Skip Navigation

N.E.P.T.R

@ Neptr @lemmy.blahaj.zone

Posts
8
Comments
543
Joined
1 yr. ago

I'm the Never Ending Pie Throwing Robot, aka NEPTR.

Linux enthusiast, programmer, and privacy advocate. I'm nearly done with an IT Security degree.

TL;DR I am a nerd.

  • Why isn't there a Windows community? Is Linux winning?

    Jump

  • They have the best ARM CPUs in any consumer product and very good software/hardware security. I hate Apple because their shit is overpriced and locked-down but that doesnt mean its garbage.

  • I'm installing Graphene OS this Monday!

    Jump

  • Same problem pretty sure.

  • Now With 100% More /snap Mount Points.

    Jump

  • Snap has a far better permission system and avoids many of the security pitfalls of Flatpak, but it being hardcoded to use Canonical's proprietary server is BS. Also forcing people to use Snap is BS.

  • Signal Founder Moxie Marlinspike: Telegram is not private. There is nothing private about it. They've done a really amazing job of convincing the world that this is an encrypted messaging app

    Jump

  • It is a denial of service attack. He discloses all vulnerabilities ahead of time. The only reason he released the previous one so quickly is because the Matrix team said it "wasnt a real vulnerability".

  • Signal Founder Moxie Marlinspike: Telegram is not private. There is nothing private about it. They've done a really amazing job of convincing the world that this is an encrypted messaging app

    Jump

  • Understood.

  • Signal Founder Moxie Marlinspike: Telegram is not private. There is nothing private about it. They've done a really amazing job of convincing the world that this is an encrypted messaging app

    Jump

  • Signal Founder Moxie Marlinspike: Telegram is not private. There is nothing private about it. They've done a really amazing job of convincing the world that this is an encrypted messaging app

    Jump

  • People keep finding significant vulnerabilities in its cryptography and the Matrix team tries to deflect or create strawmans for why it isnt actually a vuln. Soatok found a vulnerability in 2024 by just browsing the source code for tiny bit of time, and again just two weeks ago after looking for a couple hours. In both cases, Matrix then responded to his vuln report with hostility, saying it wasnt actually a vulnerability. He is sitting on another vulnerability.

    Having a cleartext mode is a security downgrade and no secure messenger should support cleartext. It only barely got functional forward secrecy recently. VoIP in most Matrix clients (and servers) still use Jitsi backend which isn't E2EE, even with the release of the newer (secure) Element call protocol. Matrix leaks tons of metadata, such as usernames, room names, emoji reactions, generate URL embedded previews. Rooms arent encrypted by default. It is also a UX nightmare and often times you cant decrypt your messages.

    Matrix is not secure. You'd be better off with XMPP and OMEMO which has its own problems and isn't secure either. Sill better than Matrix.

  • Signal Founder Moxie Marlinspike: Telegram is not private. There is nothing private about it. They've done a really amazing job of convincing the world that this is an encrypted messaging app

    Jump

  • Session is a security downgrade. It doesnt support forward secrecy which is hella important.

  • AI slop repository with 8k stars on Github that doesn't even compile

    Jump

  • Also the repo image

  • Virtual Machines vs LXC vs Docker: What’s the Real Difference?

    Jump

  • Yes, I understand what GVisor does. Cgroups2 are for isolation of system resources, bit arent even the main sandbox feature used for isolation by Docker. I am pretty sure namespaces significantly more important for these containers' security.

    GVisor helps with one of the main risks in a container setup which is the shared kernel by hosts and guests. I understand it comes with a performance penalty (and I didnt know it was incompatible with SELinux), but that does change my original point that GVisor is a security improvement to default Docker. I understand there is more nuance, even when I wrote my original comment I understood (just like any other security feature) it cant be used in every scenario. I was being intentionally general, and in my second comment I was pretty specific about what it protects against: Kernel vulnerabilities and privilege escalation.

    I researched cgroups2 more and I still dont understand why you brought it up in the first place. Cgroups2 and gvisor provide very different security benefits. Cgroups help to keep a system available (lessening the risk DoS attacks) by controlling access to some system resources (io, devices, cpu, memory) and grouping processes of a similar type. It seems rather optimized to solve resource control on a container host. I mentioned gvisor because it is mostly just a drop-in replacement container runtime which doesnt need setup to be used.s

    Now for a different container runtime which provides significantly more features (than gvisor) with less downsides (if configured correctly for a specific workload), Sydbox provides syd-oci which id an application kernel runtime which uses a permission config file to create a sandbox, isolating using namespaces, seccomp, landlock, and more. It can sandbox in many different categories (often times leveraging multiple features to provide a multilayer sandbox), you can see the categories at the syd manpage. The biggest downside is that you must really understand what your container application needs otherwise it will prevent it from running. It is a "secure by-default" sandbox which can be softened through config.

