#Is Secureblue right for me?

Apologies for the length of this post. I did my best to make it succinct, however it's still too long for Discord, so the rest will be put in the first post.

Some background on me:

• A long-time GrapheneOS user, I noticed similarities between GOS and Secureblue, and I'm trying to avoid repeating early mistakes that compromised security unnecessarily.

• I've read Secureblue's documentation and this linked blog post from the FAQ (https://madaidans-insecurities.github.io/linux.html), and if these issues persist despite Secureblue's best efforts, I'm open to using Windows if it is a better option for me. Ideally this would not be the case.

• I also reviewed Qubes discussions on this server, but its reputation here as a "reasonably secure" project is unclear, leaving me uncertain about its suitability for my needs.

Here's my priority list, in order of importance. I'm trying to balance security needs with a limited budget that will remain constrained for a few years, limiting my ability to isolate tasks with separate devices:

1. Browsing the internet: I'm on board with hardened Chromium and official Tor Flatpak, and open to Mullvad Browser if recommended.

2. Local AI usage: I want to use AI for rewording online posts to avoid stylometry analysis (though I'm unsure about its effectiveness), keep my writing succinct, and as a starting point for research, with the following requirements:
   • Sandboxing with no internet access
   • I have a 3060TI, but Secureblue's resource usage is a concern
   • I'd like to explore any options for allowing extra leniency within a sandboxed environment, possibly by adjusting settings with ujust or finding an alternative solution

(cont'd below)

3. VPN usage: I'm using Proton VPN (chosen for its reputation and port forwarding capabilities) and want to torrent and achieve secure "split tunneling" with a setup that includes:
   • Three separate networks: main (behind Proton), dedicated IP VPN (not Proton), and one with my actual IP
   • The dedicated IP VPN and actual IP networks would be used for minimal internet browsing

4. Mining: I mine Monero to support the network, despite it being at a financial loss. I'm concerned that running it on Secureblue with default options might be too resource-intensive, so ideally I'd like to run it in a sandboxed environment with more lenient CPU permissions, but again I'm unsure if this is feasible regardless of the distro/OS.

5. Gnome extensions: I'm willing to forgo using them, as they're likely disabled by default for security reasons, similar to concerns about browser extensions.

6. Gaming: I'm not so concerned about gaming, as I rarely have time for it and usually play lightweight indie games; if needed, I could install Windows on a separate drive, but I'd prefer not to.

Thanks for any help or advice!

For 5) you can use them, you just have enable them via a ujust command

if these issues persist despite Secureblue's best efforts

some do, some dont

official Tor Flatpak, and open to Mullvad Browser if recommended.

Nothing firefox based is recommended, including tor browser

Secureblue's resource usage is a concern

what usage

5. Gnome extensions: I'm willing to forgo using them, as they're likely disabled by default for security reasons, similar to concerns about browser extensions.

many are available as rpm

Apologies for the delay, I'm often busy. I considered posting on Github, but wasn't sure if it qualified as an "issue", despite the formatting being a better fit there.

Regarding Gnome extensions:
@rancid lava @steel karma

I based my judgment on the FAQ (https://github.com/secureblue/secureblue/blob/live/docs/FAQ.md#how-do-i-install-software) and default settings. I'm hesitant to use OS-Tree for RPMs where it could be avoided, but will consider it if it's more secure. Avoiding Gnome extensions seems best, and since I only wanted to replicate Windows/KDE taskbar functionality, it's a low priority either way.

Regarding Linux's and Tor Browser's limitations
@steel karma

I looked for documentation on how Secureblue addresses the concerns mentioned in the blogpost, but may have missed it. I'm trying to better understand what Secureblue covers and how much it helps. Linux's inherent flaws, particularly the kernel, are a concern. Unlike Windows, which has had significant resources to address similar issues, Linux's support is lacking. I'm trying to avoid perfectionism, but it's frustrating to see the project's potential hindered by external factors. I value this project and hope it or something similar is the future.

About Tor Browser, I recall the SB team mentioning that while Firefox has issues, Tor compensates for them. However, upon reconsideration, I think I may have misinterpreted their comments, and it's likely that Tor can only address certain limitations, with some Firefox flaws remaining currently insurmountable unless they switch to a different browser base.

Regarding adversarial stylometry:
@fickle iris

I think adversarial stylometry is currently a challenge, especially for non-experts. I've been trying to come up with potential solutions for the average person, but I'm aware of my own limitations in this area.

