• 5 Posts
  • 164 Comments
Joined 5M ago
Cake day: May 26, 2021


Just a bunch of stupid bugs can turn your well behaved code into malware. You should not trust any code to do what you think it does, especially if you have written it yourself. If it’s possible to enforce fine grained access control and isolation then it should be done.

the web would be pretty much unusable without javascript.

Imo it would be a better place without it


Imo that's the most comfortable solution. Just be sure to keep multiple such backups (ideally at different locations) and check them regularly.


Not that I know of. HTTP uses TCP connections, so why don’t you want to use it? Sounds like you are trying to solve the wrong problem.


I don’t think I ever had KDE crash on me in normal desktop use (in nearly 20 years of Linux desktop use)

You should play the lottery :D


keylogging mostly mitigated by the better security of Wayland?

Yes and no, programs can’t keylog or record the screen of other programs via the Wayland interface as they can in X. Wayland (and PipeWire) have mechanisms for access control built in. That’s a good start but it’s pretty useless if you don’t have proper access control / “sandboxing” for the other parts of your system. I remember reading some PoC code for a Wayland keylogger that just injected a library (edit: into user programs) and there are probably some other (more creative) ways to do it.


the user has to look for alternative methods to passwords

Why? Quantum computers only really break “conventional” asymmetric encryption and there are mature “quantum safe” alternatives.


In a democracy you also put up with right-wing, extreme and/or stupid people

Personal freedom stops where everybody else’s freedom begins. Extremists don’t have a place in a (modern) democracy as soon as they try to hurt other people’s freedom that doesn’t infringe on theirs in any way. Same-sex marriage opposition, racial segregation, anti-secularism, etc. are not to be “put up” with. They are not democratic in any way, shape or form, even if they claim to be and even if they are in the majority.

But it’s probably alarming that alternative platforms could be associated with those people.

For some reason fediverse stuff (esp. Mastodon) has in-your-face branding that can only be replaced by editing templates. So instances are automatically associated with the project. Nobody would associate a specific forum software with an instance of it because they usually restrict the branding to the footer and let admins edit the theme from the control panel at least a little bit.


Same, when I need to buy a mouse I choose them partially by how good their MMB works :D


Yeah, if you don’t have proper sandboxing and use sudo or similar, getting root on a desktop probably isn’t that hard.

if you’re running malicious, unprivileged code on your desktop computer, you’re pretty much screwed regardless

Maybe someone should tell browser developers :D


They did replace the install-default search provider for random installs with “studies” enabled. How would you word that?


They could have privilege escalation bugs or help hide and/or run unwanted code.




What is the harm in having extra packages installed, if you don’t use them?

Wasted disk space and bigger attack surface.


So any advice?

The Documentation/Book on the website is super useful for people new to Void. (The software recommendations below are all included there too.) The new GRUB should be able to decrypt LUKS2, so the “full disk” encryption guide is outdated. (I didn’t try it out though; if I had, I’d also have updated the guide.) You probably don’t want the musl version for a desktop system since it breaks in subtle ways; for a (simple) server it’s feasible imo.

How is package manager?

Fast.

Softwares?

Connman is easier (simpler) than NetworkManager. Metalog lets you easily sort syslog by Perl regex. (Can be used to build alerting scripts.) Elogind if you need a logind replacement.


I don’t wanna hide myself from companies or governments or anything

Why not?

Crypto isn’t an option; Sending/handing cash isn’t an option

Gift or debit cards, anonymous accounts with (foreign) banks (might be illegal or suspicious), things that can be easily resold (some countries require disclosing the source for large amounts of e.g. gold though)


Session IDs could be stolen (XSS, malware) or guessed (bad implementation of the ID generation). Sites that want you to be logged in all the time know of that risk and will use (invasive) techniques to assess how likely it is that the use of a given session is legit. (GeoIP, fingerprinting)




your sessions should be gone anyway when you open it again

Your session cookie will be gone, but your session is still valid until the server decides to invalidate it by a time-out. (Unless they save the whole session in the cookie.)
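Added example (not the comment author's code) illustrating the point above: a minimal server-side session table in Python. Dropping the cookie on the client does nothing to the server's record; only the idle time-out or an explicit logout invalidates it. The 30-minute time-out and all names are assumptions.

```python
import secrets
import time

# Idle time-out in seconds; 30 minutes is an assumed value for this example.
IDLE_TIMEOUT = 30 * 60


class SessionStore:
    """Server-side session table: session ID -> (user, last activity time)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so a test can fast-forward time

    def create(self, user):
        # 256 bits from the CSPRNG: this is what "bad ID generation" gets wrong.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self._clock())
        return sid

    def lookup(self, sid):
        """Return the user for a valid session (refreshing its idle timer), else None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > self._idle_timeout:
            del self._sessions[sid]  # timed out: invalidated server-side
            return None
        self._sessions[sid] = (user, now)
        return user

    def invalidate(self, sid):
        """Explicit logout: the only way to end a session before the time-out."""
        self._sessions.pop(sid, None)


def demo():
    """Simulate closing the browser: the cookie disappears, the session does not."""
    t = [0.0]  # constructed fake clock
    store = SessionStore(idle_timeout=IDLE_TIMEOUT, clock=lambda: t[0])
    sid = store.create("alice")
    browser_cookie_jar = {"session": sid}
    browser_cookie_jar.clear()  # browser closed: session cookie gone client-side
    still_valid = store.lookup(sid) == "alice"  # the ID itself is still accepted
    t[0] += IDLE_TIMEOUT + 1  # nobody used it for longer than the idle time-out
    timed_out = store.lookup(sid) is None
    return still_valid, timed_out
```

A real logout endpoint must therefore call something like `invalidate()`; merely clearing the cookie leaves a stolen copy of the ID usable until the time-out.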


I wish they would make them not so god damn giant…


How about just don’t do it unless necessary? Around here only supermarkets do it and I hate it when they are refrigerators in the summer and saunas in the winter.


The list was left accessible on an Elasticsearch cluster that had no password on it. …


That’s cool and all, but could be even better if they asked about their Matomo…


USBGuard: Black- or Whitelist USB Devices

Protect your Linux machine from being plug-and-pwned by malicious USB devices. They have a command line program which allows you to easily write your own scripts for showing notifications, controlling what devices are allowed, etc.