• 1 Post
  • 46 Comments
Joined 9 months ago
cake
Cake day: February 20th, 2024

help-circle



  • Alright. Thank you for reporting back!

    Uhmm…, so, the good thing is that it’s reproducible, a bug report has already been issued for it and should (therefore) eventually get a fix in upstream. The bad news, however, is that you may experience the same issue on every other relatively bleeding edge distro until then… But, there are two ways around it:

    1. Just reboot by shutting off 🤣.
    2. Or…, switch to Nobara. Some users reported the bug to its maintainer and they’ve fixed the issue on Nobara since. It’s conceivable that the fix may already be found on other distros as well, but it’s definitely fixed on Nobara. Thankfully, Nobara is based on Fedora. So you shouldn’t feel too far away from home ;).



  • Pushing aside that the last paragraph isn’t as carefully written as the first, I feel very conflicted with the main recommendation. On one hand, the Linux enthusiast in me absolutely agrees with it. While on the other hand, I remember how ‘second-day-on-Linux’-me (while not using any of the recommended distros for beginners) struggled hard to fight against the temptation of returning back to Windows.

    IMO, if anything, we need better platforms that function as guided tours for newcomers.


  • Until now, I had been under the impression that KDE was just arch Linux itself.

    Like others have already noted, KDE Plasma[1] is widely available and thus not only limited to Arch Linux. Heck, the same applies to 99% of the available software on Linux; universal package managers[2] have been vital to this.

    Would you happen to know a good way for me to learn more about Linux, and how to put it to good use from a beginner’s perspective?

    As you already own a Steam Deck, I assume you want to look into how you may improve your mileage out of it. Others have already noted how you may do so for more traditional systems. But the way Linux is utilized on the Steam Deck is rather unique. It utilizes immutability[3] (i.e. the inability to make certain (permanent) changes) which makes it rather harsh to change certain parts of the system; SteamOS’ implementation might even require you to redo some of these changes every so often… which is probably not what you were expecting. To circumvent this, perhaps it’s worth exploring other SteamOS-like distributions that are more friendly towards tinkerers. There are many to choose from; perhaps this breakdown may help you with making an informed decision (even if it’s found on a page dedicated to the Legion Go).


    1. That is, the desktop environment (i.e. the piece of software responsible for how you visually interact with your system) that team KDE works on. They’re also responsible for many other projects; like Kate, Kdenlive and Krita etc (these are often easily recognized by their names that start with a “K”).
    2. We may refer to package managers as the original App/Play Stores; a piece of software used to find, install and upgrade software. For a long time, every major distribution (like Arch, Debian and Fedora) had its own repository (i.e. set of installable software through the package manager). This meant that, it was very conceivable that software may be packaged (i.e. distributed and maintained through the repository) on some distros (abbreviation for distributions) but not on others. In the last couple of years, so-called universal package managers (like AppImage, Distrobox (technically this doesn’t belong here, but it does allow access to packages found on (other) distros), Flatpak, Guix, Nix and Snap) have become alternative package managers that are distro-agnostic. And have slowly, but surely, ridden Linux distros from concerns related to package availability.
    3. There’s a lot to say about immutability. But for now, it’s most important to note that not all systems that are (sometimes falsely) referred to as immutable are created equally. For example, the respective implementations for Bazzite, Jovian NixOS and SteamOS differ immensely from one another. Arguably, referring to Bazzite and Jovian NixOS as immutable with ‘unchanging’ being what’s implied, would be a major disservice to both projects.

  • A quick search revealed that others have experienced issues that may be related. In order to disclose that this is different from the issue reported by others, please consider the following:

    After updating to the latest kernel, shut off instead of reboot. After which you turn your device back on. If strict adherence to ‘rebooting’ like this prevents the issue from coming up, then it’s likely the aforementioned known issue with the latest generation of AMD GPUs and recent kernel updates.

    Please consider to report back on your findings.


  • Thanks for the conversation! 😊

    Yeah for sure the not-badness-enumeration approach would be to not use the GPU and set a defined screen size and pixel density.

    Hopefully one day.

    ungoogled chromium is likely less secure, no 1 is to have regular updates.

    Agreed.

