Category Archives: linux

Hardening Debian for the Desktop Using Grsecurity

I recently built a desktop system that I think is reasonably secure. It’s running Debian sid, also known as “unstable” — though in the Debian desktop world that just means you get to use the newest software. It’s just about as stable as “stable”, and besides, #yolo. It’s also running a grsecurity-patched Linux kernel and PaX, technologies that make Linux way more secure. Grsecurity protects you against memory corruption attacks, such as buffer overflows.

Last October I traveled to Moscow and interviewed Edward Snowden. Here’s one of the things he told me:

“Something that we haven’t seen that we need to see is a greater hardening of the overall kernels of every operating system through things like grsecurity, but unfortunately there’s a big usability gap between the capabilities that are out there, that are possible, and what is attainable for the average user.”

Since I just set up Debian with a grsec kernel, I figured I’d write a tutorial for how to do it. It’s still a long way before the average user can take advantage of this stuff – it breaks everything, and the user needs to learn how to diagnose and fix it themselves – but I think that it’s well within the capabilities of Linux nerds who are comfortable using a terminal. You can probably also follow along no matter what Linux distribution you’re using. Also, I’m fairly new to grsecurity myself, so if you have tips or suggestions, or if I got something wrong, please post in the comments.

Continue reading

Why I say Linux instead of GNU/Linux

I’ve been writing a computer security column for the Intercept. In most of my columns I mention Linux. Even when it’s not directly relevant (though it often is), most of my columns are in the form of tutorials, and I’d like my tutorials to be equally useful for Linux users as they are for Windows and Mac users.

For one thing, I love free and open source software. These projects are critical for security, privacy, and for the ability to tinker with and learn about your own computer. As the number of people who run free (as in speech) operating systems rise, so will the development resources that get poured into those operating systems until they “just work” at least as well as Windows and OS X do, so I talk about them every chance I get. Many of my readers already run free operating systems, and I would hate to leave them out.

After writing a column about how to communicate in secret while we’re all being watched, I got an email from Richard Stallman saying when I say Linux I clearly mean the GNU system, and he asked that I start referring to Linux distributions as GNU/Linux “so as to give us equal mention when you talk about our work.” And after writing my most recent column about how VMs can be used for isolation security, Stallman wrote a comment again saying that I mean “GNU and Linux” and asking that I give GNU equal mention. This is a really common point of view (though not at all a consensus) in the free software community, and one that I shared for a long time. But I’ve come to change my mind.

Continue reading

Dual-booting Qubes and Ubuntu with Encrypted Disks

Qubes is my preferred operating system, but occasionally you need to run something else. It’s hard to get certain hardware working the way you expect in Qubes, like webcams or non-disk USB devices. And Qubes VMs don’t support 3D acceleration, which you might occasionally need. You also can’t run VirtualBox inside of Qubes. You normally don’t have any reason to do this, except for very specific cases, like software development with Vagrant.

So here are instructions for how to dual-boot Qubes R2 rc1 and Ubuntu 14.04 LTS, using disk encryption for both. You should be able to adopt this same technique to dual-boot pretty much any two GNU/Linux distros with disk encryption. Keep in mind that if you’re booted into Ubuntu and you get owned, it’s possible for the attacker to then compromise Qubes. (You have to get really, really, really owned for an attacker who compromised Qubes to then compromise Ubuntu.)

Continue reading

The Operating System That Can Protect You Even if You Get Hacked

This was originally published on the Freedom of the Press Foundation’s blog.

We wrote about the importance of the Tails operating system to all of the NSA journalists last week, but there’s also another little-known operating system that journalists should consider using if they find themselves in high-risk scenarios. It’s called Qubes.

I’ve only been using Qubes for a few weeks, but I feel like my operating system is now a digital fortress. Let me try to explain why, and how Qubes differs from Tails.

Qubes’ design is based off an important law of software: all programs contain bugs. Some of these are security vulnerabilities. Your computer can get hacked by viewing a Flash video or using javascript in your web browser: this is likely how NSA’s QUANTUM/FOXACID programs hack people. Your computer could also get hacked by opening a PDF, or a Microsoft Word or LibreOffice document, or just by viewing a JPG or GIF.

If any piece of software gets compromised, your whole computer is compromised. The attacker can look at your files, log your keystrokes, take screenshots, steal your encryption keys, and read the emails that you type before you even have a chance to encrypt them.

Continue reading

Ubuntu is finally taking privacy seriously

Update: A couple people have pointed out that the privacy changes won’t actually take affect in 14.04, which means that fixubuntu.com will still be necessary until at least 14.10, which will be released in October. Oops.

In October 2012, Canonical made a horrible mistake. They included a “feature” in Ubuntu 12.10 that has been widely considered adware and spyware. I blogged about the new Ubuntu’s Amazon ads and data leaks for EFF at the time, with the main ask being that Dash’s online search should be an opt-in feature and not enabled by default.

Continue reading

People Seem to Care About Why I Switched from Ubuntu to Debian

About a month ago I decided to rent a $16/month VPS from Gandi, hosted in Paris, that I’ve been using to run a fast Tor exit node called gollum. I wanted to tunnel my Thunderbird, Pidgin, and IRC traffic through gollum as well, but realized that that wasn’t a good idea. Tor recommends that you don’t mix personal traffic with exit traffic, not to mention freenode and other IRC networks block Tor exits.

Continue reading

Why I’m Leaving Ubuntu for Debian

I decided to switch to Debian.

I’ve been using Ubuntu as my primary operating system since 2005. Back then it was truly amazing. Before I started using Ubuntu I tried out Red Hat, Mandrake (and later Mandriva), Slackware, Gentoo, and even Debian. In all of them, something didn’t work. Usually it was wifi, but sometimes it was audio or video, or weird X config problems. But when I switched to Ubuntu, all of that went away. Rather than being frusturated that I was still a Linux noob and couldn’t even connect to the internet, Ubuntu helped me get past the initial barriers so I could really dive in. I’m eternally grateful to Ubuntu for this, and I’m very impressed at how successful they’ve has been at fixing bug #1 (though there’s still a long way to go).

However, a lot of Ubuntu’s recent decisions have been turning me off. It started a couple years ago when they changed the default desktop environment from GNOME to Unity. I had played with Unity when it was called “Ubuntu Netbook Remix” and I thought it was a fun toy, and might be easier to use on a touchscreen device than GNOME. But they made it the default before it was ready. Still, I saw where they were going with it and respected them for being so ambitious.

Continue reading