APPS & TOOLS to improve LINUX PRIVACY & SECURITY
Vložit
- čas přidán 15. 06. 2024
- Get 100$ credit for your own Linux and gaming server: www.linode.com/linuxexperiment
Grab a brand new laptop or desktop running Linux: www.tuxedocomputers.com/en#linux
👏 SUPPORT THE CHANNEL:
Get access to a weekly podcast, vote on the next topics I cover, and get your name in the credits:
CZcams: www.youtube.com/@thelinuxexp/...
Patreon: / thelinuxexperiment
Liberapay: liberapay.com/TheLinuxExperim...
Or, you can donate whatever you want: paypal.me/thelinuxexp
👕 GET TLE MERCH
Support the channel AND get cool new gear: the-linux-experiment.creator-...
🎙️ LINUX AND OPEN SOURCE NEWS PODCAST:
Listen to the latest Linux and open source news, with more in depth coverage, and ad-free! podcast.thelinuxexp.com
🏆 FOLLOW ME ELSEWHERE:
Website: thelinuxexp.com
Mastodon: mastodon.social/web/@thelinuxEXP
Pixelfed: pixelfed.social/TLENick
Twitter : / thelinuxexp
PeerTube: tilvids.com/c/thelinuxexperim...
This video is distributed under the Creative Commons Share Alike license.
#linux #privacy #security
00:00 Intro
00:31 Sponsor: 100$ Free credit for your Linux or Gaming server
01:31 Encrypt your system or specific folders
03:36 Anti-virus
05:23 Sandboxing and application permissions
07:28 Web monitoring and blocking, & VPNs
10:08 Portable private Operating system
11:08 Web browsers & search engines
12:58 Other tools
14:40 Sponsor: Get a PC that runs Linux perfectly, from Tuxedo
15:37 Support the channel
A lot of Linux distributions will offer to encrypt your hard drive when you install them. Ubuntu, PopOS, elementary OS, and a lot more, they all have this option. If you didn't enable encryption when installing your system, you can encrypt your home folder or partition after the fact using ecrypt-utils, a command line utility.
ENCRYPTION TUTORIAL: jumpcloud.com/blog/how-to-enc...
KDE has something called Plasma Vaults, that lets you create encrypted folders with a nice graphical interface, with the ability to set different passwords for each folder.
You probably also have an anti virus, your best option will be ClamAV (and ClamTK, it's graphical interface). it detects trojans, viruses, malware and the like, it's open source, and it's completely free of charge.
But if you want to restrict permissions for Flatpak apps, then you need Flatseal. It's an application that will list all your flatpak apps and let you grant, or remove permissions to them.
If you want the benefits of a sandbox but without using Flatpak apps, you can also run any app installed from a regular package or an AppImage in a sandbox, using Firejail, and Firetools, its graphical interface.
If what you want is to make sure that the apps or services you run don't do anything weird with your internet connection, then there's Safing's Portmaster. It's open source, free of charge, and it lets you monitor every network request every part of your system makes, and restrict them as you see fit. Oh, and it also has a system wide ad and tracker blocker.
VPNs are a tool you can use to be more private online. I don't have any specific recommendations, but you can check the link I left in the description to TechLore's VPN chart to find one that is suitably private: techlore.tech/vpn.html
If you regularly use public computers, or someone else's, you might want to use TAILS, a live USB, but with persistent storage that is encrypted.
Your web browser will also be a big part of how private you are on the internet. If you prefer to stick to Chrome's rendering engine, then something like Brave will be way less intrusive and well configured by default, and if you don't want to encourage Google's monopoly on the internet, then Firefox is also very private, once you disable the opt-out telemetry in the Privacy and Security settings.
You also have LibreWolf, which is Firefox without the telemetry and with privacy focused search engines out of the box.
Speaking of which, your search engine is also something you should look at for privacy. Google or Bing are just NOT what you want for that. I personally use Ecosia as my default search engine. When Ecosia falls short, I use startpage, which is basically Google's results, but with complete anonymization of all queries, so Google doesn't know who or from where the query has been made.
VIDEO ON SEARCH ENGINES: • BYE DUCK DUCK GO, here...
Bleachbit will let you delete cache files, cookies, internet history, temporary files, logs and more.
If you want to just completely delete any single file, then there's GNOME File Shredder.
If you need to share certain images but hide some information on it, blurring it with a gaussian blur isn't enough, as it's now relatively easy to deblur an image. Obfuscate is a simple tool that lets you hide information. - Věda a technologie
Get 100$ credit for your own Linux and gaming server: www.linode.com/linuxexperiment
I'm usually paranoid when it comes to privacy and security, but that's one thing I forgot to do is encrypt my hard drive.
