On Linux, Windows, Privacy, Security and Work

[Hexagonal]

Hello everyone,

I've been a reader for a while. Came here directed by someone at the Lenovo forums after my questions on an AFFS mod or 1440x900 screen could be done to an X201.

So, I thought I would summarize a bit what's been going on with the X201, an upgrade to Windows 10 on my W530 and recent thoughts on Linux and Windows with regards to privacy and security and work.

First, I'm a visual guy. I work in visuals (video and stills) and this is the main reason why I have a W530. I used to have an Intellistation, Thinkstation and T400, X61, x61t and now x201 with W530.

Quadro is good. 10 bit color is great. 2 internal HDDs are very practical in my profession and, especially for video, are life savers when it comes to saving those USB3.0 ports for something else. Also, AdobeRGB coverage is good.

I think for anyone who works with color critical stuff, we've been lucky to have the panels in the W530/W520/W510 and, in my case, be able to match these to a hardware calibrated monitor.

So in recent times I've been thinking about security, especially after hearing a talk by someone (can't remember the name) who spoke at MIT which made me think about securing connections and how, really, privacy and security of your hardware and your software are different but dependent on each other.

So, after much research (and I stand to be corrected by anyone's opinion or knowledge) if you want a secure system, you need Linux. Not just about malware, but if you also want a secure internet connection, you need Linux. Some people prefer running their OS from an USB stick, where it remains at default state all the time and no programs or modifications can be written on it. Others prefer to install very stripped down versions of a Linux distribution in order to seal and secure any holes or access points. On both camps, people seem to agree that you need to have some tools to protect your internet connection and to be able to scan and confirm whether your connection is secure with added tools. Some go to certain extremes as to only do online banking with virtual keyboards in case keyloggers are installed (does that really make a difference?)

In any case; a Linux based computer is safer than a Windows based or OS X one when going online.

Even if you were to have common sense and not go through the dodgy areas of the internet, you may still find certain sites (apparently banks or even paypal) where the site you land is a masked site where criminals/hackers would make it appear as the real thing but you input your details on their site.

"So", I thought, "I should then try and run a Linux based system. I can encrypt my drives, protect my work, get a VPN, etc."

But then, I couldn't run the software I need to which includes software by Adobe, Phase One and others. I researched this, and even if you can do it using programs like Wine, the actual running of the program after install may not be completely functional AND it may also be unstable. So, one needs a Windows or Apple machine if your programs run in one of these dominant flavors.

And here is the situation now. I upgraded to Windows 10 from 7. I like it a lot. I used Win 8 before but some things needed polishing. For starters, now I can run a 2.5K monitor and a second 1024x1400 monitor on the VGA plug WITHOUT having to exclusively use the NVIDIA card on BIOS (Optimus turned OFF) which was not possible before with Win 8. So I can run with Optimus, save battery, and have the performance needed when needed. The program feels lighter as well. The thing that bites the back of my mind is the, as I understand it now, slightly overblown issue with privacy (which apparently you can take plenty of control with just turning off features in Win 10) I'm sure everyone here has heard/read about it so I don't need to elaborate. The feeling this ends up giving, though, is what is important here. Trust in Microsoft and the trust of your data with them is now questionable. And to work and have personal data in an OS which you do not completely trust is something I find displeasing. But I can't work without Windows or OS X and neither company is particularly big these days with privacy (or so it appears)

So, should the situation be like this; one laptop for work - mostly offline - and one laptop to do be online where you can have your email set up, log into your online accounts and so on?

I can see the use for Linux when you travel and you're often connecting to public wifi connections. My understanding is that you can mitigate much of the wifi-spying with a VPN, but I stand to be corrected on that as well.

The W530 isn't as portable and as easy-going as Lenovo wants you to believe. I've been thinking of getting a more portable set and the X201 was a trial machine to see if the AFFS screen would give it a bit more oomph in color and contrast, and it does, but it is not 100% ideal. sRGB coverage is still low-ish (~75% as per my measurement) but it is a nice compact machine and easily portable. Thinkpads, while improving, have some way to go into getting color rich panels. Panel swaps are good and it is nice to see that many are plug an play affairs, but it would be nice to have them as stock, no?

So, if I was to go the way of 2 machines for travel work, I thought: W550s+ x250 or x1c running Linux with some tweaks for online safety.

