randomise your web interface port

Randomized interface ports change nothing except for stopping automated scanners. They don’t really help. Just lock it behind ssh, physical access or similar, and then never worry about it again.

Yeah only if you enable their cloud api

No, all of the local web interfaces have had problems too. Literally every router or network appliance has had similar issues.

ts not an isp or consumer router

ISP, consumer, and enterprise routers have all the same issues due to the same architecture. All of them.

have also pen tested my router remotley.

Me too. But it’s just not about my router being secure today, it’s about it being secure tomorrow. I want to be able to rest easy knowing that if a new vulnerability appears in xyz component then I don’t have to worry about it.

Every issue with tp link has been. You need to have acces to the router physically to implement.

Come on, this is not true and you know it. Finding a counterexample was easy:

https://www.anavem.com/en/news/cybersecurity/tp-link-patches-critical-router-flaws-enabling-rce

Auth bypass + auth rce flaw. Literal remote code execution, instant own.

The problem with network appliances/routers is that they all have web ui’s, and management api’s or something of the sort. Web UI’s are extremely complex services, with lots of difficult to secure attack surface. In a router, that attack surface is now running as root (because it has to be, to manage linux (or freebsd, routers are usually based on one of the two) kernel routing and networking.

So literally every single network appliance and router has had it’s own critical vulnerabilities, even open source ones like openwrt.

The real solution here is to recognize that web interfaces are a security nightmare, and to either disable them or lock them behind ssh.

(Open)ssh, is known for having extremely few vulnerabilities, only 2.5 critical ones over it’s 25+ years of existence. That’s a big difference compared to some of these network appliances/routers which have 2+ critical vulns every quarter.

I’m so tired of news articles that hype up fairly mundane stuff, acting like it’s the next big bomshell.

In addition to that, by misrepresenting what is happening, it’s literally actively harmful to consume this kind of news, which is so common on the cybersecurity news cycle.

Yet another cyberslop article.

Not really. Immutability can be overriden by root, who can then edit files.

And in addition to that, /etc/, system config files, including pam files mentioned here, are not immuable even in immutable distros.

SIX. SEVEN.

Frantically does hand gesture

https://archipelago.gg/

Yes this is the best way.

On Linux I’ve never had to install drivers for any printers, it comes with a “generic” driver that works for a ton of brands,

The original person you replied was commenting that nix was less vulnerable to supply chain attacks. Your reply is essentially completely off topic, talking about CVE’s. They are not the same type of issue. Having an actively running piece of malware on your system is vastly more concerning than a vulnerability someone has yet to exploit, and the supply chain security techniques needed to protect against the former are different as well.

Immutability is an extremely poor defense against any form of attack. Immutability is literally a filesystem feature where a flag, chatttr -i is set on files or folders. Any program with root can adjust this flag, and any program running as a user could download additional binaries to or modify the users home directory. This is how the nix daemon works.

Now, if nixos followed (or you configured it to follow) a model where only binaries in the nix store could be executed, and nothing else could be executed (in addition to maybe say, using selinux to enforce that only the nix daemon is editing the nix store), that would be much more secure and very interesting. But it’s not doing that.

Edit: correction, the nix store is not actually immutable on the filesystem level. It merely holds immutable “outputs”, the packages and functions it generates. You’re not supposed to edit them… but nothing stops you (if you’re root or the nix daemon user). You can verify the nix store pretty easily, but it’s not an ongoing process, that is to say it wouldn’t catch malicious changes.

What I said above about a theoretical applocker enabled like system based on Nix still applies, however.

This is not the same. The AUR was a supply chain attack, where good packages where replaced with malicious one’s.

Nix is better at stopping things like that from happening, becuase they have a monorepo, where most package updates or changes are reviewed by another person. The AUR is just a collection of individual git repos (or branches), where each maintainer can make updates or changes with no oversight.

Just start writing and upload chapters as lemmy posts.

https://en.wikipedia.org/wiki/Web_fiction

It’s also possible to transition to an actual book if you want. Huh, the wikipedia page mentions that the martian by andy weir started out as web fiction. Cool.

https://lutris.net/games/league-of-legends/

My favorite pro is league of legends support.

Yes

https://wiki.archlinux.org/title/Wireless_bonding

EDIT: oh wait, you configured them both with the same static ip address. Can you use a tool like iftop to check that both interfaces are actually being used? You can also use tcpdump -i interfacename or similar tools.

