Avatar

Throwaway1234

Throwaway1234@sh.itjust.works
Joined
1 posts • 50 comments
Direct message

I am aware that Homebrew has become the go-to solution for installing CLI applications on Bluefin. Which is exactly why I feel compelled to ask the question in my previous comment.

Btw, I don’t really understand why you felt the need to share Jorge Castro’s blog post on Homebrew? AFAIK it doesn’t go over any security implications. Sharing the article would only make sense if Jorge Castro is regarded as some authority that’s known to be non-conforming when security is concerned. While I haven’t seen any security related major mishaps from him or the projects he works on, the search for the CLI-counterpart to Flatpak seemed to be primarily motivated by facilitating (what I’d refer to as) ‘old habits’; which is exactly what Homebrew allows. It’s worth noting that, during the aforementioned search process, they’ve made the deliberate choice to rely on Wolfi (which is known for upholding some excellent security standards) rather than Alpine (which -in all fairness- has also been utilized by Jorge for boxkit). IIRC, people working on uBlue and related projects have even contributed to upstream (read Distrobox) for patches related to Wolfi. So, there’s reason to believe that the uBlue team takes security seriously enough to work, contribute and deliver on more secure alternatives as long as it doesn’t come with a price to be paid by convenience. Which, in all fairness, is IMO exactly why Homebrew is used for in the first place (besides their recent utilization of technologies that have similarities to the ‘uBlue-way’ of doing things)…

permalink
report
parent
reply

But then again some people use things like Homebrew and pacstall unironically so …

Thank you for mentioning this! Unfortunately a quick search on the internet didn’t yield any pointers. Would you mind elaborating upon the security problems of Homebrew(/Linuxbrew)? Thanks in advance 😊!

permalink
report
parent
reply

Yeah know that deleting post fun. Jerboah is very good at recovering them.

TIL about Jerboa. Thank you!

If you use your GPU that model is fingerprintable through WebGL stuff. There is a firefox addon that spoofs random values though. Same for screen size.

IIRC, so-called ‘naive scripts’ will indeed be spoofed. However, it has been shown at great length that JavaScript is not even required to to acquire screen size in the first place. Furthermore, methods that rely on badness enumeration are deemed inferior.

Secureblue does not implement privacy over security, but if patches make a browser stay just as securely I think that would be fine.

That would require someone to put effort into showing that ungoogled-chromium is at least as secure as Chromium. Is that even established in the first place?

The thing is, for example we had some arguments about manifest v2 extensions (which can download stuff they then use, i.e. no control by Google and thus “less secure”). If Chromium does things like Connect to Google for security stuff like Safe Browsing, this will totally not be removed.

Perhaps the desire to minimize attack surface is what’s been decisive.

Secureblue is not GrapheneOS too. It is just a (huge) compilation of patches and patched images. Basically every Desktop with Wayland support, currently 86 (!!!) images.

Surely, it would take a lot more effort to get it to GrapheneOS levels. However, I don’t find any fault with the desire to be inspired from GrapheneOS’ methods and implementations.

permalink
report
parent
reply

Aight. Feel free to inform me whenever you stumble upon something on secureblue which you may have questions about.

permalink
report
parent
reply

First of all, apologies for the late response. I had written a response, but something happened before I sent it and the cache of my phone wasn’t able to recollect my writing. I got so discouraged by this that I didn’t bother with it right away.

QubesOS is interesting, I think overcomplex but needed until better systems are in place.

Well said!

Bubblejail would be an alternative that runs on normal hardware.

I hope Bubblejail will indeed reach the level of sandboxing solutions we find on e.g. mobile devices. Though, a lot of work has to be put into portals (and others) before a feat as such is achieved.

I dont know how resistant Vanadium is, it for sure doesnt send critical data, but screen size, hardware specs etc cant be not send without having no GPU acceleration and a letterboxed screen.

Would you be so kind to elaborate upon the bolded part? I’m simply unaware of the link between GPU acceleration and protection against fingerprinting.

