As I've mentioned before, Linux is the way to go when you don't want to be spied on by your laptop. Perhaps you'd like Tails, as described in a previous section of this chapter, if you are paranoid and don't mind an OS that cannot boot up and continue from where you left off.
No worries, as there is better news: perhaps the best option for daily use, if you are willing to go the extra mile. It isn't a totally 'out of the box' solution, although it is all you need once you get to understand it.
I am talking about QubesOS, which is one of the best Linux distros for privacy and security. It is Fedora based, but also has a twist in that it isolates Virtual Machines (VMs), with so-called 'Security by isolation'. This ensures that any risky app runs separately from your banking or gaming apps.
It even has qubes (virtual machines) which run in a one-time sandbox! To make things easier, Qubes runs each virtual machine in a different color, so you can easily see if you're in your Bitcoin or your personal space or even in your Vault, which is completely off the internet.
Qubes runs the WiFi driver in a dedicated and unprivileged network VM, the NetVM. This reduces the attack surface. Additionally, QubesOS is firewalled by default with no incoming ports open. TCP and ICMP timestamps are also disabled by default.
You can have Fedora Virtual Machines, but also Debian and even Windows VMs.
But one of the best options is a Whonix-based VM, which runs the entire VM over the Tor network. Whonix is based on Debian and Tor and basically uses two VMs, one a gateway and the other a workstation. Qubes's security architecture utilizes Whonix's isolation by having the gateway act as a ProxyVM that routes all network traffic through Tor, whilst the workstation is used to make AppVMs.
Mullvad also has a good explanation on how to run your own VM or any number of VMs over Mullvad VPN servers.
Bear in mind that Mullvad is one of only two VPN providers which we would recommend.
In other words, you could have your Banking Virtual Machine in your actual country, your Football VM in England or Germany to watch the Premier League or Bundesliga uninterrupted and for free and your daily research and communication VMs over the Tor Network. And another one for Bitcoin and so on and so on!
Best of all, none of these VMs are able to touch each other, yet you can still share files between them. The power is endless. Sadly, not all hardware supports it, so first check the official website for more information and to make sure your machine can run it.
Here are some of the best additional features that help make this system so secure and private when you're networking in Qubes:
Protect against data leaks by setting up a dummy (empty) NetVM field for the corresponding VM.
Protect against the possibility of malware attacks across VM reboots by having Qubes ServiceVMs set up as a Static DisposableVM which can rapidly open untrusted apps, attachments, links, or anything else deemed to be risky.
Additionally, hardware risk mitigation ensures that microphones are never attached to VMs by default.
Users can choose to use a Yubikey for authorization purposes, which protects against password snooping and bolsters USB keyboard security. It is also possible to isolate the USB stack in a dedicated USB VM, which protects the admin domain (dom0) from untrusted USB devices.
Finally, Qubes implements full-disk encryption by default using LUKS dm-crypt and users can manually configure their own encryption parameters if they so choose.
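To check the empty-NetVM point from the list above, here is an added example (not code from the Qubes project or from this post) that audits a qube listing and flags any qube meant to be offline that still has a NetVM attached. It assumes the `name|netvm` line shape of `qvm-ls --raw-data --fields NAME,NETVM` run in dom0, with `-` shown for an empty NetVM; the qube names other than `vault` and the sample listing are constructed.

```shell
#!/bin/sh
# Added example: check that qubes meant to be offline have an empty NetVM.
# stdin: "name|netvm" lines, the shape assumed for the dom0 command
#          qvm-ls --raw-data --fields NAME,NETVM
#        with "-" shown for an empty NetVM (assumption, verify on your release).
# args:  names of the qubes that must have no NetVM.
# Returns 0 only if every named qube exists and has no NetVM.
audit_offline_qubes() {
    listing=$(cat)
    status=0
    for qube in "$@"; do
        # Exact match on the name column; awk exits 1 if the qube is absent.
        if ! netvm=$(printf '%s\n' "$listing" |
            awk -F'|' -v q="$qube" '$1 == q { print $2; f = 1; exit } END { exit !f }'); then
            echo "UNKNOWN $qube: not in listing"
            status=1
            continue
        fi
        case "$netvm" in
            -|'') echo "OK $qube: no NetVM" ;;
            *)    echo "LEAK $qube: attached to $netvm (fix in dom0: qvm-prefs $qube netvm '')"
                  status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample listing (not real output from any machine).
sample='dom0|-
vault|-
btc-cold|sys-firewall
sys-whonix|sys-firewall
anon-research|sys-whonix'

# "vault" passes; the hypothetical "btc-cold" is flagged because it still
# routes through sys-firewall.
printf '%s\n' "$sample" | audit_offline_qubes vault btc-cold ||
    echo "audit failed: at least one offline qube has network access"
```

On a real system, pipe the live listing in instead of the sample: `qvm-ls --raw-data --fields NAME,NETVM | audit_offline_qubes vault`.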
As is the case with many Linux Distros, Qubes appears difficult to master and is probably not for the casual consumer. That said, you can install Qubes directly, as opposed to rebooting it every time via a CD, which does make it better for daily usage than, say, Tails.
I personally run this on a Purism notebook which is smooth, secure and open source. I will probably review Purism hardware in a separate blog post soon.
Qubes is the best OS for security and privacy and makes efficient use of system resources. It does, however, involve a pretty steep learning curve, though mastering it is by no means impossible.
If you're serious about security, @QubesOS is the best OS available today. It's what I use, and free. Nobody does VM isolation better.
Stay safe, people!