APPS & TOOLS to improve LINUX PRIVACY & SECURITY
Ғылым және технология
Get 100$ credit for your own Linux and gaming server: www.linode.com/linuxexperiment
Grab a brand new laptop or desktop running Linux: www.tuxedocomputers.com/en#linux
👏 SUPPORT THE CHANNEL:
Get access to a weekly podcast, vote on the next topics I cover, and get your name in the credits:
KZread: www.youtube.com/@thelinuxexp/...
Patreon: / thelinuxexperiment
Liberapay: liberapay.com/TheLinuxExperim...
Or, you can donate whatever you want: paypal.me/thelinuxexp
👕 GET TLE MERCH
Support the channel AND get cool new gear: the-linux-experiment.creator-...
🎙️ LINUX AND OPEN SOURCE NEWS PODCAST:
Listen to the latest Linux and open source news, with more in depth coverage, and ad-free! podcast.thelinuxexp.com
🏆 FOLLOW ME ELSEWHERE:
Website: thelinuxexp.com
Mastodon: mastodon.social/web/@thelinuxEXP
Pixelfed: pixelfed.social/TLENick
Twitter : / thelinuxexp
PeerTube: tilvids.com/c/thelinuxexperim...
This video is distributed under the Creative Commons Share Alike license.
#linux #privacy #security
00:00 Intro
00:31 Sponsor: 100$ Free credit for your Linux or Gaming server
01:31 Encrypt your system or specific folders
03:36 Anti-virus
05:23 Sandboxing and application permissions
07:28 Web monitoring and blocking, & VPNs
10:08 Portable private Operating system
11:08 Web browsers & search engines
12:58 Other tools
14:40 Sponsor: Get a PC that runs Linux perfectly, from Tuxedo
15:37 Support the channel
A lot of Linux distributions will offer to encrypt your hard drive when you install them. Ubuntu, PopOS, elementary OS, and a lot more, they all have this option. If you didn't enable encryption when installing your system, you can encrypt your home folder or partition after the fact using ecrypt-utils, a command line utility.
ENCRYPTION TUTORIAL: jumpcloud.com/blog/how-to-enc...
KDE has something called Plasma Vaults, that lets you create encrypted folders with a nice graphical interface, with the ability to set different passwords for each folder.
You probably also have an anti virus, your best option will be ClamAV (and ClamTK, it's graphical interface). it detects trojans, viruses, malware and the like, it's open source, and it's completely free of charge.
But if you want to restrict permissions for Flatpak apps, then you need Flatseal. It's an application that will list all your flatpak apps and let you grant, or remove permissions to them.
If you want the benefits of a sandbox but without using Flatpak apps, you can also run any app installed from a regular package or an AppImage in a sandbox, using Firejail, and Firetools, its graphical interface.
If what you want is to make sure that the apps or services you run don't do anything weird with your internet connection, then there's Safing's Portmaster. It's open source, free of charge, and it lets you monitor every network request every part of your system makes, and restrict them as you see fit. Oh, and it also has a system wide ad and tracker blocker.
VPNs are a tool you can use to be more private online. I don't have any specific recommendations, but you can check the link I left in the description to TechLore's VPN chart to find one that is suitably private: techlore.tech/vpn.html
If you regularly use public computers, or someone else's, you might want to use TAILS, a live USB, but with persistent storage that is encrypted.
Your web browser will also be a big part of how private you are on the internet. If you prefer to stick to Chrome's rendering engine, then something like Brave will be way less intrusive and well configured by default, and if you don't want to encourage Google's monopoly on the internet, then Firefox is also very private, once you disable the opt-out telemetry in the Privacy and Security settings.
You also have LibreWolf, which is Firefox without the telemetry and with privacy focused search engines out of the box.
Speaking of which, your search engine is also something you should look at for privacy. Google or Bing are just NOT what you want for that. I personally use Ecosia as my default search engine. When Ecosia falls short, I use startpage, which is basically Google's results, but with complete anonymization of all queries, so Google doesn't know who or from where the query has been made.
VIDEO ON SEARCH ENGINES: • BYE DUCK DUCK GO, here...
Bleachbit will let you delete cache files, cookies, internet history, temporary files, logs and more.
If you want to just completely delete any single file, then there's GNOME File Shredder.
