Security application recommendations

https://wiki.archlinux.org/title/Security#Packages

1 Like

No comment, I'll just give a :+1: and let it go :wink:

Thanks for your replies, everyone!

To be perfectly sincere with you all, the laissez faire attitude towards system security I’m getting back from the community is concerning to me.

It is public knowledge that bad actors use various exploits, including fileless malware, on all operating systems. I’m not trying to seal all the avenues of attack, just make myself a harder target than the next computer.

I suppose I’m speaking to the part of the community who may have suggestions other than the typical “use your brain”. No offence intended.

Largely “security is something you configure”
(according to your use patterns and threat models)

https://wiki.archlinux.org/title/Security

1 Like

Your last sentence is already true by using

  • Linux instead of Windows
  • LibreOffice instead of Office
  • Thunderbird instead of Outlook
  • your brain when you receive a pdf bill in the middle of the month

There is nothing else you can do.

With Linux, Firefox with uBlock Origin and an understanding of when to open links gives you a 99% advantage over the average user.

1 Like

I really, really hate myself for doing this, and I’ll save it this time for future reference, but @Aragorn, can you please chime in about this?

1 Like

We are not lax about security. The first sentence in the arch wiki is

It is possible to tighten security to the point where the system is unusable.

Been there, done that. I dabbled in computer security at some point (call it “hacking” if you want, although it isn’t true). As I learned what could potentially be done, I wanted to protect myself from all possible theoretical threats (yes, I even had an on-access virus scanner in Linux)… while some of them never really existed.

At some point I developed a common sense for not opening cat videos sent via Skype in Windows like my dad did :rofl: :joy_cat: :face_with_symbols_over_mouth:
And I understood what is enough to protect me 99% of the time from 99% of the threats. I realised that what I could do to my neighbor’s network does not mean he has the knowledge to do it to mine…
And I realised the remaining 1% will be exponentially hard and time consuming to secure against an exponentially diminishing threat. And it is not adequate for my situation. Like trying to secure the USB ports of a desktop PC that was only stationary at home.

So nowadays I passionately argue that Linux viruses do exist. I do it for the sake of clarity and science. But I would never advise a noob to install an antivirus in Linux. That’s the difference between theory and practice.

1 Like

I’d argue that the biggest threat, to any computer, regardless of operating system is the well-known PEBCAK virus…between that and the ID10T errors…

3 Likes

That’s because your mind is still stuck in the Windows paradigm. :wink:

Microsoft Windows started its life as a single-user graphical interface on top of MS-DOS, a 16-bit single-user, single-tasking operating system that ran all of its code with full hardware access. Basically, MS-DOS was more of an application loader than an actual operating system. When DOS loaded an application into memory, from that moment on, the application had full control of the machine, and it could do anything it wanted.

MS-DOS also had a very limited memory address space to work with, courtesy of having been developed for the 16-bit Intel i8086 and i8080 processor family, and their successor, the short-lived i80186.

This is why when more powerful processors came along — i.e. the i80286, and then later the 32-bit i80386 and i80486 processors — Windows also started including a DOS memory extender and a primitive cooperative multitasking system. But it was still only a single-user layer on top of a single-user operating system.

Cutting a long story short, somewhere along the line, IBM and Microsoft joined forces to create a successor for MS-DOS, named OS/2, and the plan was devised to start developing a joint platform of which the IBM version would carry the OS/2 interface and an API for OS/2 applications, while the Microsoft version would carry the Windows interface and an API for Windows applications, and while both of them would be compatible with earlier 16-bit software written for MS-DOS, for the 3.xx version of Windows (which ran on top of DOS), and for the 16-bit version of OS/2.

Then things went sour between IBM and Microsoft. Bill Gates broke his agreement with IBM, and with the help of VMS developer Dave Cutler, all of the code that Microsoft had written for the next generation of OS/2 was cannibalized, converted to Windows code, and crudely bolted onto a VMS-like kernel. This kernel is multi-user-capable, but other than that the Windows code was ported to run on that kernel, Windows itself continued to essentially be a single-user environment that was initially developed for an operating system that didn’t even have any networking abilities.

Even today, Windows is still Windows. It may have a slick-looking user interface — or, well, at least in the opinion of certain people — but underneath, it’s still a mess of duct tape with crude bolts and nuts. And that’s because unlike what Steve Jobs did at Apple when he in turn decided to replace Classic Mac OS by a more modern and UNIX-based foundation, Bill Gates absolutely did not want to change anything about the basic internal design of Windows.