    With CI/CD those patches should be applied automatically. Would be a cool project but not for me, I prefer Firefox.

    Hehe, fair.


  • I am aware that Homebrew has become the go-to solution for installing CLI applications on Bluefin. Which is exactly why I feel compelled to ask the question in my previous comment.

    Btw, I don’t really understand why you felt the need to share Jorge Castro’s blog post on Homebrew? AFAIK it doesn’t go over any security implications. Sharing the article would only make sense if Jorge Castro is regarded as some authority that’s known to be non-conforming when security is concerned. While I haven’t seen any security related major mishaps from him or the projects he works on, the search for the CLI-counterpart to Flatpak seemed to be primarily motivated by facilitating (what I’d refer to as) ‘old habits’; which is exactly what Homebrew allows. It’s worth noting that, during the aforementioned search process, they’ve made the deliberate choice to rely on Wolfi (which is known for upholding some excellent security standards) rather than Alpine (which -in all fairness- has also been utilized by Jorge for boxkit). IIRC, people working on uBlue and related projects have even contributed to upstream (read Distrobox) for patches related to Wolfi. So, there’s reason to believe that the uBlue team takes security seriously enough to work, contribute and deliver on more secure alternatives as long as it doesn’t come with a price to be paid by convenience. Which, in all fairness, is IMO exactly why Homebrew is used for in the first place (besides their recent utilization of technologies that have similarities to the ‘uBlue-way’ of doing things)…



  • Yeah know that deleting post fun. Jerboah is very good at recovering them.

    TIL about Jerboa. Thank you!

    If you use your GPU that model is fingerprintable through WebGL stuff. There is a firefox addon that spoofs random values though. Same for screen size.

    IIRC, so-called ‘naive scripts’ will indeed be spoofed. However, it has been shown at great length that JavaScript is not even required to to acquire screen size in the first place. Furthermore, methods that rely on badness enumeration are deemed inferior.

    Secureblue does not implement privacy over security, but if patches make a browser stay just as securely I think that would be fine.

    That would require someone to put effort into showing that ungoogled-chromium is at least as secure as Chromium. Is that even established in the first place?

    The thing is, for example we had some arguments about manifest v2 extensions (which can download stuff they then use, i.e. no control by Google and thus “less secure”). If Chromium does things like Connect to Google for security stuff like Safe Browsing, this will totally not be removed.

    Perhaps the desire to minimize attack surface is what’s been decisive.

    Secureblue is not GrapheneOS too. It is just a (huge) compilation of patches and patched images. Basically every Desktop with Wayland support, currently 86 (!!!) images.

    Surely, it would take a lot more effort to get it to GrapheneOS levels. However, I don’t find any fault with the desire to be inspired from GrapheneOS’ methods and implementations.



  • First of all, apologies for the late response. I had written a response, but something happened before I sent it and the cache of my phone wasn’t able to recollect my writing. I got so discouraged by this that I didn’t bother with it right away.

    QubesOS is interesting, I think overcomplex but needed until better systems are in place.

    Well said!

    Bubblejail would be an alternative that runs on normal hardware.

    I hope Bubblejail will indeed reach the level of sandboxing solutions we find on e.g. mobile devices. Though, a lot of work has to be put into portals (and others) before a feat as such is achieved.

    I dont know how resistant Vanadium is, it for sure doesnt send critical data, but screen size, hardware specs etc cant be not send without having no GPU acceleration and a letterboxed screen.

    Would you be so kind to elaborate upon the bolded part? I’m simply unaware of the link between GPU acceleration and protection against fingerprinting.

    Furthermore, just to be clear. I would like to retract my earlier statements that I’ve made regarding Vanadium and that were negative in nature. While there’s definitely truth in the fact that it does not provide fingerprinting protection (or spoofing) like what we find on Firefox (or Brave), but they have spoken out their ambitions and intentions to improve that. It’s simply that they haven’t put a lot of resources yet to the cause. And this is not for saving efforts or whatsoever, but rather because they intend to offer a more robust solution (eventually). We should also not disregard that, as is, GrapheneOS does offer some level of anonymity (in combination with best practices; i.e. VPN etc) merely by the virtue of only a select number of devices being supported by GrapheneOS and thus if two users are in relatively close proximity to one another and have their VPNs enabled and use the same device with GrapheneOS, then it might be hard for others to distinguish them from one another. Finally, at least regarding this topic, I don’t see them implementing letterboxing as we find on Firefox (as screen sizes are small anyways and only select number of screen sizes exist anyways, because only few devices are supported). Thus, as screen dimensions are not obfuscated, there’s less need to obfuscate the GPU in the first place.

    mobile browsers have limited screens size and every SOC has a different GPU basically. So if you avoid hardware rendering, you would still need to pretend to be the smallest phone comparable, and pixel density etc. may still be different.