If you need to share certain images but hide some information on it, blurring it with a gaussian blur isn't enough, as it's now relatively easy to deblur an image. Obfuscate is a simple tool that lets you hide information.
Пікірлер: 233
Get 100$ credit for your own Linux and gaming server: www.linode.com/linuxexperiment
Librewolf does more than just changing your default search engine. They change the config files. Canvas resizing for example changes the size of your screen. Really needed if you have a screen with a resolution that's not common. I'm not sure but I think they also report that you are on windows by default. Anyways, those are all things that Firefox can do because librewolf is just Firefox but it would take forever to make those edits.
I'm usually paranoid when it comes to privacy and security, but that's one thing I forgot to do is encrypt my hard drive.
@TheLinuxEXP
Жыл бұрын
I always forget about it too!
@Agryphos
Жыл бұрын
I honestly skipped it on my latest install because my luks mapper broke suddenly on my last install for some mysterious reason 😅
@goku445
Жыл бұрын
Everyone should be. Our freedom depends on it.
@RogueRen
Жыл бұрын
I have my laptop encrypted but not my desktop, mainly due to the fact that it would take SIGNIFICANTLY more effort to get to my desktop's drives than just snagging my laptop in public
@SIMULATAN
Жыл бұрын
Same, but then again I use arch btw and fear that I'll have to do some system maintenance from a chroot and need to mount the FS externally
I feel like as a community, we need to talk more about tools like Selinux. I know it's not the sexiest thing to talk about but there is a lot of power and extensibility. I think the part that keeps most folks away is the learning curve.
@DrewTNaylor
Жыл бұрын
@i2Sage SELinux is "Security Enhanced Linux". I don't know much about it aside from it being good for security, but from a quick glance at the results of the iOS "Look Up" feature's Wikipedia result, it does appear to be similar (but a little different I think), if not perhaps more powerful due to being able to be fine-grained.
@MrGamelover23
Жыл бұрын
It's probably the fact that Linux arguably has no real security model to speak of. It doesn't need one, because nobody's making viruses for stock Linux and anyone who uses it for mission critical stuff gets it hardened. But it isn't hardened by default. At least that's what I've heard people say.
@TActually
Жыл бұрын
@i2Sage Android, in and of itself, is a sandboxed and customized version of Linux. SELINUX (security enhanced Linux) is a Framework that provides advanced sandboxing capabilities for standard Linux OSes. There are other Sandboxing tools for Linux like Firejail and AppArmor. FireJail would probably be the most Safety Net like of the bunch.
Again, you always have at least one or 2 programs in these things that I've never heard of, but are super useful. Thanks
@TheLinuxEXP
Жыл бұрын
Thanks, glad it helped!
something that's worth mentioning if you've got a laptop is usbguard. Prevents usb devices from functioning until you manually whitelist them. Fantastic if you're in an environment where you're required to move around (you'd also ideally be able to lock your laptop, but when you're presenting that's not always possible). Great for universities and schools!
For the record: Portmaster's SPN and Tor may share some properties, they are definitely quite different Specifically: With Tor you usually use the same chain for each request (within the same Tor-connection), and the chain is longer than 2, with SPN (as I understand it) you use different routes per request, but always with a 'chain' of just 2
@beardlyinteresting
Жыл бұрын
The chain is somewhat cusomisable, if I recall correctly you have a toggle for speed/security/middle
Long term the solution for most convenient encryption is homed (from systemd). You can store and encrypt your whole home directory per user inside a file. This file can be moved between devices but only accessed with the users password. The advantage is that it supports using the password from login to decrypt during login. So you don't need multiple passwords on boot/startup. Also this makes a lot of sense for multi-user setups which would weaken a LUKS partition with one password to share.
Thank you Nick 💜💜💜 Please do a video where the default security apps are configured such as AppArmor, UFW and SELinux 🙏🙏🙏
@TheLinuxEXP
Жыл бұрын
I might do a guide on hardening Linux later!
