Security and privacy for Windows, macOS and Linux

How secure and private are PCs?

As I’m sure you’ve heard, PC’s (personal computers) were developed back in the 70’s. The goal at that time was to give computers as much power as possible for the user programs. Since there was no Internet and little networking at the time, security was not the focus of development.

Therefore, the security model of today’s PCs is still quite patchy and offers attackers many vulnerabilities in the hardware and operating system. That’s why some security experts recommend not using PCs anymore.

“If you can, stay away from the PC and use a mobile device.” madaidan (Security Researcher) Articles | Madaidan’s Insecurities

Market shares of the operating systems

How do the major PC operating systems share the market? According to Statista 07/2022 work:

• 75.4% of all PCs with Microsoft Windows

• 14.5% with Apple’s macOS

• 2.4% with different Linux systems

The figures show that the user of a Windows or Apple PC may faces more potential threats than a Linux user.

What about security and privacy?

Microsoft and Apple have noticeably improved the security of their operating systems in recent years. If you use Windows 11 today, for example, preferably in S-mode on a Secured Core PC, or macOS on a MacBook from the M1 generation onwards, both manufacturers now also offer proactive security features such as :

• the mitigation of as yet undetected security vulnerabilities (exploits),

• the verified start of the operating system (Secure Boot),

• the sandboxing of apps and

• the use of memory-safe programming languages

However, both systems also send insights about their users and their usage back to their “builders” by default. They then use our data for their own analyses, possibly sell it on to data traders and share it unfiltered, e.g. with the American government (NSA / PRISM program).

You can read about this, for example, in the Microsoft privacy policy. You can find a summary of the Edward Snowden releases from 2013 here and here.

With both systems, security can be further improved and the extreme extent of data collection reduced… but unfortunately not eliminated.

A “secure” and trustworthy system is the basis for all other security measures, such as Encryption or low-trace web surfing. Mike Kuketz

Linux or mainstream?

Those who want to protect their privacy can switch to an open-source, free and trusted operating system like Linux. Especially the distributions like Ubunto and Linux Mint are well suited for beginners. They are compatible with almost any PC, are easy to install and offer you anonymity, privacy and the freedom to decide for yourself. These systems are maintained and updated daily by a huge community of volunteers worldwide. Detected security holes are “fixed” almost every hour and can protect your computer via automated updates.

Linux is ahead of the game when it comes to your privacy, trustworthiness, auditability, and freedom in customization.

Unfortunately, this does not mean that Linux is a secure operating system per se. If you place a lot of value on IT security due to your “threat situation”, I recommend using Windows 11 on a Secured PC or macOS on a MaxBook Pro from the M1 class. The modern and proactive security standards present there do not exist on a standard Linux PC today.

However, whether your PC can then be “bugged” by investigating authorities or whether cyber criminals succeed in stealing your identity also depends on the following factors, among others:

• of your threat situation
  Who is interested in you and your data?
  What means and determination will a potential attacker use?
• your IT experience, time and budget
• your discipline and daily form-dependent attention at work on the PC

Basic attitudes and behaviors

.. which you can easily implement on any PC with Linux, Windows or macOS operating system.

Use only trustworthy, secure sources for your hard- or software. Software. Increasingly, you should also rely on your experience and not only on the specifications of the manufacturers and the offers in their app stores.

Do not use a fancy name for your PC that can be associated with you. Instead, use names like there are surely millions of them in the world. For example, “MacBook” on a MacBook or “Desktop” on a Windows system.

Use a “standard” user account without administrator rights for your daily work.

The current practice of granting admin rights to the standard user for admin tasks via password query (under Linux via “sudo”) carries risks. If you accidentally install malware with it, you can infect your entire computer.

What do I have to do?

Create another administrator account and change your current account to a restricted or standard user account. Use only your default account for daily work.

Use a strong user password or better one
Password phrase
with 5-6 words. Do not use this password anywhere else and make sure that you never repeat it.

Save your accounts and passwords with a trusted password manager.

Encrypt your hard disk. If someone should get physical access to your PC, they will not be able to do anything with your data.

• Windows: BitLocker – Microsoft Support – Enabling Device Encryption
  Unfortunately, Bitlocker is only included in the Pro versions of Windows.

• macOS: FileVault –
  
  Encrypt the startup volume of your Mac with FileVault

  
  I recommend to create only one manual recovery key and to keep it safe and physical. You should refuse to restore with the iCloud account.

• Linux Mint or Ubunto: LUKS – Encryption with Linux
  Encryption of the hard disk(s) is already standard with most Linux distributions during installation

Configure your system so that the firmware, operating system and all programs used by you are updated regularly and promptly.

Install only necessary applications and operating system components. Each additional component provides an additional attack surface and must be updated regularly, among other things. Start cleaning up and uninstall and delete unused stuff.

Most Linux distributions offer you the possibility to install only the required base system during the installation. This way you have an easy start and don’t have to figure out for X applications if you even need them.

Set up a regular backup with an external hard drive. Of course, you can “classically” backup your entire system with operating system, applications and your data. This takes a very long time and is very unwieldy. Since you can reinstall the operating system and applications with finite effort, I recommend backing up only your data (documents, pictures, movies, export from the password manager, etc.) at first.

