LinuxQuestions.org
Old 11-18-2022, 10:34 PM   #1
WhyLinux0
Member
 
Registered: Apr 2022
Posts: 92

Rep: Reputation: 0
Question Linux and metadata/privacy


A main reason for me to try Linux was to get as far away as possible from the massive metadata collection that Windows and data brokers are known for. I understand the very basics of the kernel and its advantages, but what seems to be the majority opinion after spending 30+ hours reading forums is that people think they are 100% immune from anything bad simply by using Linux. That simply can't be true. I know a lot about Win, but am new to Linux, and I see almost no talk about the browser, security settings, firewall (some) or other software/hardware choices to harden your system. I know different distros offer different things, but a daily driver like LM or others I think may be tweaked or made better maybe.

Also something that seems ignored is that Linux represents such a small % of overall individual users that the majority of bad actors are being smart and fishing the large pond of Win users, but should they ever use their talent to target Linux, I fear that many would find that Linux is not as 100% secure as they believe?

Last edited by WhyLinux0; 11-18-2022 at 10:43 PM. Reason: Linux and metada/privacy
 
Old 11-18-2022, 11:04 PM   #2
jmgibson1981
Senior Member
 
Registered: Jun 2015
Location: Tucson, AZ USA
Distribution: Debian
Posts: 1,151

Rep: Reputation: 393
Quote:
That simply can't be true.
Any system is pretty secure if the user isn't a total idiot. That being said, the default security model on Linux does make it a bit more protected from the unknown. But not immune.

Last edited by jmgibson1981; 11-18-2022 at 11:07 PM.
 
Old 11-19-2022, 12:08 AM   #3
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,765

Rep: Reputation: 2764
Quote:
Originally Posted by jmgibson1981
Any system is pretty secure if the user isn't a total idiot.
Ask any professional SysAdmin: "total idiot" is, in fact, the base assumption one should use as a working assumption about your average user.
Quote:
That being said the default security model on Linux does make it a bit more protected from the unknown. But not immune.
True.
Windows and Mac assumption is that you are not only a total idiot, but that you will gladly pay them big bucks to have them provide the brains behind your security.
The Linux assumption is that you want a base level of security by default, will take it the rest of the way yourself if you need to, will use FOSS solutions wherever they will serve, and if you do not know what you are doing on day one you WILL figure it out or get help. (I apologize for what that appalling sentence did to your brain!)

LQ is one place to get help.

Linux IS more secure, but nothing is secure against users who insist on doing dangerous things that "seemed convenient at the time" or that they "saw in this great magazine...".

Browsers shed a ton of data about every connection, and the server collects much of that and generates more. All Google tools and services dump into that great honking database and they KNOW you!
Using a browser that provides some kind of "privacy tab", "Privacy window", or "Secure mode" helps but as soon as you log in or identify yourself you have given away data about yourself and your hardware, software, and behaviors.
Using a browser that LIES in the data it sheds can help a bit.
Using a VPN CAN help a bit. (But if it is a commercial VPN, assume they may be collecting that data!)

Running a Firewall can protect you from incoming threats, but not the ones you invite into your home network.
Running intrusion protection MAY help against anything that gets past the firewall.
Running a honeypot with network blocking can add a layer of protection.
Encrypting traffic as much as possible may help, as will avoiding obsolete protocols that use unencrypted authentications.
Avoiding allowing software (or users) to use uncontrolled or automated authority escalation tools helps protect against errors or sabotage.
Rootkit detection and change detection can be useful.

Or you can just back everything important up with rotating generational backups and plan on reloading and restoring if things go south because of hacking, malware, hardware failures, or geothermonuclear war.

Most people learn all of that and decide it is too much to worry about, and pretty much ignore it all. I have fun with it.

You decide what your risk level is, what risk you are willing to allow, and adjust your security plan (including all of the above, none, or some different plan or tool I have not mentioned) as the owner of that risk.

BTW: I routinely put a small honeypot (AC or virtual machine running services that look vulnerable just to get people to attack it) and monitor the attacks on it. I load it from read-only media (Generally a mini-CD) so the attacks can succeed but a simple reboot puts it back to original state.
I automated a monitor of every connection to the honeypot, and transfer the connection information to my network firewall device for blacklisting. I also generate a report every day of the IP addresses added along with the WHOIS information I can scrape about them. Ten years ago I was blocking most of China and certain subnets in South America, Europe, and Russia. These days it is all of that, half of the Middle East, and dozens of threat subnets in North America, including some owned by my own ISP! Darned if I know what is going on or why, but it looks mostly like scripted network scanning of standard ports (a lot on port 22).
I do not recommend that level. If you do not find it fun, it could drive you crazy.
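
The monitor-and-blacklist loop described in post #3, as an added example that is not part of the original post and not the poster's own tooling. It parses constructed honeypot connection lines, skips allowlisted and already-blocked sources, and renders the firewall update plus a per-port hit count; the `SRC=`/`DPT=` log format, the /24 roll-up threshold, and the nft table and set names are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation address ranges); format is assumed.
SAMPLE_LOG = """\
2022-11-18T03:12:01Z SRC=203.0.113.7 DPT=22
2022-11-18T03:12:04Z SRC=203.0.113.7 DPT=22
2022-11-18T03:15:40Z SRC=203.0.113.19 DPT=23
2022-11-18T03:16:02Z SRC=203.0.113.200 DPT=22
2022-11-18T04:01:11Z SRC=198.51.100.5 DPT=22
2022-11-18T04:02:00Z SRC=192.0.2.10 DPT=22
2022-11-18T04:03:00Z SRC=999.1.1.1 DPT=22
garbage line without fields
""".splitlines()

LINE_RE = re.compile(r"SRC=(\S+) DPT=(\d+)")

def parse_line(line):
    """Return (IPv4Address, port), or None for malformed lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1)), int(m.group(2))
    except ValueError:  # e.g. 999.1.1.1 is not a valid address
        return None

def build_blocklist(lines, allow, known=(), subnet_threshold=3):
    """Aggregate honeypot hits into new block entries and per-port counts."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    known_nets = [ipaddress.ip_network(k) for k in known]
    ports, by_net = Counter(), defaultdict(set)
    for ip, port in filter(None, map(parse_line, lines)):
        if any(ip in n for n in allow_nets):
            continue  # never block our own admin or monitoring hosts
        ports[port] += 1
        if not any(ip in n for n in known_nets):
            by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    entries = []
    for net, hosts in sorted(by_net.items()):
        # Many distinct sources in one /24: block the subnet, else single hosts.
        if len(hosts) >= subnet_threshold:
            entries.append(str(net))
        else:
            entries.extend(str(h) for h in sorted(hosts))
    return entries, dict(ports)

def nft_command(entries, table="inet filter", set_name="honeypot_block"):
    """Render (not run) the update; names are hypothetical, set needs 'flags interval'."""
    if not entries:
        return ""
    return f"nft add element {table} {set_name} {{ {', '.join(entries)} }}"

if __name__ == "__main__":
    new, ports = build_blocklist(SAMPLE_LOG, allow=["192.0.2.0/24"])
    print(nft_command(new))
    print("hits per port:", ports)
```

Passing the previous day's entries as `known` keeps the daily report limited to newly seen sources.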
 
Old 11-19-2022, 12:22 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,359
Blog Entries: 3

Rep: Reputation: 3767
Quote:
Originally Posted by WhyLinux0
Also something that seems ignored is that Linux represents such a small % of overall individual users that the majority of bad actors are being smart and fishing the large pond of Win users, but should they ever use their talent to target Linux, I fear that many would find that Linux is not as 100% secure as they believe?
That canard is not ignored, it is just that it has been debunked again and again and again, going back decades. m$ boosters pretend not to hear and trot it out every few months. Notice that counting either by number of hardware devices or by number of services or by number of users, the majority of the world's servers are GNU/Linux and the servers are where the valuable resources, bandwidth and data, reside. Yet Windows is the domain of malware, especially ransomware.

The weak point on all desktop systems will be the steaming pile of legacy spaghetti code known as the web browser or the mess of X11. Yet, the underlying system design differences carry GNU/Linux far in regards to security. There are three reasons for that. One is a much more appropriate, modular design which has been oriented towards multiple concurrent users since day one. The other is quality workmanship, at least prior to systemd that is. The last is the theoretical foundation. Being Free Software, a subset of Open Source Software, is not magic. However, it is a necessary first step and that has been known all the way around since before the 1980s. Here's why that theory matters:

Reflections on trusting trust (1984)

and a followup:

Fully Countering Trusting Trust through Diverse Double-Compiling (2010)

However, if you're really worried, learn C and then run OpenBSD without X11. It has even better design and the most careful workmanship.

Last edited by Turbocapitalist; 11-19-2022 at 03:43 AM. Reason: grammar and spelling
 
1 members found this post helpful.
Old 11-19-2022, 04:58 AM   #5
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 22,041

Rep: Reputation: 7348
It is never the OS itself, but the maintainer (admin) who can secure the system and keep it secure.
Security is not a software, but an activity that should not be abandoned.
 
Old 11-19-2022, 03:38 PM   #6
WhyLinux0
Member
 
Registered: Apr 2022
Posts: 92

Original Poster
Rep: Reputation: 0
I would agree that the user is the key to privacy/security, but can't be all of it. We still have to use a browser, connect to the internet and wherever there is a financial incentive for people's data, someone will try to get it. So which browser is most aligned with the culture of Linux, which VPN and which add-ons/extensions/programs? Anonymity doesn't exist today in the daily driver category, but in the quest for privacy in a non-private world there have to be good options.
 
Old 11-19-2022, 05:47 PM   #7
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,153

Rep: Reputation: 4125
One of my favourite quotes (from last century no less) was from Scott McNealy:

"You have zero privacy anyway, get over it."

Basically all you're asking for is bandaids to fix the holes in the Titanic ...
 
Old 11-19-2022, 06:01 PM   #8
WhyLinux0
Member
 
Registered: Apr 2022
Posts: 92

Original Poster
Rep: Reputation: 0
You being from Australia, just about the worst privacy rules in the world, yeah, get over it. You have none there.
 
Old 11-19-2022, 06:31 PM   #9
Jan K.
Member
 
Registered: Apr 2019
Location: Esbjerg
Distribution: Windows 7...
Posts: 773

Rep: Reputation: 489
Try a search for "hardening linux"...

And there's a number of security auditing tools, my favorite is Lynis.


Microsoft and Linux are in the same boat when it comes to security. 99.9% boils down to user behaviour...


My weapon is backups. Can't have too many backups...
 
1 members found this post helpful.
Old 11-20-2022, 10:04 PM   #10
Ml9xLi6kvpVZ09r
LQ Newbie
 
Registered: Oct 2009
Posts: 9

Rep: Reputation: 1
I've been messing around with the Privacy Badger and uBlock Origin system installs as well as PortMaster, Privoxy and dnss.
I think they're worth looking into for desktop use privacy and security.
 
Old 11-20-2022, 11:54 PM   #11
WhyLinux0
Member
 
Registered: Apr 2022
Posts: 92

Original Poster
Rep: Reputation: 0
Yeah, they are some of the ones I heard of most often, but the Linux attitude is mostly that nothing can get to Linux, which falls under the stupid user category mentioned. Not everyone wants to run several distros but mainly just stay with one as a daily driver and make it as secure as possible. What no one on Linux ever mentions is metadata collection. Every site you visit is trying to get it. Linux users don't seem to understand that. Doesn't mean Linux is not safer than Windows, it is, but if you're on the internet and there is the incentive for someone to sell your data, they will. Ubuntu had a small issue years ago but it was more Ubuntu collecting your data and I don't think they were selling it so not the same thing. Many programs will show you who all is trying to get data on you on every site; no info that I can find says Linux protects you from that. I will look into the programs you mentioned, thanks.
 
Old 11-21-2022, 12:17 AM   #12
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 22,041

Rep: Reputation: 7348
Quote:
Originally Posted by WhyLinux0
Yeah, they are some of the ones I heard of most often, but the Linux attitude is mostly that nothing can get to Linux, which falls under the stupid user category mentioned. Not everyone wants to run several distros but mainly just stay with one as a daily driver and make it as secure as possible. What no one on Linux ever mentions is metadata collection. Every site you visit is trying to get it. Linux users don't seem to understand that. Doesn't mean Linux is not safer than Windows, it is, but if you're on the internet and there is the incentive for someone to sell your data, they will. Ubuntu had a small issue years ago but it was more Ubuntu collecting your data and I don't think they were selling it so not the same thing. Many programs will show you who all is trying to get data on you on every site; no info that I can find says Linux protects you from that. I will look into the programs you mentioned, thanks.
This is just wrong. Browser vulnerabilities are largely independent of the operating system itself (not to speak about the fact that you can install the same adblock and similar plugins).

Quote:
Originally Posted by WhyLinux0
Linux users don't seem to understand that.
And again, this is just nonsense. How do you know that?
 
Old 11-21-2022, 12:39 AM   #13
WhyLinux0
Member
 
Registered: Apr 2022
Posts: 92

Original Poster
Rep: Reputation: 0
Let's use the full quote for clarity: "What no one on Linux ever mentions is metadata collection. Every site you visit is trying to get it. Linux users don't seem to understand that." That is absolutely true on both counts.

If browser vulnerabilities are "largely independent of the operating system" as you say, how exactly do you connect to the internet?
 
Old 11-21-2022, 12:47 AM   #14
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 22,041

Rep: Reputation: 7348
Quote:
Originally Posted by WhyLinux0
Let's use the full quote for clarity: "What no one on Linux ever mentions is metadata collection. Every site you visit is trying to get it. Linux users don't seem to understand that." That is absolutely true on both counts.
How do you know that? It is still just wrong.
Quote:
Originally Posted by WhyLinux0
If browser vulnerabilities are "largely independent of the operating system" as you say, how exactly do you connect to the internet?
There are several different ways; currently it is a Mac, using a VPN. But sometimes I use Ubuntu or Debian, sometimes MS Windows. Not to speak about Android and other devices...
By the way, am I a Linux user and I don't understand that, or am I a Windows user and I understand that?
 
Old 11-21-2022, 01:20 AM   #15
WhyLinux0
Member
 
Registered: Apr 2022
Posts: 92

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by pan64
It is never the OS itself, but the maintainer (admin) who can secure the system and keep it secure.
Security is not a software, but an activity that should not be abandoned.
If you honestly believe that when you are connected to the internet and visit websites that no one is tracking your activities or collecting data about you...then you should follow your own advice above and simply not connect/browse as you will be the problem.

BTW: Loved Budapest.
 
  

