google historically made gLinux work only with enormous investments in customised distros and D&R.
> But maybe you could elaborate a bit more concretely about what kind of intra-host security boundaries are missing
- no boundaries between applications, everything runs as $USER which can read your browser creds
- no boundary between user and root, everything can trivially escalate privs (maybe we will fix this post Glasswing, let's see)
- no boundary between boots, root can trivially persist a compromise (probably non-root too)
The tech exists to solve all these problems on Linux, but there isn't a distro that strings it all together. (Unless you count ChromeOS/Android which are not really OSS).
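The first two boundaries above can be checked from inside a running process. The script below is an added example, not code from anyone in this thread; it assumes Linux, reads the kernel's /proc/self/status fields and the /.flatpak-info marker that Flatpak places inside its sandbox, and keeps the parsing in pure functions so they can be run on a constructed sample.

```python
"""Audit which intra-host boundaries a Linux desktop process actually has.

Reads /proc/self/status (kernel-provided, Linux only) and the Flatpak
sandbox marker; the parsing and scoring take plain values so they can be
exercised on a constructed sample as well as on the live process.
"""
import os

# Constructed sample of the fields this audit cares about, in the format the
# kernel writes to /proc/<pid>/status (values are made up for illustration).
SAMPLE_STATUS = """\
Name:\tfirefox
Uid:\t1000\t1000\t1000\t1000
CapEff:\t0000000000000000
NoNewPrivs:\t0
Seccomp:\t0
"""

def parse_status(text):
    """Return the key/value fields of a /proc/<pid>/status blob."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key:
            fields[key.strip()] = value.strip()
    return fields

def boundaries(fields, in_flatpak):
    """Map each boundary to True when the process is actually confined.

    app      - something separates this app from other apps of the same
               uid (a Flatpak sandbox here; plain desktop apps have none)
    privs    - NoNewPrivs stops setuid/capability gain through exec
    syscalls - a seccomp filter (mode 1 strict or 2 filter) narrows the
               kernel attack surface reachable from this process
    root     - CapEff all-zero means no ambient root capabilities
    """
    cap_eff = int(fields.get("CapEff", "0"), 16)
    return {
        "app": bool(in_flatpak),
        "privs": fields.get("NoNewPrivs") == "1",
        "syscalls": fields.get("Seccomp") in ("1", "2"),
        "root": cap_eff == 0,
    }

def audit_self():
    """Run the audit on the live process (Linux only)."""
    with open("/proc/self/status") as f:
        fields = parse_status(f.read())
    return boundaries(fields, os.path.exists("/.flatpak-info"))

if __name__ == "__main__":
    for name, ok in audit_self().items():
        print(f"{name:9s} {'confined' if ok else 'NO boundary'}")
```

On a stock desktop session a terminal or browser launched from the menu typically reports every row except `root` as "NO boundary", which is the gap the comment describes.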
> Unless you count ChromeOS/Android which are not really OSS
Wouldn't ChromiumOS and AOSP count? Though I read a lot of people generally complaining about secure boot on desktop (for reasons I honestly don't understand: secure boot seems to be part of the Android security model, and it seems valuable to me).
It's a good technical artifact, yeah, but it would need to be forked and degoogled; today it is only really useful with Google services as a backend.
Also it's coupled to the device ecosystem which is organised by Google. This coupling with the HW is one of its major technical strengths though, including for the security things I'm yapping about.
So yeah I think the two options for a EuroOS are:
- Fork and degoogle ChromiumOS/AOSP
- Invest in a Silverblue/bootc/Flatpak style system and just keep filling the gaps there
Hard to say which would be the better option. Both require at least tens of millions in investment over 5+ years.
> why they would be required on single-user computers in this scenario?
Because the single user does not write all the software running on the system. The proprietary software the user downloads could have its own agenda contrary to the user. The open-source software has security holes, so that for example if the OSS is being used to inspect a repo downloaded from the net, the repo might contain files specially crafted to exploit the open-source inspection software. Or if the OSS is a file viewer, a file downloaded from the net might be able to exploit the file viewer.
I am just talking about the pure tech fact that GNU/Linux desktops do not have any meaningful intra-host security boundaries.
Is this a worthwhile tradeoff against being tied to US tech? Yeah maybe, like I said there are no good options here, and Linux might be the least bad.