bsergay

joined 1 month ago
sorted by: new top controversial old
So what did it take for you to go to Linux? in c/linux@lemmy.ml
[–] bsergay@discuss.online 9 points 4 days ago

The pursuit of Freedom led me to Linux.

Is Qubes any more efficient in resource usage than a typical VM? in c/linux@lemmy.ml
[–] bsergay@discuss.online 3 points 4 days ago

Are you referring to Qubes OS? If so, what do you mean exactly with hardware support?

CreepJS - Creepy device and browser fingerprinting in c/privacyguides@lemmy.one
[–] bsergay@discuss.online 7 points 1 week ago

IIRC, it stops working whenever you disable JavaScript.

Niche Distro Users: Why? in c/linux@lemmy.ml
[–] bsergay@discuss.online 1 points 1 week ago (1 children)

I think we’ve probably already spoken on the matter.

That's definitely possible. Unfortunately, I don't recall it 😅.

Indeed, Lemmy has a serious dearth of users interested and using secure distros over the averages.

It's definitely better at this than the platform that starts with an "R" and rhymes with "shit".

Thanks for your efforts; I do not know how to follow users on Lemmy but if I did I’d follow you. Do you have a blog/any other forum you’re more active on?

That's such a compliment. This is definitely one of the nicest things I've read on Lemmy. I really appreciate it.

Unfortunately, I'm only somewhat active on Lemmy. FWIW, consider checking out the following places if you haven't yet:

  • dataswamp.org/~solene
  • privsec.dev
  • tech.michaelaltfield.net/

And, of course, Qubes OS' forums.

Personally, I find it difficult to justify the time to learn Secureblue (especially the immutable part) or NixOS on Qubes because custom DispVMs with curated salt states work so well already. I’m interested in use-cases that will improve my security but I haven’t found any dialogue on this yet. If you do have opinions on this and know where I can look, I would greatly appreciate it!

As I've previously alluded to, I don't have any hands-on experience with Qubes OS yet. So, I don't think I can contribute meaningfully in this discussion. However, IIRC, there are some discussions found on the forums/discussions page for Qubes OS.

Niche Distro Users: Why? in c/linux@lemmy.ml
[–] bsergay@discuss.online 2 points 1 week ago

Aight. I'm glad to hear that that has been resolved. I'd love to hear about your experiences on secureblue, so consider to report back. Finally, note that as a hardened distro, some things might work differently from what you'd expect. So be prepared to relearn a thing or two 😉.

Niche Distro Users: Why? in c/linux@lemmy.ml
[–] bsergay@discuss.online 4 points 1 week ago

Whonix is an OS exclusively meant to be used within a VM; at least, until Whonix-Host is released. Therefore, I didn't include it as it's not actually competing within the same space; as it can be run on any of the aforementioned systems within a VM. Finally, it's worth noting that by its own documentation, it's desirable to do so with Qubes OS.

Niche Distro Users: Why? in c/linux@lemmy.ml
[–] bsergay@discuss.online 2 points 1 week ago (3 children)

Please allow me to link to an earlier comment of mine that goes over this in more length. You may also find it copied-and-pasted down below:

First of all, apologies for delaying this answer.

Disclaimer:

  • I'm not an expert. While I try to verify information and only accept it accordingly, I'm still human. Thus, some falsehoods may have slipped through, my memory may have failed me, and/or what's found below could be based on outdated data.
  • Additionally, I should note that I'm a huge nerd when it comes to 'immutable' distros. As a result, I'm very much biased towards secureblue, even if Kicksecure were to address all of their 'issues'.
  • Furthermore, for the sake of brevity, I've chosen to stick closely to the OOTB experience. At times, I may have diverged with Qubes OS, but Qubes OS is so far ahead of the others that it's in a league of its own.
  • Finally, it's important to mention that -ultimately- these three systems are Linux' finest when it comes to security. In a sense, they're all winners, each with its use cases based on hardware specifications, threat models, and priorities. However, if forced to rank them, I would order them as:

Qubes OS >> secureblue >~ Kicksecure

Context: Answering this question puts me in a genuinely conflicted position 😅. I have immense respect for the Kicksecure project, its maintainers and/or developers. Their contributions have been invaluable, inspiring many others to pursue similar goals. Unsurprisingly, some of their work is also found in secureblue. So, to me, it feels unappreciative and/or ungrateful to criticize them beyond what I've already done. However, I will honor your request for the sake of providing a comprehensive and balanced perspective on the project's current state and potential areas for improvement.

