The take away of that story is: don't post a message from Tor that gives out the network that you're entering Tor from.
They're talking about the attack surface to get accidental code execution from opening files that try to exploit vim. Integrating shell commands with vim/less is a valid feature.
>namespaces (which have been a frequent source of vulnerabilities)... Unprivileged user namespaces sure, but I don't think that applies to namespaces in general (which without unprivileged user namespaces can only be…
Yeah I was wrong about that, I confused it with socket-activation passing. The systemd-side socket is available from the process.
Services may be in a different mount namespace from systemd for sandboxing or other reasons (also means you have to worry about filesystem permissions I suppose). Passing an fd from the parent (systemd) is a nice direct…
Use Invidious, use RSS, use yt-dlp, use Tor.
The vast majority of services and user programs don't need to escalate privileges by invoking SUID/SGID binaries. no_new_privs should be used on them so that the "setuid with libc/LD programs" security boundary is…
It could be a FOSS portable binary that runs outside of a web browser.
They aren't preventing you from using a content filter nor are they making it difficult to scrape the site. The counter measures against this are the problem.
I agree, I don't even care about ads in specific. I primarily use the tor browser which doesn't block ads due to fingerprinting (it's ok for casual browsing, though some sites are actually obnoxious and slow down the…
For faster session establishment in OpenSSH consider ControlMaster in ssh_config(5), which multiplexes multiple sessions in one connection instead of creating a new connection for each session.
Lots of games won't ever be converted to Wayland (maybe some unofficially by replacing libraries with updated ones that still work with the game), we'll need some nested X server like xwayland in rootful mode once…
Also, malicious code can be pushed to the website if you are logging in through that. You have to trust that their infrastructure is safe.
You can mark individual files as No_COW in btrfs, and No_COW + preallocation is a requirement for swapfiles anyway due to how the swap subsystem works.
>affected 100% of the connections to XMPP STARTTLS port 5222 (not 5223) Why did they only target the STARTTLS port? On a related note, I would never use the STARTTLS port (opportunistic encryption) if I knew that the…
Instead of replacing the md5sum on the download page an attacker could replace the infohash/magnet link/.torrent file.
There's at least some differences, such as HTTP/2 usage, or maybe algorithm usage/bugs in newer versions. Whether or not most tracker staff actually bother to attempt fingerprinting, IDK.
The article linked includes OOB verification as a scenario in TOFU. From the perspective of the ssh client it's TOFU (no CA chain for the client to perform a check), sure, that just means it's up to the user to do the…
systemd.directives(7) is useful if you know what directive you want to read about but not in what manual it's in.
I recommend programs using Tor to be run in an empty network namespace then set http/HTTPS/ALL_PROXY to a Unix domain socket created in torrc (or use socat to get it on the namespaces' 127.0.0.1 if not supported by the…
If I'm allowed to use a software implementation (like with TOTP) so that my private keys can be stored in for e.g. a KeePassXC database so that I can back it up by having multiple copies, then I'm okay with it. Is it…
The captcha on this page takes a few seconds then says "Failure", with no message, then restarts itself, when using Tor Browser on the Safer mode. edit: Was able to get a mix of a few successes and a few failures upon…
They have a couple more joke physical JP input methods: https://github.com/google/mozc-devices
What in particular needs to be upstreamed and to what projects?
Most of it is open source similarly to the Chrome/Chromium situation. But you're right that many Linux desktop users won't care about it due to it being locked down and limited, which was demonstrated in the article.…
The take away of that story is: don't post a message from Tor that gives out the network that you're entering Tor from.
They're talking about the attack surface to get accidental code execution from opening files that try to exploit vim. Integrating shell commands with vim/less is a valid feature.
>namespaces (which have been a frequent source of vulnerabilities)... Unprivileged user namespaces sure, but I don't think that applies to namespaces in general (which without unprivileged user namespaces can only be…
Yeah I was wrong about that, I confused it with socket-activation passing. The systemd-side socket is available from the process.
Services may be in a different mount namespace from systemd for sandboxing or other reasons (also means you have to worry about filesystem permissions I suppose). Passing an fd from the parent (systemd) is a nice direct…
Use Invidious, use RSS, use yt-dlp, use Tor.
The vast majority of services and user programs don't need to escalate privileges by invoking SUID/SGID binaries. no_new_privs should be used on them so that the "setuid with libc/LD programs" security boundary is…
It could be a FOSS portable binary that runs outside of a web browser.
They aren't preventing you from using a content filter nor are they making it difficult to scrape the site. The counter measures against this are the problem.
I agree, I don't even care about ads in specific. I primarily use the tor browser which doesn't block ads due to fingerprinting (it's ok for casual browsing, though some sites are actually obnoxious and slow down the…
For faster session establishment in OpenSSH consider ControlMaster in ssh_config(5), which multiplexes multiple sessions in one connection instead of creating a new connection for each session.
Lots of games won't ever be converted to Wayland (maybe some unofficially by replacing libraries with updated ones that still work with the game), we'll need some nested X server like xwayland in rootful mode once…
Also, malicious code can be pushed to the website if you are logging in through that. You have to trust that their infrastructure is safe.
You can mark individual files as No_COW in btrfs, and No_COW + preallocation is a requirement for swapfiles anyway due to how the swap subsystem works.
>affected 100% of the connections to XMPP STARTTLS port 5222 (not 5223) Why did they only target the STARTTLS port? On a related note, I would never use the STARTTLS port (opportunistic encryption) if I knew that the…
Instead of replacing the md5sum on the download page an attacker could replace the infohash/magnet link/.torrent file.
There's at least some differences, such as HTTP/2 usage, or maybe algorithm usage/bugs in newer versions. Whether or not most tracker staff actually bother to attempt fingerprinting, IDK.
The article linked includes OOB verification as a scenario in TOFU. From the perspective of the ssh client it's TOFU (no CA chain for the client to perform a check), sure, that just means it's up to the user to do the…
systemd.directives(7) is useful if you know what directive you want to read about but not in what manual it's in.
I recommend programs using Tor to be run in an empty network namespace then set http/HTTPS/ALL_PROXY to a Unix domain socket created in torrc (or use socat to get it on the namespaces' 127.0.0.1 if not supported by the…
If I'm allowed to use a software implementation (like with TOTP) so that my private keys can be stored in for e.g. a KeePassXC database so that I can back it up by having multiple copies, then I'm okay with it. Is it…
The captcha on this page takes a few seconds then says "Failure", with no message, then restarts itself, when using Tor Browser on the Safer mode. edit: Was able to get a mix of a few successes and a few failures upon…
They have a couple more joke physical JP input methods: https://github.com/google/mozc-devices
What in particular needs to be upstreamed and to what projects?
Most of it is open source similarly to the Chrome/Chromium situation. But you're right that many Linux desktop users won't care about it due to it being locked down and limited, which was demonstrated in the article.…