@veterantruthtube3298
Жыл бұрын
@@TheLinuxEXP oh please do
Nice video. My suggestions: 1) The biggest security tool (after knowledge and caution 😉) is selinux in enforcing mode, and I think it is not mentioned here. 2) Update everything often. I do it every day with one click. 3) Don't install software from not trusted sources. 4) Don't give your user the permission to run software as "root", unless you know what you are doing. Become root instead, when needed. 5) 05:20 "virus ... can access your linux system entirely". That's not exact. They can access what the user which runs it can access. Therefore nothing that can be accessed only by another user, be it "root" or another. It is also noteworthy that a malware which targets Windows, has no effect on linux. To have effect, it should be a malware which runs via wine *and* it targets linux.
Wine works so well, it will even run windows viruses.
Great video. I really love privacy and security content. You present the tools in a way everyone can understand. Thanks.
@TheLinuxEXP
Жыл бұрын
Glad you like the video!
Thanks for putting together this list. Looking forward to looking through some of these tools.
Nice collection. Thanks for creating this one.
As we grow, this will be a more and more important topic. Tnx, mate. Infotained as usual.
1:41😂😂 The cat is pawsome!😊🐈
Always have been a big fan of AV solutions that capture viruses on the fly rather then by doing scans.
Was literally just about to look into Linux security. What timing!
@TheLinuxEXP
Жыл бұрын
Excellent!
Great video, Nick!
Another great video and some useful tools/apps in my journey through linux!
Super useful information. Thank you. I will try many of them.
Super content, i was looking for such programs
Very good and needed video....thanks
now THAT is a great browser recommendation segment! Told everyone about the tracking, explained a proper chromium alternative BUT also mention the monopoly of google.
Great video as always Nick
I really like this video as the one about your workspace with Fedora. Always interesting to see how we can improve how we use Linux. Thanks a lot for sharing.
@TheLinuxEXP
Жыл бұрын
Glad it was helpful!
The issue with opt in telemetry is that it provides a very distorted view of user behavior. Only people who check the settings and want telemetry will turn it on. That's such a small and restricted sample. It's much more important what is shared than if it is shared by default or not.
@leeo17
Жыл бұрын
@@hello-iw9pdi missed the part where he talked about not giving the users choice
@NikolasHonnef
Жыл бұрын
@hello Opt-out is still a choice, no? I think FF does this very well, if you consider that opt-in heavily reduces the usefulness of the collected data. They tell you very prominently that they are collecting some data, and where to turn it off.
@turun_ambartanen
Жыл бұрын
@hello No? How did you read that from my comment? I'm just saying that if you want to get high quality telemetry data your average user must have telemetry turned on. This is neither a case for telemetry, nor one against it. It's simply a fact. Your average user won't fiddle with the settings. Even without any telemetry you can still improve your product - based on Github Issues and angry mails sent your way - but that simply won't reflect the usage patterns of your average user.
At 10:09 VPNs.... He should have mentioned that VPN users should check the legality of using a VPN in their area. Currently, vpns illegal in Russia, Iran, China, last I heard India. Pakistan, Vietnam, and Thailand might also have restrictions on them. Since China and India combined has nearly 40% human population, there is a significant number of people that cannot use them....
@Tofu3435
11 ай бұрын
In china using vpn is legal just selling vpn is not. Because vpn is necessary for foreigner companies to work in china and for a lot of students... Yeah the Chinese government don't like people to use foreigner websites but it is not illegal in china of someone using it after someone got vpn access outside china.
@montecorbit8280
11 ай бұрын
@@Tofu3435 That is a loophole that I did not know of....
These types of videos are super helpful I always learn something new even if I knew some of these apps. Thanks!
Thanks Nick, for another great video!
Really like this video! Thanks!
USBguard is an extra security step, if you can handle the annoyance.
This info is incredible. My respects. Thank you.
Super interesting, thanks !
Thanks, a very helpful intro!
Thanks for the brilliant video Nick. Contemplating on moving back to Linux after a hiatus of many years (because of being forced into using Windows in the corporate environment). Found several new tools that I didn't know existed, Portmaster being one! You've got a new subscriber!
As I begin my Linux journey, this channel has been invaluable! I’m glad I found it
Useful, thank you!
Great tips for Linux users! Thank you very much 💪🏻
Nice one, thanks!
Very very cool i will definitely try them
Note that shred isn't effective on SSD like it is on mechanical hard drives.
