From 6632e435e5f11d2f94c888152b168a1ed85d3a91 Mon Sep 17 00:00:00 2001
From: Tommy <contact@tommytran.io>
Date: Sun, 17 Jul 2022 18:44:06 -0400
Subject: [PATCH] Minor updates

Signed-off-by: Tommy <contact@tommytran.io>
---
 content/donate.md                       |  6 +++++-
 content/os/Linux Insecurities.md        | 22 +++++++++++++++++-----
 public/donate/index.html                |  3 ++-
 public/os/index.html                    |  2 +-
 public/os/linux-insecurities/index.html |  2 +-
 public/tags/linux/index.html            |  2 +-
 public/tags/operating-system/index.html |  2 +-
 public/tags/security/index.html         |  2 +-
 8 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/content/donate.md b/content/donate.md
index 1a056c7..e3b444e 100644
--- a/content/donate.md
+++ b/content/donate.md
@@ -7,7 +7,11 @@ The domain costs us $12/year to renew from Google. We got our repository hosted
 The real cost is the time and energy we put into writing, testing, and fact checking the content. Some of our members may want accept donation, and you can donate to them individually.
 
 ### June
-**XMR**: `49b1PUPeHJEDwZqaaQm4MQUjycY8ckEko53jvTcPB5yE2QKoS5haNe3Fnbg1Le7nSkgUkm4tcpj4Z2YmtaT3j6KVUVgBGw2`
+**Monero**: `49b1PUPeHJEDwZqaaQm4MQUjycY8ckEko53jvTcPB5yE2QKoS5haNe3Fnbg1Le7nSkgUkm4tcpj4Z2YmtaT3j6KVUVgBGw2`
+
+### Randomhydrosol
+**Bitcoin**: `bc1qchel9lzhuv3ayfp58yfdu7sxsjw2svgugtvj4v`
+**Monero**: `49yB5DPXK9TJVj5Jq5DkvrXd4wkFnoeC56mPED85bf5wHTUYmSyoYFEbVyyTciKzjFTo1kxMJMiCpLwuR96fT2NWS1hPVFG`
 
 ---
 
diff --git a/content/os/Linux Insecurities.md b/content/os/Linux Insecurities.md
index 0c1a4eb..54611b0 100644
--- a/content/os/Linux Insecurities.md	
+++ b/content/os/Linux Insecurities.md	
@@ -8,16 +8,28 @@ There is a common misconception among privacy communities that Linux is one of t
 
 There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, [Whonix](https://www.whonix.org/)'s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post. You can find the original article [here](https://madaidans-insecurities.github.io/linux.html).
 
-### Why is Linux used on servers if it is so insecure?
+## Why is Linux used on servers if it is so insecure?
 
 On servers, while most of the problems referenced in the article still exists, they are somewhat less problematic. 
 
 On Desktop Linux, GUI applications run under your user, and thus have access to all of your files in `/home`. This is in contrast to how system daemons typically run on servers, where they have their own group and user. For example, NGINX will run under `nginx:nginx` on Red Hat distributions, or `www-data:www-data` on Debian based ones. Discreationary Access Control does help with filesystem access control for server processes, but is useless for desktop applications.
 
-Another thing to keep in mind is that Mandatory Access Control is also somewhat effective on servers, as commonly run system daemons are confined. 
+Another thing to keep in mind is that Mandatory Access Control is also somewhat effective on servers, as commonly run system daemons are confined. In contrast, on desktop, there is virtually no AppArmor profile to confine even regularly used apps like Chrome or Firefox, let alone less common ones. On SELinux systems, these apps run in the UNCONFINED SELinux domain.
 
-Work in progress
+Linux servers are lighter than Desktop Linux systems by order of magnitude, without hundreds of packages and dozens of system daemons running like X11, audio servers, printing stack, and so on. Thus, the attack surface is much smaller.
 
-### Can't Linux be configured to be most secure operating system?
+## Linux Hardening Myths
 
-### Isn't it impossible to backdoor Linux because it is open source?
\ No newline at end of file
+There is a common claim in response to Madaidan that Linux is only insecure by default, and that an experience user can make it the most secure operating system out there, surpassing the likes of macOS or ChromeOS. Unfortunately, this is wishful thinking. There is no amount of hardening that one can reasonably apply as a user to fix up the inherent issues with Linux.
+
+### Lack of verified boot
+
+macOS, ChromeOS, and Android have a clear distinction between the system and user installed application. In over simplified terms, the system volume is signed by the OS vendor, and the firmware and boot loader works to make sure that said volume has the authorized signature. The operating system itself is immutable, and nothing the user does will need or be allowed to tamper with the system volume.
+
+On Linux, there is no such clear distinction between the system and user installed applications. Linux distributions are a bunch of packages put together to make a system that works, and thus every package is treated as part of said system. The end result is that binaries, regardless of whether they are vital for the system to function or just an extra application, are thrown into the same directories as each other (namely `/usr/bin` and `/usr/local/bin`). This makes it impossible for an end user to setup a verification mechanism to verify the integrity of "the system", as said "system" is not clearly defined in the first place.
+
+### Lack of application sandboxing
+
+Operating systems like Android and ChromeOS have full system mandatory access control, every process from the init process is strictly confined. Regardless of which application you install or how you install them, they have to play by the rules of an untrusted SELinux domain.
+
+On Linux, it is quite the opposite. 