    You may find some of my thoughts in the previous paragraph.

    Ungoogled Chromium is a set of patches. These should totally be applied to Secureblue chromium, but currently it is saving effords by just using Fedora chromium and a few policies

    Is it strictly beneficial for security? IIRC, privacy is (unfortunately) not regarded as a design goal for secureblue.

    Btw, apologies if my sentences were more convoluted and confusing than they are otherwise. Thank you for your attention and consideration!



  • Was the restart due to annoying OS features (e.g. Windows used to restart immediately without asking, iOS restarts if your phone is locked and it’s night time, etc.)

    Actually, I am not sure why it happened 😅. It was connected to the charger and I didn’t do anything that would otherwise be a direct cause to the phone to shutting off. To be honest, I don’t recall it ever happen before 😅. Kinda spooky… Or just technology being derpy at times 🤣.

    No, I’m just blind :,) I found it now

    Hahaha, glad to hear that you found it!

    Edit: Here it is!

    Thank you!

    Until the Rexodus (by the way, I’m apparently the only one to call it that. Please, people, it’s such a good name!),

    I’d argue that Rexxit is just plain better 😜.

    I had simply kept current with every post on r/privacy. I had occasionally read a few old posts, but it was mostly just keeping an eye on what the community was posting about and reading the discussions to learn as much as possible. I have a few old screenshots, like from this post and this one, but besides that it was just miscellaneous posts.

    Thank you for the answer! I started out following r/privacy diligently until I noticed that my threat model didn’t quite align with some of the more common echo chambers found there. To be more elaborate; it seems as if I was more absolutist when security was concerned, while the community was more absolutist when privacy was concerned. To be fair, it’s r/privacy, so it makes sense for it to be that way. Though I had hoped that security wasn’t treated like a second-class citizen; at least that’s how I felt*. Regardless, it seems that I’ve missed some gems along the way. Hopefully I will be able to catch up.


  • Computing practices (like installing packages from trusted maintainers and the deliberate use (through filling in passwords) for granting privileged access etc.) on Linux are different than on Windows. This already ensures that -simply by the virtue of using Linux as it’s intended- a Linux user is protected from complete classes of attacks.

    Furthermore, the average Linux user is a lot more computer savvy compared to the average Windows user. And I haven’t even mentioned the focus on FOSS, the security benefits through obscurity etc.

    Of course, Linux isn’t impenetrable. In fact, one might argue that its security frameworks on desktop are lacking compared to macOS and perhaps even to Windows (S mode).

    Nonetheless, Qubes OS (i.e. the worlds most secure desktop OS) heavily relies and utilizes Linux to do its bidding.

    To conclude, there’s a lot of nuance to secure computing on Linux. But as long as its user (i.e. the biggest attack vector) holds on to best practices, it should be more than safe. Unless…, you seek protection against sophisticated adversaries and their targeted attacks. At that point, I wouldn’t trust any desktop OS besides Qubes OS anyways.


  • Those are just Firefox. Using some other routing doesnt improve security.

    Never said or implied they were. Security is achieved through

    Tor Browser or Mullvad Browser in a disposable qube on Qubes OS

    Tor and Mullvad are only for preferred for the sake of anonymity as every user runs the exact same config on the same type of network.

    Vanadium might be degoogled and not send critical platform data, but it is not fingerprint resistant afaik.

    Hmm, you might be right. TIL. Thank you! Somehow, I was having high expectations for it… *sigh*

    On mobile, browsers cant really be that though.

    Do you happen to know why that’s the case?

    On Desktop there only is ungoogled Chromium which is a beginning. But especially secureblue doesnt use it for some reason.

