BigHeadMode

@ BigHeadMode @lemmy.frozeninferno.xyz

Posts

11
Comments

26
Joined

2 yr. ago

1mo ago

Follow Up: PGP vs. HTTPS for Software Authenticity

1mo ago

Threat model for PGP signed software vs. HTTPS

BigHeadMode @lemmy.frozeninferno.xyz 1mo ago

That's Plan D in my OP. I still find hashes more convenient than PGP, but I'll give PGP another try.

1mo ago

Threat model for PGP signed software vs. HTTPS

BigHeadMode @lemmy.frozeninferno.xyz 1mo ago

Not sure what you're getting at.

plan A in my OP goes great. ubuntu.com has rarely if ever been compromised. They provide sha256 hashes over HTTPS via that site, see here. It's signed with Lets Encrypt which updates every 90 days. In theory the Ubuntu PGP keys are more secure (less moving parts /attack surface) than their server, but in practice a compromise of Ubuntu.com lasting longer than 90 days would be extraordinary. Most times I see mirrors, the hashes are provided on the main site, which renders the mirrors obviously correct or incorrect. I can download an Ubuntu ISO from malware.ru and verify that it's authentic with the sha hash.

The only flaw I have found in plan A is plan D.

❌ plan D

bad guy owns software.org
did not compromise the public key (created years prior by the true owner)
they cannot distribute software that matches the public key
software is malware, served over valid https, and verifiable with malware hashes served by bad guy

With a hash, assuming you can verify it properly, you know ubuntu.com served you what it wanted to serve you.

Getting an md5 or sha-1 hash is pretty easy even on Windows. There's some BS md5 or sha function built in to Windows if you know where to look. It's built in to most unixes with commands like md5sum and shasum. Those algorithms have few if any real-world flaws, but sha256 is plenty popular now and has no(?) known flaws.

If this is some comment in the vein of "Reflections on Trusting Trust" -- there are tons of hash programs out there that can be run offline that will predate software to be hashed by years if not decades. I trust these myriad programs to provide accurate hashes.

2mo ago

Threat model for PGP signed software vs. HTTPS

Cybersecurity @sh.itjust.works

BigHeadMode @lemmy.frozeninferno.xyz 2mo ago

HTTPS is super convenient. If you’re paranoid, or the entire chain is not HTTPS (HTTPS links to HTTP downloads), you can use a hash program.

2mo ago

Threat model for PGP signed software vs. HTTPS

3mo ago

Linux Hardening Guide / Linux is Insecure

a solution in wide use in several Linux distros, meaning the compartmentalization of apps in constrained environments is already a mechanic used in flatpack, snap, even docker

Not a good argument. Several distros use it, but most mainstream distros are not focused on sandboxed apps. If you look up "should I use Snap on Ubuntu" the responses are around 80% no.

3mo ago

Linux Hardening Guide / Linux is Insecure

no one was writing malware targeted at us

Probably not true now. It took some digging but I found e.g. BPFdoor https://attack.mitre.org/software/S1161/ which "does not need root to run" https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis

The silver lining is that a lot of these backdoors are nation-state level so you might not be targeted by them. If I had data on my computer worth a dang, I'd be more concerned.

3mo ago

The ChromeOS of Linux: Basic use cases, impossible to break, ~1,000 happy(?) users, Nix based. Nixbook OS.

It's controlled by a major corporation that tightens up all the time (e.g. the manifest v3 changes conveniently hurting ublock origin, the weird app interests thing that only Google supports, the conflicts of interest between Chrome, Google, and Chrome users [webP vs JPEG-XL]). Stock Chrome/ChromeOS is a massive data harvesting operation that gets more insistent with each update. Once Google stops supporting them they can become paperweights if you don't have alternate OS support (not every model does). Goes against the libre philosophy of mainline linux. ChromeOS running Linux is an implementation detail, for how much use it provides the average user.

3mo ago

Linux Hardening Guide / Linux is Insecure

Graphene has options to restrict that [user storage availability] but you have to set it up that way.

