avatar
flatiron: What exactly is the difference in just copying an ISO file to a USB and "burning" an ISO file to USB?
"Burning" to USB will make it bootable.
avatar
flatiron: What exactly is the difference in just copying an ISO file to a USB and "burning" an ISO file to USB?
What is being referred to as "burning" the ISO (I haven't actually seen this terminology) will overwrite the boot sector, partition table, and filesystem metadata; as a result, the USB drive might not be readable normally on Windows, but it can be booted from.

Simply copying the file does not allow booting.

By the way, if you are unable to make the bootable USB drive yourself, you can purchase one online. https://www.osdisc.com/ is one site that sells them (note that I haven't actually purchased anything from this site, as I have not had a need to).

Another option, of course, is to get a Raspberry Pi and use that to write the image, but that can be a bit more expensive (especially since you will need to buy an SD card with an OS (like Raspbian) anyway, since if you can't write the image to a USB drive, you probably can't write one to an SD card, either).

There's also the possibility of just using a friend's computer for this task, or if the computer comes with a different OS (like Windows), using that to write the image.
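As an added illustration of the difference described above (not code from the thread or its posters): a raw image write places the ISO's own first sectors at offset 0 of the stick, so the MBR boot signature (0x55 0xAA at bytes 510-511) and the ISO9660 primary volume descriptor identifier ("CD001" at offset 0x8001) can be read straight from the device, whereas copying the file leaves the stick's original filesystem in place. The script assumes a hybrid ISO (one carrying an MBR) and uses constructed stand-in files rather than a real device.

```shell
#!/bin/sh
# Added example: check whether a target looks like a raw-written hybrid ISO.
# Assumes a hybrid ISO layout: MBR signature at 510-511, ISO9660 "CD001" at 0x8001.

# Print the two hex bytes found at offset 510 of the given file or device.
boot_sig() {
    dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print the 5-byte ISO9660 identifier found at offset 32769 (0x8001).
iso_id() {
    dd if="$1" bs=1 skip=32769 count=5 2>/dev/null
}

# Return 0 when both markers are present (raw write), 1 otherwise (plain copy
# or something else entirely).
looks_raw_written() {
    [ "$(boot_sig "$1")" = "55aa" ] && [ "$(iso_id "$1")" = "CD001" ]
}

# Constructed stand-in for a stick that received a raw write of a hybrid ISO:
# 40 KiB of zeros with the MBR signature and the CD001 identifier in place.
make_fake_raw_written() {
    dd if=/dev/zero of="$1" bs=1024 count=40 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'CD001' | dd of="$1" bs=1 seek=32769 conv=notrunc 2>/dev/null
}

# Constructed stand-in for a stick where the ISO was merely copied as a file:
# the first sectors still belong to the original filesystem (here: zeros).
make_fake_copied() {
    dd if=/dev/zero of="$1" bs=1024 count=40 2>/dev/null
}
```

On a real stick you would run `looks_raw_written /dev/sdX` (read access to the device required) right after writing, before trying to boot from it.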
avatar
clarry: Open source is as vulnerable as anything, and nobody reads the code for real. Everyone just pretends that someone else must've made it secure because hey it's open source and anybody could do it right?
It takes a fiasco like Heartbleed for people to actually start paying attention, and then they find out the code they've been relying on for the past 20 years is pretty friggin terrible.
Heartbleed was found during a source code review. So yes, somebody is reading that code.

And yes, that security audit took place two years after the code was added, but I'd argue that it would have remained hidden even longer if the reviewer had had to painfully step through the code disassembly.

The real eye opener was how criminally underfunded the OpenSSL project was. Large parts of the internet relied on a big library maintained by 1 and a half people on a shoestring budget.
Producing and maintaining good code costs a lot of manpower/time == money.
Whether that code is open or closed isn't really that relevant.
avatar
immi101: And yes, that security audit took place two years after the code was added, but I'd argue that it would have remained hidden even longer if the reviewer had had to painfully step through the code disassembly.
Dealing with security issues is an issue with many open source projects. You don't want to publicly announce it but you don't want it to be ignored either.

A few years ago, we got email spam with a link to a hacked file on the Gallery website. A couple of us sat on their website looking for a security contact or method and could never find one. Finally just joined their mail list and announced it along with a mention of all the problems we had figuring out the correct method of reporting a security issue. Got a t-shirt out of it.

I always get a chuckle when reading a developer spouting off on the importance of ethical hacking and then head over to a 0-day or CVE tracking website, pulling up their software, and seeing all those "Discovered issue, Reported to Developer/ Security contact/ whatever, waited 24 (or whatever) hours, no response, Public announcement" listings. Done a few of those myself.

edit: Hmmm, OpenSSL appears to have stopped asking for donations:

https://www.openssl.org/support/donations.html
Post edited November 13, 2017 by drmike
avatar
immi101: Heartbleed was found during a source code review. So yes, somebody is reading that code.
Point is, not anywhere near as much as they should. Not enough to say "look this is open source, so it must be secure, so many eyeballz!" Heartbleed triggered a major audit, and a sickening amount of problems was found in OpenSSL. There is much more open source software that receives way, way less attention.

The amount of attention it had gotten for such a critical piece of infrastructure was minuscule; there's plenty of far less critical but still important (esp. from a desktop security standpoint) software that isn't secure and nobody's looking much. And well, when someone wants to look, like for a presentation at some security focused conference, bugs are a dime a dozen.

I'd argue that it would have remained hidden even longer if the reviewer had had to painfully step through the code disassembly.
Yeah but that's a straw man. Fuzzing, reverse engineering & black box testing aside, nobody's auditing software in a disassembler. If companies want their non-open source software audited, they do it or they hire someone to do it, and they will give source access to that party. And then the code is either well audited or not -- whether open or not --, and a lot of open source is poorly audited, if at all. Same goes for non-open source software of course.

EDIT: Fun thing is, quite often I see supposedly smart people (developers) on sites like Hacker News recommend some piece of software. Then I go and look at the source code and there's plenty of obvious, low-hanging fruit if anyone wants to do a basic security audit... these developers are *not* auditing the code they recommend.

The real eye opener was how criminally underfunded the OpenSSL project was.
And that is sadly the case for a lot of the software that people run on distros like Ubuntu. The other question is, when they have funding, what do they spend it on? Evidently a lot of companies & projects get funding and they do cool trendy stuff, not security...

Whether that code is open or closed isn't really that relevant.
Yeah, that's what I am saying. "It must be secure because it's open sauce! Someone else must've audited it! (I'm never going to read the code!)" is a meme that should just die. People who genuinely care about security -- to the extent that they're actively auditing code, fixing code, researching & applying mitigations, etc. -- are few and far between. And I think these people for most part acknowledge and admit that the state of security in mainstream computing is pretty sad. There aren't enough of us, and there's hardly any money in it (unless you're serving big corps). But for some reason there are lots of people who like to proclaim that this and that is really secure!

EDIT2: Ilja van Sprundel finds well over a hundred bugs (including plenty of low-hanging fruit) in the big three BSD kernels over three months. Defcon presentation slides: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf
Post edited November 13, 2017 by clarry
avatar
immi101: Heartbleed was found during a source code review. So yes, somebody is reading that code.
avatar
clarry: Point is, not anywhere near as much as they should.
no disagreement there :). I was just put off by your resolute "nobody ever looks at that code anyway"
If you compare today to the state of things from like 10-15 years ago, we have many bugs that are found (and fixed) by people studying the code and trying to find holes in it.

avatar
clarry: Yeah but that's a straw man. Fuzzing, reverse engineering & black box testing aside, nobody's auditing software in a disassembler. If companies want their non-open source software audited, they do it or they hire someone to do it, and they will give source access to that party. And then the code is either well audited or not -- whether open or not --, and a lot of open source is poorly audited, if at all. Same goes for non-open source software of course.
key phrase: "if companies want" :p
If we'd have to wait until the OpenSSL project decided to hire somebody for a security audit .....
But since it is open source, Google could just go ahead saying: "well, this had quite a few bugs in the recent past, reason enough to take a deeper look". Et voilà, there was Heartbleed.
That can't happen with the Windows network stack ...

I absolutely agree with you that the simple claim "it's open source, so it must be secure" is bullshit.
But I still think that, mid- to long-term, the open source model is the better evolutionary model of software development. If there is somebody in the wider community that wants to audit, fix or improve some piece of code, they can just do that. That is why we have something like grsecurity. You won't find something like that for Windows.

Obviously first you need (at least some) people who are interested in more secure software. And I think you are right that in that regard things don't look as bright as people like to believe.

avatar
clarry: There aren't enough of us, and there's hardly any money in it (unless you're serving big corps).
Surprised to hear that. Always thought the whole security industry is booming like mad.
At least from what I heard there are really good employment opportunities if you are in that field.
(but that's just second-hand "knowledge" from some old acquaintances from university)
Regarding security and open source software, here is a good article (a response to an old, now-fixed security bug) that describes the advantage of open source software in this regard:

https://www.fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability

A quote from the article:

Your software freedom does not guarantee bug-free code, and neither does proprietary software: bugs happen no matter how the software is licensed. But when a bug is discovered in free software, everyone has the permission, rights, and source code to expose and fix the problem.
First of all, sorry flatiron for hijacking your topic. I found this thread really helpful and I'd like to ask some questions as well!

avatar
Ganni1987: Personally I was never a fan of Ubuntu in the past, mainly because of some wrong decisions they made and besides that, Mint just did it better. However, Ubuntu nowadays is a much better distro and it's a good all-round distro, I prefer the MATE version as it's my favorite desktop. I own multiple systems at home, the majority are running Mint, 1 running Ubuntu 17.10 and another laptop running Debian 9.

As for your Kaspersky question, Linux as a system in general has very few viruses and I mean very few, compared to Windows. In fact you'll find that most Linux users don't even bother with an Antivirus, most software on Linux is quality over quantity, open source and therefore safe from malicious code. However should you still want an Antivirus there's ClamAV and most distros come with a Firewall.
I was always interested in Linux, but due to being so much accustomed to Windows, I never had a chance to properly try Linux (I used Ubuntu 2 times in total, trying to recover the data of a damaged HDD though).

I was thinking of starting with Mint, as it seems to have a more "Windows-like" UI, in order to start using Linux without pulling my hair out one by one.

Do you guys suggest Mint? Also, why is Ubuntu now a better distro than the others?
Post edited November 14, 2017 by Gurlok
avatar
immi101: That is why we have something like grsecurity. You won't find something like that for Windows.
Um, they're no longer contributing to the Open Source community:

https://grsecurity.net/passing_the_baton_faq.php
avatar
dtgreene: Regarding security and open source software, here is a good article (a response to an old, now-fixed security bug) that describes the advantage of open source software in this regard:

https://www.fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability

A quote from the article:

Your software freedom does not guarantee bug-free code, and neither does proprietary software: bugs happen no matter how the software is licensed. But when a bug is discovered in free software, everyone has the permission, rights, and source code to expose and fix the problem.
avatar
dtgreene:
Well, computer engineers do… I mean, I guess they have the permission, rights, and source code…

However, software freedom doesn't matter to the everyday person who is not a computer engineer. They still have to wait, just like they do for all the features and applications they can't make for themselves. Better off watching the sunrise or a gentle misting rain. Companies can sometimes afford to hire a computer engineering department, but that's ridiculous to expect of the everyday person. Computers aren't for the everyday person, they should never buy one.

Looking at computers made nowadays, even computer engineers (software and hardware) apparently have trouble making anything that they themselves can handle. Same old 20th century junk, just more spaghetti code on top of older spaghetti code, with a typewriter keyboard. Oh, and then they make hardware without any keyboard at all and then supplement it with a picture of a typewriter keyboard on a flat screen upon which touch-typing is near impossible. *sigh*
avatar
immi101: That is why we have something like grsecurity. You won't find something like that for Windows.
avatar
drmike: Um, they're no longer contributing to the Open Source community:

https://grsecurity.net/passing_the_baton_faq.php
But they did for 15+ years. And all that good work that they did in that time is still there to use.
Projects come and go ...
avatar
drmike: Um, they're no longer contributing to the Open Source community:

https://grsecurity.net/passing_the_baton_faq.php
avatar
immi101: But they did for 15+ years. And all that good work that they did in that time is still there to use.
Projects come and go ...
I know. You made the comment about Windows and from reading that FAQ, it sounds to me like that's the path they went.

Not saying Open Source projects shouldn't add in a money making side. Just rather surprised they went completely that way and abandoned their Open Source roots.
Post edited November 14, 2017 by drmike
avatar
thomq: However, software freedom doesn't matter to the everyday person who is not a computer engineer. They still have to wait, just like they do for all the features and applications they can't make for themselves. Better off watching the sunrise or a gentle misting rain. Companies can sometimes afford to hire a computer engineering department, but that's ridiculous to expect of the everyday person. Computers aren't for the everyday person, they should never buy one.
Software freedom, however, is nice for the average person who just wants to dabble in programming, or sees programming as a hobby, rather than a profession. In particular, being able to see the code means you can learn from it, study it, and even play around with it some. Generally, only people who work on computers for a living get to see the source code of closed source software, but anyone can get the source code of open source software.

So yes, being able to look at the source code can be useful for the average person.
avatar
flatiron: One of the biggest issues with Linux is getting a proper security suite with real time scanning and firewall.
As far as firewalls go, as you've already heard, the Linux kernel comes with a built-in firewall - in order to manage it, you have multiple options, but here is one that is pretty simple yet configurable as hell when needed (UFW).

It also comes with a UI.
Post edited November 14, 2017 by WinterSnowfall
avatar
Gurlok: I was thinking of starting with Mint, as it seems to have a more "Windows-like" UI, in order to start using Linux without pulling my hair out one by one.

Do you guys suggest Mint? Also, why is Ubuntu now a better distro than the others?
I recommend Mint; it's what I started out with & continue to use because it works great for me and does everything I need. Check out my Linux Mint beginner's guide for more info about it :)

Ubuntu, Linux Mint and other Ubuntu-based distros are recommended for their wide support and ease of use, making them effectively the "standard" desktop Linux distros. Because of this it's also relatively easy to get help for Ubuntu-based distros when needed.