\ No newline at end of file
diff --git a/public/donate/index.html b/public/donate/index.html
index c4fed09..bc51460 100644
--- a/public/donate/index.html
+++ b/public/donate/index.html
@@ -1,5 +1,6 @@
 <!doctype html><html lang=en dir=auto><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=robots content="index, follow"><title>Donate | PrivSec.dev</title><meta name=keywords content><meta name=description content="The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project."><meta name=author content="PrivSec Team"><link rel=canonical href=https://privsec.dev/donate/><link crossorigin=anonymous href=/assets/css/stylesheet.8b523f1730c922e314350296d83fd666efa16519ca136320a93df674d00b6325.css integrity="sha256-i1I/FzDJIuMUNQKW2D/WZu+hZRnKE2MgqT32dNALYyU=" rel="preload stylesheet" as=style><script defer crossorigin=anonymous src=/assets/js/highlight.f413e19d0714851f6474e7ee9632408e58ac146fbdbe62747134bea2fa3415e0.js integrity="sha256-9BPhnQcUhR9kdOfuljJAjlisFG+9vmJ0cTS+ovo0FeA=" onload=hljs.initHighlightingOnLoad()></script>
-<link rel=icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=icon type=image/png sizes=16x16 href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=icon type=image/png sizes=32x32 href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=apple-touch-icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=mask-icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><meta name=theme-color content="#2e2e33"><meta name=msapplication-TileColor content="#2e2e33"><noscript><style>#theme-toggle,.top-link{display:none}</style></noscript><meta property="og:title" content="Donate"><meta property="og:description" content="The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project."><meta property="og:type" content="article"><meta property="og:url" content="https://privsec.dev/donate/"><meta property="article:section" content><meta name=twitter:card content="summary"><meta name=twitter:title content="Donate"><meta name=twitter:description content="The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project."><script type=application/ld+json>{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":2,"name":"Donate","item":"https://privsec.dev/donate/"}]}</script><script type=application/ld+json>{"@context":"https://schema.org","@type":"BlogPosting","headline":"Donate","name":"Donate","description":"The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project.","keywords":[],"articleBody":"The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project.\nThe real cost is the time and energy we put into writing, testing, and fact checking the content. Some of our members may want accept donation, and you can donate to them individually.\nJune XMR: 49b1PUPeHJEDwZqaaQm4MQUjycY8ckEko53jvTcPB5yE2QKoS5haNe3Fnbg1Le7nSkgUkm4tcpj4Z2YmtaT3j6KVUVgBGw2\nAlternatively, please consider donating to the projects below. These are projects which we rely on for our own digital safety and recommend to our readers. They are vital for the privacy, security, and safety of thousands of people.\nGrapheneOS Donation Link: grapheneos.org/donate\n","wordCount":"161","inLanguage":"en","datePublished":"0001-01-01T00:00:00Z","dateModified":"0001-01-01T00:00:00Z","author":{"@type":"Person","name":"PrivSec Team"},"mainEntityOfPage":{"@type":"WebPage","@id":"https://privsec.dev/donate/"},"publisher":{"@type":"Organization","name":"PrivSec.dev","logo":{"@type":"ImageObject","url":"https://privsec.dev/%3Clink%20/%20abs%20url%3E"}}}</script></head><body class=dark id=top><script>localStorage.getItem("pref-theme")==="light"&&document.body.classList.remove("dark")</script><header class=header><nav class=nav><div class=logo><a href=https://privsec.dev accesskey=h title="PrivSec.dev (Alt + H)">PrivSec.dev</a><div class=logo-switches><button id=theme-toggle accesskey=t title="(Alt + T)"><svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg><svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="5"/><line x1="12" y1="1" x2="12" y2="3"/><line x1="12" y1="21" x2="12" y2="23"/><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"/><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"/><line x1="1" y1="12" x2="3" y2="12"/><line x1="21" y1="12" x2="23" y2="12"/><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"/><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"/></svg></button></div></div><ul id=menu><li><a href=https://privsec.dev/knowledge/ title="Knowledge Base"><span>Knowledge Base</span></a></li><li><a href=https://privsec.dev/os/ title="Operating Systems"><span>Operating Systems</span></a></li><li><a href=https://privsec.dev/apps/ title=Applications><span>Applications</span></a></li><li><a href=https://privsec.dev/providers/ title=Providers><span>Providers</span></a></li></ul></nav></header><main class=main><article class=post-single><header class=post-header><div class=breadcrumbs><a href=https://privsec.dev>Home</a></div><h1 class=post-title>Donate</h1><div class=post-meta>1 min&nbsp;·&nbsp;161 words&nbsp;·&nbsp;PrivSec Team&nbsp;|&nbsp;<a href=https://github.com/PrivSec-dev/privsec.dev/blob/main/content/donate.md rel="noopener noreferrer" target=_blank>Suggest Changes</a></div></header><div class=toc><details><summary accesskey=c title="(Alt + C)"><span class=details>Table of Contents</span></summary><div class=inner><ul><li><a href=#june aria-label=June>June</a></li><li><a href=#grapheneos aria-label=GrapheneOS>GrapheneOS</a></li></ul></div></details></div><div class=post-content><p>The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project.</p><p>The real cost is the time and energy we put into writing, testing, and fact checking the content. Some of our members may want accept donation, and you can donate to them individually.</p><h3 id=june>June<a hidden class=anchor aria-hidden=true href=#june>#</a></h3><p><strong>XMR</strong>: <code>49b1PUPeHJEDwZqaaQm4MQUjycY8ckEko53jvTcPB5yE2QKoS5haNe3Fnbg1Le7nSkgUkm4tcpj4Z2YmtaT3j6KVUVgBGw2</code></p><hr><p>Alternatively, please consider donating to the projects below. These are projects which we rely on for our own digital safety and recommend to our readers. They are vital for the privacy, security, and safety of thousands of people.</p><h3 id=grapheneos>GrapheneOS<a hidden class=anchor aria-hidden=true href=#grapheneos>#</a></h3><p><strong>Donation Link</strong>: <a href=https://grapheneos.org/donate>grapheneos.org/donate</a></p></div><footer class=post-footer><ul class=post-tags></ul></footer></article></main><footer class=footer><span>&copy; 2022 <a href=https://privsec.dev>PrivSec.dev</a></span>
+<link rel=icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=icon type=image/png sizes=16x16 href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=icon type=image/png sizes=32x32 href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=apple-touch-icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=mask-icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><meta name=theme-color content="#2e2e33"><meta name=msapplication-TileColor content="#2e2e33"><noscript><style>#theme-toggle,.top-link{display:none}</style></noscript><meta property="og:title" content="Donate"><meta property="og:description" content="The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project."><meta property="og:type" content="article"><meta property="og:url" content="https://privsec.dev/donate/"><meta property="article:section" content><meta name=twitter:card content="summary"><meta name=twitter:title content="Donate"><meta name=twitter:description content="The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project."><script type=application/ld+json>{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":2,"name":"Donate","item":"https://privsec.dev/donate/"}]}</script><script type=application/ld+json>{"@context":"https://schema.org","@type":"BlogPosting","headline":"Donate","name":"Donate","description":"The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project.","keywords":[],"articleBody":"The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project.