I think this is a Most Excellent question and I'd like to help in any way I can.
Originally Posted by Soul-Sing
The First Thing I'd add to what we have now would be to put Firefox under AppArmor -- "out of the box" It's simple enough to disable the profile in case of trouble. I noticed that an AppArmor profile for Firefox came with Ubuntu
the profile came disabled. last night i enabled it and put it in complain mode. just now, checking, I got one error
I didn't know what to do with this flag so I selected "Finish"; perhaps there will be a comment on this ??
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
(I)nherit / (P)rofile / (C)hild / (N)ame / (U)nconfined / (X)ix / (D)eny / Abo(r)t / (F)inish
A Study of hack attacks clearly shows that for the desk-top/client end-point computer, browser attacks are #1. E/mail would be #2 but these would include "phishing" attacks which attempt to persuade the user to make a bad move. This is another topic which requires a study of reputable sources and hopefully PGP Trust Models.
So: My initial contribution is (1) distribute Ubuntu with Firefox and Thunderbird under AppArmor, and (2) Caution every new user: stick to the stuff in the Ubuntu Software Library
I think if we do a little more work on Software Recommendations we can improve that last part.
This is really a very important thread. It has been 10 days now since I moved my Win7 system to the basement and shifted my daily activity to Ubuntu
So far the 2 programs that I feel I've had to take downgrades on are MusicBee and CDBurnerXP. I'm using Audacious and K3B
Offering a system that is difficult to hack and has good programs is huge. And I think we're getting there. Dell is already offering systems with Ubuntu installed,-- my brother's business selected that option!
in protecting the browser we should ask: what are we protecting: "droppers" -- which attempt to install some kind of RAT into your O/S (Linux won't allow this ) -- or (2) snooping/exfiltrating sensitive data ? this latter will be a harder question as we must prevent installation of any type of plug-in modification to the browser