But after thinking about it a bit more, I wonder if I may be overthinking this. Or if this is really what should be done if you wish to control the data you create as sub-product of you using your machines. It isn't just about a corporation keeping copies of your data, or knowing how you use your machine to find a behavior in your use, but also the overall security of your own home connection and connecting to public wifi.

What do you think? or, even better, what do you do to keep your data safe?

[kony]

Why not just dual boot in this case? Use linux for everything but the applications you can't run on it?

[Hexagonal]

Hi Kony,

Thank would mean I can only do one thing at a time. It wouldn't be possible for me to boot back to Linux while encoding a video.

[kony]

What about using a virtual OS then? Use Linux and run Windows via such software? Have you tried that? https://www.virtualbox.org/ Maybe it would be more convenient than taking along two laptops with you. I am not sure about the performance of an emulated OS though (I have never used it), so test it before going for it.

[Hexagonal]

Virtual OS sounds really good!
That being said, I think the performance of Windows in a virtual environment could be too hampered.
I remembered a friend of mine had a Windows within Windows VirtualOS and said that although you can assign X cores from the 8 he had to the virtual OS, the actual performance of the virtual OS was not very good as that of the main OS.
He tried playing games in the virtual OS but the graphics weren't the same as those in the main OS either but I can't remember the reason for that.

So, my question would be then whether I could use Linux as a virtual OS. And it looks like it can be done:

https://www.youtube.com/watch?v=Cja71icfrUE

Now I would need to research how can I make Linux's virtual OS focus on limited ports, limited functionality and secure the OS within Windows or whether Virtualbox itself is a hole...

More homework.

To top this off, though, VirtualOS requires at least 1 dedicated CPU core, which kills the W550s as a portable workstation because it only has 2 CPU cores. So, I would need to find a machine that is similar to the W550s in dimensions or more compact but with Quadro and with 4 CPU cores minimum.

[Puppy]

In any case; a Linux based computer is safer than a Windows based or OS X one when going online.

No. All the safety depends on a user. Have you already studied all source code your "safe" Linux based box ? Do you think anyone else has done it and how ? How comes a serious Shellshock bug have been found 20 years later if all these "super-safe" open source code reviews applies ? What about your BIOS or CPU microcode or HW firmware ? All of these components can be compromised these days and there are known proof of concepts.

No, Linux is not safe. Not better than Windows, in "wrong hands". Android is a different story of course but there is simple reason why it can not be safe, it is vulnerable by design. As for Windows 10 and telemetry, it is not worth to repeat that all these speculations are pure nonsense. There are no keystrokes sent anywhere, there is no reason for that.

Safety by virtualization is another misconception, especially since HW vitrualization have been introduced. For example a vulnerability has been found in VirtualBox that allowed to break the virtualization host/guest (including privilege escalation in the host) isolation for a long time, fixed in 4.3.14 version first. Also the host/guest isolation is affected when using 2D or 3D acceleration inside a guest OS. Don't mention Windows licensing issues as a virtual guest OS.

Proper use of user privileges solves most of security issues, in any OS that supports it. That excludes any phone-based OSes because of lack of user privileges management (unless rooted).

[kony]

No. All the safety depends on a user

Then why is it so easy to catch a virus on Windows and so difficult on Linux (to the point that users never catch any unless the software is specifically targeted at the individuals

Have you already studied all source code your "safe" Linux based box ?

The difference is that it can be done on Linux, while it is hidden for anyone but its creators in case of Windows/Mac.

How comes a serious Shellshock bug have been found 20 years later if all these "super-safe" open source code reviews applies ?

Well, if nobody knew about it for 20 years and it was most probably never targeted, then I guess it wasn't that 'seruous', was it? Moreover, all the Windows and MacOS weaknesses are hidden to average user, because Microsoft and Apple do not want you to know their systems are full of holes. In case of Linux we at least know when someone finds a weakness and can modify the software to lessen the chances of being a successful target.

No, Linux is not safe. Not better than Windows,

This is a lie, even if only considering the stuff I have already written in this post.

As for Windows 10 and telemetry, it is not worth to repeat that all these speculations are pure nonsense.

All the proof shows otherwise, and Microsoft really wants to force you to accept all this 'telemetry' stuff too. They might even automatically turn it on after you switch it off...