  • Virtual Machines vs LXC vs Docker: What’s the Real Difference?

    Jump

  • I dont really understand what you mean in your last sentence.

    My reason for saying GVisor is safer is because it is an application kernel which provides traps and emulates most Linux syscalls in the guest with a far smaller set of syscalls to the host kernel, helping to prevent container escapes and privilege escalation. GVisor also fully drops privileges early into start up (before running any significant logic), helping to prevent privilege escalation.

    Cgroups is not a really a security feature (from what I understand). It is about controlling process priority, hierarchy, and resources limiting (among other things). You can not use GVisor with LXC.

  • Firefox’s AI Kill Switch is a Trap: How Mozilla Made AI Your Problem

    Jump

  • Firefox’s AI Kill Switch is a Trap: How Mozilla Made AI Your Problem

    Jump

  • It was posted in like 5 different communities, some not even close to related (for example 3 Linux communities), some posted twice (eg. the Linux previously mentioned communities). They could have just crossposted it using the feature. Either way it is still a lot of spam. It isnt even that important of news because anyone who cares about this (anti or pro LLM) has already made up their mind and would already have formed an opinion on this feature without a random article.

  • Firefox’s AI Kill Switch is a Trap: How Mozilla Made AI Your Problem

    Jump

  • The UI is proprietary.

  • Virtual Machines vs LXC vs Docker: What’s the Real Difference?

    Jump

  • In order of most to least secure

    VM > Docker+GVisor > Docker/LXC

    Docker+GVisor is good middle ground because it provides the guest container with an application kernel in a memory safe language and reduced syscall attack surface to avoid kernel container escapes. Docker/LXC share the kernel with the host.

  • Whats the flaw of the "Nothing to Hide" argument?

    Jump

  • One of my gotos is that they may have nothing to hide, but their friends and family (or people who they know who are at risk) might like having privacy. People don't (unusually) live in isolation and others are affected by their actions/choices.

  • security and blobs

    Jump

  • They disregard the risk from the vendor because you are already using their hardware. The hardware has firmware already included which is proprietary, the hardware itself is proprietary, and hardware effectively runs as root anyways. You should already trust your hardware or you shouldn't be using it. Linux-libre is a purity test, that is it. It is security theater which actually, definitely, really makes you vulnerable without doing anything meaningful. The only time it makes any sense is if you only use open source hardware.

  • Q: how to detect hidden cams and mics?

    Jump

  • security and blobs

    Jump

  • They disregard the risk from the vendor because you are already using their hardware. The hardware has firmware already included which is proprietary, the hardware itself is proprietary, and hardware effectively runs as root anyways. You should already trust your hardware or you shouldn't be using it. Linux-libre is a purity test, that is it. It is security theater which actually, definitely, really makes you vulnerable without doing anything meaningful. The only time it makes any sense is if you only use open source hardware.

  • 196 @lemmy.blahaj.zone
    N.E.P.T.R @lemmy.blahaj.zone

    Jeff the kicker rule

  • 196 @lemmy.blahaj.zone
    N.E.P.T.R @lemmy.blahaj.zone

    Beatles rule

  • 196 @lemmy.blahaj.zone
    N.E.P.T.R @lemmy.blahaj.zone

    HD2 Rule

  • Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ @lemmy.dbzer0.com
    N.E.P.T.R @lemmy.blahaj.zone

    What is the URL for AudioBookBay?

  • 196 @lemmy.blahaj.zone
    N.E.P.T.R @lemmy.blahaj.zone

    does not rule (also fuck the police and corporate news)

  • 196 @lemmy.blahaj.zone
    N.E.P.T.R @lemmy.blahaj.zone

    #1 Rule of USA Healthcare: discriminate against poor people.

  • 196 @lemmy.blahaj.zone
    N.E.P.T.R @lemmy.blahaj.zone

    The GOAT (rule)

  • 196 @lemmy.blahaj.zone
    N.E.P.T.R @lemmy.blahaj.zone

    mr(ule) boner