\nThe real cost is the time and energy we put into writing, testing, and fact checking the content. Some of our members may want accept donation, and you can donate to them individually.\nJune Monero: 49b1PUPeHJEDwZqaaQm4MQUjycY8ckEko53jvTcPB5yE2QKoS5haNe3Fnbg1Le7nSkgUkm4tcpj4Z2YmtaT3j6KVUVgBGw2\nRandomhydrosol Bitcoin: bc1qchel9lzhuv3ayfp58yfdu7sxsjw2svgugtvj4v Monero: 49yB5DPXK9TJVj5Jq5DkvrXd4wkFnoeC56mPED85bf5wHTUYmSyoYFEbVyyTciKzjFTo1kxMJMiCpLwuR96fT2NWS1hPVFG\nAlternatively, please consider donating to the projects below. These are projects which we rely on for our own digital safety and recommend to our readers. They are vital for the privacy, security, and safety of thousands of people.\nGrapheneOS Donation Link: grapheneos.org/donate\n","wordCount":"166","inLanguage":"en","datePublished":"0001-01-01T00:00:00Z","dateModified":"0001-01-01T00:00:00Z","author":{"@type":"Person","name":"PrivSec Team"},"mainEntityOfPage":{"@type":"WebPage","@id":"https://privsec.dev/donate/"},"publisher":{"@type":"Organization","name":"PrivSec.dev","logo":{"@type":"ImageObject","url":"https://privsec.dev/%3Clink%20/%20abs%20url%3E"}}}</script></head><body class=dark id=top><script>localStorage.getItem("pref-theme")==="light"&&document.body.classList.remove("dark")</script><header class=header><nav class=nav><div class=logo><a href=https://privsec.dev accesskey=h title="PrivSec.dev (Alt + H)">PrivSec.dev</a><div class=logo-switches><button id=theme-toggle accesskey=t title="(Alt + T)"><svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg><svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="5"/><line x1="12" y1="1" x2="12" y2="3"/><line x1="12" y1="21" x2="12" y2="23"/><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"/><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"/><line x1="1" y1="12" x2="3" y2="12"/><line x1="21" y1="12" x2="23" y2="12"/><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"/><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"/></svg></button></div></div><ul id=menu><li><a href=https://privsec.dev/knowledge/ title="Knowledge Base"><span>Knowledge Base</span></a></li><li><a href=https://privsec.dev/os/ title="Operating Systems"><span>Operating Systems</span></a></li><li><a href=https://privsec.dev/apps/ title=Applications><span>Applications</span></a></li><li><a href=https://privsec.dev/providers/ title=Providers><span>Providers</span></a></li></ul></nav></header><main class=main><article class=post-single><header class=post-header><div class=breadcrumbs><a href=https://privsec.dev>Home</a></div><h1 class=post-title>Donate</h1><div class=post-meta>1 min&nbsp;·&nbsp;166 words&nbsp;·&nbsp;PrivSec Team&nbsp;|&nbsp;<a href=https://github.com/PrivSec-dev/privsec.dev/blob/main/content/donate.md rel="noopener noreferrer" target=_blank>Suggest Changes</a></div></header><div class=toc><details><summary accesskey=c title="(Alt + C)"><span class=details>Table of Contents</span></summary><div class=inner><ul><li><a href=#june aria-label=June>June</a></li><li><a href=#randomhydrosol aria-label=Randomhydrosol>Randomhydrosol</a></li><li><a href=#grapheneos aria-label=GrapheneOS>GrapheneOS</a></li></ul></div></details></div><div class=post-content><p>The domain costs us $12/year to renew from Google. We got our repository hosted for free on GitHub. We got our site hosted for free with Firebase. It costs Tommy ~$20/month to run the mail server, but that server is used for a bunch of his projects, not just PrivSec, and we doubt it will be used that much anyways. The point is, this website does not cost much to run, and as such we will not be accepting donation as a project.</p><p>The real cost is the time and energy we put into writing, testing, and fact checking the content. Some of our members may want accept donation, and you can donate to them individually.</p><h3 id=june>June<a hidden class=anchor aria-hidden=true href=#june>#</a></h3><p><strong>Monero</strong>: <code>49b1PUPeHJEDwZqaaQm4MQUjycY8ckEko53jvTcPB5yE2QKoS5haNe3Fnbg1Le7nSkgUkm4tcpj4Z2YmtaT3j6KVUVgBGw2</code></p><h3 id=randomhydrosol>Randomhydrosol<a hidden class=anchor aria-hidden=true href=#randomhydrosol>#</a></h3><p><strong>Bitcoin</strong>: <code>bc1qchel9lzhuv3ayfp58yfdu7sxsjw2svgugtvj4v</code>
+<strong>Monero</strong>: <code>49yB5DPXK9TJVj5Jq5DkvrXd4wkFnoeC56mPED85bf5wHTUYmSyoYFEbVyyTciKzjFTo1kxMJMiCpLwuR96fT2NWS1hPVFG</code></p><hr><p>Alternatively, please consider donating to the projects below. These are projects which we rely on for our own digital safety and recommend to our readers. They are vital for the privacy, security, and safety of thousands of people.</p><h3 id=grapheneos>GrapheneOS<a hidden class=anchor aria-hidden=true href=#grapheneos>#</a></h3><p><strong>Donation Link</strong>: <a href=https://grapheneos.org/donate>grapheneos.org/donate</a></p></div><footer class=post-footer><ul class=post-tags></ul></footer></article></main><footer class=footer><span>&copy; 2022 <a href=https://privsec.dev>PrivSec.dev</a></span>
 <span>Powered by
 <a href=https://gohugo.io/ rel="noopener noreferrer" target=_blank>Hugo</a> &
         <a href=https://github.com/adityatelange/hugo-PaperMod/ rel=noopener target=_blank>PaperMod</a></span></footer><a href=#top aria-label="go to top" title="Go to Top (Alt + G)" class=top-link id=top-link accesskey=g><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 6" fill="currentcolor"><path d="M12 6H0l6-6z"/></svg></a><script>let menu=document.getElementById("menu");menu&&(menu.scrollLeft=localStorage.getItem("menu-scroll-position"),menu.onscroll=function(){localStorage.setItem("menu-scroll-position",menu.scrollLeft)}),document.querySelectorAll('a[href^="#"]').forEach(e=>{e.addEventListener("click",function(e){e.preventDefault();var t=this.getAttribute("href").substr(1);window.matchMedia("(prefers-reduced-motion: reduce)").matches?document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView():document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView({behavior:"smooth"}),t==="top"?history.replaceState(null,null," "):history.pushState(null,null,`#${t}`)})})</script><script>var mybutton=document.getElementById("top-link");window.onscroll=function(){document.body.scrollTop>800||document.documentElement.scrollTop>800?(mybutton.style.visibility="visible",mybutton.style.opacity="1"):(mybutton.style.visibility="hidden",mybutton.style.opacity="0")}</script><script>document.getElementById("theme-toggle").addEventListener("click",()=>{document.body.className.includes("dark")?(document.body.classList.remove("dark"),localStorage.setItem("pref-theme","light")):(document.body.classList.add("dark"),localStorage.setItem("pref-theme","dark"))})</script><script>document.querySelectorAll("pre > code").forEach(e=>{const n=e.parentNode.parentNode,t=document.createElement("button");t.classList.add("copy-code"),t.innerHTML="copy";function s(){t.innerHTML="copied!",setTimeout(()=>{t.innerHTML="copy"},2e3)}t.addEventListener("click",t=>{if("clipboard"in navigator){navigator.clipboard.writeText(e.textContent),s();return}const n=document.createRange();n.selectNodeContents(e);const o=window.getSelection();o.removeAllRanges(),o.addRange(n);try{document.execCommand("copy"),s()}catch{}o.removeRange(n)}),n.classList.contains("highlight")?n.appendChild(t):n.parentNode.firstChild==n||(e.parentNode.parentNode.parentNode.parentNode.parentNode.nodeName=="TABLE"?e.parentNode.parentNode.parentNode.parentNode.parentNode.appendChild(t):e.parentNode.appendChild(t))})</script></body></html>
\ No newline at end of file
diff --git a/public/os/index.html b/public/os/index.html
index aa7558b..f38be86 100644
--- a/public/os/index.html
+++ b/public/os/index.html
@@ -5,7 +5,7 @@ For frozen distributions, package maintainers are expected to backport patches t
 - Hey, your software doesn’t work…
 - Sorry, it works on my computer! Can’t help you.