Furthermore, just to be clear. I would like to retract my earlier statements that I’ve made regarding Vanadium and that were negative in nature. While there’s definitely truth in the fact that it does not provide fingerprinting protection (or spoofing) like what we find on Firefox (or Brave), but they have spoken out their ambitions and intentions to improve that. It’s simply that they haven’t put a lot of resources yet to the cause. And this is not for saving efforts or whatsoever, but rather because they intend to offer a more robust solution (eventually). We should also not disregard that, as is, GrapheneOS does offer some level of anonymity (in combination with best practices; i.e. VPN etc) merely by the virtue of only a select number of devices being supported by GrapheneOS and thus if two users are in relatively close proximity to one another and have their VPNs enabled and use the same device with GrapheneOS, then it might be hard for others to distinguish them from one another. Finally, at least regarding this topic, I don’t see them implementing letterboxing as we find on Firefox (as screen sizes are small anyways and only select number of screen sizes exist anyways, because only few devices are supported). Thus, as screen dimensions are not obfuscated, there’s less need to obfuscate the GPU in the first place.

mobile browsers have limited screens size and every SOC has a different GPU basically. So if you avoid hardware rendering, you would still need to pretend to be the smallest phone comparable, and pixel density etc. may still be different.

You may find some of my thoughts in the previous paragraph.

Ungoogled Chromium is a set of patches. These should totally be applied to Secureblue chromium, but currently it is saving effords by just using Fedora chromium and a few policies

Is it strictly beneficial for security? IIRC, privacy is (unfortunately) not regarded as a design goal for secureblue.

Btw, apologies if my sentences were more convoluted and confusing than they are otherwise. Thank you for your attention and consideration!

permalink
report
parent
reply

Thank you for the great reply! I think I will be paying more attention to c/privacy going forward. Btw, how is secureblue going?

permalink
report
parent
reply

Was the restart due to annoying OS features (e.g. Windows used to restart immediately without asking, iOS restarts if your phone is locked and it’s night time, etc.)

Actually, I am not sure why it happened 😅. It was connected to the charger and I didn’t do anything that would otherwise be a direct cause to the phone to shutting off. To be honest, I don’t recall it ever happen before 😅. Kinda spooky… Or just technology being derpy at times 🤣.

No, I’m just blind :,) I found it now

Hahaha, glad to hear that you found it!

Edit: Here it is!

Thank you!

Until the Rexodus (by the way, I’m apparently the only one to call it that. Please, people, it’s such a good name!),

I’d argue that Rexxit is just plain better 😜.

I had simply kept current with every post on r/privacy. I had occasionally read a few old posts, but it was mostly just keeping an eye on what the community was posting about and reading the discussions to learn as much as possible. I have a few old screenshots, like from this post and this one, but besides that it was just miscellaneous posts.

Thank you for the answer! I started out following r/privacy diligently until I noticed that my threat model didn’t quite align with some of the more common echo chambers found there. To be more elaborate; it seems as if I was more absolutist when security was concerned, while the community was more absolutist when privacy was concerned. To be fair, it’s r/privacy, so it makes sense for it to be that way. Though I had hoped that security wasn’t treated like a second-class citizen; at least that’s how I felt*. Regardless, it seems that I’ve missed some gems along the way. Hopefully I will be able to catch up.

permalink
report
parent
reply

Computing practices (like installing packages from trusted maintainers and the deliberate use (through filling in passwords) for granting privileged access etc.) on Linux are different than on Windows. This already ensures that -simply by the virtue of using Linux as it’s intended- a Linux user is protected from complete classes of attacks.

Furthermore, the average Linux user is a lot more computer savvy compared to the average Windows user. And I haven’t even mentioned the focus on FOSS, the security benefits through obscurity etc.

Of course, Linux isn’t impenetrable. In fact, one might argue that its security frameworks on desktop are lacking compared to macOS and perhaps even to Windows (S mode).

Nonetheless, Qubes OS (i.e. the worlds most secure desktop OS) heavily relies and utilizes Linux to do its bidding.

To conclude, there’s a lot of nuance to secure computing on Linux. But as long as its user (i.e. the biggest attack vector) holds on to best practices, it should be more than safe. Unless…, you seek protection against sophisticated adversaries and their targeted attacks. At that point, I wouldn’t trust any desktop OS besides Qubes OS anyways.

permalink
report
reply

Those are just Firefox. Using some other routing doesnt improve security.

Never said or implied they were. Security is achieved through

Tor Browser or Mullvad Browser in a disposable qube on Qubes OS

Tor and Mullvad are only for preferred for the sake of anonymity as every user runs the exact same config on the same type of network.

Vanadium might be degoogled and not send critical platform data, but it is not fingerprint resistant afaik.