Considerations: It's important to approach this critique with nuance. Kicksecure has been around for over a decade, and their initial decisions likely made the most sense when they started. However, the Linux ecosystem has changed dramatically over the last few years, causing some of their choices to age less gracefully. Unfortunately, like most similar projects, there's insufficient manpower to retroactively redo some of their earlier work. Consequently, many current decisions might be made for pragmatic rather than idealistic reasons. Note that the criticisms raised below lean more towards the idealistic side. If resources allowed, I wouldn't be surprised if the team would love to address these issues. Finally, it's worth noting that the project has sound justifications for their decisions. It's simply not all black and white.

With that out of the way, here's my additional criticism along with comparisons to Qubes OS and secureblue:

  • Late adoption of beneficial security technologies: Being tied to Debian, while sensible in 2012, now presents a major handicap. Kicksecure is often late to adopt new technologies beneficial for security, such as PipeWire and Wayland. While well-tested products are preferred for security-sensitive systems, PulseAudio and X11 have significant exploits that are absent from PipeWire and Wayland by design. In this case, preferring the known threat over the unproven one is questionable.
    • Qubes OS: Its superior security model makes direct comparisons difficult. However, FWIW, Qubes OS defaults for its VMs to Debian and Fedora. The latter of which is known to push new technologies and adopt them first.
    • secureblue: Based on Fedora Atomic, therefore it also receives these new technologies first.
  • Lack of progress towards a stateless^[1]^ system: Stateless systems improve security by reducing the attack surface and making the system more predictable and easier to verify. They minimize persistent changes, impeding malware's ability to maintain a foothold and simplifying system recovery after potential compromises. While this is still relatively unexplored territory, NixOS's impermanence module is a prominent example.
    • Qubes OS: There's a community-driven step-by-step guide for achieving this.
    • secureblue: Based on Fedora Atomic, which has prioritized combating state since its inception^[2]^. Its immutable design inherently constrains state compared to traditional distros, with ongoing development promising further improvements.
  • Deprecation of hardened_malloc: This security feature, found in GrapheneOS, was long championed by Kicksecure for Linux on desktop. However, they've recently chosen to deprecate it.
    • Qubes OS: Supports VMs with hardened_malloc enabled OOTB, for which Kicksecure used to be a great candidate.
    • secureblue: Continues to support hardened_malloc and has innovatively extended its use to flatpaks.
  1. This paper provides a comprehensive (albeit slightly outdated) exposition on the matter. Note that it covers more than just this topic, so focus on the relevant parts.
  2. Colin Walters, a key figure behind Fedora CoreOS and Fedora Atomic, has written an excellent blog post discussing 'state'.
Niche Distro Users: Why? in c/linux@lemmy.ml
[–] bsergay@discuss.online 1 points 1 week ago (2 children)

What are the main advantages of using this, that make it more secure?

More secure compared to your average distro? Or more secure compared to a specific set of distros? Unless, this is properly specified, this comment could become very unwieldy 😅.

Thanks in advance for specifying!

Niche Distro Users: Why? in c/linux@lemmy.ml
[–] bsergay@discuss.online 14 points 1 week ago (11 children)

I daily drive secureblue; or, to be more precise, its bluefin-main-userns-hardened image.

"Why?", you ask. Because security is my number one priority.

I dismiss other often mentioned hardened systems for the following reasons:

  • Qubes OS; my laptop doesn't satisfy its hardware requirements. Otherwise, this would have been my daily driver.
  • Kicksecure; primary reason would be how it's dependent on backports for security updates.
  • Tails; while excellent for protection against forensics, its security model is far from impressive otherwise. It's not really meant as a daily driver for general use anyways.
  • Spectrum OS; heavily inspired by Qubes OS and NixOS, which is a big W. Unfortunately, it's not ready yet.
How have you automated configuring your machines in terms of packages and dotfiles so it works cross-distro? in c/linux@lemmy.ml
[–] bsergay@discuss.online 20 points 1 week ago (3 children)

Nix, the package manager, is distro-agnostic. Add Home Manager on top of it and you're good to go; both packages and dotfiles are dealt with.

