Robert, Mac and/or Linux, out of the box are safer because they implement most of your user-sandbox-execution restrictions natively, forced well within all levels of the system, without having to do anything. There's essentially no need for me to worry that an anonymous downloaded app can access kernel-related files and tamper with them: they are property of the root user, and not even I can modify them directly. Since applications run on the user level, they can't do everything unless granted permission to do so (and in Mac OS you can query exactly what permission they are asking.) Likewise for most of your setup: in Linux/Mac OS or any other Unix-derived operating system (even Plan9) most of it comes for granted, and doesn't require a huge, time-costly setup investment. Essentially you are mimicking user groups and execution restrictions in an operating system that wasn't initially designed for them, and we say that our operating systems (which were designed first and foremost for it) are safer because of it.

In any case, I think we've had this discussion before, and since it works for you and you are happy with it, I don't think we all *nix zealots need to keep forcing the bitter medicine down your throat. If it works, it's usually better not to change it.

_________________
Geek of all trades, master of none: the motto for my blog mostlymaths.net

Yes, that! Exactly.

But, if you (RJ) rather go through lengthy setups, manual registry cleaning, and 2-page procedures for copying files, suit yourself. people just try to offer you advice here, if you take it or not - its your problem.

Personally, I rather use a system with less hassle than have hassle to try to imperfectly mimic such system and then have to go through more hassle to use that system. But whatever rocks your boat, its all good.

_________________
- Bantari
______________________________________________
WARNING: This post might contain Opinions!!

As a matter of fact - I want to say much more that that.
What I want to sat is that out-of-the-box Mac is at least as safe as the Windows system you have, with all your precautions and restrictions and multiple drives and whitelists and sandboxes and whatnot.

Here is why I think so:

I assume you felt the need to implement all your precautions because you either had or expected problems which could only be prevented by taking all these measures. I also assume that since you implemented all that you implemented, you had no problems.

Well, on my out-of-the-box Mac I also have had no problems, ever since I started using it six or seven years ago. I bet that my computer usage is at least as heavy and "dangerous" as yours - it is often in the course of my work that I have to download and test 3rd-part applications or code libraries, or various plugins and addons. I also do that in the course of my non-work-related functions, i.e. for fun and pleasure. I feel free to browse the web indiscriminately without worry of viruses or malware/spyware/adware/whatever. I also feel free to open my email attachments, and store my emails in binary format, and all that. All the stuff that you caution to be cautious about, I simply don't (need to) worry about.

Still - not a single problem. Which is on par with your system!

The difference is - absolutely no hassle on my part!
I never once had to manually adjust anything because I was afraid or suspected something amiss. I never once had to even look at the registry, let alone manually clean it up (guess what - no registry.) I never once had to clean up after uninstalling an application - its all a matter of just deleting a single folder, and bye-bye. I never once had to worry about copying a file from one folder to another, I do not need multiple drives or partitions, and so on, all the way down your very long and complicated list.

And still, with respect to any problems, my system is at least on par with yours - which means: no problem!

So, this is pretty much what I was trying to say.
But, as RBerenguel says - I am not trying to cram Linux or Mac down your throat. If you like Windows and all its twisted ways, if you like following 2-page procedure to copy files, its all good with me, carry on and have fun.

_________________
- Bantari
______________________________________________
WARNING: This post might contain Opinions!!

Every OS has bugs, and, ALA they are not fixed by OS updates, they are a security gap - unless additional security configuration has taken precaution.

Windows registry: you confuse Windows 95 days (when registry cleaning tools were popular) with Windows NT 6.x days. Nowadays, registry settings need to be changed a) if a power user wants a particular arcane setting, b) a program's deinstallation routine is crap (I agree that the Mac's simply delete a folder approach is much preferable) or c) a program is outrageous and takes more rights than it should (then manual refinement can be needed to get security right again).

If you are careless about email attachments etc., then you can be hit by a malware exploiting an OS bug. So far, you have been lucky mainly because such malware is scarce for the Mac. No NSA backdoor introduced by Angry Birds yet? Sure?:) On my Windows system, I am sure, because I check system files' integrity etc.

Which 2 page instruction to copy files? Such is needed only for new external, executable files. That you do not apply similar precautious leads to 0-day-exploit risks.

How about this. Let me make a suggestion.

1. Not every single file in your computer needs to be protected or be unseen by others.
2. Suppose there is an important text file 'haha.txt' which has your bank card PIN number and email password written down.
3. You don't want others to be able to access this information.
4. Encrypt 'haha.txt' using some modern cryptographic algorithms.
5. You can do this with some freeware programs or also by yourself with enough programming skills and algorithm understanding.
6. Keep your own key required for decryption in mind.
7. You might worry about some brute-force key guessing methods, but there are plenty of ways to prevent it.
8. Unless someone tortures you to spit out the correct key, or the key is your birthday, 1234, 1111 et cetera, then everything is safe.

_________________
Wait, please.

Rootkits, keyloggers, physical tampering can bypass this easily (technically I think Robert's setup can't prevent physical tampering though).

_________________
Geek of all trades, master of none: the motto for my blog mostlymaths.net

Dynamic encryption is a useful additional means if the more basic means of security are given, so that malware cannot watch or manipulate the encryption process.

Static encryption prevents physical access to a PC from being directly useful.

Important passwords should not be protected (only) by encryption, but it is better to not store them on the PC permanently.

Its just like you to "conveniently overlook" the most important part: NO HASSLE!
Of course, you can add minimal hassle to have my system much more secure.
You seem to like hassle.

PS>
Never played Angry Bird, don't even know what it is, really. From what I read, it is hyped to introduce a bug which allows NSA to watch what I do. Personally, I don't really mind them watching if they do. If it helps them do their jobs, not sure why people are so frantically scared of it. But this is a topic for another discussion.

_________________
- Bantari
______________________________________________
WARNING: This post might contain Opinions!!

Oops wrong thread.

I meant to say here that I play on some servers using an Android VM. It's kinda fun.

I feel obliged to mention that an attacker with physical access to a machine is widely considered to have free reign over it. Call this a computer security proverb, if you will.

Merely the inability to natively execute PE-code protects Linux from 99% of the threats in the wild. (I presume the same holds for Macintosh) It also won't execute VB-script and doesn't feature the Windows Registry or COM or its evil nephew, ActiveX, or Office Automation or Internet Explorer. Linux is definitely more secure, out-of-the-box.