I always forget about it too!
I honestly skipped it on my latest install because my luks mapper broke suddenly on my last install for some mysterious reason 😅
Everyone should be. Our freedom depends on it.
I have my laptop encrypted but not my desktop, mainly due to the fact that it would take SIGNIFICANTLY more effort to get to my desktop's drives than just snagging my laptop in public
Same, but then again I use arch btw and fear that I'll have to do some system maintenance from a chroot and need to mount the FS externally
I feel like as a community, we need to talk more about tools like Selinux. I know it's not the sexiest thing to talk about but there is a lot of power and extensibility. I think the part that keeps most folks away is the learning curve.
@i2Sage SELinux is "Security Enhanced Linux". I don't know much about it aside from it being good for security, but from a quick glance at the results of the iOS "Look Up" feature's Wikipedia result, it does appear to be similar (but a little different I think), if not perhaps more powerful due to being able to be fine-grained.
It's probably the fact that Linux arguably has no real security model to speak of. It doesn't need one, because nobody's making viruses for stock Linux and anyone who uses it for mission critical stuff gets it hardened. But it isn't hardened by default. At least that's what I've heard people say.
@i2Sage Android, in and of itself, is a sandboxed and customized version of Linux. SELINUX (security enhanced Linux) is a Framework that provides advanced sandboxing capabilities for standard Linux OSes. There are other Sandboxing tools for Linux like Firejail and AppArmor. FireJail would probably be the most Safety Net like of the bunch.
Librewolf does more than just changing your default search engine. They change the config files. Canvas resizing for example changes the size of your screen. Really needed if you have a screen with a resolution that's not common. I'm not sure but I think they also report that you are on windows by default. Anyways, those are all things that Firefox can do because librewolf is just Firefox but it would take forever to make those edits.
Again, you always have at least one or 2 programs in these things that I've never heard of, but are super useful. Thanks
Thanks, glad it helped!
For the record: Portmaster's SPN and Tor may share some properties, they are definitely quite different
Specifically: With Tor you usually use the same chain for each request (within the same Tor-connection), and the chain is longer than 2, with SPN (as I understand it) you use different routes per request, but always with a 'chain' of just 2
The chain is somewhat cusomisable, if I recall correctly you have a toggle for speed/security/middle
something that's worth mentioning if you've got a laptop is usbguard. Prevents usb devices from functioning until you manually whitelist them. Fantastic if you're in an environment where you're required to move around (you'd also ideally be able to lock your laptop, but when you're presenting that's not always possible). Great for universities and schools!
Long term the solution for most convenient encryption is homed (from systemd). You can store and encrypt your whole home directory per user inside a file. This file can be moved between devices but only accessed with the users password. The advantage is that it supports using the password from login to decrypt during login. So you don't need multiple passwords on boot/startup. Also this makes a lot of sense for multi-user setups which would weaken a LUKS partition with one password to share.
Thank you Nick 💜💜💜 Please do a video where the default security apps are configured such as AppArmor, UFW and SELinux 🙏🙏🙏
I might do a guide on hardening Linux later!
@@TheLinuxEXP oh please do
Great video. I really love privacy and security content. You present the tools in a way everyone can understand. Thanks.
Glad you like the video!
Nice video.
My suggestions:
1)
The biggest security tool (after knowledge and caution 😉) is selinux in enforcing mode, and I think it is not mentioned here.
2)
Update everything often. I do it every day with one click.
3)
Don't install software from not trusted sources.
4)
Don't give your user the permission to run software as "root", unless you know what you are doing.
Become root instead, when needed.
5)
05:20 "virus ... can access your linux system entirely".
That's not exact.
They can access what the user which runs it can access.
Therefore nothing that can be accessed only by another user, be it "root" or another.
It is also noteworthy that a malware which targets Windows, has no effect on linux.
To have effect, it should be a malware which runs via wine *and* it targets linux.
1:41😂😂
The cat is pawsome!😊🐈
Wine works so well, it will even run windows viruses.
Thanks for putting together this list. Looking forward to looking through some of these tools.
The issue with opt in telemetry is that it provides a very distorted view of user behavior. Only people who check the settings and want telemetry will turn it on. That's such a small and restricted sample.
It's much more important what is shared than if it is shared by default or not.
@@hello-iw9pdi missed the part where he talked about not giving the users choice
@hello Opt-out is still a choice, no? I think FF does this very well, if you consider that opt-in heavily reduces the usefulness of the collected data. They tell you very prominently that they are collecting some data, and where to turn it off.
@hello No? How did you read that from my comment?