It's also a bit of a pain to manage as an end user. I wish it shipped with a toggle that was a step up from stock Android but also not in the way constantly. Like "we went through the top 50 apps on Play Store and FDroid, we classified them as media player, social media, etc., and we made rules for each category that reasonably isolates it while still allowing core functionality."

Linux @lemmy.ml

madaidans-insecurities.github.io /guides/linux-hardening.html

3mo ago

Linux Hardening Guide / Linux is Insecure

3mo ago

Confession: I don't know what passwords in Linux are for

Your phone and optional software available for Linux go a step further [for bruteforce prevention]

Do you have specifics for Linux?

3mo ago

The ChromeOS of Linux: Basic use cases, impossible to break, ~1,000 happy(?) users, Nix based. Nixbook OS.

Cheers to this guy for what he’s doing, but the name is a little confusing. This approach works but it is not nearly as robust as the immutable distro paradigm implied by the name.

Good point. It's a 1000 person PoC and not yet a titan. He's doing in-the-field testing and even has his two kids daily driving it (one on testing branch, haha).

Linux @lemmy.ml

trl.org /blogs/post/closing-the-digital-divide-qa-with-local-computer-upcycler-mike-kelly/

3mo ago

The ChromeOS of Linux: Basic use cases, impossible to break, ~1,000 happy(?) users, Nix based. Nixbook OS.

3mo ago

Your old android phone is begging to be a cheap home server!

It's great to reduce ewaste, but from a practical perspective I strongly suggest finding a phone that can do postmarketOS. This is becoming more of a trend and postmarket at least has a handful of guides from people who have put servers on PMOS. I suspect all phones lead to pain when self hosting, but postmarket leads to less pain.

4mo ago

Confession: I don't know what passwords in Linux are for

Any modern operating system is so complex and has so many parts interacting with each other that it’s always possible to hide something malicious somewhere in the Rube Goldberg machine which most people will never notice.

100%. From what you're saying, though, it sounds like a Linux password is a red herring, and a secure password even more so. If SSH is disabled the class of attacks to be prevented are users 'voluntarily' running malware pretending to be goodware.

Never ever run any untrusted program or script, not even unprivileged. The biggest thing Linux has over Windows in this regard is the package manager, which is actively moderated by your distro maintainers, so you don’t have to download random installers from the internet like on Windows.

True, but does anyone operate this way? At that point it becomes an iPad or a Chromebook. (It does look like flatpaks or docker containers isolate behavior, so that's a win.)

Linux @lemmy.ml

4mo ago

Confession: I don't know what passwords in Linux are for

4mo ago

Handled a ThinkPad today. What distro should I go with? Ubuntu? Arch?

https://lemmy.frozeninferno.xyz/post/58612395

For a PC from around 2010-2018: Mint Cinnamon, Ubuntu 24.04, Lubuntu 24.04, MX Linux, in that order. Not Kubuntu, apparently it's the lost sheep of the family. Until you've used Linux for a few years, always aim for LTS (long term support) or similar terms. Never use an OS billed as a "beta" or "release candidate". "Rolling release" is suspect. It's all fun and games until your OS doesn't boot or you lose your data. Stability matters (and back up your data). Once you learn how Linux works, and if you become an enthusiast, you can do what you want. I highly, highly doubt you'll find Arch as painless as what I recommend.

400+ installs in the past four years - discarded/donated business laptops that get fixed, cleaned, upgraded with cheapest SSDs and donated to predominantly tech illiterate users.

99% is ubuntu lts + ansible playbook that removes snap, disables A TON of update naggings, installs flatpak, coupla apps and systemd timer to autoupdate all flatpaks. this is the only thing that has low support requests, everything else we tried (mint, debian, fedora) has a disproportionately higher support request frequency (reinstalls, wifi, fix this, remove that, etc).

I'd say Ubuntu as #1 but it's not known for maximum performance. Debian installer is a total mess and Linux fans don't realize how foreign it is to a newbie. It feels like the Debian installer was last updated in 2004. I have a soft spot for Lubuntu and its classic Windows 2000 look. Runs fast too if that matters to you.

