"Linux is way less secure than Mac" - true or false? (Get your popcorn ready :D)

In a security/privacy group I am a member of I just mentioned that I am moving away from Apple (completely) and got a new laptop to run Linux on. I didn’t say Fedora.

Quite a few responded with comments like “Will be a massive loss in security moving to Linux from Mac”.

My response was “pff”, and I don’t want to get into the details but for good well-researched reasons I do NOT trust Apple (for privacy), whilst I do understand the security is good. In my opinion (which I don’t fancy debating!) Apple offers premium security as a carrot to get people in their walled garden, where they then abuse them in various ways and DO collect personal data and DO co-operate with governments, and not just the CCP!

I chose Fedora as most people tend to regard it as a good option for security/privacy/ease of use (three big things for me).

But would appreciate any comments from Fedora users here on the alleged lack of security.

I need to learn how to increase security in as many easy ways as possible after installing Fedora, but the way I see it, if I install Fedora and use full disk encryption, use very strong passwords (always do), and generally practice ‘good opsec’, I think it will be a nice and secure system. How secure? Well I don’t know, but secure enough for me! Just felt I wanted to hear some responses to the comments mentioned above.

1 Like

MacOS has had holes in it for a long time. . . Honestly not a discussion worth having. Fedora runs SELinux enforce which is pretty good and convenient for typical end users. If you are like me and need more security for “Projects”, sandboxing applications via SELinux context, Flatpaks, Systemd-Nspawn, Podman/Toolbox containers takes you to the next level and beyond.

Ultimately, Security is down to the user. My Blender & Krita friends who want security and convenience, just use Fedora Linux OOTB.

My “test new Blazingly Fast Web Browser from unknown High School Kid who compiled it from source with special flags” community of friends, we use what we need for security to the max.

You made several statements here that are a concern for me, phrases like “Premium Security” but not trusting also Apple. There’s a lot to be said. I do know from experience that Apple is viewed in IT a certain way because “It’s not Windows… So Windows viruses don’t work on it” argument, but deep down the rabbit hole, MacOS is not what your typical layman thinks.

2 Likes

Hey Joey,

Can’t comment on Mac OS, I have never used it personally or looked into it.
I’ll insert obligatory, “depends on your threat model what secure linux distro is”, come up with what your security parameters are.

I don’t think of security as “one solution fits all”. I like to think and work with layers of security, you can go through each method of mitigation or securing your device and decide what to implement and what is not needed.

Fedora in general is going to make itself a bit more secure in Fedora 40, see the proposals:
WIFI MAC Randomization
Systemd security hardening

Of course there is always more that can be done but do consider if you truly need these changes.
Hardened Kernel using kicksecure patches, Stricter firewall rules, Using DNSSEC, limit SSH connections and use key files only with SSH etc. There are plenty more things you can do to take security even further, I’m only mentioning things I have tried and know of.

Options are there, make linux secure the way you feel it best fits your needs.

2 Likes

Thanks, didn’t follow some of that but thanks.

I certainly agree with your general sentiment.

“You made several statements here that are a concern for me, phrases like “Premium Security” but not trusting also Apple.” - not sure what you mean here but to clarify, my point was that I view Apple’s model as something like “We protect you VERY WELL from hackers and thieves”. With the unwritten true ending to that statement being “by doing so, only WE can get your data, and we can/will/do when needed”

I’d be interested in learning more about enhancing security of Fedora (privacy even more so which is of course related). All I know of Linux security is from my dabbles with Ubuntu years ago which, IIRC, was something called uncomplicated firewall and apparmor (that’s all I can remember). Are either of these relevant and worth doing with Fedora? If so I will look them up to remember what the hell they are again :smiley:

If anyone knows of a guide to help a new user add some extra security and privacy, I’d be very grateful for a link. Will scour myself otherwise

Thanks Bill. I certainly like the idea of Mac Randomization. (I run GrapheneOS on my phone which has that)

I am limited in knowledge, but will learn where improvements are worthwhile. I agree re threat models. I have virtually no risk to local hackers or criminals of any sort. I am effectively “off grid” (not truly, but compared to 99% of people, I am just due to location and lifestyle). My main desire is to secure my system from being cracked open to view my files (purely on principle) but I am very keen on limiting my footprint around the web as much as possible which I know is more about use of things like browsers etc, I am pretty knowledgable and happy with my processes for general use of the web. But would be nice to lock my machine down a bit in simple ways, without going to extreme degrees like amnesic operating systems or even Tor.