@loc4725
Жыл бұрын
It'll wear it out. Better option is often the SSD's inbuilt "secure erase" facility, assuming your BIOS allows it or just *one* pass with: dd if=/dev/urandom of=/dev/your_ssd bs=4096k conv=fdatasync Followed by mkfs & fstrim.
@deloller2452
Жыл бұрын
What's the alternative?
@goku445
Жыл бұрын
@@loc4725 Yeah but it reduces your device's lifespan and more importantly it is very unpractical as you need to erase the WHOLE disk even if you wanted to destroy one file.
@goku445
Жыл бұрын
@@deloller2452 Full encryption. There is no alternative that I know of.
@loc4725
Жыл бұрын
@@goku445 Well deleting one file on an SSD will usually just cause those pages to be marked 'free' with the hope that they will later be purged by a subsequent trim() operation. They are still there and in theory could still be recovered. That said encrypting the drive works but but you _cannot_ just wipe the key; like the above the page containing it will remain until trimmed. To ensure and proper ease you'd have to either write so much data to the device that it runs out of spare pages and forces it to a trim or use the _secure erase_ feature (BIOS permitting), which hopefully will only erase the dirty pages.
Thanks!
I love full disk encryption but god damn it's so hard to troubleshoot a Linux install when the drive is encrypted; if only somebody could make it easier... 😅
good video buddy - thx
Thanks Man 💓
Merci!
Lol, "It won't shout at you in the middle of the night it's updated" ... I sense some Avast trauma's there XD
@TheLinuxEXP
Жыл бұрын
Oh yeah 😂
I've been using Zorinn for a half a year, and it's been great. The district on the website is old enough, but it updates the system regularly. I would revise that decision of yours
Hello, first a big thank you for your videos! really informative and useful. I have installed portmaster and find it very good, my question which is probably a stupid one is do I keep GUFW firewall now or remove it. Regards Phil
Wow, this is a great of apps. I didn't even know some of these existed.
This channel is a goldmine!
As always writing a comment to support the channel
It would be cool to see you review a Framework laptop, as they're basically open source hardware, so I would assume they're very compatible with Linux, but it would be nice to have confirmation.
@ars7374
Жыл бұрын
As a Framework owner I can say it’s generally a good experience. Only problem is that its screen is very high res , which means fractional scaling is preferred for an optimal experience, but on GNOME you’ll either have to deal with screen tearing or blurry XWayland apps. I personally wouldn’t recommend it if you use GNOME, but if you’re more of a KDE or WM person, it’ll work great.
@praetorxyn
Жыл бұрын
@@ars7374 I had a similar experience with an old ThinkPad W550S back in 2015 or 2016, and ended up selling it to buy a MacBook hoping I’d have less issues. I prefer KDE but they really ought to fix that, fractional scaling is such a basic thing.
I enjoy your videos Nick, which cover really useful stuff. Having just had a warranty anulled on my HP for having installed exotic software, (i.e. Linux), I am wondering whether it will soon be necessary to tux up. Geekom assure me that they are not Linux-phobic. For portmaster on Fedora, it is necessary to make it play nice with Selinux I do a cron job system update that runs every time I turn on. Will definitely be exploring these tools you mention.
Thank you for your video! What do you think about Self Encrypted Drives (SED)?
Plasma by now comes with something like flatseal... if the used distro has updated packages. My issue with flatseal is mainly that for a normal user, various descriptions just make downright no sense. Otherwise your list is great, Nick!
@softwarelivre2389
Жыл бұрын
True. But it bears reminding that elementaryOS had something like than even before Flatseal got famous.
This video was really helpful! Any suggestions for software/tools which can backup and rollback Linux if needed? Thank you.
@TheLinuxEXP
Жыл бұрын
Time shift!
For max privacy you have to use a new device that has never had its ID seen on the internet with any assocation to you.
Ah a fellow Ecosia enjoyer I see ^_^
also i would say replace librewolf for the mullvad browers it is like the tor browser without tor
Instead of firejail or firetools, I'd recommend bwrap. It's command line and it's what flatpak uses underneath.
Can I add usbguard (and usbguard-notifier) to the list? It protects you from sneaky malware filled USB drives or other Bad USB devices slipped into your ports. A must have for anyone who works for a company that may be actively targeted for hacks (banks, infra, govt, etc)
What about enabling firewall with gufw?