It’s very possible that this setup doesn’t break, but isn’t true bonding, where both connections can be used at once for more bandwidth. Although, maybe this is an easy, reliable way to get a failover type system, where when the ethernet is disconnected it automatically uses the wifi. Or maybe it’s been using only the wifi this whole time.

When on God’s green earth would someone want to delete the partition table and not immediately create a new partition?

counterpoint: https://wiki.archlinux.org/title/Btrfs#Partitionless_Btrfs_disk

Btrfs can occupy an entire data storage device, replacing the MBR or GPT partitioning schemes,

I really like this take on it: https://forgejo.org/docs/latest/user/actions/github-actions/#familiarity-instead-of-compatibility

For all of these reasons, Forgejo Actions strives for familiarity instead of compatibility. We want users of GitHub actions to feel familiar using Forgejo Actions, even if there are some small changes here and there. Workflows should work with some minimal changes.

I think the same thing applies to Linux DE’s. Linux is not and never will be a 1 for 1 to windows workflows. If we chase perfect compatibility, we will be perpetually behind on a wild goose chase.

But, doing things like what KDE does, where most of the common keyboard shortcuts are the same, and things like virtual desktops allow for similar workflows with very little adaptation, is very reasonable.

The chess com engine analysis sucks. It’s too focused on glazing you and not enough on being honest. It certainly feels better than the lichess engine, but it doesn’t actually share more information.

For example, it used to be that a “brilliant move” was any move that you spotted but that the engine didn’t. But now, it’s been changed so that any sacrifice is a “brilliant move”.

Further, the LLM based analysis is also pretty bad. It only seems to explain moves, but like most LLM’s, it actually hallucinates and recommends nonsensical stuff, or incorrectly makes other claims about the position. If you search on r/chess you can find plenty of examples of this:

• https://www.reddit.com/r/Chesscom/comments/1p7n8js/can_something_new_explain_why_chesscom_ai_thinks/
• https://www.reddit.com/r/chessbeginners/comments/1ko6snm/is_chesscom_ai_useless/
• https://www.reddit.com/r/Chesscom/comments/1o2j3rg/is_the_ai_text_in_the_game_analysis_just_plainly/

etc etc.

As an alternative, if you really want that type of UI, you can also use Lichess’ server based engine analysis (you get 40 free per day unlike chess com’s paid stuff):

But it doesn’t tell you why a move is bad. If you really want to learn why a move is bad, the local analysis lets you play your moves against stockfish and experiment and see why they are lacking.

Just learn to use the Lichess local analysis. It’s designed to actually facilitate improvement instead of glazing users and getting them to keep paying.

Switch to lichess.org (open source, has all of chess com’s paid features available for free, plus no ads or trackers).

Start with the chess basics set: https://lichess.org/learn

Then the basic tactics set: https://lichess.org/practice

And then do puzzles: https://lichess.org/training (chess com makes you pay for more than a few per day). Do a lot of them.

Then, you can also analyze your games on lichess using it’s analysis engines (which chess com makes you pay for). Uh I can’t find a good guide how to do this right now, check back later.

Kind of.

Copyfail would punch through user namespaces to get root straight on the host. User namespaces only really protect you against vulnerabilities in non kernel applications.

Limited capibilities/seccomp policies did help, though. In my admittedly limited testing, some of the vulnerabilities wouldn’t work in podman, but they would work in docker. This wasn’t due to user namespaces, but this was due to podman having stricter capibilities/seccomp policies than docker by default.

This implies that even if you were using docker rootless, they still would have been able to break out and get root in one go.

User namespaces don’t add that much security, in my opinion. Assuming your container has a non root user inside, adding user namespaces just changes the amount of cve’s/zerodays from 2 to maybe 3:

With a rootful container it’s:

• Escalate to root (can be done after or before container escape)
• Escape container (can be done after or before escalation to root)

With user namespaces it becomes:

• Maybe escalate to root within the container first to get privileges or access to binaries needed to take advantage of a container escape exploit
• Escape container
• Escalate to root

User namespaces are like every other Linux security solution, they are extremely complex, hard to configure, and they don’t actually add that much security for the trouble The article I linked above has a section about them:

Another example of these features is user namespaces. User namespaces allow unprivileged users to interact with lots of kernel code that is normally reserved for the root user. It adds a massive amount of networking, mount, etc. functionality as new attack surface. It has also been the cause of numerous privilege escalation vulnerabilities, which is why many distributions, such as Debian, had started to restrict access to this functionality by default

Their complexity makes them difficult to secure and execute properly, and adds a ton of attack surface to the kernel.