I'm just saying that if you want to get high quality telemetry data your average user must have telemetry turned on. This is neither a case for telemetry, nor one against it. It's simply a fact. Your average user won't fiddle with the settings.
Even without any telemetry you can still improve your product - based on Github Issues and angry mails sent your way - but that simply won't reflect the usage patterns of your average user.
Nice collection. Thanks for creating this one.
As we grow, this will be a more and more important topic. Tnx, mate. Infotained as usual.
Always have been a big fan of AV solutions that capture viruses on the fly rather then by doing scans.
Great video, Nick!
now THAT is a great browser recommendation segment!
Told everyone about the tracking, explained a proper chromium alternative BUT also mention the monopoly of google.
Another great video and some useful tools/apps in my journey through linux!
Super useful information. Thank you. I will try many of them.
Was literally just about to look into Linux security. What timing!
Excellent!
These types of videos are super helpful I always learn something new even if I knew some of these apps. Thanks!
USBguard is an extra security step, if you can handle the annoyance.
I really like this video as the one about your workspace with Fedora. Always interesting to see how we can improve how we use Linux.
Thanks a lot for sharing.
Glad it was helpful!
Great video as always Nick
Super content, i was looking for such programs
Super interesting, thanks !
Very good and needed video....thanks
Thanks Nick, for another great video!
Thanks for the brilliant video Nick. Contemplating on moving back to Linux after a hiatus of many years (because of being forced into using Windows in the corporate environment). Found several new tools that I didn't know existed, Portmaster being one! You've got a new subscriber!
Really like this video!
Thanks!
This info is incredible. My respects. Thank you.
Thanks, a very helpful intro!
As I begin my Linux journey, this channel has been invaluable! I’m glad I found it
At 10:09
VPNs....
He should have mentioned that VPN users should check the legality of using a VPN in their area. Currently, vpns illegal in Russia, Iran, China, last I heard India. Pakistan, Vietnam, and Thailand might also have restrictions on them. Since China and India combined has nearly 40% human population, there is a significant number of people that cannot use them....
In china using vpn is legal just selling vpn is not. Because vpn is necessary for foreigner companies to work in china and for a lot of students... Yeah the Chinese government don't like people to use foreigner websites but it is not illegal in china of someone using it after someone got vpn access outside china.
@@Tofu3435
That is a loophole that I did not know of....
Useful, thank you!
Great tips for Linux users! Thank you very much 💪🏻
Nice one, thanks!
Very very cool i will definitely try them
Thanks!
Merci!
I love full disk encryption but god damn it's so hard to troubleshoot a Linux install when the drive is encrypted; if only somebody could make it easier... 😅
This channel is a goldmine!
Hello, first a big thank you for your videos! really informative and useful. I have installed portmaster and find it very good, my question which is probably a stupid one is do I keep GUFW firewall now or remove it. Regards Phil
good video buddy - thx
Note that shred isn't effective on SSD like it is on mechanical hard drives.
It'll wear it out.
Better option is often the SSD's inbuilt "secure erase" facility, assuming your BIOS allows it or just *one* pass with:
dd if=/dev/urandom of=/dev/your_ssd bs=4096k conv=fdatasync
Followed by mkfs & fstrim.
What's the alternative?
@@loc4725 Yeah but it reduces your device's lifespan and more importantly it is very unpractical as you need to erase the WHOLE disk even if you wanted to destroy one file.
@@deloller2452 Full encryption. There is no alternative that I know of.
@@goku445 Well deleting one file on an SSD will usually just cause those pages to be marked 'free' with the hope that they will later be purged by a subsequent trim() operation. They are still there and in theory could still be recovered.
That said encrypting the drive works but but you _cannot_ just wipe the key; like the above the page containing it will remain until trimmed. To ensure and proper ease you'd have to either write so much data to the device that it runs out of spare pages and forces it to a trim or use the _secure erase_ feature (BIOS permitting), which hopefully will only erase the dirty pages.
Thanks Man 💓
I enjoy your videos Nick, which cover really useful stuff. Having just had a warranty anulled on my HP for having installed exotic software, (i.e. Linux), I am wondering whether it will soon be necessary to tux up. Geekom assure me that they are not Linux-phobic. For portmaster on Fedora, it is necessary to make it play nice with Selinux
I do a cron job system update that runs every time I turn on. Will definitely be exploring these tools you mention.
I've been using Zorinn for a half a year, and it's been great. The district on the website is old enough, but it updates the system regularly. I would revise that decision of yours
Lol, "It won't shout at you in the middle of the night it's updated" ... I sense some Avast trauma's there XD
Oh yeah 😂
As always writing a comment to support the channel
Thank you for your video! What do you think about Self Encrypted Drives (SED)?