Because of Windows’ legacy as a layer on top of MS-DOS, Windows still regards a file as executable solely based upon the filename suffix, i.e. .exe, .com, .bat and friends. By consequence, in Windows, open() still equals execute(), just like in MS-DOS.

Furthermore, also just as in MS-DOS — which, remember, was a single-user operating system for non-networked computers, and which approaches storage as individual volumes, each with their own root directory and subdirectories — the user has write access to everything, with the exception of C:\WINDOWS and C:\WINDOWS\SYSTEM (or whatever it’s called these days).

And so as to make things even worse, Microsoft’s philosophy has also always been one of aiming for commercial and proprietary application software, if not from Microsoft itself, then from Microsoft’s partners. And security was only an afterthought, because first and foremost, they wanted the user to have the same ease of use as with the non-networked MS-DOS, while security precautions were perceived as standing in the way of Microsoft’s idea of “user-friendliness”.

On top of all that, whenever Microsoft releases something as production-ready, it still contains tens of thousands of bugs. It is in fact what every serious software developer would consider beta-grade software, not even release-candidate material yet. And then they gradually fix things over time by way of so-called service packs.

The bottom line is that Microsoft Windows is full of holes, both because of coding errors — which is normal, although Microsoft in particular is quite known for letting more coding errors slip through their quality control than any other proprietary software company — and most crucially, because of the very way that Windows was designed.

And given that Windows comes preinstalled on most brand-name commodity hardware, in combination with Microsoft’s multi-million-dollar advertising and PR campaigns, the typical Windows user is accustomed to the fact that they have to take additional precautions to protect their system. Of course, given that Windows is much more ubiquitous on desktop and laptop computers than any other operating system, it’s also a much bigger target for the malware industry and the black hats.

But that’s Microsoft Windows, and unlike GNU/Linux, it has virtually no peers. Yes, there is ReactOS, which is an attempt to write a Free & Open Source clone of Windows, but given the complexity and proprietary nature of Windows proper, ReactOS has yet to rise out of the alpha stage in terms of usability.

GNU/Linux on the other hand is an entirely different story. First and foremost, it’s a UNIX system, and UNIX is an operating system architecture developed in 1969-1970, and then improved and perfected.

Furthermore, UNIX was designed from the ground up as a multi-tasking, multi-user operating system that ran on minicomputers and mainframes, to be accessed and used by multiple people concurrently via so-called dumb terminals. It was essentially a slimmed-down version of the Multics mainframe operating system.

In other words, UNIX was designed from the ground up to have a built-in security system based upon a simple but very flexible and efficient permissions model with file ownership and groups, and based upon the principle of least-privilege. In UNIX, unprivileged users only have write access to their own ${HOME}, to /tmp, to /var/tmp, and if the machine runs a local mail server, to /var/spool/mail/${USERNAME}. Everything else is read-only to anyone other than root.

In addition to that, in UNIX, the filename is irrelevant as to whether the file is executable or not, because whether it is or isn’t — and for whom — depends upon the file’s permissions mask. Not to toot my own horn, but I’ve written an extensive tutorial on UNIX file permissions and ownership, which you can find below. :arrow_down:

Unlike in Windows, an unprivileged user is not hampered by the security system, because they can do everything that they need to be able to do without having to resort to root privileges, and nothing that they shouldn’t be able to do.

UNIX is an industry-standard operating system architecture, and although some proprietary UNIX versions still exist — e.g. Oracle Solaris, IBM AIX, Hewlett-Packard HP/UX, et al — most UNIX systems in use today are based upon one of the many Free & Open Source UNIX platforms, of which GNU/Linux is the most popular one.

As a matter of fact, about 80% of the internet is powered by GNU/Linux, with the remaining 20% divided among the various Free & Open Source BSD systems — i.e. FreeBSD, NetBSD, OpenBSD, et al — and macOS, which is a modified and partly proprietarized FreeBSD. Microsoft Windows dangles somewhere at the bottom with maybe a 2% market share in the server rooms, exactly because (1) it’s proprietary, (2) it’s not stable enough, and (3) it’s a security nightmare.

By consequence, if you are new to GNU/Linux and you come from the Windows ecosystem, then you will indeed be surprised by what you term our cavalier attitude, but those of us who’ve been using GNU/Linux for many years — and in my case, that’s over 24 years, and exclusively so — know that we don’t need to be paranoid about attack vectors that only apply to Microsoft Windows.