[hhhd1]

To top this off, though, VirtualOS requires at least 1 dedicated CPU core, ..

well, not exactly, it doesn't take away 1 of the cores of the host computer, .. so if the guest os is not doing anything cpu intensive, the host os will be almost not affected at all except for the allocated RAM.

the guest os runs as a process on the host os.

virtual machines do benefit from having the extra cores, but if all you will do in linux is average internet usage, then dual core processor (with 4 threads) is perfectly fine.

you may also look at 'vmware player' which is free, or 'vmware workstation' which is not free, but have extra features.

they offer much better graphics performance than virtualbox, although not good enough as host os, but some less demanding older games will run fine.

[jdk]

Not going to jump into the Linux vs Windows flamewar other than to say that Microsoft has gotten a lot better at securing their stack over the years, while many Linux distributions out of the box are vulnerable given the insane "user-friendly" defaults (no SELinux enforcing, no smash/stack protection enabled, no firewall, superuser access handed out like candy with standard user passwords) and 25+ years of the legacy code in the kernel.

Security is a process, not something you install and keep trusting. You can have a secure or vulnerable system regardless of the OS. What kind of security measures are you implementing already? Do you at least have a separate root account from what you login with, such that it requires a different username/password at the UAC prompt? Do you allow just any old website to execute javascript code on your machine? How is your hosts file configured? Do you use the same password on more than one website (Lastpass or KeePass would help in that regard)? How is your router and firewall configured? Did you install a properly audited and updated operating system on your router (pf, DD-WRT, OpenWRT) or did you just put your trust in something where the manufacturer stopped providing updates two years ago?

I think for the original poster, since you need Adobe, the ideal setup would be to secure Windows 10 on the W-series. Block the Windows telemetry stuff at the firewall. I am not a Windows user, but I guarantee there are HOWTO's online for doing this. Since you have a technical mind and an aptitude for attention to detail, I would keep and use that X201 (very well supported by everything out there) for travel and to learn about other operating systems and how they function, broadening your skillset and helping refine your safe computing practices. You can develop universal computing habits that protect your security and privacy.

[Puppy]

Not going to jump into the Linux vs Windows flamewar other than to say that Microsoft has gotten a lot better at securing their stack over the years, while many Linux distributions out of the box are vulnerable given the insane "user-friendly" defaults (no SELinux enforcing, no smash/stack protection enabled, no firewall, superuser access handed out like candy with standard user passwords) and 25+ years of the legacy code in the kernel.

Exactly

As I wrote, proper use of user privileges and applying updates is the key point of any OS security. Windows have very good support for it for those who want to have secure system (most of users actually don't want to have it because it looks "complicated" for them). You also have to understand feature called Software Restriction Policy. Basically you can imagine it as another NTFS "execute" permission, this article is a good start http://www.mechbgon.com/srp/ I use it since Windows XP (together with using limited account only for everyday use) and I have never had any virus.

[Hexagonal]

Dear all,

Thank you for all of your advise.

I can see how this topic can be divisive and I wish I could give something into it but I'm just starting to learn about this because I've put more seriousness into this recently.

What I have taken so far from the points made are that all OSs can be made as secure as they can be, IF you know what you want to do and how to achieve this. Kony disagrees that Linux is as safe/unsafe as Win/OSX but jdk and Puppy disagree.

Overall, user levels protect the machine. That so far sounds like a 1st step everyone should take, to begin with.

Puppy, the last link you provided sounds very informative. Thanks for that. I had a quick glance, and it makes sense to me from what I read, but I will have a good read into it when I get a bit more time.

I guess it would be interesting if I start a new thread that asking for people's way of securing Windows and securing their internet connections. Am I right to believe that the "user procedure", as I understand it from Puppy's link, can be similar if not exactly same Windows XP -> 10 when it comes to user level security?

I could also start a thread of Linux vs Windows for security (as jdk suggests that it is down to the user to make the best of any system) but I suspect we get a heated thread where we just might not get anything concise.

What do you guys think?

[MikalE]

Security issues aside, if you need to access both systems at once I believe your only solution is two computers. What's not to like about that except for maybe having to lug them around?

I recently installed a second hard drive in the Ultrabay running a copy of Linux Zorin, but as you have noted you can't access one while using the other. If you need that access, two computers are in your future I believe.

[RealBlackStuff]

This forum is more about technical aspects of Thinkpads, rather than general security issues.
If at all, such questions/postings should go in the Off-Topic forum.
Don't think you'd get much feedback other than more cursing and swearing at Big Brother's snooping.

[Temetka]

Big Brother only snoops because he loves you and wants you to be safe.