Comment by crmd

2 years ago

Same here. I use linux VMs and containers for all my "hacking" where I need total control and customizability of the OS. On my workstation and phone, where I do my banking and read emails, I'm willing to trade control and customizability for an extremely locked down high trust operating environment. I feel like Apple's closed ecosystem, despite all its flaws, gets this compromise right.

> I use linux VMs and containers for all my "hacking" where I need total control and customizability of the OS

> On my workstation and phone, where I do my banking and read emails, I'm willing to trade control and customizability for an extremely locked down high trust operating environment.

Excuse my French, but uh what? A browser accessing a bank in a Linux virtual machine running on bare metal is by far more secure than desktop MacOS running on bare metal.

At the end of the day, for the activity you described (browsing), what you must be able to defend against is the inherent insecurity of the browser. Linux provides all manner of process, network, etc. isolation via CGroups and can be enhanced by SecComp to limit the usage of typical exotic syscalls used in kernel exploits.

MacOS has what for that? The best opportunity you have for defense is to run qemu so that you can run... Linux. The corporation you work for doesn't use Apple because of their stellar security posture, it uses Apple because they can buy mobile devices (phones, laptops) preconfigured with MDM which saves a lot of money.

  • > Excuse my French, but uh what? A browser accessing a bank in a Linux virtual machine running on bare metal is by far more secure than desktop MacOS running on bare metal.

    Facts are most definitely not in evidence for this claim.

  • > MacOS has what for that?

    It has sandboxing, which does all that stuff.

    (iOS has even more, like JIT protections.)

I'd kill for an Apple-sanctioned way to load Linux VMs on my iPad and have them run at full speed. It's got an M1 in it, the virtualization hardware is there, Apple just doesn't want me using it.

As it currently stands, the options for Linux VMs on an iPad are:

- iSH, a Linux kernel ABI compatible user-mode x86 emulator that uses threaded code (ROP chains) as a substitute for a proper JIT, but doesn't support all x86 applications[0].

- UTM, a port of QEMU that requires JIT (and thus, either an external debugger or a jailbreak) to run a full x86 or ARM OS.

- UTM SE (Slow Edition), which is UTM but using the threaded code technique from iSH, which is not only slower than iSH because it runs both kernel and user mode, but also got banned from TestFlight before they could even make an App Store submission (probably because it can get to a desktop while iSH can't).

All of these suck in different ways.

[0] Notably, rustc gives an illegal instruction error and mysql crashes trying to do unaligned atomics.

Nothing like arguing against software freedom because of "checks notes", security by obscurity. I thought I'd read higher effort content on HN.

I don't buy into this narrative. I have a Pixel phone, you can do quite a lot of privacy "hardening" just by going over the Google settings and turning off a lot of tracking (which they were probably forced to put in by regulators). The rest you can achieve by using Firefox instead of Chrome and choosing a different search engine.

I get a lot of hard-to-solve Google CAPTCHAs on many websites I visit so I know Google is having a hard time tracking me :-)

In terms of security, I don't think Pixel is less secure than the iPhone. It gets security updates regularly, Google invests a lot in security and I don't think the Pixel has more zero days than the iPhone...

So all in all, I don't buy into the "iPhone is more secure and handles your privacy better than Android" narrative.

You don't do banking on a laptop?

  • Nerd here who started on MS-DOS and later spent nearly a decade running Linux on a laptop as my main computing device. Gentoo, for about half that time. Various other stuff in between, developed software targeting probably seven or eight different operating systems and/or platforms, etc., etc. I've got a reasonable amount of computer-dork cred, is the point, though around these parts, nothing all that remarkable.

    Very nearly every halfway serious computer-involved activity I do these days (=last seven or eight years) that matters in my actual, real life takes place on my phone, including approximately all banking. All the other computers—even the "real" ones—in my life are basically toys. 90% of my real-life important or meaningful stuff I do with computers happens on my phone, 9% on a tablet, and at most 1% on everything else.

    (in my personal life, I mean—unfortunately I still have to try to use "real" computers to accomplish allegedly-important things at work)

  • Not often, no. What’s banking in this context mean for you? I’m assuming viewing accounts and depositing checks?

    • Exclusively, yes. Except for that second factor authentication they forced me to install on my phone (without which doing online payments would be a pain). I like and trust my Ubuntu laptop.

      I do avoid Windows for those things, though.