Wow, this is a great of apps. I didn't even know some of these existed.
Instead of firejail or firetools, I'd recommend bwrap. It's command line and it's what flatpak uses underneath.
It would be cool to see you review a Framework laptop, as they're basically open source hardware, so I would assume they're very compatible with Linux, but it would be nice to have confirmation.
As a Framework owner I can say it’s generally a good experience. Only problem is that its screen is very high res , which means fractional scaling is preferred for an optimal experience, but on GNOME you’ll either have to deal with screen tearing or blurry XWayland apps. I personally wouldn’t recommend it if you use GNOME, but if you’re more of a KDE or WM person, it’ll work great.
@@ars7374 I had a similar experience with an old ThinkPad W550S back in 2015 or 2016, and ended up selling it to buy a MacBook hoping I’d have less issues. I prefer KDE but they really ought to fix that, fractional scaling is such a basic thing.
Plasma by now comes with something like flatseal... if the used distro has updated packages.
My issue with flatseal is mainly that for a normal user, various descriptions just make downright no sense.
Otherwise your list is great, Nick!
True. But it bears reminding that elementaryOS had something like than even before Flatseal got famous.
Ah a fellow Ecosia enjoyer I see ^_^
This video was really helpful! Any suggestions for software/tools which can backup and rollback Linux if needed? Thank you.
Time shift!
What about enabling firewall with gufw?
Can I add usbguard (and usbguard-notifier) to the list? It protects you from sneaky malware filled USB drives or other Bad USB devices slipped into your ports. A must have for anyone who works for a company that may be actively targeted for hacks (banks, infra, govt, etc)
For max privacy you have to use a new device that has never had its ID seen on the internet with any assocation to you.
Just a quick question:
I’m thinking of downloading ClamAV, Portmaster, and most likely Flatseal. But I wanna double check with you to see if Having all that software together will mess everything up?
Like would the security from Portmaster clash with the security of ClamAV?
I know Clam is antivirus software, and Portmaster is firewall and network monitoring software, but would they interfere with each other?
Same with Flatseal if I add that to my system too?
also i would say replace librewolf for the mullvad browers it is like the tor browser without tor
Great video but i wonder if Portmaster actually works on Debian and if it's better than firewalls like ufw or firewalld ?
Is Brave search worth using privacy wise as it is the default search engine on the Brave browser?
Must see video
5:08 Will be helpful :)
Encrypted /home here 😊
Portmaster isn't available on flathub or from the apt repo on ubuntu, at least not on 22.04. For a long time, Ubuntu/Mint has come with a builtin firewall frontend to ufw. ufw is easy to use, especially if you want to quickly enable the must have security settings: block incoming. Adding exceptions is also a breeze. I'm used to manage it from the command line, but the frontend seems intuitive enough.
Some people will tell you you don't need a firewall because you're behind a router. You should not take advice from people who discourage you from such simple security measures that have you covered if your wifi gets hacked, or if visitors frequently use your main LAN, or if you take your computer to other locations.
I would tout gocryptfs instead of ecryptutils for file system encryption.
Hi, do you have a link for the obfuscate program? Thanks in advance.
It’s on Flathub!
14:49 macbook killer
Can someone go into more detail about blurring being easy to unblur?
Basically a Gaussian blur just “smears” pixels in a certain direction, and it’s easy to determine the direction and strength and undo it
8:33 if you have an application that you don't trust some of it's internet connection... should the application not be on your computer in the first place?
Hey, I have a question:
When I enable system encryption on installation, do I have to type the security key every time I open my computer
Yes
@@adambyte256 aw man, I guess no encryption for me ☠️
hey nick can you make a guide on OBS and how to setup on Linux , the reason im asking is because it is very easy to set up OBS but on linux we dont have a good encoder FFMEG is the default but GloriousEggroll suggested Gstreamer-VAAPI and that works to some extent but when recording a video / game the gpu usage goes 100% all time even when nothing demanding is happening , its a pain to record at 720p30 , going any higher means the gpu usage goes 100% and will slow down the system , even with an RX 570 :(
I can look into it, but I personally only use NVENC with my nvidia GPUs, it is unparalleled
As the vast majority of systems have SSDs now, "shredding" files does not work. Encryption is your best friend, as well as ensuring TRIM is executed regularly and hoping it is correctly implemented.
I personally have a ton of ram, encrypted swap file, mount /tmp as tmpfs, and mount an addition temp space in my home folder as tmpfs. I have tens of gigabytes of in-memory storage for things that do not have to be saved. You can symlink a bunch of work folders from various apps to this space and end up not crowding tons of subfolders with crap.