 Whether we like them or not, containers are here to stay. Their expressiveness and semantics allow for an abstraction of the OS dependencies that a software has, the latter being often dynamically linked against certain libraries....</p></div><footer class=entry-footer>19 min&nbsp;·&nbsp;3925 words&nbsp;·&nbsp;Wonderfall</footer><a class=entry-link aria-label="post link to Docker and OCI Hardening" href=https://privsec.dev/os/docker-and-oci-hardening/></a></article><article class=post-entry><header class=entry-header><h2>Linux Insecurities</h2></header><div class=entry-content><p>There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.
-There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post....</p></div><footer class=entry-footer>2 min&nbsp;·&nbsp;238 words&nbsp;·&nbsp;Tommy</footer><a class=entry-link aria-label="post link to Linux Insecurities" href=https://privsec.dev/os/linux-insecurities/></a></article><article class=post-entry><header class=entry-header><h2>Securing OpenSSH with FIDO2</h2></header><div class=entry-content><p>Passwordless authentication with OpenSSH keys has been the de facto security standard for years. SSH keys are more robust since they’re cryptographically sane by default, and are therefore resilient to most bruteforce atacks. They’re also easier to manage while enabling a form of decentralized authentication (it’s easy and painless to revoke them). So, what’s the next step? And more exactly, why would one need something even better?
+There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post....</p></div><footer class=entry-footer>3 min&nbsp;·&nbsp;589 words&nbsp;·&nbsp;Tommy</footer><a class=entry-link aria-label="post link to Linux Insecurities" href=https://privsec.dev/os/linux-insecurities/></a></article><article class=post-entry><header class=entry-header><h2>Securing OpenSSH with FIDO2</h2></header><div class=entry-content><p>Passwordless authentication with OpenSSH keys has been the de facto security standard for years. SSH keys are more robust since they’re cryptographically sane by default, and are therefore resilient to most bruteforce atacks. They’re also easier to manage while enabling a form of decentralized authentication (it’s easy and painless to revoke them). So, what’s the next step? And more exactly, why would one need something even better?
 Why? The main problem with SSH keys is that they’re not magic: they consist of a key pair, of which the private key is stored on your disk....</p></div><footer class=entry-footer>5 min&nbsp;·&nbsp;863 words&nbsp;·&nbsp;Wonderfall</footer><a class=entry-link aria-label="post link to Securing OpenSSH with FIDO2" href=https://privsec.dev/os/securing-openssh-with-fido2/></a></article></main><footer class=footer><span>&copy; 2022 <a href=https://privsec.dev>PrivSec.dev</a></span>
 <span>Powered by
 <a href=https://gohugo.io/ rel="noopener noreferrer" target=_blank>Hugo</a> &
diff --git a/public/os/linux-insecurities/index.html b/public/os/linux-insecurities/index.html
index 180bc61..02ad572 100644
--- a/public/os/linux-insecurities/index.html
+++ b/public/os/linux-insecurities/index.html
@@ -2,7 +2,7 @@
 There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix&rsquo;s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post."><meta name=author content="Tommy"><link rel=canonical href=https://privsec.dev/os/linux-insecurities/><link crossorigin=anonymous href=/assets/css/stylesheet.8b523f1730c922e314350296d83fd666efa16519ca136320a93df674d00b6325.css integrity="sha256-i1I/FzDJIuMUNQKW2D/WZu+hZRnKE2MgqT32dNALYyU=" rel="preload stylesheet" as=style><script defer crossorigin=anonymous src=/assets/js/highlight.f413e19d0714851f6474e7ee9632408e58ac146fbdbe62747134bea2fa3415e0.js integrity="sha256-9BPhnQcUhR9kdOfuljJAjlisFG+9vmJ0cTS+ovo0FeA=" onload=hljs.initHighlightingOnLoad()></script>
 <link rel=icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=icon type=image/png sizes=16x16 href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=icon type=image/png sizes=32x32 href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=apple-touch-icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=mask-icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><meta name=theme-color content="#2e2e33"><meta name=msapplication-TileColor content="#2e2e33"><noscript><style>#theme-toggle,.top-link{display:none}</style></noscript><meta property="og:title" content="Linux Insecurities"><meta property="og:description" content="There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.
 There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix&rsquo;s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post."><meta property="og:type" content="article"><meta property="og:url" content="https://privsec.dev/os/linux-insecurities/"><meta property="article:section" content="os"><meta name=twitter:card content="summary"><meta name=twitter:title content="Linux Insecurities"><meta name=twitter:description content="There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.