43
An Initial Benchmark Of Bcachefs vs. Btrfs vs. EXT4 vs. F2FS vs. XFS On Linux 6.11 (www.phoronix.com)
136
An Initial Benchmark Of Bcachefs vs. Btrfs vs. EXT4 vs. F2FS vs. XFS On Linux 6.11 (www.phoronix.com)
Manjaro Immutable Out Now for Community Testing in c/linux@programming.dev
[–] bsergay@discuss.online 7 points 2 weeks ago (3 children)

I could probably summarize your experience as "skill issue".

I don’t understand the hype of immutables, or usability even.

I suppose this article/blogpost by Lennart Poettering should suffice. Though, this article/blogpost by Colin Walters is also cool.

I tried Bazzite today after Nobara nuked itself, and I couldn’t even paste my old Firefox profile since the actual folder apparently sits within the immutable folder structure.

This is simply false as pointed out by others already.

I didn’t even have time to reach the software limitations with how fast I tried the next distro.

You will have a very hard time on Linux with that mindset. And, to be honest, literally any OS you aren't already familiar with.

Still hopping though, because apparently Fedora just nukes itself when you try to install codecs

I wouldn't be surprised if you just searched this through your favorite search engine and settled with whatever random solution you came across instead of relying upon RPM Fusion's documentation on the matter.

and I think I have about every major distro tested by now.

While this could be true, I wonder what prevented you from sticking with any one of them.

Linux is cursed.

It's definitely a lot harder if you've got major skill issues.

Switching back to Windows. For now. in c/linux@lemmy.ml
[–] bsergay@discuss.online 1 points 3 weeks ago

Thanks for clarifying!

IMO immutable distros aren’t a best fit for a desktop computer. It can do so much more than gaming and turning it into a dedicated console is a step back if a normal linux distro can do just as well.

I would personally nuance this to: "Current iterations of 'immutable distros' that have evolved from traditional distros haven't matured sufficiently yet to tackle 99.99% of the use cases 'easily'." The exact number on the percentage I don't know. I believe most people that use their PCs as a glorified app launcher should be more than fine. But we start experiencing major difficulties the very moment that (a)kmods are involved; some of which are 'supported'~ish, while others certainly aren't.

But, I simply fail to see why a future iteration would not be able to solve related issues.

24
Linux Distros Evolution over time - July 2024 Snapshot (boilingsteam.com)
30
Linux Distros Evolution over time - July 2024 Snapshot (boilingsteam.com)
69
Sell us on your favorite exotic/niche distro (discuss.online)
 

The Linux ecosystem is vast and diverse, offering a multitude of distributions to suit every need and preference. With hundreds of distros to choose from, it’s a pity that most are rarely mentioned while the popular ones are constantly being regurgitated.

This thread aims to celebrate this diversity and shine a light on smaller projects with passionate developers. I invite you to pitch your favorite underappreciated distro and share your experiences with those lesser-known Linux distributions that deserve more attention.

While there are no strict rules or banlists, I encourage you to focus on truly niche or exotic distributions rather than the more commonly discussed ones. Consider touching upon what makes your chosen distro unique:

  • What features or philosophies set it apart?
  • Why do you favor it over other distros, including the popular ones? (Beyond “It just works.”)
  • In what situations would you recommend it to others?

Whether it’s a specialized distro for a particular use case or a general-purpose OS with a unique twist, let’s explore the road less traveled in the Linux landscape. Your insights could introduce fellow enthusiasts to their next favorite distribution!

107
Sell us on your favorite exotic/niche distro (discuss.online)
 

The Linux ecosystem is vast and diverse, offering a multitude of distributions to suit every need and preference. With hundreds of distros to choose from, it's a pity that most are rarely mentioned while the popular ones are constantly being regurgitated.

This thread aims to celebrate this diversity and shine a light on smaller projects with passionate developers. I invite you to pitch your favorite underappreciated distro and share your experiences with those lesser-known Linux distributions that deserve more attention.

While there are no strict rules or banlists, I encourage you to focus on truly niche or exotic distributions rather than the more commonly discussed ones. Consider touching upon what makes your chosen distro unique:

  • What features or philosophies set it apart?
  • Why do you favor it over other distros, including the popular ones? (Beyond "It just works.")
  • In what situations would you recommend it to others?

Whether it's a specialized distro for a particular use case or a general-purpose OS with a unique twist, let's explore the road less traveled in the Linux landscape. Your insights could introduce fellow enthusiasts to their next favorite distribution!