Must see video
Can someone go into more detail about blurring being easy to unblur?
@TheLinuxEXP
Жыл бұрын
Basically a Gaussian blur just “smears” pixels in a certain direction, and it’s easy to determine the direction and strength and undo it
Hey, I have a question: When I enable system encryption on installation, do I have to type the security key every time I open my computer
@adambyte256
Жыл бұрын
Yes
@raptag7114
Жыл бұрын
@@adambyte256 aw man, I guess no encryption for me ☠️
As the vast majority of systems have SSDs now, "shredding" files does not work. Encryption is your best friend, as well as ensuring TRIM is executed regularly and hoping it is correctly implemented. I personally have a ton of ram, encrypted swap file, mount /tmp as tmpfs, and mount an addition temp space in my home folder as tmpfs. I have tens of gigabytes of in-memory storage for things that do not have to be saved. You can symlink a bunch of work folders from various apps to this space and end up not crowding tons of subfolders with crap.
Just a quick question: I’m thinking of downloading ClamAV, Portmaster, and most likely Flatseal. But I wanna double check with you to see if Having all that software together will mess everything up? Like would the security from Portmaster clash with the security of ClamAV? I know Clam is antivirus software, and Portmaster is firewall and network monitoring software, but would they interfere with each other? Same with Flatseal if I add that to my system too?
Is Brave search worth using privacy wise as it is the default search engine on the Brave browser?
Portmaster isn't available on flathub or from the apt repo on ubuntu, at least not on 22.04. For a long time, Ubuntu/Mint has come with a builtin firewall frontend to ufw. ufw is easy to use, especially if you want to quickly enable the must have security settings: block incoming. Adding exceptions is also a breeze. I'm used to manage it from the command line, but the frontend seems intuitive enough. Some people will tell you you don't need a firewall because you're behind a router. You should not take advice from people who discourage you from such simple security measures that have you covered if your wifi gets hacked, or if visitors frequently use your main LAN, or if you take your computer to other locations.
Hi, do you have a link for the obfuscate program? Thanks in advance.
@TheLinuxEXP
Жыл бұрын
It’s on Flathub!
Great video but i wonder if Portmaster actually works on Debian and if it's better than firewalls like ufw or firewalld ?
Encrypted /home here 😊
How does encrypting the hard drive work together with dual booting *sigh* windows?
@TheLinuxEXP
Жыл бұрын
Shouldn’t have an impact, you’ll just encrypt the Linux partitions
@Linux_ASMR
Жыл бұрын
If you want to encrypt your files like documents or pictures, I can suggest cryptomator. It works on both Linux and windows and is open source. That way if you store your personal files on a separate partition you can open them on both Linux and windows.
I would tout gocryptfs instead of ecryptutils for file system encryption.
I tried full disk encryption on openSUSE, but was frustrated by the double entry of the encryption password during boot. I ended up only encrypting the home directory using the guided setup. Not the up to the level of Fedora or Ubuntu, but at least my personal data is encrypted at rest.
@pleonexia4772
Жыл бұрын
You can embed a keyfile in your initramfs so you don't have to enter your password twice. I've set mine up where I don't even need a password to boot/decrypt partitions, I just use a fido2 key. Compared to yubikeys, hyperfido's fido2 key is a fraction of the cost ($25AUD or $17ish USD) and works perfectly. If you wanna have another go at trying to encrypt your OS again, I can walk you through the process to get everything setup the way you'd like. I can run you through the setup on a VM so you can get comfortable with the process before you attempt it on your harddrive(s).
5:08 Will be helpful :)
hey nick can you make a guide on OBS and how to setup on Linux , the reason im asking is because it is very easy to set up OBS but on linux we dont have a good encoder FFMEG is the default but GloriousEggroll suggested Gstreamer-VAAPI and that works to some extent but when recording a video / game the gpu usage goes 100% all time even when nothing demanding is happening , its a pain to record at 720p30 , going any higher means the gpu usage goes 100% and will slow down the system , even with an RX 570 :(
@TheLinuxEXP
Жыл бұрын
I can look into it, but I personally only use NVENC with my nvidia GPUs, it is unparalleled
Is it possibile to encrypt a specific folder, making it possible to open it only with a password in GNOME?