Yes, a certain degree of caution is always required, but when it comes to GNU/Linux, the weakest link in the security of the system is the biological mass between the keyboard and the chair, unlike in Windows, which is a very promiscuous operating system by way of the refusal of its creators to redesign the system from the ground up. If Microsoft had been smart, then they would have opted for a UNIX-based design, just as what Steve Jobs did over at NeXT Computer, which was later acquired by Apple, and what Jobs then continued to do when he was put back in the saddle as the CEO of Apple Computer.

6 Likes

Just an FYI to anyone who thinks computers can be made 100% safe:
It is a myth and an impossibility.

  • All software is run by your CPU like an obedient slave without own will.
  • All software is written by humans.
  • All code that the CPU has to execute can be read and understood by humans by using disassemblers.
  • So they can always try to find weaknesses to bypass the built-in software protections.
    That’s what true “hackers” do :wink:
    (At least, that’s what I did when I was young and on that side of the fence, although at that time I could read the code by just looking at the bytes themselves without using a disassembler)

That’s why, IMHO, antivirus software is like placebo pills. They make the patient feel better, but they don’t cure the real cause nor protect against the threat.

1 Like

Now THAT’S a humble brag if I’ve ever seen one…

Wasn’t meant to be a brag, I just felt like sharing what I did in practice back then, to make a point.
:woman_shrugging:

Even more so…

:wink: :stuck_out_tongue_winking_eye: :smile:

What Aragorn wrote should be carved in stone somewhere…

A small addition for the users that dual boot and are still tied to Windows: in the era of Windows 10, 2-3 years ago, Microsoft decided to cut costs in the quality assurance department. Besides laying off the people, they decided testing on real hardware is too hard and expensive. So nowadays there is virtually no testing of the OS updates on real hardware; it is all virtual. Which leads to all sorts of problems when a driver updates, and boy, it of course updates automatically… So if Windows was beta quality 10 years ago, since Win10 it is practically alpha quality software.

2 Likes

I assume - new to Linux - since you have to include the next sentence.

Running Linux as your workstation OS is not the same problem as it is running Windows.

The vast majority - I dare an estimate around 99% - in the malware family targets Windows operating systems - and as such no real threat to Linux desktop.

That is great - then you know to steer clear of dubious sites, porn, warez and illegal distribution sites etc.

As mentioned by @cscs security is not a one-size-fits-all,

A private workstation behind an ISP router cannot be reached by a random bypassing bot - so not in the same threat zone as a public webserver.

A webserver on a public IP on the other hand - requires attention - how much attention depends on the sites served.

If you host a WordPress site, you will desperately need a WAF (Web Application Firewall) to fend off all those attack vectors the WordPress CMS presents.

So you see - the answers to your question - are not straightforward.

What you really need - Windows or Linux - is a service which filters your internet traffic for ads and known malware sites.

  • opensnitch is an application firewall
    • look at it as a reversed firewall
    • it filters your outgoing traffic instead of inbound
  • portmaster-stub is an installer to download the latest PortMaster App and rules
  • firewalld is an excellent firewall for systemd based Linux

4 Likes

The good thing in Linux is, it is all free software in the repositories, with tons of programs. So you do not need those dubious sites and cracks anymore, which are geared towards Windows anyways.
I guess the porn sites are inevitable for younger users :stuck_out_tongue_winking_eye:

And use an adblocker service on the browser, like https://ublockorigin.com/ for example. It blocks some of the exploits and malware sites too.

1 Like

And DuckDuckGo Privacy Essentials. And don’t use Google as a search engine. Use DuckDuckGo or StartPage.

:duck::duck::walking_man:

:stuck_out_tongue:

Hmm, I never heard of that, but reading a bit it sounds and looks great, thanks for mentioning/linking it :+1:
I find it refreshing to have a user friendly outgoing-firewall per app on Linux :clap:
I will try it soon™ Works nice!

If you want “better” answers, you need to ask “better” questions :wink:

If you name exactly what kind of risk you want to protect yourself against, then you will certainly get concrete, sensible answers.

But first you have to deal intensively with Linux (enough material is already in this thread)

The main point is:

Linux is not windows.

This means that you don’t need to have the same fears on a Linux system as you do on a Windows system. Enough has been written above about why this is the case. But you don’t just have to read it, you have to “process” it and “look it up”. In 2 or 3 years you will understand us :wink: .

Because Linux is so secure, it is particularly important that the user does not destroy it with his own gross mistakes. (Hence the warnings above).

User carelessness is by far the biggest security problem with Linux, and there are no programs to deal with it

:footprints:

3 Likes

Consider SearXNG as well :arrow_down:

https://docs.searxng.org

1 Like