-There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix&rsquo;s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post."><script type=application/ld+json>{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":2,"name":"Operating Systems","item":"https://privsec.dev/os/"},{"@type":"ListItem","position":3,"name":"Linux Insecurities","item":"https://privsec.dev/os/linux-insecurities/"}]}</script><script type=application/ld+json>{"@context":"https://schema.org","@type":"BlogPosting","headline":"Linux Insecurities","name":"Linux Insecurities","description":"There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.\nThere is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix\u0026rsquo;s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post.","keywords":["operating system","security","linux"],"articleBody":"There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.\nThere is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post. You can find the original article here.\nWhy is Linux used on servers if it is so insecure? On servers, while most of the problems referenced in the article still exists, they are somewhat less problematic.\nOn Desktop Linux, GUI applications run under your user, and thus have access to all of your files in /home. This is in contrast to how system daemons typically run on servers, where they have their own group and user. For example, NGINX will run under nginx:nginx on Red Hat distributions, or www-data:www-data on Debian based ones. Discreationary Access Control does help with filesystem access control for server processes, but is useless for desktop applications.\nAnother thing to keep in mind is that Mandatory Access Control is also somewhat effective on servers, as commonly run system daemons are confined.\nWork in progress\nCan’t Linux be configured to be most secure operating system? Isn’t it impossible to backdoor Linux because it is open source? ","wordCount":"238","inLanguage":"en","datePublished":"0001-01-01T00:00:00Z","dateModified":"0001-01-01T00:00:00Z","author":{"@type":"Person","name":"Tommy"},"mainEntityOfPage":{"@type":"WebPage","@id":"https://privsec.dev/os/linux-insecurities/"},"publisher":{"@type":"Organization","name":"PrivSec.dev","logo":{"@type":"ImageObject","url":"https://privsec.dev/%3Clink%20/%20abs%20url%3E"}}}</script></head><body class=dark id=top><script>localStorage.getItem("pref-theme")==="light"&&document.body.classList.remove("dark")</script><header class=header><nav class=nav><div class=logo><a href=https://privsec.dev accesskey=h title="PrivSec.dev (Alt + H)">PrivSec.dev</a><div class=logo-switches><button id=theme-toggle accesskey=t title="(Alt + T)"><svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg><svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="5"/><line x1="12" y1="1" x2="12" y2="3"/><line x1="12" y1="21" x2="12" y2="23"/><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"/><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"/><line x1="1" y1="12" x2="3" y2="12"/><line x1="21" y1="12" x2="23" y2="12"/><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"/><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"/></svg></button></div></div><ul id=menu><li><a href=https://privsec.dev/knowledge/ title="Knowledge Base"><span>Knowledge Base</span></a></li><li><a href=https://privsec.dev/os/ title="Operating Systems"><span>Operating Systems</span></a></li><li><a href=https://privsec.dev/apps/ title=Applications><span>Applications</span></a></li><li><a href=https://privsec.dev/providers/ title=Providers><span>Providers</span></a></li></ul></nav></header><main class=main><article class=post-single><header class=post-header><div class=breadcrumbs><a href=https://privsec.dev>Home</a>&nbsp;»&nbsp;<a href=https://privsec.dev/os/>Operating Systems</a></div><h1 class=post-title>Linux Insecurities</h1><div class=post-meta>2 min&nbsp;·&nbsp;238 words&nbsp;·&nbsp;Tommy&nbsp;|&nbsp;<a href=https://github.com/PrivSec-dev/privsec.dev/blob/main/content/os/Linux%20Insecurities.md rel="noopener noreferrer" target=_blank>Suggest Changes</a></div></header><div class=toc><details><summary accesskey=c title="(Alt + C)"><span class=details>Table of Contents</span></summary><div class=inner><ul><li><a href=#why-is-linux-used-on-servers-if-it-is-so-insecure aria-label="Why is Linux used on servers if it is so insecure?">Why is Linux used on servers if it is so insecure?</a></li><li><a href=#cant-linux-be-configured-to-be-most-secure-operating-system aria-label="Can&amp;rsquo;t Linux be configured to be most secure operating system?">Can&rsquo;t Linux be configured to be most secure operating system?</a></li><li><a href=#isnt-it-impossible-to-backdoor-linux-because-it-is-open-source aria-label="Isn&amp;rsquo;t it impossible to backdoor Linux because it is open source?">Isn&rsquo;t it impossible to backdoor Linux because it is open source?</a></li></ul></div></details></div><div class=post-content><p>There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.</p><p>There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, <a href=https://www.whonix.org/>Whonix</a>&rsquo;s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post. You can find the original article <a href=https://madaidans-insecurities.github.io/linux.html>here</a>.</p><h3 id=why-is-linux-used-on-servers-if-it-is-so-insecure>Why is Linux used on servers if it is so insecure?<a hidden class=anchor aria-hidden=true href=#why-is-linux-used-on-servers-if-it-is-so-insecure>#</a></h3><p>On servers, while most of the problems referenced in the article still exists, they are somewhat less problematic.</p><p>On Desktop Linux, GUI applications run under your user, and thus have access to all of your files in <code>/home</code>. This is in contrast to how system daemons typically run on servers, where they have their own group and user. For example, NGINX will run under <code>nginx:nginx</code> on Red Hat distributions, or <code>www-data:www-data</code> on Debian based ones. Discreationary Access Control does help with filesystem access control for server processes, but is useless for desktop applications.</p><p>Another thing to keep in mind is that Mandatory Access Control is also somewhat effective on servers, as commonly run system daemons are confined.</p><p>Work in progress</p><h3 id=cant-linux-be-configured-to-be-most-secure-operating-system>Can&rsquo;t Linux be configured to be most secure operating system?<a hidden class=anchor aria-hidden=true href=#cant-linux-be-configured-to-be-most-secure-operating-system>#</a></h3><h3 id=isnt-it-impossible-to-backdoor-linux-because-it-is-open-source>Isn&rsquo;t it impossible to backdoor Linux because it is open source?<a hidden class=anchor aria-hidden=true href=#isnt-it-impossible-to-backdoor-linux-because-it-is-open-source>#</a></h3></div><footer class=post-footer><ul class=post-tags><li><a href=https://privsec.dev/tags/operating-system/>operating system</a></li><li><a href=https://privsec.dev/tags/security/>security</a></li><li><a href=https://privsec.dev/tags/linux/>linux</a></li></ul><nav class=paginav><a class=prev href=https://privsec.dev/os/docker-and-oci-hardening/><span class=title>« Prev</span><br><span>Docker and OCI Hardening</span></a>
