Physical separation is preferable, and with PC miniaturisation such as PCs on a stick (USB stick sized) devices, 'multi core' setups should instead strive towards multi-processors. Running Linux programs in effect under a Windows host is only as secure as that Windows host.
Locally, the argument for running a personal single user desktop system as root fundamentally distils down to data and both user and root having authority to read/change/delete that data. Network wise, online accounts, financial transactions etc. have vastly more attack points. Even if your local end is secure, the connection between and/or remote hosts could just as equally have you compromised.
Personally I use online email and only pull down (copy) the text for the emails I desire to be kept relatively private for local storage. I use a hosts file instead of an adblock plugin. And I use the latest version of browser, cleanly booted from a cleanly booted OS (Fatdog at present). For when (note - not if) that is pwned, then it's a liveCD (DVD) with no HDD physically attached - no saves (persistence, other than when I freshly boot to reconfigure things and make a new savefile).
For data storage I run an OpenBSD box, base system only, that using a limited userid reverse sshfs mounts one of its folders as a mountpoint (folder) on Fatdog. All inbound ports are closed on that OBSD box (so no ssh into it etc.). That box takes regular snapshots of the Fatdog mounted data content into another OBSD box folder, which in turn is periodically backed up.
jamesbond wrote: You have taken good precaution. But it takes one bug in Palemoon and your defense is broken. AV is a second line of defense. You might say that well that's the same thing could happen in Linux; and I would totally agree. The only difference is that - as greengeek pointed out - we're not being targeted (yet) because we're too small.
bark_bark_bark wrote: You don't need anti-virus for that, you just need a secure browser (like Pale Moon), and a good ad-blocker. Also, my mail program blocks remote content by default and I set it to view all emails in plaintext.
Exactly my point - to live AV free on Windows, you need constant vigilance because one oops means you're pwned.
BTW, speaking of drive-by downloads, Chrome (and chromium/chrome-based browsers) are all vulnerable to drive-by downloads.
In my case that OBSD box is a single core celeron, but it could just as equally be a PC on a stick type device, perhaps using MMC/SD cards for storage. Broadly that is relatively 'safe'. De-pwning is simple/quick/easy. The greater risk is having online accounts pwned and to reduce that risk I prefer to use an updated/latest browser. On my Fatdog LiveCD system for instance I have the base savefile - around 7MB in save file size of my changes/customisations and after booting I add a gtk3 sfs - as chrome needs that - and a chrome sfs (that I create using Fatdog's install chrome option that creates a .tgz, that I then right mouse click and convert to sfs before saving that to /data (outside of the OS) and reboot without saving). So each reboot has me back at a clean OS and browser, but where shortly after booting /data pops up so I have access to limited amounts of data/data storage, but where more important data is stored in other OBSD box folders that are totally out of reach of Fatdog - excepting if I so choose to open them up to Fatdog (typically when I also ensure there are no external/WAN connections).
As for online accounts, well I can secure banking transactions by clean booting a pristine OS and clean latest browser and go directly to that bank, nowhere else before or after ... and that's relatively safe. For everything else, general browsing you just have to accept that certain sites might be pwned, as might online transaction details (so use a dedicated card with low limits for online purchasing).
With regard to WSL, I have no need for it and would opt for multi-processor instead if I did (or even running Windows from under 'nix rather than the other way around). As for stripping out ssh, curl ...etc. well for me they are programs I use regularly, and in the case of ssh, heavily (I just use curl for local weather reports).
Security isn't a product, it's a process. Yes you can adopt multiple security products that collectively aid in that process. Similarly no defence (security) is impenetrable given sufficient desire - excepting the most extreme cases (usability and security tend to be inversely correlated) where usability is zero.