Advanced Security Linux Mint Xfce practical maximum setup

Last updated
Apr 30, 2026
How it's used?
For work or educational use
Operating system
Linux
Other operating system
Linux Mint 22.3 Zena Xfce
On-device encryption
Other full-disk drive encryption software
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
N/A - Linux / Mac / Other operating system
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
About WiFi router
TP-Link triband with IPv6 disabled and all security features enabled (TP-link home care, SPI-firewall, IP-MAC binding). E-mail log message level is set to critical.
Real-time security
Sticking to safe standards and using Linux sandboxing (AppArmor, Firejail, Flatpak) to contain utilities, accessories and applications.
Firewall security
Built-in Firewall for Mac/Linux
About custom security
  • Using only official stable repositories from verified publishers and de-installed all unused accessories and applications.
  • Mildly hardened Linux by disabling P2P, remote access, old TLS versions and enabling ASLR system wide.
  • Enabled and created Firejail profiles with firecfg and stripped Flatpak permissions with flatseal.
  • Added OpenSnitch outbound application firewall to complement inbound GuFW.
  • Installed logcheck with e-mail warning for security alerts & events
Periodic malware scanners
When I receive files from others I scan them with Virus Total. My half yearly data backups are scanned with Microsoft Defender :cool:
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None
Browser(s) and extensions
Chrome with hardened policies and most site permissions on block with two browsing profiles (work and surfing) both using uBlockOrigin Lite with different rules and filters.
Secure DNS
  1. NextDNS in the Router with OISD and telemetry blocklists enabled (for IOT devices), allowing only common TopLevelDomains to connect.
  2. We use Quad9 as default DNS for our Laptops for problem free malware filters (and bypass router TLD firewall limitation)
  3. In the browser (DOH) I use ControlD free with OISD basic filter (mild and unattended adblocking)
Desktop VPN
Proton VPN free for Linux on-demand (out of home). At home I have very little use for VPN because our IP and IP location are changed regularly :-).
Password manager
Built-in
Maintenance tools
None
File and Photo backup
  • FreeFileSync quick on-demand backups to a partition on my internal SSD to which sandboxed utilities, desktop accessories and applications have no access.
  • The half yearly full backup saves to an external USB-SSD which is checked (afterwards) by Microsoft Defender on my wife's laptop (which has triple USB protection).
Subscriptions
    • None
System recovery
TimeShift (to another partition on 1 TB SSD)
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
AMD Ryzen 7 (5700U) laptop with 1 TB SSD and 16GB RAM
Notable changes
What I'm looking for?

Looking for maximum feedback.

Bummer, Windows Defender is not working on Linux, should I call Microsoft Windows support?

Edit: I did and I was guided to a website to download "remote-repair" and I clicked on it, but exe's don't execute. It does nothing? Nothing, right click execute as admin the support operator told me. I don't have that option. Then the tele-operator asked whether I was on a corporate computer, so I said no, on an HP computer. A little annoyed he asked whether it was from my company. No it is from the internet cafe I am in right now. Oh ask the manager from the internet cafe to come over. The guy at the counter says I am not allowed to change anything. biep biep biep. :)
 
Latest Windows 11 - Linux Mint Xfce comparison on nearly identical HP laptops (Ryzen7 with 16GB) with Windows 2TB SSD and Linux 1 TB SSD

Wife's laptop with Windows 11 achieves a Speedometer 3.1 benchmark from 19.2 to 19.4
- security: standard user, SAC, SRP blocking scripts in user folders and lolbins for standard user, Defender in MAX mode (ConfigureDefender)
- browser: Chrome with advanced security, MBAM Browser Guard (with ads off), uBol

My Laptop with Linux Mint Xfce achieves a Speedometer 3.1 benchmark from 18.6 to 18.8
- security: no-root user, Linux sandboxing (print in AppArmor, accessories in Firejail, applications in Flatpak)
- browser: Brave with standard security. MBAM Browser Guard (ads off), uBol
 
All you have to do is cheat:

Disable JIT optimization in the browser your wife uses.....;)
 
According to a previous ChatGPT assessment my setup was rated 9.8 out of 10 (and described as "practical attack resistant for every day use"). Being moderated constantly (meaning my posts take some time to show up) I dug a little deeper in what the real-world threats of the remaining 0,2 were. Chat answered social engineering and chained exploit attacks (a chain which escapes the browser's sandbox, flatpak sandbox and the no-root OS limitation) were the reason for the 0.2 risk gap.

I told Chat that being a security hobbyist (because I have worked in the security industry in a commercial role) when we would take social engineering out of the equation for discussion's sake, what are or would be the risks of encountering a staged exploit attack

Focusing on the "who you are" aspect (a retired 67 year old still teaching for fun in his old trade), ChatGPT concluded that the risk of becoming victim of a high cost staged exploit attack on an OS with marginal market share is zero.

So ChatGPT basically told me I am safe, because I am of no interest being a nobody :ROFLMAO::ROFLMAO::ROFLMAO:


@Sampei.Nihira Could you ask ChatGPT what your risk percentage is when you rule out social engineering?
;) You probably guessed it (with your years of investigating experience) without social engineering my rating increases from 9.8 to 99,9999% :giggle:
 
The user's experience with the PC and their professional role are both important factors in the assessment.
I was much more curious about the security score the AI assigned to each component of my security setup.
 
What about comparing performance? Linux generally uses fewer resources, but what about CPU usage in particular? I tested LMDE yesterday, and even though the RAM usage is very low, the CPU spikes to 100% when I watch a YouTube video with Firefox. Is this a common occurrence, or was it because it was using the NVIDIA open-source driver?
 
The Windows laptop seems to run substantially longer on batteries when watching TV or streaming media, so it seems Windows 11 also runs more efficiently. I did not look at RAM usage since that is a non issue even on 16GB laptops (when you are doing normal office and internet related stuff).
 
The biggest issue for battery efficiency when relying on open Chromium browsers (instead of Google Chrome) is that hardware acceleration is not always ready to go out of the box. Software decoding is dramatically less efficient than GPU decoding, which will make or break your battery life.

Open chrome://gpu. Under Graphics Feature Status, look for Video Decode—it tells you if hardware acceleration is working. Also note that Firejail has been known to cause hardware acceleration to fail. Flatpak is better about GPU processing, but neither is totally optimal when dealing with Chromium.

Recently, Chromium has greatly improved integration with Landlock, the modern Mandatory Access Control sandbox built into the Linux kernel. If you want further security hardening for Chromium, I recommend SELinux or AppArmor.
 
Athena OS—a specialized distro for pentesting, ethical hacking, and cybersecurity education—has a good introductory article on sandboxing. It provides an explanation of the problem with modern browsers in Firejail:
Do not use Firejail as the primary sandbox for browsers:
Modern browsers (Firefox, Chromium) implement a broker-architecture sandbox that isolates every renderer process individually - a far stronger model than what any wrapper sandbox can provide. Wrapping Firefox in Firejail puts a weak outer perimeter around a much stronger inner one. More critically, if Firejail’s seccomp profile blocks syscalls that Firefox needs to build its own internal sandbox, you end up with worse security than running Firefox normally.

Never run a browser with --no-sandbox or equivalent options to satisfy Firejail’s requirements. Use AppArmor enforce instead - see AppArmor integration below.

The SUID tradeoff:
Firejail is an SUID binary. It temporarily holds elevated privileges to set up the sandbox. This means Firejail itself is an attack surface - 18 CVEs in its history are directly attributable to this design, most involving privilege escalation. This does not make Firejail useless, but it means it is not a zero-cost addition. For applications you run constantly (browsers, email), AppArmor profiles are a better choice: same filesystem isolation, no SUID surface.
 
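A check that follows from the Athena OS advice quoted above, as an added example that is not part of the original post or the Athena OS article: it lists which commands firecfg has redirected through Firejail, flags the browsers among them, and tests for an AppArmor enforce profile and the setuid bit. The /usr/local/bin symlink location, the browser name list, and the assumption that the AppArmor profile is named after the command are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: find browsers that firecfg has wrapped in Firejail.
# Assumptions: firecfg symlinks live in /usr/local/bin and resolve to a file
# named "firejail"; BROWSERS is an illustrative list, not an exhaustive one.
BROWSERS="firefox firefox-esr chromium chromium-browser google-chrome brave-browser"

# Print every name in directory $1 that is a symlink to a firejail binary.
firejail_wrapped() {
    for link in "$1"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        if [ "$(basename "$target")" = "firejail" ]; then
            basename "$link"
        fi
    done
}

# Of those, print the ones that are browsers (the case the article warns about).
wrapped_browsers() {
    firejail_wrapped "$1" | while read -r name; do
        for b in $BROWSERS; do
            if [ "$name" = "$b" ]; then echo "$name"; fi
        done
    done
}

# Succeeds when file $1 carries the setuid bit.
is_suid() { [ -u "$1" ]; }

# Succeeds when AppArmor profile $1 is loaded in enforce mode. $2 overrides the
# kernel's profile list (readable by root only on most systems) for testing.
# Assumes the profile is named after the command, which is not always the case.
apparmor_enforced() {
    grep -qxF "$1 (enforce)" "${2:-/sys/kernel/security/apparmor/profiles}" 2>/dev/null
}

# Audit the live system only when invoked as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    for b in $(wrapped_browsers /usr/local/bin); do
        echo "WARN: $b starts through Firejail"
        if ! apparmor_enforced "$b"; then
            echo "      no AppArmor profile named '$b' in enforce mode"
        fi
    done
    if is_suid /usr/bin/firejail; then
        echo "NOTE: /usr/bin/firejail is setuid"
    fi
fi
```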
Moving my applications from flatpak to firejail because of Security News - Flatpak 1.16.4 Fixes Critical Sandbox Escape Vulnerability and Linux Mint LTS users are stuck on 1.14-6. Successfully changed from Brave in Flatpak to Chromium in Firejail. Manually tightening the sandbox. Next will be Evolution.
This is because Linux Mint security updates depend on Ubuntu security, and Ubuntu is still determining whether the problem affects the currently supported version of Ubuntu or not. Here is the latest flatpak security issue on Ubuntu security.

Don't worry, Ubuntu takes security very seriously. It is a large distribution with many team members, which is why the majority of well-known distros are built on it. Even if the flatpak version is still outdated, they will provide a patch for it from the latest version. This is common for fixed distributions like Ubuntu and Debian. Here is an example from an earlier problem: https://forums.linuxmint.com/viewtopic.php?t=418294
 
CPU spikes like this indicate that you're using inefficient software decoding for video, which I pointed out above. Historically, Firefox has really slacked on Linux hardware acceleration and better media playback. They only just improved that in early 2026 (v147–148), believe it or not. On my setup, if I watch a 4K video even in Firefox, I don't see any CPU spikes at all because the GPU is handling it.

Google Chrome has made a name for themselves on Linux by having everything set up for proprietary codecs and smooth media playback. So much so, it hasn't been uncommon for people to simply use Chrome for videos instead of their daily Firefox.

On Intel and AMD, VA-API is mostly enabled by default on modern distros. The modern Nouveau (NVK + Vulkan) driver should support VA-API. Both NVIDIA's proprietary and their new nvidia-open drivers support NVDEC for video decoding—I recently switched from proprietary to nvidia-open, so that's how I decode video.

Make sure your graphics driver, media codecs, and browser configuration are all aligned, and YouTube won't turn your CPU fan into a jet engine.
You're absolutely correct; I was testing LMDE from a USB drive using the NVIDIA GPU (hybrid mode disabled). Other distros would have given me a black screen in this situation, but LMDE used the (safe graphics) mode automatically, which I assume depends entirely on CPU power.

When I enable hybrid mode on my device or use a distribution that came with the NVIDIA proprietary driver or Nouveau pre-installed in the live ISO, I don't encounter this problem.
 
@lokamoka820 and @Miravi

Flatpak 14.6.6 landed which has the vulnerabilities fixed according to AI. So went back to Flatpak except for Libre Office. Libre Office in Firejail does not have the large powerpoint problem which makes Libre Office in Flatpak unusable for me. So went from Libre Office (Flatpak) to Only Office to Collabora Office to Libre Office (Firejail).

I moved to Firejail, because as far as I know Ubuntu favours Snaps instead of Flatpaks and it was a Flatpak problem. It was useful for one aspect, discovered how easy it is to create custom firejail profiles.
 
Are you sure your Linux Mint system has the latest version? They haven't fixed the issue yet on Ubuntu. To check, run the following code in your terminal:

Code:
flatpak --version

Another way to check is to run the following code in your terminal and check the "Version" section:

Code:
$ apt show flatpak
 
Before I posted I checked with: flatpak --version so yes I am 100% certain (I posted this earlier, but you will be seeing this much later :-) )
I just noticed your post, and I'm not sure why I didn't receive a notification that you mentioned me. Given that Miravi didn't respond either, I believe there may be a problem with notifications.
 
I have to check a lot of exams this week, which is very boring work, so I started playing with my adblock setup again. I have two favorite setups:
1. Running Privacy Badger all the time (for compatibility reasons) and Brave's built-in on-demand to nuke annoying websites.
2. Running Brave only on specific websites (website permissions and shield settings are not cleared at exit) with light adblocking of CloudFlare ZT ads category.

Today I thought of reversing my setup, running Brave with custom rules only and uBOL on demand (with only EP, Peter Lowe and uBO filters). While I was playing (using ChatGPT), it told me to have a look at Kees1958 most used (see screen print) to accompany my own custom rules in Brave (and disable all other Brave filter lists).

The medium mode ChatGPT referred to is that I completely strip the websites I visit a lot (zero trackers and ads). So medium mode applies only to the few websites I made custom rules for in uBlockOrigin Lite.

I followed Chat's advice and added Kees1958 most used EU-US DNR to custom rules, so according to ChatGPT I am now officially a power user :ROFLMAO:
 