I considered using a single popular offline model, like Llama, as a way to blend in with others who might use it for posting online, similar to the reasoning behind using Tor Browser. It is not clear to me that using different models would help in this endeavor. We're all waiting for a proper XAI solution, if it's even plausible, but in the meantime, I'm not sure what the best approach is.

These were the starting points for my solution:

https://www.whonix.org/wiki/Stylometry (with a focus on the AI Based Stylometry Defense section)
https://www.kicksecure.com/wiki/Artificial_intelligence
https://en.wikipedia.org/wiki/Explainable_artificial_intelligence

avoiding gnome extensions is best, but if you need them, use the rpm

I'm trying to better understand what Secureblue covers and how much it helps.

covered in the readme

while Firefox has issues, Tor compensates for them

No, Tor has the same issues as firefox

it's frustrating to see the project's potential hindered by external factors

secureblue's goal is to be the most hardened desktop linux system, not the most hardened desktop system

if the latter is your goal, secureblue is probably not right for you

you're better off with macos or chromeos in that case

if it's even plausible

if your goal is to "not be fingerprinted" or something along those lines, I'd say this is an exercise in futility

I think I've been severely misled by well-meaning people of varying competence in privacy circles. do you have any resources that better explain this? I have access to journal articles

better explain what?

what is your goal

and why

You need to explain that first, otherwise idk what I'm responding to 🙂

sorry, the futility of avoiding fingerprinting. this will shape how I look at all of the other factors I currently consider as important, as outlined in the OP @steel karma

The painful, painful truth. Though hopefully desktop mode GOS can take the crown with desktop mode providing chrome os level functionality in the future.

well start with, what is your goal in "avoiding fingerprinting"?

this is probably not the right place to ask, secureblue is a security project

I'm not understanding this response. I'm not asking for help in addressing all of the concerns relating to my goal. I spoke of my goal only in the context of explaining why online security is so important to me, and you had asked what my goal was.

what you described has little to do with security

@thick python None of the tasks you listed seem to be very sensitive. You would be fine with any up-to-date OS imo.

I don't think sharing my goal to this extent was helpful here, and it seems to be derailing the topic quite a bit. I'm not asking for advice on privacy concerns. I'm only asking for advice as it relates to online security, which directly relates to the OS/distro I choose.

you asked me to explain the futility of avoiding fingerprinting. fingerprinting has nothing to do with security, ergo it required an explanation from you to explain what you mean

if you don't want advice on privacy concerns, why did you ask about fingerprinting? 🙂

in any case, it seems like you're conflating terms. And "privacy" isn't even in scope for the project and is actively out of scope, as called out in the readme:

Anything that sacrifices security for "privacy". Fedora is already sufficiently private and "privacy" often serves as a euphemism for security theater. This is especially true when at odds with improving security.

Desktop operating systems have many security issues, as I'm sure you know. Anything sensitive can and should be done on your GOS device, which would make desktop security less relevant.

Also: choosing a distribution like secureblue does not lock you into that choice. You can try it out and later rebase to something else without data loss.

sharing information like this online is unwise, please be more careful

tEchNicAllY secureblue isn't a distro 😛

https://tenor.com/view/nerd-well-actually-as-a-matter-of-fact-gif-27665011

what do you call it?

image

right

I see that three weeks ago, one of the moderators here thought fingerprinting should be in scope: https://github.com/secureblue/hardened-chromium/issues/105

I'm not sure why I am being expected to know something that a moderator here didn't up until recently. I did not see any documentation concerning fingerprinting being out of scope, which I may have missed. Additionally, you responded to the concern about fingerprinting, which is why I asked about it - at the time I assumed it was in scope.

Consider the fingerprinting topic dropped then! It doesn't bother me either way, I can do my own research.

Errrm ackchuallee 🤓

no, you're misreading Hooly's comment. It's pretty explicit:

Many of the changes in Hardened Chromium are site-visible and can be used for fingerprinting and reducing this fact is not a goal of the project.

@shut jasper explicitly said the opposite of what you interpreted

I assumed it was in scope.

No, anti-fingerprinting is largely snakeoil.

if hardened-chromium changes are the same for every secureblue user, it doesn't really impact fingerprinting apart from identifying secureblue users as such

im gonna close this post since it's not related to secureblue 🙂

I did misinterpret Hooly's comment. And no worries, do what you feel is best.