Hmm, you might be right. TIL. Thank you! Somehow, I was having high expectations for it… *sigh*

On mobile, browsers cant really be that though.

Do you happen to know why that’s the case?

On Desktop there only is ungoogled Chromium which is a beginning. But especially secureblue doesnt use it for some reason.

If I recall correctly, ungoogled-chromium has (at least in the past) been slacking on security. Don’t know if that’s still a thing though.

permalink
report
parent
reply

Preface: this is written with less care than I do usually. I was writing one of my usual replies, but my phone chose to restart while the text was being written in its browser.

No, sorry. Some Reddit/Lemmy commenter.

Np. FWIW, I’m using virt-manager anyways.

No, although invisible ink would be somewhat cool.

Definitely! Thanks for the inspiration!

Have any ideas for a “password pen”?

Unfortunately not. I have been completely reliant on KeePass* plus the aforementioned (‘algorithmic’) ‘salt’. But I think a password card and/or invisible pen is definitely worth exploring for passwords I don’t use daily. So, once again, thank you for mentioning those!

You can also thank whoever on privacy@lemmy.ml posted it (I wish there was a search box…)

Was that rhetorical 😅? I actually found the (presumably) original poster through the search capabilities found on Lemmy.

Yikes, any reason for that?

For a complete answer, let’s go for a trip back in time. Qubes OS’ alpha release happened in April of 2010. The Linux landscape was vastly different then to how it’s today. But, regardless, out of all possible options, a distro would have to be chosen for dom0. And, while none of us has the capability to look into the future, the chosen distro still had to be future-proof (i.e. not be abandoned any time soon). The second criterion was that it should be close to upstream (i.e. not a distro with outdated packages and kernel) for the sake of hardware compatibility (the very same reason for which Linux Mint has recently launched its Edge release). And, on that note, be excellent in terms of hardware/device support. Out of the then prevalent distros, Fedora simply fit all criteria best; Fedora being the community-driven distro to industry giant Red Hat, definitely played a huge role. And, in retrospect, it’s undeniable that picking Fedora was (and still is) a great decision. Honestly, I can’t even think of a better pick… Which is (perhaps) better understood by answering the second question; namely: Why Fedora 37 and not Fedora 38 or Fedora 39? Both of which were already released, while Fedora 37 had just gone EOL release. For that, we need to understand that Qubes OS actually does allow the installation of select packages in dom0, even if it’s regarded as a feature that only more advanced users should look into. As Qubes OS is (by default) a sensibly secure desktop OS, it only makes sense that they have to ensure that packages installed on dom0 are 100% safe and secure. But Qubes OS doesn’t want to waste resources on checking the security integrity of a moving system (i.e. a non-stable/non-EOL release). Thus, by necessity, it has to resort to an EOL release for Fedora. Going back to them picking Fedora in the first place; if we add the criteria that user repositories are undesired and that security should be handled very seriously by the maintainers, then Fedora was and still is the distro to pick.

More backstory time! I have never used a cellular carrier, and only watched that video about a month ago (because it didn’t exist prior). The first part of my life was spent electronicless (because kids really shouldn’t have phones… look at me now mom, I’m talking to strangers on the internet by routing through a global censorship circumvention network!). The next part was spent somewhat disconnected, only had access to a non mainstream social media (it has since been merged with another one made by the same company, and became paid. Capitalism.) through WiFi + never went out much. I then finally had unrestricted access, but still never went out much. Then I started to go out much more, and the places I went to didn’t have WiFi. That, in turn, led me to take up network hacking as a hobby. I never managed to hack the network in question (WPA2-E).

Thank you so much for the elaborate answer!

Finally, I got my first job around the same time I learned about privacy. That meant I had the money to get a cell plan, but I had the knowledge to know why that was a bad idea.

I thought I was well integrated into the privacy communities. But it seems that I was wrong; for I was unaware of the specifics until Naomi’s video. Would you mind sharing blogs/sites etc that you find exceptionally useful for finding out about these things?

It’s funny, my mother recently called me because she was stressing about trying to find me a carrier (apparently?) and started saying “Your sister offered to add you to her plan if-” and I told her “I don’t want a carrier, but thank you!” and she said “Oh… Well that solves that problem.” and looked very relieved.

Hehe, 🤣.

Edit: I guess your question is asking ultimately why I don’t want a carrier, and it is due to the points that were also brought up in that video, yes.

Thanks for the clarification!

permalink
report
parent
reply