@softwarelivre2389
Жыл бұрын
You can compress a folder with a password on GNOME, but the regular folder, that I do not know.
Still looking for a tool capable of encrypt a folder easily and that works with Linux and Windows.
Which Linux distro did you use for this video?
Oh my, Nick, why would you feel the need to scan those Warhammer novels you surely aquired from the reliable and fairly priced Black Library? But back to Wine, wouldn't deleting the Z: folder that links to your /home directory and restricting Lutris/Steam to a dedicated folder with Flatseal solve most security concerns?
@TheLinuxEXP
Жыл бұрын
The worse part is, I actually bought most of not all of them 😂 I think it would help, yeah. As long as the app that runs Wine is sandboxed, you’re probably relatively safe, apart from what the virus might access while the program is running
for tail is persistent not the wrong word because for me it means that all my data is saved even when i unplug it
Which distro do we see at ClamTk? (3:40 - 5:00)
8:33 if you have an application that you don't trust some of it's internet connection... should the application not be on your computer in the first place?
7:28 No Opensnitch firewall 9:00 Mullvad VPN 11:08 No Ungoogled Chromium
LOL it won't wake you up in the middle of the night 🤣😂
@TheLinuxEXP
Жыл бұрын
Anyone who used Avast knows
read how flatpak works. pretty neat system. my worries about every tiny app taking 2 gig hard dist were put to rest. no more nightmares when this guy is talking about flatpaks.
14:49 macbook killer
Since we talking of security can someone tell me why does linux firewalld make chromecast and kde connect not work ( at least in firewalld kde connect has a service ) what about chromecast and airplay I use services called cider that helps me use my family apple music account .
Title: APPS & TOOLS My brain: APRIL FOOLS Me: Kinda late huh?
You forgot to mention Cryptomator 😁😁😁😁
where is the techlore link?
@TheLinuxEXP
Жыл бұрын
In the description
The problem with Librewolf and other Firefox forks is that they can be days behind on security patches. Not worth it imo.
Is encrypting ssd dangerous?
@hellomine2849
Жыл бұрын
@@anon8510 shorting the life span idk
While good start, the ultimate secure OS is obviously templeOS.
@st0rmrider
Жыл бұрын
Actually CubeOS if you manage to make it work
clam always tells me it's outdated, and it never scans what i tell it. i have ticked the right options, and looked at tutorials, haven't gotten it to work :( other than that, thanks for all of the really good suggestions!
@dmknght8946
Жыл бұрын
My honest advice: dont use clam. I played with clamAV engine, its signature, ... More than a year and i can tell it's not strong enough against malwares. (No disrespect to clam team. They are cool guys providing clam for free)
@Komatik_
Жыл бұрын
Clam is probably worse than not having anything in the first place because as far as I know its detection rates are quite low and that can give the user a false sense of security.
@swagmuffin9000
Жыл бұрын
@@Komatik_ ok, that makes me feel a little better
@swagmuffin9000
Жыл бұрын
@@dmknght8946 yea, that's the thing, it always says the signature is outdated even after updating. I don't typically download things, but on the off chance i do, I would want something to check.
@dmknght8946
Жыл бұрын
yeah as in malware scanner (which is the actual job of current clamav, it supports only hash checking and pattern matching (a lot of ClamAV old signatures depends on hashes. I meant if anybody compare ClamAV with Yara, Yara has more techniques to detect malware (or binaries in general) than ClamAV. As a AV, ClamAV doesn't have process scan (or memory scan- last time i check). It doesn't have syscall / function call hook checking either. And the most important thing, IMO, is the emulator to detect packed, encrypted malware. Overall, ClamAV is the only truly open source AntiVirus engine out there. But it's not enough to defend user against malware, especially modern malware.
Hmm, doesn't look like the vaults work on Steam OS. I just tried to create one while watching this video and I just get an error.
@TheLinuxEXP
Жыл бұрын
That’s because the filesystem is read only
@DreadfulUtopia
Жыл бұрын
@@TheLinuxEXP but why does that matter if I'm trying to make an encrypted folder in my home directory or external drive? I'm not trying to modify system files.
Sadly my library doesn't allow anyone to use USB or external harddrives while they use the computers. I guess it's a safe measure.