I do use VPNs, which is becoming a nightmare. (Case in point, was hoping to read this but connections refused presumably due to VPN! How to encrypt your Fedora file system - Fedora Magazine) but I need to use them for work. I understand they are limited in what they offer in terms of privacy, but I think they help reduce a footprint (of IP), but for me they mean I can do online research from anywhere on the globe I want, and that’s essential

thanks again for your thoughts

Sure thing, My point is that often times, Apple is viewed in the public eye as “different” and that difference is security. More like Security by Obfuscation. When in fact Apple has made the news a lot for holes in MacOS, it’s just that the public/ internet media won’t cover it. It doesn’t help them get those < enter apple device name here > for review, or get clicks for positive views towards Apple.

Typical from a Company selling services. . .

Honestly, Fedora is Very Good in this aspect OOTB. There’s a lot to how Fedora packages software with compiler flags etc. Also its use of SELinux.

When I talk about security, it’s usually software dependent. Need to test Random Youtuber recommended Web browser? Containers with SELinux sandbox context. Need to test packages? toolbox or distrobox. Need to test/build an OCI image of BlackArch? systemd-nspawn or podman. There’s a lot to talk about and go into depending on what you need.

Right tool for the job.

1 Like

Ah, in that case I understand fully, and agree FULLY, re Apple’s model and why it doesn’t get talked about. I don’t think it’s JUST a case of “selling” (i.e. profit motive). There have been many philanthropists throughout history who had billions and sought to make nothing (or lose money) from their philanthropy. I think the world just lacks that spirit now, we are all about ‘obedience’, whether we know it or not (we being the average masses, not every individual of course).

Anyway, my philosophical soap box aside…

Not sure what SE Linux is, but it’s a great comfort to hear that about Fedora thank you. I don’t seek to test anything! My use basically involves mail and browser, plus some apps here and there but from now on they will only be FOSS ones (at least wherever possible, which I think will be 100% of the time but not certain yet). Example: I used LittleSnitch for years, trying to block the thousands of little connections Apple does ‘to protect me’, while shipping data home about my iPhoto library (via photolibraryd or whatever), as well as to block nefarious connections from other apps (mostly OS based though).

I can feel better about Linux (generally) and especially Fedora as it won’t be TRYING to screw with my 5hit so often, if at all, hopefully the latter! But I may look for a FOSS replacement for LittleSnitch, as I do like to see what’s going in/out over the network, but I am hoping to obsess less about this in future (the thousands of hours I have spent tearing hair out over Mac OS doing ‘stuff’ I don’t like, for no apparent reason, like icloud crap when I have all that turned off from the day they invented it!). I also use Carbon Copy Cloner and other paid apps, which I will look forward to never buying again, and hopefully can use Deja Dup or a few others I have heard about.

I use Brave after leaving Firefox a year or two ago, mainly for the reduced ‘fingerprint’ of extensions I was using to protect my privacy (ublock, adguard, decentraleyes, invidition (love that!) and several others). I like the privacy built in, meaning fewer plugins (I now have only one, Bitwarden, which is pretty essential for my thousands of logins built up over the years and my desire to ensure all are secure and different from any other!)

I don’t do a whole lot more. Email - hoping to try out Geary, I have used Thunderbird but would like to try something outside the Mozilla set first, can always fall back to Thunderbird if needed.

I used to use a lot of apps (web design and SEO type stuff) but these days so many are web-based (which I used to hate, but now like, fewer apps on machine can only be a good thing!) so my use of the machine is heavy, but not in technical terms, just in man hours terms :smiley:

Thanks again for your input, much appreciated.

macOS is an immutable OS + apps that are treated as containers for security.
Fedora offers the same structure with silverblue + flatpak (or snaps) as far as I can see.
Both offer full disk encryption.

The security risks, I’d hazard a guess, are approximately the same.

3 Likes

The problem is that “Secure” in this context is broad to the point of being meaningless. Especially if the point of comparison is “Linux”.

It is a myth that Linux is inherently secure. It can be made to be secure. Different distros ship with default configurations that range from reasonably secure to quite insecure. Using Fedora Workstation as an example, I would say it is somewhere in the middle.

I am not intimately familiar with MacOS security but I strongly suspect we could pretty easily identify ways the MacOS is more secure than Fedora and the reverse is equally true.

