0xtero

@0xtero@beehaw.org

Glorified network janitor. Perpetual blueteam botherer. Friendly neighborhood cyberman. Constantly regressing toward the mean. Slowly regarding silent things.


0xtero,

Economy 2.0 is next week I think (hope!) - so this is just vanilla breakage.

0xtero,

The obvious recommendation is Gentoo stage1 tarball running in Windows Linux Subsystem.

(on a serious note: whatever you’re running on your daily driver)

0xtero,

Been using Nebula for a while now. Going to miss some YouTube creators, but I expect to get over it.

0xtero,

So, is this the type of SLAM you’d typically see in a moshpit? Or are we talking about wrestling slams?

0xtero,

Manor Lords all the way. There’s a big Cities Skylines II patch coming out this week (I hope). I might fire it up and check it out. It’s getting close to “release quality” after a pretty crappy release.

Is it impossible to be private online? (yewtu.be)

In sharing this video here I’m preaching to the choir, but I do think it indirectly raised a valuable point which probably doesn’t get spoken about enough in privacy communities. That is, in choosing to use even a single product or service that is more privacy-respecting than the equivalent big tech alternative, you are...

0xtero, (edited )

Every time I talk about privacy online, the pessimists always come out. "It’s impossible to have any online privacy."

My experience is actually completely opposite. While mainstream “normies” don’t seem to care, most of them are using readily available privacy tools in their communication daily. Things like WhatsApp, Signal and iMessage. Most websites these days are HTTPS enabled. Governments are so concerned about this loss of monitoring capability, they’re trying to craft laws which allow them to backdoor devices before encryption happens. And they’re meeting resistance, despite all the lobbying (see Chat Control 2.0). We’ve never had as widely adopted privacy tools as we have today.

Big tech and advertising are two problems that still create trouble. A lot of this stems from completely different, non-privacy related reasons (the lax US policies concerning anti-consumer and monopoly laws) but even here policies around the world are slowly catching up. GDPR gives Europeans quite a bit of control over our data and while this is still just one baby step - it’s much better than it used to be. There’s a lot of global inequality here though. Facebook/Meta is synonymous with the Internet in the developing world, because they’ve used their monopoly money to exploit the situation. Digital imperialism is still strong.

I’m not going to harp too much on SMTP privacy, Proton has a bunch of nice services. If that’s where your MX happens to point, then great, but we do also need to slowly move away from these old protocols that offer no privacy choice (yeah I know, SMTP is here to stay).

What I’d like to see more, is talk about threat modeling in this space. Because that’s where it all starts and threat models are quite personal. There’s no “one size fits all” privacy, because our needs vary. A political dissident living in exile from a hostile government has completely different needs for privacy compared to a person who doesn’t like YouTube ads. We should try to foster easily digestible discussion around personal threat modeling - right now we (the privacy crowd) come across as loonies since a lot of the advice we give starts from the wrong end of the model.

I don’t see digital privacy as a pessimistic space. But what do I know, I’m not a content creator.

0xtero,

I notice you quoted the sentence from the description - did you watch the video itself?

No, I’m afraid I didn’t.

0xtero,

Ah, well. Maybe that saves a click and 10 minutes of someone’s life.

0xtero,

What else am I missing?

Large scale manufacturers pre-installing Linux? Readily available multi-language support for home users? Coherent UI regardless of computer and distro underneath. Billions of lobbying money spent on politicians for favorable policy crafting? Billions spent on marketing campaigns to actually sell the idea to the masses who simply don’t care about any of your points (or any technical reasons, privacy or anything else that might be top of mind of the current Linux userbase).

I’d say Linux has a good chance of capturing 5-6% of the market in the coming years if lucky (I believe we’re somewhere around 4% at the moment), unless one of the big tech monopolies decides to start throwing money into it (Like Google did with Android)

0xtero,

This is the moment in Scooby-Doo where the gang unmasks the person they’ve just caught and underneath is just the Microsoft Bing logo

0xtero,

The only AI function I could see myself using is one that would summarize 15 minute youtube videos into coherent readable text in blog format. That would be nice. Especially when they’re posted like this, just links without much context.

Is Privacy Worth It? (blog.thenewoil.org)

When I announced I would be closing my communities earlier this year, a curious thing happened: a surprising number of regulars replied with some variation of “I think this is my exit.” While some were specifically talking about Matrix, claiming that mine was the only room they were really active in and therefore they saw no...

0xtero,

Well, that was an extremely long-winded way to say “depends on your threat model”. Which it does.

So nothing new under the sun.

0xtero,

In conclusion, Fuck EA. End of message.

0xtero, (edited )

So your requirement with cellular calling (eSIM) is already fairly restrictive and depends on which market we’re talking about. Where I live (.se) you get to choose between Apple and Samsung and since Apple was out of the question, you’re stuck with Samsung.

Not entirely sure if your second requirement with long battery life can be fulfilled. You’ll be charging the watch every day, probably more often if you take calls on it.

There’s some rumors that Garmin Forerunner/epix will get eSIM support, but that will also be carrier dependent.

These wearables are pretty complicated high end devices, I wouldn’t really give them to elderly parents who struggle using a normal mobile.

I think it might be better to look into other types of devices like pager systems from caregivers, if you’re worried about health issues.

0xtero,

Yeah, well just go ahead and see if it works for you now. I doubt much has changed, but some bits are probably more polished these days.
Most distros support some kind of LiveCD, so you can try it out without having to reinstall your machine, it’s painless and quick to evaluate before you take the plunge.

zenbook duo pro

A quick search reveals this. Might be helpful. davejansen.com/asus-zenbook-duo-and-fedora-linux/

0xtero,

I thought it was funny as well. Sometimes FOSS communities are so very uptight, we should relax a bit.

Novel attack against virtually all VPN apps neuters their entire purpose (arstechnica.com)

Pulling this off requires high privileges in the network, so if this is done by an intruder you’re probably having a Really Bad Day anyway, but might be good to know if you’re connecting to untrusted networks (public wifi etc). For now, if you need to be sure, either tether to Android - since the Android stack doesn’t...

0xtero, (edited )

I also don’t get much value out of the statement that “every” OS except Android is vulnerable. Do they really mean all other OSes, or just what would come to mind for most people, i.e. Windows, macOS, Linux, iOS? What about the various BSDs for example?

It’s a DHCP manipulation attack, so every RFC 3442 compliant DHCP implementation implementing option 121 would be “vulnerable” (it’s not a vulnerability though). Android apparently doesn’t implement it, so it’s technically impossible to pull off against an Android device. There might be others, but I’d guess most serious server/desktop OSes implement it.

The title isn’t misleading at all, even though the “neutering their entire purpose” is a bit of a click-bait. This doesn’t affect ingress VPN at all.

It’s an attack that uses DHCP features (according to RFC).

It’s a clever way to uncloak egress VPN users, therefore it does have a privacy impact since most of us use VPN for purposes of hiding our traffic from the local network and provider, and there’s no “easy” fix since it’s just a clever use of an existing RFC.
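To make the RFC 3442 mechanism from the comment concrete, here is an added example (not code from the article, the researchers or the commenter) that decodes the payload of DHCP option 121 and reports, from a VPN user’s point of view, which pushed routes are not plain on-link routes and would therefore steer traffic around the tunnel. The option bytes and the LAN prefix are constructed sample values.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and flag
routes that would pull traffic around a VPN tunnel.
Added example; the sample option payload below is constructed."""
import ipaddress


def parse_option121(data: bytes):
    """Return a list of (destination network, router) tuples.

    `data` is the option's value (after the code and length bytes).
    RFC 3442 encodes each route as: one byte prefix length, then only
    the significant octets of the destination (ceil(prefix / 8) of
    them), then the 4-byte router address.
    """
    routes = []
    i = 0
    while i < len(data):
        prefix = data[i]
        if prefix > 32:
            raise ValueError(f"invalid prefix length {prefix} at offset {i}")
        n = (prefix + 7) // 8          # number of significant octets
        i += 1
        if i + n + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + n]) + b"\x00" * (4 - n)   # pad to 4 octets
        router = bytes(data[i + n:i + n + 4])
        i += n + 4
        net = ipaddress.IPv4Network((dest, prefix))
        routes.append((net, ipaddress.IPv4Address(router)))
    return routes


def routes_bypassing_vpn(routes, lan_subnet):
    """Return (network, router, reason) for every route that is not just
    a route inside the local LAN. Such routes land on the physical
    interface and win over the tunnel for matching destinations, so that
    traffic leaves the host in the clear."""
    lan = ipaddress.IPv4Network(lan_subnet)
    flagged = []
    for net, router in routes:
        if net.subnet_of(lan):
            continue                    # ordinary on-link route
        reason = ("default route pushed via option 121" if net.prefixlen == 0
                  else "non-local destination pushed via option 121")
        flagged.append((net, router, reason))
    return flagged


# Constructed sample: a normal LAN route followed by the two /1 routes
# that together cover the whole IPv4 space (a classic "more specific
# than the tunnel's default" pair).
SAMPLE_OPTION121 = bytes([
    24, 192, 168, 1, 192, 168, 1, 1,   # 192.168.1.0/24 via 192.168.1.1
    1, 0, 192, 168, 1, 1,              # 0.0.0.0/1      via 192.168.1.1
    1, 128, 192, 168, 1, 1,            # 128.0.0.0/1    via 192.168.1.1
])

if __name__ == "__main__":
    for net, gw, why in routes_bypassing_vpn(
            parse_option121(SAMPLE_OPTION121), "192.168.1.0/24"):
        print(f"{net} via {gw}: {why}")
```

On a real host the same check would be run against the option as captured from the lease (for example from the DHCP client’s logs), and a hit is a reason to disconnect and treat the network as hostile.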

0xtero,

Knowing history, that’s one tape I have no intention of listening to. RIP the crew and all other early space flight pioneers who perished pushing the boundaries of our planet.

0xtero, (edited )

I mean… why would people downvote you for that?
I have a todo.txt which I update. If I need to “be mobile” I just stuff some notes into Signal note to myself.
During meetings, I still take notes with paper and pen, because that’s much faster than digital notes.

0xtero,

It’s missing quite a few features and it’s buggy. Still ten times better than Cities Skylines 2.

0xtero, (edited )

Ente Photos - Google Photos replacement with encryption and privacy
Ente Auth - Good multiplatform authenticator.
^^ These are paid-for services (you get both with the same sub), but extremely good.

AntennaPod - Podcatcher
K-9 email

0xtero,

Someone being enraged about snap on behalf of Windows users was certainly a take I didn’t know I needed.

0xtero,

I don’t and the energy consumption of public AI services is a stopper for “testing and playing around”. I think I’ll just wait until it takes over the world as advertised.

0xtero,

This sounds like the average Bethesda experience. I always get hyped by their pre-releases, but I find the actual games to be tedious and boring slogs.

I know it’s down to personal taste, but I think I enjoy a bit more rail-roading and a bit less sandbox. Witcher 3 and Cyberpunk 2077 are “just right” for me, the story is tight. Bethesda games are a bit loosey-goosey (ha!) with their storytelling.

How to make it so frequently used sites don't constantly require 2FA? [SOLVED]

EDIT: After reading all the responses, I’ve decided to allow cookies to persist after they close the browser, which I expect will make it so that 2FA doesn’t kick in as often, at least not on their most frequently used web sites. I may also look into privacy oriented browser extensions that might offer some protection, such...

0xtero,

I’ve configured Firefox on their Linux laptop not to keep any cookies after the browser is closed. I know this isn’t a Linux/Firefox issue

It’s a you issue.

Block third-party cookies, but allow cookies from the site itself. I’m not sure why you’d filter those out in the first place?

Ask: How do you handle your résumés?

Usually I rely on my network & haven’t needed this kind of document in ages, but I’ve been tasked with creating a résumé for myself. I’ve grown more privacy-conscious every year & I think it’s weird that we are expected to give out so much information about ourselves to companies that lie about their culture & don’t...

0xtero,

I’m a consultant so whenever I’m applying for a new gig I need to provide a consultant profile, which is very similar to a resume.

Over the years I’ve learned that most customers are not very interested in the “personal stuff” sections - they just want to know you have the skills required, so try to minimize the amount of personal data and concentrate on skills and past gigs (anonymizing customers/companies) etc.

But - unfortunately you have to tell something about yourself and your ability to work together with others, there’s really no way around it. It’s also more and more customary that (for some reason) they want your photo. Stuff like education, certifications need to be there, but keep it very short. Think about “social media profile page”.

Provide stuff like contact info, address, phone, date of birth (if required) and references separately - don’t put them into your resume. You can add something like “Personal information and references provided separately by request” in there, that way, even if the document is shared, all they get is something resembling a LinkedIn profile.

You can also try to add “confidential” to the document header, but I’ve noticed it’s not respected very often.

0xtero,

Gamers are so fucking weird. Really enjoyed the show. Hope they make 2nd season.

0xtero,

But if it was reality

“In a future, post-apocalyptic Los Angeles brought about by nuclear decimation, citizens must live in underground bunkers to protect themselves from radiation, mutants and bandits.”

And you picked a girl punching a guy as the exact moment to suspend your belief at? Damn dude.

0xtero,

A symlink is a file that contains a shortcut (a text string that is automatically interpreted and followed by the operating system) reference to another file or directory in the system. It’s more or less like a Windows shortcut.

If a symlink is deleted, its target remains unaffected. If the target is deleted, the symlink still continues to point to the non-existing file/directory. Symlinks can point to files or directories regardless of volume/partition (hardlinks can’t).

Different programs treat symlinks differently. The majority of software just treats them transparently and acts like they’re operating on a “real” file or directory. Sometimes this has unexpected results when they try to determine what the previous or current directory is.

There’s also software that needs to be “symlink aware” (like shells) and identify and manipulate them directly.

You can upload a symlink to Dropbox/Gdrive etc and it’ll appear as a normal file (probably just a very small filesize), but it loses the ability to act like a shortcut. This is sometimes annoying if you use a cloud service for backups, as it can create filename conflicts and you need to make sure it’s preserved as a “symlink” when restored. Most backup software is “symlink aware”.
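The behaviours described in the comment, shown as an added example (not code from the commenter): a link left dangling after its target is removed, the difference between transparent and symlink-aware access, and a backup-style copy that either flattens the link into a plain file or preserves it. All paths are created in a temporary directory; the file names are made up.

```python
"""Symlink behaviour demo: dangling links, transparent vs symlink-aware
calls, and preserving links in a tree copy. Added example; file names
are constructed and live only in a temporary directory."""
import os
import shutil
import tempfile


def dangling_link_report(tmp):
    """Create target + symlink, delete the target, report what each view sees."""
    os.makedirs(tmp, exist_ok=True)
    target = os.path.join(tmp, "notes.txt")
    link = os.path.join(tmp, "notes.lnk")
    with open(target, "w") as f:
        f.write("hello\n")
    os.symlink("notes.txt", link)          # relative link, as most tools create them
    before = os.path.exists(link)          # follows the link: target present -> True
    os.remove(target)                      # deleting the target leaves the link behind
    return {
        "existed_before": before,
        "exists_after": os.path.exists(link),     # transparent view: target gone -> False
        "lexists_after": os.path.lexists(link),   # symlink-aware view: link itself is there
        "still_points_to": os.readlink(link),     # the stored path is unchanged
    }


def backup_copy(tmp, preserve_symlinks):
    """Copy a tree the way a backup tool would and report how the link came out."""
    src = os.path.join(tmp, "src")
    os.makedirs(src)
    with open(os.path.join(src, "real.txt"), "w") as f:
        f.write("data\n")
    os.symlink("real.txt", os.path.join(src, "alias.txt"))
    dst = os.path.join(tmp, "backup_keep" if preserve_symlinks else "backup_flat")
    # symlinks=False copies the file the link points at (the "cloud drive"
    # behaviour); symlinks=True recreates the link itself (symlink-aware backup).
    shutil.copytree(src, dst, symlinks=preserve_symlinks)
    restored = os.path.join(dst, "alias.txt")
    return {
        "is_symlink": os.path.islink(restored),
        # lstat does not follow links: for a link this is the length of the
        # stored path ("real.txt" = 8), for a flattened copy the file size (5).
        "size": os.lstat(restored).st_size,
    }


def run_demo():
    """Run all three scenarios in separate scratch directories."""
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "dangling": dangling_link_report(os.path.join(tmp, "a")),
            "flat": backup_copy(os.path.join(tmp, "b"), preserve_symlinks=False),
            "keep": backup_copy(os.path.join(tmp, "c"), preserve_symlinks=True),
        }


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```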

How the xz backdoor highlights a major flaw in Nix (shadeyg56.vercel.app)

The main issue is the handling of security updates within the Nixpkgs ecosystem, which relies on Nix’s CI system, Hydra, to test and build packages. Due to the extensive number of packages in the Nixpkgs repository, the process can be slow, causing delays in the release of updates. As an example, the updated xz 5.4.6 package...

0xtero,

Kinda tired of the constant flow of endless “analysis” of xz at this point.
There’s no real good solution to “upstream gets owned by evil nation state maintainer” - especially when they run it in multi-year op.

It simply doesn’t matter what downstream does if the upstream build systems get owned without anyone noticing. We’re fucked.

Debian’s build chroots were running Sid - so they stopped it all. They analyzed and there was some work done with reproducible builds (which is a good idea for distro maintainers). Pushing out security updates when you don’t trust your build system is silly. Yeah, fast security updates are nice, but it took multiple days to reverse the exploit, this wasn’t easy.

Bottom line, don’t run bleeding edge distros in prod.

We got very lucky with xz. We might not be as lucky with the next one (or the ones in the past).

0xtero,

I’m not sure why you think I didn’t? Sorry if it was unclear.

From the blog:

This incident has really made me wonder if running the unstable branch is a great idea or not.

My comment:

Bottom line, don’t run bleeding edge distros in prod.

Hope this clarified my opinion! Have a good day!

0xtero,

Yeah, I can get that. The xz situation probably wasn’t the best of examples though?

0xtero,

And thus begins the enshittification of Discord

0xtero,

I think they’re only worried about U.S. class action. Don’t think American companies really care about the legality anywhere else.

0xtero,

Only reason Discord has “a shop” in the EU is for tax evasion. It’s a P.O. Box at Schiphol airport. I really don’t think they care very much.

0xtero,

I meant NL is one of the top 10 tax havens in the world due to their exemptions that allow corporate tax evasion.

0xtero,

I don’t think this one counts as a big win to be honest. It was just freakish luck.

0xtero,

Or found out in corporate code review / pentest. We just don’t know. I get that we want to say FOSS is great due to the “many eyes/shallow bugs” thing, but that didn’t work for OpenSSL or log4j. The fact that it did now is great, but let’s not get carried away. It was just pure luck.

0xtero,

SELinux has been GPL for 24 years.

It’s part of what was called Rainbow Books, but is known more widely these days as the Common Criteria.
en.wikipedia.org/wiki/Common_Criteria

It’s the “Government setting standards” sort of scenario.

Backdoor found in widely used Linux utility breaks encrypted SSH connections | Ars Technica (arstechnica.com)

TL;DR there was a backdoor found in the XZ program. All major distros have been updated but it is recommended that you do a fresh install on systems that are exposed to the internet and that had the bad version of the program. Only upstream distros were affected.

0xtero,

Catching this now is pretty huge, because it mainly targets distro build systems. Had this gone undetected, we’d be in shiznit creek a couple of years down the line.

0xtero,

It mostly affects/targets the build systems of binary distros - infecting their build machines with this would result in complete compromise of released distro down the line.

Meta gave Netflix and Spotify access to users private messages (arstechnica.com)

In 2018, Facebook told Vox that it doesn’t use private messages for ad targeting. But a few months later, The New York Times, citing “hundreds of pages of Facebook documents,” reported that Facebook “gave Netflix and Spotify the ability to read Facebook users’ private messages.”...

0xtero,

If you want private messaging - use Signal.
If you use any kind of messaging on commercial platforms, expect immediate loss of privacy. They call them “direct” messages for a reason.

0xtero, (edited )

Something something Privacy vs. Anonymity. But I invite you to try. Good luck getting into my phone!

0xtero,

Oh boy. Some of you people watch too many movies.

Let’s get some basic stuff established:

  • This thread is about commercial platforms selling your direct message data. That’s the threat model.
  • I don’t live in a country where the police SWAT teams throw flashbangs without court orders.
  • If the authorities want to get to me (which, again, is not the threat model of this thread), they can. Easily. They know where I live. They just have to knock on the door. It’s not even locked.
  • I did, to my best knowledge, not reply to you anywhere in this thread. I’m not sure why you are replying to me.

But sure. I’ll give you this: If your threat model is dodging SWAT team flashbangs, I doubt using Signal is much use to you at that point. That just wasn’t what this thread was talking about.

0xtero,

Which was a response to this