Store the hard disk in a safe place (e.g. in a safe deposit box). Play through what to do to restore this backup in case of an emergency.

Recommendation from the CloudPirat Privacy Toolbox:

• Install
  Mullvad
  as VPN, protection from advertisements and trackers, maleware and as encrypted DNS. Configure Mullvad so that it is also started at system startup.

• Use as default browser
  Brave
  and not Edge, Safari or Firefox

• Use Brave-Search as search engine

• Use Bitwarden as a password manager if you want to synchronize your accounts and passwords with other devices. If you want to store your password database only on one PC for security reasons, use KeyPassXC

• Use LibreOffice instead of Microsoft Office, so that no one is “looking over your shoulder” when you write. LibreOffice is an “open source” software developed and maintained by a worldwide community. The aim of the project is to give everyone access to powerful, open and free office software.

• Use
  Signal
  as desktop messenger

• Use ProtonMail as email and calendar system. Alternatively, you can always send confidential information via Signal

• Video Conferencing:
  Jitsi-Meet
  or simply signal

Hardening Windows

The most important activity in improving Windows security is enabling Windows Security (also Windows Defender).

Activate your firewall there and make sure that your PC does not allow incoming connections.

Activate the antivirus and malware protection there as well.

Here is how to do it –



Micrososft- Stay protected with Windows security

Do not use any additional third-party Internet security software (e.g. antivirus). Windows Security is by design an Internet security suite specialized for Windows. If you install a third-party Internet security solution alongside Windows Security, the vendor will get deep insights into your system. This is an unnecessary threat to you.

Turn off unwanted features in Windows

O&O ShutUp10++ – You don’t want your keyboard entries to be logged? Or that Windows sends your Wi-Fi password to your Facebook friends? With O&O, you decide when sharing your data is going too far. Through a simple user interface, you define how Windows 10 and Windows 11 should respect your privacy. You can deactivate unwanted functions with a mouse click. O&O ShutUp10++ The AntiSpy Tool for Windows

Privacy is sexy – is a website with a rich tweak pool to protect the security and privacy of the operating system and other software on it. You don’t need to run any software on your system, just run the generated scripts. You have full transparency about what the tweaks do while you activate them. Privacy is Sexy – Privacy & Security for Windows and macOS.

Windows 11 S Secured Core PC’s – Microsoft offers Windows 11 S, a version of Windows with special, certified hardware. The so-called Secures-Core PC’s. As of today, you can only download software from the Microsoft Store in Windows 11 S mode and have to use the Edge browser.

Hardening macOS

For older Mac’s without M1 or M2 processor (Apple Silicon) it is recommended to set the Mac firmware password .

Setting the Mac firmware password prevents your Mac from booting from a hard disk other than the specified boot disk. For example, an attacker will no longer be able to boot your Mac from a USB stick.

Apple – Set firmware password on Mac

Activate the Mac Firewall and configure it so that no incoming connections are possible. Also set the so-called Stealth Mode to active. With this, your Mac will not respond to connection requests from the Internet.

Apple – Turn on Stealth Mode

Minimize iCloud usage – I recommend not using Apple’s iCloud if possible.

You should not synchronize your contacts and calendar etc. via iCloud. Email providers like Mailbox.org can synchronize calendars and contacts via so-called CalDAV and CardDav interfaces. Apple supports this on all devices.

I recommend not to store the data, pictures or backups in iCloud, but rather to use a trusted cloud storage.

You should not allow your apps to use the iCloud for syncing with other devices or for data storage.

Privacy is sexy – is a website with a rich tweak pool to protect the security and privacy of the operating system and other software on it.

You don’t need to run any software on your system, just run the generated scripts. You have full transparency about what the tweaks do while you activate them. Privacy is Sexy – Privacy & Security for Windows and macOS.

Antivirus or not? – Should I install an additional third-party Internet Security Suite on my Mac? This is controversial among security experts. The provider of such a solution gets deep insights into your system and your data. If he’s not trustworthy, that’s a threat to you.

Experts who care about your privacy therefore refer to external Internet security solutions such as those offered by Kaspersky, Norton or Bitdefender as “snake oil”. Similar to the traveling merchants who used to sell snake oil as an all-healing remedy in the “Wild West”.

Mac OS today, similar to Windows, includes protection features against antivirus and malware. They are also updated regularly regardless of updates. Apple – Protection against malware in macOS

But are these protection functions really sufficient to protect your Mac from viruses, malware and the like? To do this, you should honestly answer the following questions:

• Do you install the updates regularly and promptly?

• Have you fully implemented my recommendations / settings?

• Can you follow behavioral advice such as only installing app’s from the app store or secure sources or not opening unknown attachments in emails?

If you can confidently answer “yes” to all three questions, I think you should avoid using an additional Internet security solution on macOS.

Hardening Linux

Configuration Linux Firewall: Activate the ufw – “Uncomplicated Firewall” and forbid incoming connections.

Everything else that I think is important for beginners has already been explained under Basic Settings and Behaviors.