People hang out on public WiFi sometimes with packet sniffing and other tools to exploit people. Especially some distros don’t have X server remote display locked down.
If you want to know what is open or exploitable CVE you can run a script that discovers all CVE exploits against a machine
Last time I tried Ubuntu, it had a firewall but it wasn’t active by default. Unless something changed in the last few years.
No firewall means your system is going to get scanned to see if anything is open or exploitable
Some distros ship with no firewall enabled, some newbie using public WiFi is going to be less secure.
A pain with OpenSUSE tumbleweed is firewall and SELinux by default, but it forces you to learn about security if you need to setup SAMBA or other connections to your machine
They are still weird
Android already had WiFi Direct, this change just brings Apple and Android into the same sharing room.
For mine, not TrueNAS, I boot to a live USB stick, so drives are not in use and do an full gparted copy to a back up drive, so it is a clone. Should the system die I swap the whole drive out.
Disable aliasing I guess, or change to root owner, read only permission
Then lock bash rc as read-only and root permission only, or disable aliasing altogether I guess
I guess that depends on distro, because sudo on OpenSUSE requires root password, so a script isn’t doing anything unless you enter the password
The inclusion of open H264 was helpful.
Shhh don’t tell them about 3rd party repos. That’s why I somewhat disclaimed it with the Learning Curve, but having yast and snapper for me onboard as a new Linux user was very helpful.
i use CTRL C and CTRL V … What am I missing here?
Zorin is user friendly. You may still need to use a password for doing updates.
If you game, then probably Bazzite.
If you hate the command line you could try tumbleweed, you will have Yast2 GUI apps for everything yo want to alter on the system. And it has automatic snapshotting if out you mess things up, you can boot to a previous snapshot. Howeverits will require a password whenever you want to make system changes. And a learning curve compared to other distros.
Not really getting away from typing a password, that’s the part that can keep malicious stuff out because it doesn’t have permission.
Cool. If you aren’t stuck on a diatro, then Tumbleweed has this built in. Snapshots are taken every time you make package changes or system changes, boot menu let’s you boot any old snapahot
Yeah, I’m using a large font in reader mode and I think I had the word encrypted showing without un onscreen.
You are correct, it makes a custom binary in the fat partition that is verified by TPM for unlocking/proceeding, that binary then contains the other parts to move forward.
Apparently its a patched grub2 for opensuse, and systemd boot systems. Makes a binary file that is verified by the TPM , different than just using LUKS encryption.
Just sharing for awareness because people often assume that because one diatro does not do it, means Linux doesn’t do it.
Like when everyone complains about Linux not having hibernation, it does.
True, other distros don’t have full disk encryption, they have partition encryption.
There is full disk encryption on Tumbleweeds using TPM and systems boot. It encrypts the ESP (EFI) partition and you supply password or fido2 key to unlock boot loader and disk
To answer all your questions I’d need some time, I’d have to go back to the 100s of hours of 2.5admins and security podcasts. But to clarify an exploit doesn’t have to be an open service especially if you aren’t running a firewall. Some bombard your network adapter into buffer overun etc, but network traffic is handled by the kernel stack. A good firewall drops packets instead of letting them all into the public interface and kernel TCP stack. Where CVE stuff can happen.
I’m not saying Linux can’t be hardened , but because it is user editable and not locked down like Mac, you have a lot of things people can alter (or not alter) by hand or packages that can leave you open.
There’s a reason we have AppArmor and SELinux, yet some don’t bother to use those tools.
There was something with discord? Discourse? screen sharing that used x11 forwarding, and was on by default. I want to say Ubuntu. When it was news I checked by SUSE install and thankfully its disabled by default. But also the reason Linux distros are moving to Wayland because X11 is a security problem.
Ubuntu ufw off by default https://documentation.ubuntu.com/server/how-to/security/firewalls/index.html