Dirty frag, for example, was using user namespaces as one of the ways it would escalate. Most container runtimes restrict user namespace creation within user namespaced containers (via seccomp/capabilities), so running dirtyfrag in a container wouldn’t have worked. But, at the same time, dirtyfrag is only possible in the first place because of the attack surface user namespaces cause.

I mostly use docker and rootfull podman for everything. You already need a CVE/zeroday to do a container break out in the first place, so just keep your runtimes up to date and you should be good. If you really care about being proactive with security, and trying to preemptively prevent issues, user namespaces are not really a good solution, better is just to use a VM container runtime like kata or microvm, or a userspace kernel like gvisor or syd. They are pretty easy to use. You can just set them as your container runtime, in docker, podman, or kubes, and things will mostly just work. Those (and other kernel isolation solutions) would have actually beaten dirtyfrag, copyfail, and the like of recent vulns.

Unfortunately, the browser extension is proprietary. They used to have an open source one but they stopped maintaining it.

Proprietary was a dealbreaker for me. There is no way to verify that it isn’t selling everything I type even if I do have it configured to point at a local server.

I’m also concerned that the extension may eventually no longer work against local servers as well.

https://github.com/languagetool-org/languagetool-browser-addon/issues/247

As an alternative, there is harper by wordpress: https://github.com/Automattic/harper

It is webassembly and runs entirely in your browser.

EDIT:

I will add that the rest of the languagetool ecosystem continues to work fine. Libreoffice now has a built in client, which you can point at your own hosted server. VSCode [1] also has their own languagetool extension. I use those and those work great. But in the browser I use harper nothing. I should probably install harper.

[1] Well, technically I use [code-oss]https://wiki.archlinux.org/title/Visual_Studio_Code), which gets the extension from https://open-vsx.org/

1. It’s extraordinarily complex.

The reality is that security is not just technical implementation, but also actually getting people to use the solutions. “Stop disabling SELinux” is not a real answer to when people disable it, like we have one person in this thread.

Another problem with complex security solutions is they are hard to get right. Even if you enable them and configure them, without being an expert, it’s possible you left a gap here or there, and holes and gaps in these solutions.*

2. Like so many other complex linux security solutions, it is lacking effectiveness due to still sharing the same kernel.

There is a good, but bit dated writeup here about the problems with Linux security, from an architecturual perspective: https://madaidans-insecurities.github.io/linux.html . But, the short version is that the Linux kernel is large and complex, and has a lot of attack surface. And it’s a frequent source of vulnerabilities because attackers can hit it as long as they access to the kernel, even if they are in a container/sandbox. Like, copyfail and dirtyfrag would punch through containers, but also punch through SELinux.

For example, just earlier on lemmy someone dropped a zero day that punches through SELinux: https://programming.dev/post/51103657

Now, SELinux can be used to restrict what a root shell could do after escalating… but that’s further complexity you have to learn to configure, and configure it correctly as well.

Ultimately, none of the Linux security solutions come anywhere near the isolation of simply running something in a virtual machine. Which, also happens to be a lot simpler and actually possible to get people to use.

*(putting this at the bottom because it veers off topic) I have a greater argument and problem with mentalities like this. I have noticed a pattern, where many of the more effortfull and toil intensive security solutions are recommended by people who have the time, energy, and skills to execute them. They have a bias/blindspot to the realities, which is that not everyone is in the same situation as them.

For example, updating/patching software. Linux distros like RHEL or Debian, have a policy where they only do security updates, and don’t do feature updates or bugfixes. This enables them to ship automatic updates, so that security issues are automatically handled.

On the other hand software like Windows, likes to bundle in breaking changes along with security updates. So automatic updates get disabled because “They might break something”. And then, people don’t update them, and environments get horrifically out of date, because not enough money/time/people is put into regular IT people who are in charge of maintaining them.

But some environments, have heroes, people who go around patching everything and keeping everything up to date and secure. And when they see these environments that don’t have everything patched, they usually give the advice of “You should patch everything” (while simultaneously advising against auto updates), not understanding that these environments are lacking a key ingredient: Themselves.

Sure, I could be a hero. I could “patch” everything manually. I could deploy SELinux. But that would only last until I get burnt out, or leave. Once I’m gone, SELinux, the patches, any similar security solutions are gone. I’ve met so many people, even in cybersecurity, that are apathetic about security, even though they might have cared once upon a time.