To quote the GrapheneOS developer account on the GOS forum (likely logged into by Daniel Micay for this post):
I cannot reply there, nor can anyone else with an opposing viewpoint, because I am presumably unwelcome due to disagreements on highly technical issues, primarily, I guess, the following disagreements:
- Mobile Operating System Comparison, chapter GrapheneOS
- discussion: Overview of Mobile Projects - That focus on either/and/or security, privacy, anonymity, source-available, Freedom Software. - News - Whonix Forum
The person who was working on most of it stopped contributing
That might suggest there was some kind of fallout with the contributor; however, this was not the case.
Since no references are given, I guess this is referring to madaidan. However, unfortunately madaidan is MIA (missing in action).
misinformation
All disagreements are being mis-characterized as “misinformation”.
trying to interfere with actual hardening efforts and spreading misinformation about projects like hardened_malloc
to discourage people from using them.
For context, the wiki page Hardened Malloc uses the wiki keyword __NOINDEX__. To quote Wikipedia:
The noindex value of an HTML robots meta tag requests that automated Internet bots avoid indexing a web page.
This is done deliberately to prevent the page from appearing in Google and other search engine results. The intention is to minimize drama. Discussion about hardened malloc is not a core activity of the project. Those interested in Kicksecure’s development and integration perspective can find the details; otherwise, the topic is considered sufficiently addressed.
Since the topic was raised again, it seems important to clarify the following.
The term “misinformation” appears to reference, though not directly cited, the wiki chapter Deprecation in Kicksecure (from the noindexed page).
Here is what may be the relevant controversial statement:
Unclear Benefit: See chapter Tickets and Discussions. Whenever it has been suggested to other projects to port to Hardened Malloc (HM), it did not get favorable reviews from other developers.
What is written there:
- chromium feature request: consider using hardened malloc
  - No favorable review by Chromium developers.
  - This is probably made unnecessary by the PartitionAlloc work, which contains similar security features. See https://source.chromium.org/chromium/chromium/src/+/main:base/allocator/partition_allocator/PartitionAlloc.md.
- tor-dev mailing list: TBB Memory Allocator choice fingerprint implications
  - tor-dev mailing list thread TBB Memory Allocator choice fingerprint implication
  - The thread did not go well.
- Tor Browser feature request: consider using Hardened Malloc for better security in TBB - got closed, probably due to the outcome of the above mailing list discussion.
- glibc feature request: consider using Hardened Malloc
This material consists primarily of public links and documented developer feedback. If there are any factual inaccuracies, clarification would be welcome.
Only two distributions, to the best of current knowledge, use Hardened Malloc by default: GrapheneOS and secureblue. As such, Kicksecure has not adopted it yet. That position could change with broader adoption, more positive reviews from independent experts, and availability in Debian.
Neither Kicksecure nor Whonix is trustworthy
This is a subjective judgment.
Related: Placing Trust in Kicksecure
Kicksecure doesn’t do useful work and is harming people.
“harming people”: Such a serious accusation should be supported with clear, objective evidence. Disagreement on complex technical matters alone does not constitute harm.
“no useful work”: Such a conclusion appears dismissive. A single example, security-misc by Kicksecure, demonstrates active technical contributions. A broader and more constructive critique would be more helpful to the community.
If you actually read the documentation for the different projects, you will notice a stark difference in attitude: Kicksecure reads like the developer is confident in what he is offering.
Confidence is a subjective judgment.
Is confidence inherently negative? Some users value confidence; others may prefer more tentative language. Across the Kicksecure documentation, phrases such as “might”, “could be”, and “probably” are used frequently. This could be interpreted as cautious (a positive trait) or uncertain (a negative one), depending on perspective.
Security researchers often refer to themselves as such rather than as “security experts,” due to the high scrutiny in the field. Labels like “expert” can be seen as presumptuous or as justified, again depending on interpretation.
Throughout the Kicksecure documentation a high frequency of words such as “might”, “could be”, “probably” can be observed. This could be labeled “unconfident” (negative label) or “cautious” (positive label).
An example of a write-up being very unconfident in computer security: About Computer (In)Security
To quote the Kicksecure Features page: “Linux is highly reliable and secure. It is Open Source and freedom paradigm sets it apart from other OS. That’s why Kicksecure is based on Linux.” What is this, 2012? We know Linux has nothing going for it EXCEPT it’s open source. This is just a fact, and for Kicksecure to have such outdated propaganda on their website should be an obvious red flag for anyone who knows anything about operating system security.
Conversely, Kicksecure’s feature page is bloated with unnecessary graphics and side scrolling,
Compared to what? Got any alternative? Qubes, Xen? OK, but that’s not an “either/or”; it can be “and”.
The homepage is primarily targeted at visitors who’ve never heard (much) of Linux, i.e. Windows users. How the homepage should look can be a highly opinionated matter. For example, the original poster in Is graphene os a little to intimidating? - GrapheneOS Discussion Forum was arguing for making the GrapheneOS homepage look more like the Whonix homepage.
Much more technical write-ups can be found in the wiki.
secureblue, on the other hand, bases itself on Fedora Atomic and Core for sane updates and a better beginning point.
Immutable has advantages and disadvantages.
(it’s lagging decades behind macOS and Windows at this point)
Windows and macOS are not even in the same category:
- Non-freedom software → Avoid Non-Freedom Software
- Microsoft Windows Hosts
- macOS Hosts
listed in an easy-to-read format here: Features | secureblue
A less graphical, more textual, more summarized security feature overview is available here:
the vast majority of Kicksecure’s improvements are simple configuration choices
It is unclear how that could be objectively quantified.
the vast majority of Kicksecure’s improvements are simple configuration choices the same of which have been made by the secureblue Devs.
Some of the configuration choices have been copied over from Kicksecure to secureblue. To quote Comparison of secureblue with Kicksecure and Development Notes:
The secureblue /etc/sysctl.d/hardening.conf file, as of commit a6b58f042b0e9e9036a6d68a5b202eed96a1a892, was inspired by, or more or less copied and pasted from, Kicksecure, as can be seen from the following comment found in that file.
```
## Prevent kernel info leaks in console during boot.
## https://phabricator.whonix.org/T950
kernel.printk = 3 3 3 3
```
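As an added example (not code from Kicksecure, secureblue or the wiki page quoted above), the following parses a sysctl.d fragment constructed from the lines above, decodes the four kernel.printk fields, and checks whether the console loglevel is low enough to keep boot-time kernel messages off the console; it also reads the live value from /proc so the configured and running settings can be compared. Field names follow the kernel's sysctl documentation; the sample text is constructed here.

```python
# Added example (not Kicksecure or secureblue code): parse a sysctl.d fragment
# and decode kernel.printk; field names follow Documentation/admin-guide/sysctl/kernel.rst.
from pathlib import Path

# Constructed sample built from the hardening.conf lines quoted on the page.
SAMPLE_CONF = """\
## Prevent kernel info leaks in console during boot.
## https://phabricator.whonix.org/T950
kernel.printk = 3 3 3 3
"""
PRINTK_FIELDS = ("console_loglevel", "default_message_loglevel",
                 "minimum_console_loglevel", "default_console_loglevel")
# Log levels 0..7 from <linux/kern_levels.h>; lower number = higher severity.
LEVEL_NAMES = ("KERN_EMERG", "KERN_ALERT", "KERN_CRIT", "KERN_ERR",
               "KERN_WARNING", "KERN_NOTICE", "KERN_INFO", "KERN_DEBUG")

def parse_sysctl_conf(text):
    """Return {key: value} for a sysctl.d-style file; '#' and ';' start comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def parse_printk(value):
    """Split a kernel.printk value into its four named integer fields."""
    parts = value.split()
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected four integers in kernel.printk, got {value!r}")
    return dict(zip(PRINTK_FIELDS, map(int, parts)))

def console_visible_levels(printk):
    """Names of levels printed to the console: those numerically below console_loglevel."""
    return LEVEL_NAMES[:printk["console_loglevel"]]

def check_console_leak(text):
    """True if the fragment keeps KERN_ERR and noisier levels off the console."""
    printk = parse_printk(parse_sysctl_conf(text)["kernel.printk"])
    return printk["console_loglevel"] <= 3

def running_printk():
    """Live value from /proc for comparison with the config (None off Linux)."""
    p = Path("/proc/sys/kernel/printk")
    return parse_printk(p.read_text()) if p.exists() else None
```

Calling `check_console_leak(SAMPLE_CONF)` returns True for the quoted fragment, while a typical default such as `4 4 1 7` returns False because KERN_ERR messages still reach the console.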
verified by a chain of trust starting in the BIOS, preferably Secure Boot with custom keys.
You might like the upcoming Sovereign Boot.
A vendor-neutral mechanism to allow operating systems and users to adopt UEFI Secure Boot without relying on Microsoft’s Secure Boot key.
Sovereign Boot Provisioning Wizard is a UEFI application designed to guide end users through the provisioning of UEFI Secure Boot. The objective is to offer a user-controllable mechanism for managing platform trust relationships and establishing UEFI Secure Boot infrastructure, with a primary focus on transparency, informed consent, and usability.
Unlike traditional firmware interfaces, which expose UEFI Secure Boot as a collection of loosely connected toggleable settings and unmanaged certificate stores, this application presents a coherent, wizard-like experience. Its purpose is to make the process of reviewing and enrolling platform keys intuitive for users who are not security experts.
References:
- GitHub - 3mdeb/verified-boot
- Sovereign Boot Provisioning Wizard - Dasharo Universe
- https://www.youtube.com/watch?v=sCohCVvcp7E
- more updates will probably be posted by 3mdeb / Dasharo
- I’ll also post more updates here as they become available: Verified Boot - Development Discussion - Development - Kicksecure Forums
- An app sandbox (FlatPak)
Flatpak / Flathub has many issues:
- Flathub Package Sources Security
- Flatpak Breaking the Native Sandbox of Applications
- When Flatpak’s Sandbox Cracks: Real‑Life Security Issues Beyond the Ideal | Linux Journal
Such a web browser seems like a very basic requirement for any distribution that calls itself security and privacy focused: to at the very least not call home. Yet Kicksecure ships Firefox. They talk at length on their wiki about how bad of a choice that is, but haven’t done anything about it.
- Coming soon: Browser Choice
- related: Is Firefox really an appropriate default browser for Qubes?
No, removing sudo isn’t doing something; all your sensitive data is still accessible, as is privacy-sensitive hardware like webcams, without any root rights.
- Rationale for Protecting the Root Account
- Strong Linux User Account Isolation
- Quoting myself from Qubes vm-sudo documentation write-up against sudo passwords inside App Qubes outdated · Issue #8823 · QubesOS/qubes-issues · GitHub
The security of non-root enforcement generally
It’s futile to argue that non-root enforcement cannot improve the security of the system (in case of Qubes, of an App Qube).
Non-root enforcement is the industry standard for Android [1], iOS and any locked down Linux based operating system.