+There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix&rsquo;s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post."><script type=application/ld+json>{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":2,"name":"Operating Systems","item":"https://privsec.dev/os/"},{"@type":"ListItem","position":3,"name":"Linux Insecurities","item":"https://privsec.dev/os/linux-insecurities/"}]}</script><script type=application/ld+json>{"@context":"https://schema.org","@type":"BlogPosting","headline":"Linux Insecurities","name":"Linux Insecurities","description":"There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.\nThere is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix\u0026rsquo;s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post.","keywords":["operating system","security","linux"],"articleBody":"There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.\nThere is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post. You can find the original article here.\nWhy is Linux used on servers if it is so insecure? On servers, while most of the problems referenced in the article still exists, they are somewhat less problematic.\nOn Desktop Linux, GUI applications run under your user, and thus have access to all of your files in /home. This is in contrast to how system daemons typically run on servers, where they have their own group and user. For example, NGINX will run under nginx:nginx on Red Hat distributions, or www-data:www-data on Debian based ones. Discreationary Access Control does help with filesystem access control for server processes, but is useless for desktop applications.\nAnother thing to keep in mind is that Mandatory Access Control is also somewhat effective on servers, as commonly run system daemons are confined. In contrast, on desktop, there is virtually no AppArmor profile to confine even regularly used apps like Chrome or Firefox, let alone less common ones. On SELinux systems, these apps run in the UNCONFINED SELinux domain.\nLinux servers are lighter than Desktop Linux systems by order of magnitude, without hundreds of packages and dozens of system daemons running like X11, audio servers, printing stack, and so on. Thus, the attack surface is much smaller.\nLinux Hardening Myths There is a common claim in response to Madaidan that Linux is only insecure by default, and that an experience user can make it the most secure operating system out there, surpassing the likes of macOS or ChromeOS. Unfortunately, this is wishful thinking. There is no amount of hardening that one can reasonably apply as a user to fix up the inherent issues with Linux.\nLack of verified boot macOS, ChromeOS, and Android have a clear distinction between the system and user installed application. In over simplified terms, the system volume is signed by the OS vendor, and the firmware and boot loader works to make sure that said volume has the authorized signature. The operating system itself is immutable, and nothing the user does will need or be allowed to tamper with the system volume.\nOn Linux, there is no such clear distinction between the system and user installed applications. Linux distributions are a bunch of packages put together to make a system that works, and thus every package is treated as part of said system. The end result is that binaries, regardless of whether they are vital for the system to function or just an extra application, are thrown into the same directories as each other (namely /usr/bin and /usr/local/bin). This makes it impossible for an end user to setup a verification mechanism to verify the integrity of “the system”, as said “system” is not clearly defined in the first place.\nLack of application sandboxing Operating systems like Android and ChromeOS have full system mandatory access control, every process from the init process is strictly confined. Regardless of which application you install or how you install them, they have to play by the rules of an untrusted SELinux domain.\nOn Linux, it is quite the opposite.\n","wordCount":"589","inLanguage":"en","datePublished":"0001-01-01T00:00:00Z","dateModified":"0001-01-01T00:00:00Z","author":{"@type":"Person","name":"Tommy"},"mainEntityOfPage":{"@type":"WebPage","@id":"https://privsec.dev/os/linux-insecurities/"},"publisher":{"@type":"Organization","name":"PrivSec.dev","logo":{"@type":"ImageObject","url":"https://privsec.dev/%3Clink%20/%20abs%20url%3E"}}}</script></head><body class=dark id=top><script>localStorage.getItem("pref-theme")==="light"&&document.body.classList.remove("dark")</script><header class=header><nav class=nav><div class=logo><a href=https://privsec.dev accesskey=h title="PrivSec.dev (Alt + H)">PrivSec.dev</a><div class=logo-switches><button id=theme-toggle accesskey=t title="(Alt + T)"><svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg><svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="5"/><line x1="12" y1="1" x2="12" y2="3"/><line x1="12" y1="21" x2="12" y2="23"/><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"/><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"/><line x1="1" y1="12" x2="3" y2="12"/><line x1="21" y1="12" x2="23" y2="12"/><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"/><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"/></svg></button></div></div><ul id=menu><li><a href=https://privsec.dev/knowledge/ title="Knowledge Base"><span>Knowledge Base</span></a></li><li><a href=https://privsec.dev/os/ title="Operating Systems"><span>Operating Systems</span></a></li><li><a href=https://privsec.dev/apps/ title=Applications><span>Applications</span></a></li><li><a href=https://privsec.dev/providers/ title=Providers><span>Providers</span></a></li></ul></nav></header><main class=main><article class=post-single><header class=post-header><div class=breadcrumbs><a href=https://privsec.dev>Home</a>&nbsp;»&nbsp;<a href=https://privsec.dev/os/>Operating Systems</a></div><h1 class=post-title>Linux Insecurities</h1><div class=post-meta>3 min&nbsp;·&nbsp;589 words&nbsp;·&nbsp;Tommy&nbsp;|&nbsp;<a href=https://github.com/PrivSec-dev/privsec.dev/blob/main/content/os/Linux%20Insecurities.md rel="noopener noreferrer" target=_blank>Suggest Changes</a></div></header><div class=toc><details><summary accesskey=c title="(Alt + C)"><span class=details>Table of Contents</span></summary><div class=inner><ul><li><a href=#why-is-linux-used-on-servers-if-it-is-so-insecure aria-label="Why is Linux used on servers if it is so insecure?">Why is Linux used on servers if it is so insecure?</a></li><li><a href=#linux-hardening-myths aria-label="Linux Hardening Myths">Linux Hardening Myths</a><ul><li><a href=#lack-of-verified-boot aria-label="Lack of verified boot">Lack of verified boot</a></li><li><a href=#lack-of-application-sandboxing aria-label="Lack of application sandboxing">Lack of application sandboxing</a></li></ul></li></ul></div></details></div><div class=post-content><p>There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.</p><p>There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, <a href=https://www.whonix.org/>Whonix</a>&rsquo;s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post. You can find the original article <a href=https://madaidans-insecurities.github.io/linux.html>here</a>.</p><h2 id=why-is-linux-used-on-servers-if-it-is-so-insecure>Why is Linux used on servers if it is so insecure?<a hidden class=anchor aria-hidden=true href=#why-is-linux-used-on-servers-if-it-is-so-insecure>#</a></h2><p>On servers, while most of the problems referenced in the article still exists, they are somewhat less problematic.</p><p>On Desktop Linux, GUI applications run under your user, and thus have access to all of your files in <code>/home</code>. This is in contrast to how system daemons typically run on servers, where they have their own group and user. For example, NGINX will run under <code>nginx:nginx</code> on Red Hat distributions, or <code>www-data:www-data</code> on Debian based ones. Discreationary Access Control does help with filesystem access control for server processes, but is useless for desktop applications.