Speaking of really niche preferences, Ima be upfront, I'm bout to type some
wack ass shit cause its been on my mind lowkey no cap, so sneed it or feed it.
TLDR sperging about paranoid security on the OS level
In the wake of the recent (west)world-wide push for increased surveillance, I want to start a little discussion: what do you think would be the best way to insulate yourself from prying eyes at the OS level? Or rather, which OS would you choose as the base for a 'secure' browsing machine? I'm only focusing on one machine directly exposed to the Internet here, because having shit like hardware firewalls doing packet cleaning or OpenWRT routers might be a bit too much to talk about up front. Ignoring the fact that 99% of "incidents" are due to human error, lets talk technicalities for a bit. For paranoid-level security, it'd need something like Tor-over-VPN routing, and since there is not any real pressure to gimp VPNs as of right now, Mullvad is the number one choice. This is assuming that the ISP is also a hostile entity. The next concern is fingerprinting. For browser fingerprinting, stock Tor Browser, Librewolf and Mullvad are pretty well hardened. For device level fingerprinting you can spoof your mac address & OS and DNS cleaning with tools like Parrot's
AnonSurf, and Mullvad-through-Wireguard is also really nice for preventing DNS leakage, but TCP/IP fingerprinting remains an issue. So, in my mind, it comes down to:
1. Tails with pseudo-persistence; my idea was to dd it onto an NVMe and have it live inside of a laptop, where eveyrthing but the boot space is set up as persistent storage with the built in feature of the same name, then install whatever other software & config files are needed on there; every reboot makes it do its thing and completely reset, then whenever it boots back up, you unlock the encrypted part and everything clicks back into place, or if you don't need it, you can roll around with just the amnestic basline; should show up as generic Linux/Debian; cancer to set up, but might be very good if done right
2. Whonix / Qubes where everything is a VM; excellent compartmentalization means it is very easy to split tasks into their own little isolated VM, thus avoiding ye olde opsec fuckup of cross contamination (to an extent); resource heavy, really cancer to maintain, really cancer to set up, really cancer to use in general (note: I have never used Qubes so I am speaking from what I have read); could be a good driver if set up right but seems like a very large time sink; fingerprinting should be fine as it runs a Fedora base in dom0
3. OpenBSD because it is definitely super secure by default with really useful tools for super duper hardening, excellent code cleanliness and a very autistic community that is devoted to its cause, only trouble is it would light up like a christmas tree in network sniffs due to TCP/IP uniqueness
4. Kodachi is a distro I know basically nothing about, but seemingly comes packed with a suite of privacy tools out of the box; annoying that it relies on systemd, as to almost all the other suggestions here, but it is what it is; based on an older Ubuntu version (18...), but I see it get mentioned quite often in security discussion circles, so might be worth looking into
5. Devuan / Artix / Antix / other sysd-free distros with all the aforementioned privacy hardening tools installed manually; probably the best bet for a daily driver that isn't super cancer to upkeep; probably a bit more than just a little risky because it relies purely on one's own capacity for manual hardening and technical expertise, I trust myself a good bit but I am not immune to human error
Ultimately the OS might not matter as much as the network hardening here, but it can't hurt to have a baseline that's already strong which you can then build on. Sorry for the autistic rant, been meaning to talk about this but most of the cysec people I know in real life are corpo goons that don't care for privacy as much as they probably should. Right now I'm considering going for #5, but keeping #1 or #2 in my back pocket in case the wack meter keeps going up, which it very well might.
Edit: The anti-systemd shit is part of the paranoia; just like Windows and MacOS/Darwin are spyware operating systems that don't give a rat's ass about user privacy and will openly stuff telemetry out their asses, I can certainly see a future where RH et al. commit a full corporate takeover of the Linux kernel, or most mainline Linux OSes in general, through shit like systemd etc.; again, this is about the
paranoid perspective.
