mikey

joined 1 year ago
[–] mikey 16 points 2 weeks ago

Unfortunately, this is probably because of the apps started using the Play Integrity API, which is a hardware-based attestation and can only be faked in two ways that GrapheneOS isn't interested in:

  • you can fake an older device that didn't support hardware attestation yet, or had a broken implementation
  • or you can try getting leaked vendor keys and emulate the crypto with those until they get revoked
[–] mikey 18 points 3 weeks ago* (last edited 3 weeks ago) (3 children)

It's only backwards because you're looking at it from the outside from the front. When it's in you, the left is on your left.

[–] mikey 4 points 8 months ago

Have you heard of social engineering and phishing? I consider those to be analogous to uploading new rules for ChatGPT, but since humans are still smarter, phishing and social engineering seems more advanced.

[–] mikey 6 points 8 months ago

Whew, there's a lot to unpack here.

First, microkernels being the future: This is a sentence that was said time and time again, but while microkernels definitely have some advantages in separating components which could yield better security, in practice it also introduces other security concerns, not present with monolithic kernels, mostly with the communication between the kernel services.

Second, about the no secure Linux distros thing: As many others have mentioned, there are security-conscious Linux distros, mostly the "immutable" distros. You can use Fedore Silverblue (or even better, SecureBlue) as a daily driver, with Flatpak for your apps. That way, your main OS is read-only, thus harder to infect and all system updates are signed and verified. Using Flatpak helps enforce permissions on apps in a manner similar to Android permission (you can deny an app the right to see your files, for example).

Third, I don't really understand what you mean by "Linux's security holes". Of course it's not bug free, but no kernel of this magnitude is. Also, GrapheneOS uses Linux as well, albeit with a hardening patchset, but you can also get that with desktop Linux distros. If you think Linux (being a monolithic kernel) is automatically less secure than microkernel and hybrid kernel based systems, take a look at Windows and macOS, which both use non-monolithic kernels, but most security experts will tell you that you're better off using Linux.

Fourth, about all the niche, mostly hobby OSes you listed: A big part of security is about having more eyes on the source code. Even if you write a kernel in a "safe" programming language, there will be bugs. Something as advanced as a kernel that's ready for daily desktop use and provides advanced isolation between processes is going to be so complex that you won't be able to see what bugs arised from the different parts interacting with each other. Safe programming languages make it easier to write safe code, but don't stop you from messing up the logic that defines what apps have which permissions. Your best bet is to stick to software that has had time to mature and had more people and companies look through it. Linux is regularly audited by all tech giants, because all clouds use Linux to some extent. If it's secure enough to isolate the workloads in Google Cloud, and Amazon's AWS, it's going to be secure enough for your desktop, provided you use it well (make use of it's security features and don't shoot yourself in the foot by disabling mitigations and the like). This is partly why I think the idea that OpenBSD is more secure than Linux is somewhat outdated. Yes, they advertise it as such, but it has seen much-much less auditing than Linux did in the cloud era.

Of course, there's nothing wrong with playing around with alternatives operating systems, just don't think you'll be more secure just because something is written in Rust, or is a microkernel. Those can help, but there's much more to security than the guardrails a programming language or software architecture can provide, especially with something as complex as a modern kernel.

[–] mikey 2 points 8 months ago

For me, as an SRE:

  • Mullvad VPN
  • Google Drive (until I set up my NAS)
  • YouTube Premium
  • ChatGPT (but I am thinking of trying out Claude 3 instead)

Other, non-tech subscriptions:

  • Public transport
  • Public bike sharing
  • Food delivery

Things I might pay for if my employer didn't:

  • IntelliJ Ultimate
  • GitHub Copilot

Random IT-adjacent services I occasionally donate to:

  • Codeberg
  • Wikipedia
[–] mikey 10 points 9 months ago

That depends on your Mac. The older the Mac, the older the version. On most M1 Macs, you can go back even to Big Sur, on M2 it's usually Monterey and so on. It might be different with the Pro/Max/Ultra variants though.

[–] mikey 5 points 9 months ago

Good luck, Dude! I'm sooo looking forward to seeing what I previously upvoted.

[–] mikey 15 points 10 months ago (2 children)

This change only brings speed & stability, which is essential, but hard to see for us, end users. The bigger one is going to happen on Thursday, where Lemmy itself is going to be updated. After Thursday's update, any users will be able to block entire instances and see our upvotes, along with many other Lemmy updates.

[–] mikey 23 points 11 months ago (6 children)

In Hungarian it says "segglyuk", but that means "asshole". It should be "segg" to match "ass".

[–] mikey 6 points 11 months ago* (last edited 11 months ago) (3 children)

Well, the routes might manifest somewhere as files, but I don't expect anyone to be able to viably parse them without commands like ip or ifconfig (or know where the files even are).

Some devices (like disks for example) are very straightforward to use as files, while some other special files (like USB devices) are so weird/ugly to use that everyone uses tools/libraries to access them (like libusb).

This is very off-topic, but there's a great talk by Benno Rice that talks about this (among many others): https://youtu.be/9-IWMbJXoLM

[–] mikey 6 points 11 months ago (5 children)

They aren't asking about changes to a file describing the routing config, rather the actual in-use routing config. Unless the routing rules are modified through a couple of files (which I doubt), this doesn't answer the question.

Cool commands though.

[–] mikey 10 points 11 months ago

I don't know anything about how Firefox is packaged for snap, but snap's "sandboxing" might interfere with getting all fonts.

You might want to try using Firefox without snap (which has some other benefits, especially around startup time) or adding ~/.local/share/fonts (which is where fonts are supposed to be installed for users) to some sort of allowlist.

view more: next ›