Depending on file size if 500mb file modified with '123' chance of recovery 0%
Oh my, Nick, why would you feel the need to scan those Warhammer novels you surely aquired from the reliable and fairly priced Black Library? But back to Wine, wouldn't deleting the Z: folder that links to your /home directory and restricting Lutris/Steam to a dedicated folder with Flatseal solve most security concerns?
The worse part is, I actually bought most of not all of them 😂
I think it would help, yeah. As long as the app that runs Wine is sandboxed, you’re probably relatively safe, apart from what the virus might access while the program is running
How does encrypting the hard drive work together with dual booting *sigh* windows?
Shouldn’t have an impact, you’ll just encrypt the Linux partitions
If you want to encrypt your files like documents or pictures, I can suggest cryptomator. It works on both Linux and windows and is open source. That way if you store your personal files on a separate partition you can open them on both Linux and windows.
read how flatpak works. pretty neat system. my worries about every tiny app taking 2 gig hard dist were put to rest. no more nightmares when this guy is talking about flatpaks.
Which distro do we see at ClamTk? (3:40 - 5:00)
I tried full disk encryption on openSUSE, but was frustrated by the double entry of the encryption password during boot. I ended up only encrypting the home directory using the guided setup. Not the up to the level of Fedora or Ubuntu, but at least my personal data is encrypted at rest.
You can embed a keyfile in your initramfs so you don't have to enter your password twice. I've set mine up where I don't even need a password to boot/decrypt partitions, I just use a fido2 key. Compared to yubikeys, hyperfido's fido2 key is a fraction of the cost ($25AUD or $17ish USD) and works perfectly. If you wanna have another go at trying to encrypt your OS again, I can walk you through the process to get everything setup the way you'd like. I can run you through the setup on a VM so you can get comfortable with the process before you attempt it on your harddrive(s).
for tail is persistent not the wrong word because for me it means that all my data is saved even when i unplug it
Which Linux distro did you use for this video?
Still looking for a tool capable of encrypt a folder easily and that works with Linux and Windows.
Is it possibile to encrypt a specific folder, making it possible to open it only with a password in GNOME?
You can compress a folder with a password on GNOME, but the regular folder, that I do not know.
7:28 No Opensnitch firewall
9:00 Mullvad VPN
11:08 No Ungoogled Chromium
Title: APPS & TOOLS
My brain: APRIL FOOLS
Me: Kinda late huh?
You forgot to mention Cryptomator 😁😁😁😁
LOL it won't wake you up in the middle of the night 🤣😂
Anyone who used Avast knows
Hi 🎉
Since we talking of security can someone tell me why does linux firewalld make chromecast and kde connect not work ( at least in firewalld kde connect has a service ) what about chromecast and airplay I use services called cider that helps me use my family apple music account .
clam always tells me it's outdated, and it never scans what i tell it. i have ticked the right options, and looked at tutorials, haven't gotten it to work :( other than that, thanks for all of the really good suggestions!
My honest advice: dont use clam. I played with clamAV engine, its signature, ... More than a year and i can tell it's not strong enough against malwares. (No disrespect to clam team. They are cool guys providing clam for free)
Clam is probably worse than not having anything in the first place because as far as I know its detection rates are quite low and that can give the user a false sense of security.
@@Komatik_ ok, that makes me feel a little better
@@dmknght8946 yea, that's the thing, it always says the signature is outdated even after updating. I don't typically download things, but on the off chance i do, I would want something to check.
yeah as in malware scanner (which is the actual job of current clamav, it supports only hash checking and pattern matching (a lot of ClamAV old signatures depends on hashes. I meant if anybody compare ClamAV with Yara, Yara has more techniques to detect malware (or binaries in general) than ClamAV. As a AV, ClamAV doesn't have process scan (or memory scan- last time i check). It doesn't have syscall / function call hook checking either. And the most important thing, IMO, is the emulator to detect packed, encrypted malware.
Overall, ClamAV is the only truly open source AntiVirus engine out there. But it's not enough to defend user against malware, especially modern malware.
Hmm, doesn't look like the vaults work on Steam OS. I just tried to create one while watching this video and I just get an error.
That’s because the filesystem is read only
@@TheLinuxEXP but why does that matter if I'm trying to make an encrypted folder in my home directory or external drive? I'm not trying to modify system files.
While good start, the ultimate secure OS is obviously templeOS.
Actually CubeOS if you manage to make it work
Do you endorse ExpressVPN ? I live in the US.
Make a hardenning linux video!
Probably later!
Anything on the Linux world about Amazon sidewalk?