content(opsec): add Secure Operating Systems guide

docs/pages/opsec/secure-operating-systems.mdx

@@ -0,0 +1,198 @@
+---
+title: "Secure Operating Systems | Security Alliance"
+description: "Secure operating systems for Web3 teams: Qubes OS for isolation, Tails for ephemeral sessions, GrapheneOS for mobile. Defend against infostealers, DPRK malware, and key material theft."
+tags:
+  - Security Specialist
+  - Operations & Strategy
+  - Engineer/Developer
+contributors:
+  - role: wrote
+    users: [dickson]
+  - role: reviewed
+    users: []
+  - role: fact-checked
+    users: []
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'
+
+<TagProvider>
+<TagFilter />
+
+# Secure Operating Systems
+
+<TagList tags={frontmatter.tags} />
+<AttributionList contributors={frontmatter.contributors} />
+
+> 🔑 **Key Takeaway:** Use compartmentalized operating systems to isolate sensitive operations from everyday browsing.
+> Qubes OS for desktop, GrapheneOS for mobile, Tails for ephemeral sessions.
+
+Infostealer malware is among the most common initial access vectors in Web3 compromises. A single infected machine can exfiltrate
+browser sessions, wallet keys, SSH credentials, and authentication tokens in seconds. Standard operating systems
+(Windows, macOS, mainstream Linux) run all applications in the same trust domain — one compromised app can access
+everything.
+
+Secure operating systems address this through **isolation**: sensitive operations run in separate compartments that
+cannot see each other, so a compromised browser cannot reach your wallet or signing keys.
+
+
+## When to Use a Secure OS
+
+Not every team member needs Qubes OS. Use the right tool for the right threat:
+
+| Role | Recommended Setup | Why |
+|------|-------------------|-----|
+| Key holders / signers | Qubes OS or dedicated air-gapped machine | Isolation of signing from browsing |
+| Mobile wallet users | GrapheneOS on a Pixel device | Hardened Android with per-app isolation |
+| Incident responders | Tails for forensic/ephemeral sessions | No persistent state, Tor-routed |
+| General team members | Hardened macOS/Linux + endpoint security | Sufficient with good hygiene |
+| Travel / high-risk contexts | Tails on USB or dedicated travel device | Leaves no trace on borrowed hardware |
+
+
+## Desktop: Qubes OS
+
+[Qubes OS](https://www.qubes-os.org/) is a security-focused operating system that runs each application group in an
+isolated virtual machine (called a "qube"). If one qube is compromised, others remain unaffected.
+
+### Why It Matters for Web3
+
+- **Wallet isolation**: Run your hardware wallet interface in a dedicated qube with no network access. Even if your
+  browser qube is compromised, the attacker cannot reach your signing environment.
+- **Infostealer containment**: Malware in your browsing qube cannot access files, credentials, or clipboard contents in
+  other qubes.
+- **DPRK threat model**: North Korean threat actors target Web3 developers with trojanized packages and fake job offers.
+  Qubes prevents lateral movement from a compromised development environment to signing infrastructure.
+
+### Recommended Qube Layout for Web3 Teams
+
+| Qube | Purpose | Network | Notes |
+|------|---------|---------|-------|
+| `vault` | GPG keys, passwords, seed backups | None | Air-gapped, no network ever |
+| `signing` | Hardware wallet interface | None or restricted | Only connects to hardware wallet USB |
+| `work` | Email, Slack, general browsing | Firewalled | Standard daily driver |
+| `dev` | Code, git, IDE | Firewalled | Isolated from signing |
+| `untrusted` | Clicking unknown links, testing | Disposable | Destroyed after use |
+
+### Getting Started
+
+1. Check [hardware compatibility](https://www.qubes-os.org/doc/system-requirements/) — Qubes requires VT-x/VT-d and at
+   least 6GB RAM (16GB recommended for comfortable multi-qube usage)
+2. Download from [qubes-os.org](https://www.qubes-os.org/downloads/) and verify the signature
+3. Install on a dedicated machine (not a VM)
+4. Create qubes following the layout above, adjusting to your workflow
+
+### Limitations
+
+- **Hardware requirements**: Needs a powerful machine with Intel VT-d support. Not all laptops are compatible.
+- **Learning curve**: Managing multiple qubes takes practice. Budget a week for initial setup and adaptation.
+- **Performance**: Running multiple VMs uses more resources than a standard OS.
+- **No macOS/Windows apps**: Qubes runs Linux and Windows VMs, but macOS applications are not available.
+
+
+## Mobile: GrapheneOS
+
+[GrapheneOS](https://grapheneos.org/) is a hardened Android OS for Google Pixel devices. It provides strong sandboxing
+and exploit mitigations while maintaining Android app compatibility.
+
+### Why It Matters for Web3
+
+- **App sandboxing**: Each app runs in a hardened sandbox. A malicious app cannot access other apps' data, clipboard, or
+  files without explicit permission.
+- **Verified boot**: Cryptographic verification ensures the OS has not been tampered with — detectable via remote
+  attestation.
+- **Reduced attack surface**: Disables NFC, Bluetooth, and USB data transfer when locked. Native debugging is disabled
+  for all apps.