244
Leaked Docs Show What Phones Cellebrite Can (and Can’t) Unlock (www.404media.co)
 
Leaked Docs Show What Phones Cellebrite Can (and Can’t) Unlock

The leaked April 2024 documents, obtained and verified by 404 Media, show Cellebrite could not unlock a large chunk of modern iPhones.

Cellebrite, the well-known mobile forensics company, was unable to unlock a sizable chunk of modern iPhones available on the market as of April 2024, according to leaked documents verified by 404 Media.

The documents, which also show what various Android handsets and operating system versions Cellebrite can access, provide granular insight into the very recent state of mobile forensic technology. Mobile forensics companies typically do not release details on what specific models their tools can or cannot penetrate, instead using vague terms in marketing materials. The documents obtained by 404 Media, which are given to customers but not published publicly, show how fluid and fast moving the success, or failure, of mobile forensic tools can be, and highlights the constant cat and mouse game between hardware and operating manufacturers like Apple and Google, and the hacking companies looking for vulnerabilities to exploit.

Analysis of the documents also comes after the FBI announced it had successfully gained access to the mobile phone used by Thomas Matthew Crooks, the suspected shooter in the attempted assassination of former President Donald Trump. The FBI has not released details on what brand of phone Crooks used, and it has not said how it was able to unlock his phone.

The documents are titled “Cellebrite iOS Support Matrix” and “Cellebrite Android Support Matrix” respectively. An anonymous source recently sent the full PDFs to 404 Media, who said they obtained them from a Cellebrite customer. GrapheneOS, a privacy and security focused Android-based operating system, previously published screenshots of the same documents online in May, but the material did not receive wider attention beyond the mobile forensics community.

For all locked iPhones able to run 17.4 or newer, the Cellebrite document says “In Research,” meaning they cannot necessarily be unlocked with Cellebrite’s tools. For previous iterations of iOS 17, stretching from 17.1 to 17.3.1, Cellebrite says it does support the iPhone XR and iPhone 11 series. Specifically, the document says Cellebrite recently added support to those models for its Supersonic BF [brute force] capability, which claims to gain access to phones quickly. But for the iPhone 12 and up running those operating systems, Cellebrite says support is “Coming soon.”

A SECTION OF THE IOS DOCUMENT. IMAGE: 404 MEDIA.

The iPhone 11 was released in 2019. The iPhone 12 was launched the following year. In other words, Cellebrite was only able to unlock iPhones running the penultimate version of iOS that were released nearly five years ago.

The most recent version of iOS in April 2024 was 17.4.1, which was released in March 2024. Apple then released 17.5.1 in May. According to Apple’s own publicly released data from June, the vast majority of iPhone users have upgraded to iOS 17, with the operating system being installed on 77 percent of all iPhones, and 87 percent of iPhones introduced in the last four years. The data does not break what percentage of those users are on each iteration of iOS 17, though.

Cellebrite offers a variety of mobile forensics tools. That includes the UFED, a hardware device that can extract data from a physically connected mobile phone. The UFED is a common sight in police departments across the country and world, and is sometimes used outside of law enforcement too. Cellebrite also sells Cellebrite Premium, a service that either gives the client’s UFED more capabilities, is handled in Cellebrite’s own cloud, or comes as an “offline turnkey solution,” according to a video on Cellebrite’s website.

That video says that Cellebrite Premium is capable of obtaining the passcode for “nearly all of today’s mobile devices, including the latest iOS and Android versions.”

That claim does not appear to be reflected in the leaked documents, which show that, as of April, Cellebrite could not access from locked iOS phones running 17.4.

The second document shows that Cellebrite does not have blanket coverage of locked Android devices either, although it covers most of those listed. Cellebrite cannot, for example, brute force a Google Pixel 6, 7, or 8 that has been turned off to get the users’ data, according to the document. The most recent version of Android at the time of the Cellebrite documents was Android 14, released October 2023. The Pixel 6 was released in 2021.

A SECTION OF THE ANDROID DOCUMENT. IMAGE: 404 MEDIA.