</p><p>Another thing to keep in mind is that Mandatory Access Control is also somewhat effective on servers, as commonly run system daemons are confined. In contrast, on desktop, there is virtually no AppArmor profile to confine even regularly used apps like Chrome or Firefox, let alone less common ones. On SELinux systems, these apps run in the UNCONFINED SELinux domain.</p><p>Linux servers are lighter than Desktop Linux systems by order of magnitude, without hundreds of packages and dozens of system daemons running like X11, audio servers, printing stack, and so on. Thus, the attack surface is much smaller.</p><h2 id=linux-hardening-myths>Linux Hardening Myths<a hidden class=anchor aria-hidden=true href=#linux-hardening-myths>#</a></h2><p>There is a common claim in response to Madaidan that Linux is only insecure by default, and that an experience user can make it the most secure operating system out there, surpassing the likes of macOS or ChromeOS. Unfortunately, this is wishful thinking. There is no amount of hardening that one can reasonably apply as a user to fix up the inherent issues with Linux.</p><h3 id=lack-of-verified-boot>Lack of verified boot<a hidden class=anchor aria-hidden=true href=#lack-of-verified-boot>#</a></h3><p>macOS, ChromeOS, and Android have a clear distinction between the system and user installed application. In over simplified terms, the system volume is signed by the OS vendor, and the firmware and boot loader works to make sure that said volume has the authorized signature. The operating system itself is immutable, and nothing the user does will need or be allowed to tamper with the system volume.</p><p>On Linux, there is no such clear distinction between the system and user installed applications. Linux distributions are a bunch of packages put together to make a system that works, and thus every package is treated as part of said system. The end result is that binaries, regardless of whether they are vital for the system to function or just an extra application, are thrown into the same directories as each other (namely <code>/usr/bin</code> and <code>/usr/local/bin</code>). This makes it impossible for an end user to setup a verification mechanism to verify the integrity of &ldquo;the system&rdquo;, as said &ldquo;system&rdquo; is not clearly defined in the first place.</p><h3 id=lack-of-application-sandboxing>Lack of application sandboxing<a hidden class=anchor aria-hidden=true href=#lack-of-application-sandboxing>#</a></h3><p>Operating systems like Android and ChromeOS have full system mandatory access control, every process from the init process is strictly confined. Regardless of which application you install or how you install them, they have to play by the rules of an untrusted SELinux domain.</p><p>On Linux, it is quite the opposite.</p></div><footer class=post-footer><ul class=post-tags><li><a href=https://privsec.dev/tags/operating-system/>operating system</a></li><li><a href=https://privsec.dev/tags/security/>security</a></li><li><a href=https://privsec.dev/tags/linux/>linux</a></li></ul><nav class=paginav><a class=prev href=https://privsec.dev/os/docker-and-oci-hardening/><span class=title>« Prev</span><br><span>Docker and OCI Hardening</span></a>
 <a class=next href=https://privsec.dev/os/securing-openssh-with-fido2/><span class=title>Next »</span><br><span>Securing OpenSSH with FIDO2</span></a></nav></footer></article></main><footer class=footer><span>&copy; 2022 <a href=https://privsec.dev>PrivSec.dev</a></span>
 <span>Powered by
 <a href=https://gohugo.io/ rel="noopener noreferrer" target=_blank>Hugo</a> &
diff --git a/public/tags/linux/index.html b/public/tags/linux/index.html
index c56fc87..1d4193e 100644
--- a/public/tags/linux/index.html
+++ b/public/tags/linux/index.html
@@ -5,7 +5,7 @@ For frozen distributions, package maintainers are expected to backport patches t
 - Hey, your software doesn’t work…
 - Sorry, it works on my computer! Can’t help you.
 Whether we like them or not, containers are here to stay. Their expressiveness and semantics allow for an abstraction of the OS dependencies that a software has, the latter being often dynamically linked against certain libraries....</p></div><footer class=entry-footer>19 min&nbsp;·&nbsp;3925 words&nbsp;·&nbsp;Wonderfall</footer><a class=entry-link aria-label="post link to Docker and OCI Hardening" href=https://privsec.dev/os/docker-and-oci-hardening/></a></article><article class="post-entry tag-entry"><header class=entry-header><h2>Linux Insecurities</h2></header><div class=entry-content><p>There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.
-There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post....</p></div><footer class=entry-footer>2 min&nbsp;·&nbsp;238 words&nbsp;·&nbsp;Tommy</footer><a class=entry-link aria-label="post link to Linux Insecurities" href=https://privsec.dev/os/linux-insecurities/></a></article><article class="post-entry tag-entry"><header class=entry-header><h2>Securing OpenSSH with FIDO2</h2></header><div class=entry-content><p>Passwordless authentication with OpenSSH keys has been the de facto security standard for years. SSH keys are more robust since they’re cryptographically sane by default, and are therefore resilient to most bruteforce atacks. They’re also easier to manage while enabling a form of decentralized authentication (it’s easy and painless to revoke them). So, what’s the next step? And more exactly, why would one need something even better?
+There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post....</p></div><footer class=entry-footer>3 min&nbsp;·&nbsp;589 words&nbsp;·&nbsp;Tommy</footer><a class=entry-link aria-label="post link to Linux Insecurities" href=https://privsec.dev/os/linux-insecurities/></a></article><article class="post-entry tag-entry"><header class=entry-header><h2>Securing OpenSSH with FIDO2</h2></header><div class=entry-content><p>Passwordless authentication with OpenSSH keys has been the de facto security standard for years. SSH keys are more robust since they’re cryptographically sane by default, and are therefore resilient to most bruteforce atacks. They’re also easier to manage while enabling a form of decentralized authentication (it’s easy and painless to revoke them). So, what’s the next step? And more exactly, why would one need something even better?
 Why? The main problem with SSH keys is that they’re not magic: they consist of a key pair, of which the private key is stored on your disk....</p></div><footer class=entry-footer>5 min&nbsp;·&nbsp;863 words&nbsp;·&nbsp;Wonderfall</footer><a class=entry-link aria-label="post link to Securing OpenSSH with FIDO2" href=https://privsec.dev/os/securing-openssh-with-fido2/></a></article></main><footer class=footer><span>&copy; 2022 <a href=https://privsec.dev>PrivSec.dev</a></span>
 <span>Powered by
 <a href=https://gohugo.io/ rel="noopener noreferrer" target=_blank>Hugo</a> &
diff --git a/public/tags/operating-system/index.html b/public/tags/operating-system/index.html
index 9bb6f21..28c2d13 100644
--- a/public/tags/operating-system/index.html
+++ b/public/tags/operating-system/index.html
@@ -2,7 +2,7 @@
 <a href=index.xml title=RSS aria-label=RSS><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" height="23"><path d="M4 11a9 9 0 019 9"/><path d="M4 4a16 16 0 0116 16"/><circle cx="5" cy="19" r="1"/></svg></a></h1></header><article class="post-entry tag-entry"><header class=entry-header><h2>Choosing Your Desktop Linux Distribution</h2></header><div class=entry-content><p>Not all Linux distributions are created equal. When choosing a Linux distribution, there are several things you need to keep in mind.