+- **User profiles**: Create separate profiles for personal use and crypto operations. Each profile has its own isolated
+  app data and encryption keys.
+
+### Setup Recommendations
+
+- [ ] Use a **dedicated Pixel device** for crypto operations (not your daily phone)
+- [ ] Create a **separate user profile** for wallet apps — keep it isolated from messaging and browsing
+- [ ] **Disable network access** for wallet apps that don't need it (GrapheneOS supports per-app network toggles)
+- [ ] Enable **auto-reboot** after a period of inactivity to clear RAM
+- [ ] Use a **strong alphanumeric passcode**, not a PIN or pattern
+- [ ] Keep the device updated — GrapheneOS ships security patches within days of upstream releases
+
+### Limitations
+
+- **Pixel-only**: GrapheneOS only supports Google Pixel devices (Pixel 4a and newer; Pixel 6+ recommended for Titan M2 hardware security).
+- **No Google Play Services by default**: Sandboxed Google Play is available as an option, but some apps may not work
+  without it.
+
+
+## Ephemeral Sessions: Tails
+
+[Tails](https://tails.net/) is a live operating system that boots from a USB drive, routes all traffic through Tor, and
+leaves no trace on the host machine.
+
+### When to Use Tails
+
+- **Incident response**: Investigating a compromise from a clean, ephemeral environment
+- **Travel**: Booting on hotel or conference hardware without trusting the host machine
+- **Anonymous research**: Investigating threats or active incidents without revealing your identity
+- **Emergency access**: Accessing recovery tools or communications when your primary device is compromised
+
+### Key Properties
+
+- **Amnesia**: All state is lost on shutdown (unless you explicitly configure persistent storage)
+- **Tor by default**: All network traffic is routed through Tor
+- **No installation**: Boots entirely from USB — the host machine's disk is never touched
+
+### Limitations
+
+- **Not for daily use**: The amnesia property means you lose everything on reboot.
+- **Tor performance**: Network connections are slower due to Tor routing.
+- **Limited hardware support**: Some Wi-Fi adapters and GPUs may not work.
+- **Not a substitute for Qubes**: Tails provides ephemeral isolation, not persistent compartmentalization.
+
+
+## Decision Matrix
+
+| Factor | Qubes OS | GrapheneOS | Tails |
+|--------|----------|------------|-------|
+| **Platform** | Desktop/laptop | Mobile (Pixel) | Any PC (USB boot) |
+| **Isolation model** | VM-based compartments | App sandboxing + profiles | Ephemeral session |
+| **Persistence** | Yes (per-qube) | Yes | No (by design) |
+| **Daily driver?** | Yes (with learning curve) | Yes | No |
+| **Best for** | Key holders, developers | Mobile wallet users | IR, travel, emergency |
+| **Hardware cost** | $800-1500 (compatible laptop) | $400-900 (Pixel device) | Any USB drive |
+
+
+## Hardening Standard Operating Systems
+
+If a dedicated secure OS is not feasible, harden your existing setup:
+
+### macOS
+
+- [ ] Enable [FileVault](https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac)
+  full-disk encryption
+- [ ] Enable the built-in firewall (System Settings > Network > Firewall)
+- [ ] Keep macOS and all applications updated
+- [ ] Use a non-admin account for daily work
+- [ ] Disable automatic login and require password on wake
+- [ ] Review and restrict app permissions (Full Disk Access, Accessibility, Input Monitoring)
+
+### Linux
+
+- [ ] Enable full-disk encryption (LUKS) at install time
+- [ ] Use a distribution with timely security updates (Fedora, Debian Stable, Ubuntu LTS)
+- [ ] Enable a firewall (`ufw` or `firewalld`)
+- [ ] Use [Firejail](https://firejail.wordpress.com/) or Flatpak sandboxing for browser and untrusted applications
+- [ ] Disable SSH password authentication — use key-based only
+- [ ] Consider [Kicksecure](https://www.kicksecure.com/) as a hardened Debian derivative
+
+
+## Further Reading
+
+> **Note:** For a general overview of privacy-focused operating systems and tools (including Whonix, Tor Browser, VeraCrypt), see [Privacy-Focused Operating Systems and Tools](/privacy/privacy-focused-operating-systems-tools). This page focuses on Web3-specific threat models and deployment configurations.
+
+- [Qubes OS Documentation](https://www.qubes-os.org/doc/)
+- [GrapheneOS Features](https://grapheneos.org/features)
+- [Tails Documentation](https://tails.net/doc/)
+- [NIST SP 800-123: Guide to General Server Security](https://csrc.nist.gov/pubs/sp/800/123/final) (OS hardening
+  reference)
+- [DPRK IT Workers](/dprk-it-workers/overview) — Threat context for why OS isolation matters in Web3
+
+</TagProvider>
+<ContributeFooter />

vocs.config.tsx

@@ -82,6 +82,7 @@ const config = {
                 { text: 'Web3 considerations', link: '/opsec/core-concepts/web3-considerations' },
               ]
             },
+            { text: 'Secure Operating Systems', link: '/opsec/secure-operating-systems', dev: true },
             { text: 'Endpoint Security', link: '/opsec/endpoint/overview', dev: true },
             { text: 'Browser Security', link: '/opsec/browser/overview', dev: true },
             { text: 'Multi-Factor Authentication', link: '/opsec/mfa/overview', dev: true },