I was imagining this being in some advanced setting with a "here be dragons" warning. Or even a bit more relaxed like Firefox's strict or custom tracking protection. It comes with warnings and I feel pretty confident to say that most users don't touch these settings.
> On Linux GNOME already has USBGuard support btw.
Yeah I know there are plenty of hardening tools out there, but I was suggesting that they come pre-installed. There's so much bloatware on most systems these days that this seems minor. Or maybe someone could put together a bundling script to make adding all this (e.g. USBGuard + Fail2Ban + Faillock + Firejail + etc) easy to install and configure. I'm not aware of any such tool. But maybe even an Ansible script could go a long way.
> I was imagining this being in some advanced setting ... most users don't touch these settings
That just leaves most users unprotected.
> I was suggesting that they come pre-installed
GNOME's support for USBGuard is installed by default, but USBGuard itself may not be, depending on the distro. Agreed that it and other security/safety/robustness (e.g. SMART disk warnings need to be supported) stuff should be enabled by default. GNOME should use Flatpak-style sandboxing for natively installed apps too.
Aren't these users already unprotected? I don't think this is a security concern for most people and turning it on by default would frustrate them more. It'd be like shipping Firefox or Chrome with NoScript on by default. Sure, more protection, but it would turn away more people than it would pull in. Better as optional.
Firefox is ratcheting up the tracking protection for normal users and GNOME enabled Thunderbolt protection by default, so there is definitely precedent for protecting regular users too. Also with the rise of stalkerware, normal users are definitely targets too. I think the interface I proposed would be reasonable enough for most people and you could make it easy to turn off with the right UX.