Info on the SEPIO Operating System
I have received a lot of questions regarding the SEPIO laptop and operating system, which run from "how is this system more secure than any other linux system?" to "what the heck is the SEPIO OS?"
So let me try to answer some of the questions...
First off my mission goals with this system:
To create an easy to use yet extremely secure OS that anyone can easily migrate to from Windows or Mac. The defensive measures of the system should require little to no user intervention in order to keep the system safe from outside attack. The applications should cover all the users basic needs (video, music, editing, email, browsing, messaging, documents, etc) without having to search for extra software. It must have a full suite of security tools such as encryption software, crypto-currency wallets and tools, TOR/I2P/VPN access, peer 2 peer secure messaging.
We use the model of Anonymity + Security = Privacy and personal privacy is a cornerstone of individual liberty.
Now the questions:
1) What makes this more secure than any other linux distribution?
To start with, Linux is open source (no hidden code), which lends itself to security as it is auditable and transparent. Linux also has some powerful security abilities baked into the kernel although they are often not utilized by most distros. I compile my own kernel with Grsecurity and PaX patches. What is Grsecurity? From their website -
"Grsecurity® is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration. It has been actively developed and maintained for the past 15 years."
"Only grsecurity provides protection against zero-day and other advanced threats that buys administrators valuable time while vulnerability fixes make their way out to distributions and production testing. This is made possible by our focus on eliminating entire bug classes and exploit vectors, rather than the status-quo elimination of individual vulnerabilities."
"Grsecurity has been developed and maintained since 2001, from the very first 2.4 Linux kernel to the latest and greatest 4.x. In addition to tracking the latest stable kernel, we provide stable releases for both the 3.14 and 4.4 kernels with additional security backports.
We stay on top of -- and in many cases drive -- the state of the art in security research. While the security teams of Linux distributions react to the latest widespread exploit simply by fixing the associated vulnerability, we quickly work in addition to close down any new exploit vectors, reduce the chance of similar vulnerabilities, and insert additional roadblocks for ancillary techniques that made the exploit possible or reliable.
As a result of this extensive approach, it is not uncommon to find in the event of a published exploit, particularly against the kernel, that the exploit's success is prevented by several separate features of grsecurity."
I write custom firewall rules that guard against outside intrusion tactics. I lockdown traditional attack vectors like SSH, Telnet, Ping. I block IPv6 traffic as it can lead to potential VPN leaks.
I employ restrictive sandboxing on any web facing applications as well as many other commonly used apps. This applies another layer of protection if an application becomes compromised by keeping it containerized.
On demand ant-virus scanning is built in as well as rootkit and trojan scanning.
I provide pre-configured virtual router and virtual workstations, for isolated and anonymous TOR browsing with randomized MAC addresses and spoofed IPs.
Common exploit avenues such as single-user login, BIOS attacks and bootloader exploits are blocked. Bootloader is password protected and password is stored hashed.
Full disk encryption (including swap)with strong AES-256-XTS as well as secondary encryption of user folders and tertiary encryption available as needed.
Secure delete function (DoD and Gutman standards).
Browser and Email client are extremely hardened against attacks and data leaking.
Approved VPN clients are built in as well as a preconfigured free VPN option.
Non-logging DNSsec DNS servers are enforced as opposed to the standard "google" DNS which log every search you make and store it indefinitely.
Security updates are delivered as soon as they are released from the Debian/Ubuntu/Mint teams.
I could go on, but that covers the primary security differences between SEPIO and something like Ubuntu, Fedora or Suse....not to mention the massive security chasm between SEPIO and Windows/Mac.
2) What is SEPIO OS?
Well, besides what was already answered above, SEPIO is a security focused distro built on top of Linux Mint. It uses a customized version of the Cinnamon desktop environment. It is a pleasant and easy to use desktop with support for just about every type of video and music format, as well as full photo and document support. You can plug in your email accounts and be off and running in no time. You can easily and safely visit all your favorite websites without fear of compromise. You can enjoy your digital life without the spying and intervention of big corporations, hackers and governments gone crazy.
3) Can I just get the SEPIO OS and install it on my own laptop?
At present, no. Besides installing the system I have to do a great deal of custom configuration and hardware setup on each build. This would prove a daunting if not frustrating task for even a competent linux enthusiast.