In the end, it will always come down to an individual’s specific risk model and which risks they are concerned about.

5 Likes

Would it be an idea to ask them to expand on this? Even if they enumerate the security features that Mac provides, we can see if they are enabled in Fedora or how to enable them if they aren’t?

2 Likes

I have shifted this to the watercooler because this seems to be a general tech-talk discussion without a specific problem that is to be solved :wink:


Let me answer this request and also do some marketing for our SIG here :smiley: Security enthusiasts wanted: from beginners up to SELinux experts to make up the SELinux "Confined Users (SIG)" to foster Fedora's security capabilities with subtopics [1] and [2]. I assume the subtopics may apply more explicitly to your request. But you will find much more when you query for “security” in the *.fedoraproject.org pages.

5 Likes

It’s not even that. MacOS is closed source. You cannot even examine it for security. MacOS is by default inferior to Linux.

You might benefit from some increased security hardening in some areas, but honestly Fedora is very secure by design, very updated and has a lot of hardening included, like good compilation flags and selinux.

I believe there’s no ‘secure os’ if the user is dumb and runs untrusted software, regardless of the security design. Macos makes no difference.

They probably read some misinformation on the internet, there’s a lot of that. Also, never listen too much to people in security groups, my experience is that they tend to be extremely biased and sometimes they develop their own views and threat models they apply to anything.

That’s spot on, and the reason I won’t be asking for more information as these people make biassed statements and have all week to play silly games in discussions, taking it personally if their paradigm is questioned. They are frankly ideologically possessed, and I don’t wish to dig deeper. My first instinct was to ignore the statement, I do NOT trust Apple and never will (for good reasons, not ideological ones), I just wondered how some might respond to it in here. It wasn’t a challenge, I expected the replies I got and am happy that I did :slight_smile:
Thanks everyone. Obviously, to say Linux is anything is flawed, as Linux comes in so many shapes and sizes, before we even think about HOW the user USES their OS/apps etc!

Linux was a lot more insecure years ago, but currently the security model is changing into wide adoption of containers, flatpaks, sandbox, immutability… It is unfair to compare Windows or macOS of today with Linux of 15 years ago and still there’s lots of people doing that in security circlejerks. Moreover, LUKS is a very powerful tool to secure your data at rest. With it, I have no fear of my laptop being stolen and all my data compromised.

1 Like

“Circlejerks” - perfectly put!

I am not a power user, so I have to make very careful decisions about what I use. I am very privacy/security conscious, as much as I can be. I use Signal for all messaging, don’t do anti-social media, use Mailbox.org for email (not encrypted but chose provider carefully), brave with as much anti tracking BS as poss, and so on.

Not being able to understand the underlying tech stuff is horrible, especially when you are trying to avoid the global surveillance going on whenever you touch the web!

I am happy with my choice of Linux, and it means I am one step away from another monolithic silicon valley outfit (apple) which has been a goal of mine for years. I feel better already, and barely using Fedora yet!

Please stay rational and calm, and avoid ambiguous wording that can be interpreted in an offensive way :wink: I would like to avoid that users/proponents of other systems (or people with other perceptions) feel offended by what is written here, and such wording can be interpreted in many (including offensive/negative) ways, even if you do not mean it that way.

I think false rumors and misleading selections of information exist on all sides, including Linux, Mac and Windows :wink:

I am 100% rational, and 100% calm. Not sure what suggests otherwise.
The only way to risk not offending anyone, is to never speak. The modern way of pathologically worrying about what “someone” might “feel” serves to simply risk offending a new person, i.e. me!
Having said that, if there are words clearly used with INTENT to cause offence, that’s a different matter and is understandably best avoided. I certainly didn’t mean any, in case it appeared that way.

As for :

Fair enough, point taken.

I must say, for one of those speech policing type of replies, you handled and worded it excellently, hence I am not taking offence where I might otherwise have done (at the suggestion of my being irrational or anything but calm). :slight_smile: For that I thank you and wish others were at least half as tactful in their approach to such things.

Quick curiosity question.
Fedora 39 - I typed sudo dnf update and noticed it says “google-chrome 3.6kb”
That surprised me. I haven’t installed any google software. Why does it say this when I run updates?

And are increasingly easy to find with web searches, etc. A more important question than “which OS is less secure” is “who are the users?” In my experience, kids and bosses are more likely than “knowledge workers” to fall for phishing or click on dubious links that install malware.

1 Like