Cellebrite confirmed the authenticity of the documents in an emailed statement to 404 Media. “Similar to any other software company, the documents are designed to help our customers understand Cellebrite’s technology capabilities as they conduct ethical, legally sanctioned investigations—bound by the confines of a search warrant or an owner’s consent to search. The reason we do not openly advertise our updates is so that bad actors are not privy to information that could further their criminal activity,” Victor Ryan Cooper, senior director of corporate communications and content at Cellebrite, wrote.

“Cellebrite does not sell to countries sanctioned by the U.S., EU, UK or Israeli governments or those on the Financial Action Task Force (FATF) blacklist. We only work with and pursue customers who we believe will act lawfully and not in a manner incompatible with privacy rights or human rights,” the email added. In 2021 Al Jazeera and Haaretz reported that a paramilitary force in Bangladesh was trained to use Cellebrite’s technology.

Cellebrite is not the only mobile forensics company targeting iOS devices. Grayshift makes a product called the GrayKey, which originally was focused on iOS devices before expanding to Android phones too. It is not clear what the GrayKey’s current capabilities are. Magnet Forensics, which merged with Grayshift in 2023, did not immediately respond to a request for comment.

Cellebrite’s Android-focused document also explicitly mentions GrapheneOS in two tables. As well as being an operating system that the privacy-conscious might use, 404 Media has spoken to multiple people in the underground industry selling secure phones to drug traffickers who said some of their clients have moved to using GrapheneOS in recent years.

Daniel Micay, founder of GrapheneOS, told 404 Media that GrapheneOS joined a Discord server whose members include law enforcement officials and which is dedicated to discussions around mobile forensics. “We joined and they approved us, with our official GrapheneOS account, but it seems some cops got really mad and got a mod to ban us even though we didn't post anything off topic or do anything bad,” Micay said.

There is intense secrecy around the community of mobile forensics experts that discuss the latest unlocking tricks and shortcomings with their peers. In 2018 at Motherboard, I reported that law enforcement officials were trying to hide their emails about phone unlocking tools. At the time, I was receiving leaks of emails and documents from inside mobile forensics groups. In an attempt to obtain more information, I sent public records requests for more emails.

“Just a heads up, my department received two public records request[s] from a Joseph Cox at Motherboard.com requesting 2 years of my emails,” a law enforcement official wrote in one email to other members. I learned of this through a subsequent leak of that email. (404 Media continues to receive leaks, including a recent set of screenshots from a mobile forensics Discord group).

Google did not respond to a request for comment. Apple declined to comment.

6
Linux Myths (linux-myths.pages.dev)
submitted 1 month ago* (last edited 1 month ago) by bsergay@discuss.online to c/linux@programming.dev
2 comments fedilink
 
Linux Myths

A compilation of linux myths and misconceptions, busted and explained

Purpose

To catalog and provide useful responses to common linux misconceptions and myths. To serve as a useful reference for new and old users alike.

I'm not affiliated with the website or its creator(s).

44
Linux Myths (linux-myths.pages.dev)
submitted 1 month ago* (last edited 1 month ago) by bsergay@discuss.online to c/linux@lemmy.ml
20 comments fedilink
 
Linux Myths

A compilation of linux myths and misconceptions, busted and explained

Purpose

To catalog and provide useful responses to common linux misconceptions and myths. To serve as a useful reference for new and old users alike.

I'm not affiliated with the website or its creator(s).

114
Is NixOS at the advent of an implosion? | Community inquiry on recent drama (discuss.online)
submitted 1 month ago* (last edited 1 month ago) by bsergay@discuss.online to c/linux@lemmy.ml
94 comments fedilink
 

NixOS' influence and importance at pushing Linux forward into the (previously) unexplored landscape of configuring your complete system through a single config file is undeniable. It's been a wild ride, but it was well worth it.

And although it has only been relatively recently that it has lost its niche status, the recent influx of so-called 'immutable' distros springing up like mushrooms is undeniably linked to and inspired by NixOS.

However, unfortunately, while this should have been very exciting times for what's yet to come, the recent drama surrounding the project has definitely tarnished how the project is perceived.

NixOS' ideas will definitely live on regardless. But how do you envision NixOS' own future? Any ETA's for when this drama will end? Which lessons have we learned (so far) from this drama? Are there any winners as a result of this drama? Could something like this happen to any distro?

In case you're out of the loop. Though, there's a lot that has transpired since but which hasn't been rigorously documented at a single place; like how 4 out of 5 NixOS board members have quit over the last 2 months or so.

view more: next ›