4mo ago

KDE's start menu bugs make it feel 100x slower than it is

https://kde.org/distributions/

Per some feedback, I tried on another distro. Fedora 43 (hot off the presses) only has some of these bugs. I couldn't reproduce 1, 2, and 4 here on Fedora 43 KDE live.

The first mistake is using Kubuntu. It’s always been a buggy mess.

Considering my experience with Kubuntu 24.04, I'm inclined to agree. But it gets top billing on kde.org because (it seems) Ubuntu pays more money than SUSE.

4mo ago

KDE's start menu bugs make it feel 100x slower than it is

What distro? I was on Kubuntu 25.10. Did you record it? It's hard to see in real time.

4mo ago

Valve's new Steam Machine and Steam Frame and implications for Linux

https://social.linux.pizza/@BigHeadMode/115402987550130007

Windows 95, 2000/XP, and 7 were all very nice OSs. DirectX and whatever other APIs helped PC gaming. Windows Phone 8/10 are an interesting paradigm I wish still existed. The Xbox 360 blades dashboard (and later the NXE) ushered in an era we're arguably still living in. WSL.

4mo ago

Valve's new Steam Machine and Steam Frame and implications for Linux

https://social.linux.pizza/@BigHeadMode/114843921051139964

Embarrassingly, make a Windows 10-like OS. (More specifically, a window manager, probably.) Or have an affirmative vision for the future (non-Windows 95-derived) like Niri or (fascist-adjacent) Omarchy. 15+ years ago I booted my first distro. I ran Ubuntu with Unity on a side PC for years. Good for single screen use. I daily drove Debian for 3 months in 2018 but never got it to look more modern than Windows 2000. I never "enjoyed" it. This matches my thoughts. https://www.theregister.com/2025/11/10/deduplicating_the_desktops/

Going to try out https://www.anduinos.com/ and Zorin. Have done distro hop roulette for months and a lot of them are unsatisfying. KDE looks close to how I want but runs slow e.g. https://lemmy.frozeninferno.xyz/post/58790510

I'm big on super+arrow to move windows from one screen to another. I rarely need more than 4 active windows per display. But my big problem with tiling is that I like seeing the windows I have open at the bottom of my screen. (this was for my laptop but similar points https://lemmy.frozeninferno.xyz/post/58681232 )

My side OS on my main PC is Mint with MATE, but I also don't gel with it. Ran it on a family PC for years and it did the job for casual use. Random gripe off the top of my head I think applies in MATE: sorting is in byte order, not in brain order. Many linuxes sort 10, 1, 2 instead of 1, 2, 10. MATE and Xfce (iirc) have terrible file operation handling compared to Windows or (the gold standard?) Teracopy in Windows.

Every default GUI archive/extract program in Linux sucks, that I could find. I prefer Peazip but even 7z-gui (the stock one) is good. Even native windows zip support feels more pleasant. This goes back to a bazzite/omarchy philosophy of shipping software that is good, instead of defaults that suck.

Oddly enough I kind of respect AntiX + IceWM, as well as Lxqt / Lubuntu more than most of the crap modern WMs I've used.

SSH key exchange / setup is a fucking nightmare and I don't know why I'm copy pasting keys into text files or piping multiple commands together for the 50% odds that my OS setup allows it. I still don't really understand the Linux threat model where passwords on a local account make sense. (Is it to prevent local scripts from escalating to admin?)

I've run Linux servers for 5 years and I run WSL, but nothing clicks per se. I'm always more at home in Windows. Niri feels close to what I want, but too high a learning curve. I may make a post about it someday.

4mo ago

Uses for a 2 GB internal USB flash module?

Total tangent, but IMO this is the state of the art in data retention: https://superuser.com/questions/374609/what-medium-should-be-used-for-long-term-high-volume-data-storage-archival/873260#873260

4mo ago

Valve's new Steam Machine and Steam Frame and implications for Linux