 Release cycle You should choose a distribution which stays close to the stable upstream software releases, typically rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
 For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such example) rather than bump the software to the “next version” released by the upstream developer....</p></div><footer class=entry-footer>7 min&nbsp;·&nbsp;1431 words&nbsp;·&nbsp;Tommy</footer><a class=entry-link aria-label="post link to Choosing Your Desktop Linux Distribution" href=https://privsec.dev/os/choosing-your-desktop-linux-distribution/></a></article><article class="post-entry tag-entry"><header class=entry-header><h2>Linux Insecurities</h2></header><div class=entry-content><p>There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.
-There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post....</p></div><footer class=entry-footer>2 min&nbsp;·&nbsp;238 words&nbsp;·&nbsp;Tommy</footer><a class=entry-link aria-label="post link to Linux Insecurities" href=https://privsec.dev/os/linux-insecurities/></a></article></main><footer class=footer><span>&copy; 2022 <a href=https://privsec.dev>PrivSec.dev</a></span>
+There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post....</p></div><footer class=entry-footer>3 min&nbsp;·&nbsp;589 words&nbsp;·&nbsp;Tommy</footer><a class=entry-link aria-label="post link to Linux Insecurities" href=https://privsec.dev/os/linux-insecurities/></a></article></main><footer class=footer><span>&copy; 2022 <a href=https://privsec.dev>PrivSec.dev</a></span>
 <span>Powered by
 <a href=https://gohugo.io/ rel="noopener noreferrer" target=_blank>Hugo</a> &
         <a href=https://github.com/adityatelange/hugo-PaperMod/ rel=noopener target=_blank>PaperMod</a></span></footer><a href=#top aria-label="go to top" title="Go to Top (Alt + G)" class=top-link id=top-link accesskey=g><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 6" fill="currentcolor"><path d="M12 6H0l6-6z"/></svg></a><script>let menu=document.getElementById("menu");menu&&(menu.scrollLeft=localStorage.getItem("menu-scroll-position"),menu.onscroll=function(){localStorage.setItem("menu-scroll-position",menu.scrollLeft)}),document.querySelectorAll('a[href^="#"]').forEach(e=>{e.addEventListener("click",function(e){e.preventDefault();var t=this.getAttribute("href").substr(1);window.matchMedia("(prefers-reduced-motion: reduce)").matches?document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView():document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView({behavior:"smooth"}),t==="top"?history.replaceState(null,null," "):history.pushState(null,null,`#${t}`)})})</script><script>var mybutton=document.getElementById("top-link");window.onscroll=function(){document.body.scrollTop>800||document.documentElement.scrollTop>800?(mybutton.style.visibility="visible",mybutton.style.opacity="1"):(mybutton.style.visibility="hidden",mybutton.style.opacity="0")}</script><script>document.getElementById("theme-toggle").addEventListener("click",()=>{document.body.className.includes("dark")?(document.body.classList.remove("dark"),localStorage.setItem("pref-theme","light")):(document.body.classList.add("dark"),localStorage.setItem("pref-theme","dark"))})</script></body></html>
\ No newline at end of file
diff --git a/public/tags/security/index.html b/public/tags/security/index.html
index 03ab111..fcedd59 100644
--- a/public/tags/security/index.html
+++ b/public/tags/security/index.html
@@ -7,7 +7,7 @@ For frozen distributions, package maintainers are expected to backport patches t
 Whether we like them or not, containers are here to stay. Their expressiveness and semantics allow for an abstraction of the OS dependencies that a software has, the latter being often dynamically linked against certain libraries....</p></div><footer class=entry-footer>19 min&nbsp;·&nbsp;3925 words&nbsp;·&nbsp;Wonderfall</footer><a class=entry-link aria-label="post link to Docker and OCI Hardening" href=https://privsec.dev/os/docker-and-oci-hardening/></a></article><article class="post-entry tag-entry"><header class=entry-header><h2>F-Droid Security Analysis</h2></header><div class=entry-content><p>F-Droid is a popular alternative app repository for Android, especially known for its main repository dedicated to free and open-source software. F-Droid is often recommended among security and privacy enthusiasts, but how does it stack up against Play Store in practice? This write-up will attempt to emphasize major security issues with F-Droid that you should consider.
 Before we start, a few things to keep in mind:
 The main goal of this write-up was to inform users so they can make responsible choices, not to trash someone else’s work....</p></div><footer class=entry-footer>25 min&nbsp;·&nbsp;5298 words&nbsp;·&nbsp;Wonderfall</footer><a class=entry-link aria-label="post link to F-Droid Security Analysis" href=https://privsec.dev/apps/f-droid-security-analysis/></a></article><article class="post-entry tag-entry"><header class=entry-header><h2>Linux Insecurities</h2></header><div class=entry-content><p>There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality.
-There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post....</p></div><footer class=entry-footer>2 min&nbsp;·&nbsp;238 words&nbsp;·&nbsp;Tommy</footer><a class=entry-link aria-label="post link to Linux Insecurities" href=https://privsec.dev/os/linux-insecurities/></a></article><article class="post-entry tag-entry"><header class=entry-header><h2>Multi-factor Authentication</h2></header><div class=entry-content><p>Multi-factor authentication is a security mechanism that requires additional verification beyond your username (or email) and password. This usually comes in the form of a one time passcode, a push notification, or plugging in and tapping a hardware security key.
+There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, Whonix’s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post....</p></div><footer class=entry-footer>3 min&nbsp;·&nbsp;589 words&nbsp;·&nbsp;Tommy</footer><a class=entry-link aria-label="post link to Linux Insecurities" href=https://privsec.dev/os/linux-insecurities/></a></article><article class="post-entry tag-entry"><header class=entry-header><h2>Multi-factor Authentication</h2></header><div class=entry-content><p>Multi-factor authentication is a security mechanism that requires additional verification beyond your username (or email) and password. This usually comes in the form of a one time passcode, a push notification, or plugging in and tapping a hardware security key.
 Common protocols Email and SMS MFA Email and SMS MFA are examples of the weaker MFA protocols. Email MFA is not great as whoever controls your email account can typically both reset your password and recieve your MFA verification....</p></div><footer class=entry-footer>6 min&nbsp;·&nbsp;1223 words&nbsp;·&nbsp;Tommy</footer><a class=entry-link aria-label="post link to Multi-factor Authentication" href=https://privsec.dev/knowledge/multi-factor-authentication/></a></article><footer class=page-footer><nav class=pagination><a class=next href=https://privsec.dev/tags/security/page/2/>Next »</a></nav></footer></main><footer class=footer><span>&copy; 2022 <a href=https://privsec.dev>PrivSec.dev</a></span>
 <span>Powered by
 <a href=https://gohugo.io/ rel="noopener noreferrer" target=_blank>Hugo</a> &