>>4107 Well, OSes are always made of many different parts, and the important part of security is to identify the most vulnerable parts of your system and isolate them from the rest of the system or just don't use them. Once a competent attacker breaks past that first line of defense, 9 times out of 10 they can get access to anything else they need. For instance, Web browsers tend to be extremely vulnerable, so it's a good idea to isolate them as much as possible and not use them when you don't have to. Another majorly vulnerable component is usually the TCP/IP stack, so hardened kernels are a must.
Strong BIOS passwords, strong login passwords, and full disk encryption for physical attacks.
Close unused ports and services for things you don't need (not so much a problem for desktops, but still) and keep everything up to date.
If you are not using a piece of software (Java, Adobe Flash and other common client-side attack vectors), uninstall it, and keep your attack surface as low as possible.
To avoid social engineering, don't click attachments in emails or links. Senders can easily be spoofed with tools like SET. If you don't know and need to click, create a VM with snapshots to be safe.
If you're browsing shady sites, use a VM for the worst-case scenario, and always keep external backups in a safe location.
Location security, such as needing anonymity, while not always needed: VPNs and Tor or Tor-like substitutes can be used, but make sure you check for leakage because it can happen. Also check the VPN company's policy; most say they don't check logs, but keep in mind they can start at any time.
At the end of the day, there is no such thing as 100% security; it's all about getting it to an acceptable range or as low as reasonably possible.
Man, reading through this post made me realize that I don't do nearly enough netsec. While I don't encrypt my root and data partition, my personal cloud is encrypted and I try to self-host as much as possible. Other than that I block all ports by default and use VPNs. I've looked at grsec/PaX/SELinux in the past but I wasn't really convinced. Though it should be easy to install since Gentoo has profiles for that sort of thing.