    If I recall correctly, ungoogled-chromium has (at least in the past) been slacking on security. Don’t know if that’s still a thing though.


  • Preface: this is written with less care than I do usually. I was writing one of my usual replies, but my phone chose to restart while the text was being written in its browser.

    No, sorry. Some Reddit/Lemmy commenter.

    Np. FWIW, I’m using virt-manager anyways.

    No, although invisible ink would be somewhat cool.

    Definitely! Thanks for the inspiration!

    Have any ideas for a “password pen”?

    Unfortunately not. I have been completely reliant on KeePass* plus the aforementioned (‘algorithmic’) ‘salt’. But I think a password card and/or invisible pen is definitely worth exploring for passwords I don’t use daily. So, once again, thank you for mentioning those!

    You can also thank whoever on [email protected] posted it (I wish there was a search box…)

    Was that rhetorical 😅? I actually found the (presumably) original poster through the search capabilities found on Lemmy.

    Yikes, any reason for that?

    For a complete answer, let’s go for a trip back in time. Qubes OS’ alpha release happened in April of 2010. The Linux landscape was vastly different then to how it’s today. But, regardless, out of all possible options, a distro would have to be chosen for dom0. And, while none of us has the capability to look into the future, the chosen distro still had to be future-proof (i.e. not be abandoned any time soon). The second criterion was that it should be close to upstream (i.e. not a distro with outdated packages and kernel) for the sake of hardware compatibility (the very same reason for which Linux Mint has recently launched its Edge release). And, on that note, be excellent in terms of hardware/device support. Out of the then prevalent distros, Fedora simply fit all criteria best; Fedora being the community-driven distro to industry giant Red Hat, definitely played a huge role. And, in retrospect, it’s undeniable that picking Fedora was (and still is) a great decision. Honestly, I can’t even think of a better pick… Which is (perhaps) better understood by answering the second question; namely: Why Fedora 37 and not Fedora 38 or Fedora 39? Both of which were already released, while Fedora 37 had just gone EOL release. For that, we need to understand that Qubes OS actually does allow the installation of select packages in dom0, even if it’s regarded as a feature that only more advanced users should look into. As Qubes OS is (by default) a sensibly secure desktop OS, it only makes sense that they have to ensure that packages installed on dom0 are 100% safe and secure. But Qubes OS doesn’t want to waste resources on checking the security integrity of a moving system (i.e. a non-stable/non-EOL release). Thus, by necessity, it has to resort to an EOL release for Fedora. Going back to them picking Fedora in the first place; if we add the criteria that user repositories are undesired and that security should be handled very seriously by the maintainers, then Fedora was and still is the distro to pick.

    More backstory time! I have never used a cellular carrier, and only watched that video about a month ago (because it didn’t exist prior). The first part of my life was spent electronicless (because kids really shouldn’t have phones… look at me now mom, I’m talking to strangers on the internet by routing through a global censorship circumvention network!). The next part was spent somewhat disconnected, only had access to a non mainstream social media (it has since been merged with another one made by the same company, and became paid. Capitalism.) through WiFi + never went out much. I then finally had unrestricted access, but still never went out much. Then I started to go out much more, and the places I went to didn’t have WiFi. That, in turn, led me to take up network hacking as a hobby. I never managed to hack the network in question (WPA2-E).

    Thank you so much for the elaborate answer!

    Finally, I got my first job around the same time I learned about privacy. That meant I had the money to get a cell plan, but I had the knowledge to know why that was a bad idea.

    I thought I was well integrated into the privacy communities. But it seems that I was wrong; for I was unaware of the specifics until Naomi’s video. Would you mind sharing blogs/sites etc that you find exceptionally useful for finding out about these things?

    It’s funny, my mother recently called me because she was stressing about trying to find me a carrier (apparently?) and started saying “Your sister offered to add you to her plan if-” and I told her “I don’t want a carrier, but thank you!” and she said “Oh… Well that solves that problem.” and looked very relieved.

    Hehe, 🤣.

    Edit: I guess your question is asking ultimately why I don’t want a carrier, and it is due to the points that were also brought up in that video, yes.

    Thanks for the clarification!