Online Security - Part 3 - Advanced OS, Online & Messaging
The penultimate part of our security and privacy guide moves to more advanced options including running isolated VMs (Virtual Machines) and MixNets.
Previous articles have been published to ensure you have the basics in place but now we move into more advanced security measures.
Desktop Operating System
QubesOS is widely regarded as the most secure operating system for desktop use. It operates on the principle of "security by isolation": a hypervisor runs everything in isolated, separate virtual machines called "qubes." For example, your web browser, email client and document editor each run in their own isolated qube. If one qube is compromised, the malware is contained and cannot affect your other data or the rest of the system. The compromised qube can be destroyed and another built in its place. This level of compartmentalisation is what makes it so secure, but it also has a significant learning curve and is not for the fainthearted!
TailsOS is designed for privacy and anonymity. It's a live OS that you run from a USB drive, and the host machine can be a Windows, Mac or Linux computer. Just plug the USB drive into your machine and start it, and it boots from that drive and not from the OS on the machine. It routes all internet traffic through the Tor network, and it is "amnesic," meaning it leaves no trace on the computer after you shut it down. This makes it an excellent choice for tasks where anonymity and leaving no digital footprint are crucial, for example for investigative journalists who need to keep all their information private and secure.
The Linux core security model is based on a Unix-like system where user accounts do not have root (administrator) privileges. This means malware needs to overcome multiple layers of security to do significant damage, similar to macOS. Linux also benefits from a vast open-source community that quickly identifies and patches vulnerabilities. However, the security of a Linux distribution depends on how it is configured and how diligently the user manages updates, so you really do need to be a power user if you wish to build your own Linux machine. It's worth noting that there is no support for business software like the MS Office suite, but you could use the browser versions.
https://www.linuxfoundation.org
Mobile Phones
If you want to be more secure than even Apple, then there really is only one option.
GrapheneOS is a hardened, privacy- and security-focused mobile operating system based on Android. It's not a flavour or wrapper over Android like the ones some providers offer, with their own plethora of junkware that spies on you and slows your device down. This is a complete re-engineering with a focus on minimising the attack surface and user data collection. It ships without any Google apps or services, meaning there's no constant flow of telemetry data back to Google servers. Be aware that you can buy a phone with it preinstalled, but the best way to have control is to have your own Pixel phone and manage the deployment yourself. Some apps do not work on this OS, but you have to make some sacrifices for your privacy.
Step Up From A VPN
Mixnets are worthy of note as an alternative to traditional VPNs. Nym is one of the new Mixnet service providers. It is a decentralised network of nodes that encrypts and mixes internet traffic from multiple users together, and adds noise to obscure patterns and metadata. It's built to resist sophisticated surveillance, and although it's still in its infancy and might not be as fast as a traditional VPN, we are huge fans of this emerging technology.
Instant Messaging
Threema is a paid-for option, which helps it maintain its independence and avoid a business model based on data collection. You don't need to provide a phone number or email address to create an account either. It assigns you a randomly generated ID, making it truly anonymous. As for retaining data, it's designed to generate as little data on its servers as possible, with group memberships and contact lists managed on your local device, not on their server.
Salt Communications provides secure communication for governments, military and security services. Their platform offers encrypted voice calls, messaging, and file transfers with on-premise or "sovereign cloud" deployment options. This allows government agencies to have complete control over their data, ensuring it never leaves their own networks or passes through foreign servers. It is another paid option, but well worth the investment if you or your team need a military level of security.


