Post AFuPrGmNtFfxOG5kbw by Seirdy@pleroma.envs.net
(DIR) More posts by Seirdy@pleroma.envs.net
(DIR) Post #AFuLvQSTRktkkaVNfk by Seirdy@pleroma.envs.net
2022-01-28T18:53:46.976415Z
13 likes, 10 repeats
it sucks having nuanced views on the internet"systemd has the right goals but also has poor architecture: i like operating it but i don't like its underlying design" is so much harder to digest than "systemd good" or "systemd bad""sandboxing is good when done in a way that gives users the ability to control how their programs run, and doesn't have to make your computer locked down like iOS" is harder to digest than "sandboxing good' or "sandboxing bad"."verified boot that lets users control the signing key allows users to verify that the boot sequence is what they want it to be, ensuring that their FDE isn't compromised; however, most existing implementations give vendors control that should belong to users" is harder to digest than "verified boot good" or "verified boot == DRM".it's hard not to sound like a corporate shill, which is the opposite of what I'm trying to be whenever I start talking about security. Fossbros have given the entire FLOSS community these warped preconceived notions on what sandboxing, verified boot, and even Systemd are and aren't.
(DIR) Post #AFuPrGmNtFfxOG5kbw by Seirdy@pleroma.envs.net
2022-01-28T19:37:50.809087Z
0 likes, 0 repeats
Even more annoyingly nuanced security views:“Google has too much control over the web platform, yet Chromium is head and shoulders above Firefox and Webkit2GTK from a security perspective (yes, I know about fission and rlbox). I want Chromium alternatives to succeed and I don’t want Google to dominate the Web, but I see others who share my views recommend Firefox without understanding or explaining the trade-offs involved. This results in people making less informed decisions. I personally use both browsers for different use-cases.” is like 10000 times harder to digest than “chromium bad”. Like, I agree, but I also disagree. I love to hate it from an ideological POV, and hate to kind of like its technical approach to isolation and hardening.I love OpenBSD; it’s such a simple and understandable well-designed OS. It’s way too underappreciated. But people should use it for the right reasons. Don’t use it because your threat model calls for a more secure OS; use it because you love UNIX and simple operating systems. OBSD has some very well-designed components, like a secure malloc design and great userspace tools. It was one of the first distros to go full ASLR. But some of its most significant mitigations (e.g. W^X) are easily bypassable and it’s missing some modern mitigations (MAC, CFI, etc). HardendBSD and (imo) certain Linux distros are ahead on these fronts. Despite this it’s my favorite place to thinker and will be for the forseeable future.The server, desktop, and mobile computing models are all quite different. The desktop involves giving programs the same user privileges and giving them free reign over all a user’s data; the server model splits programs into different unprivileged users isolated from each other, with one admin account configuring everything; the mobile model gives programs private storage and ensures that programs can’t read each others’ data and need permission to read shared storage. Each has unique benefits. I like the Pinephone because it give me the desktop model in my pocket, which is optimized for some tasks that mobile isn’t good at. I don’t see it as an Android replacement because it doesn’t give me the security benefits of the mobile model. I’ll probably not use it for 2fa but I’d be happy to use it for tinkering, testing cross-platform programs, and cool use-cases like running a temporary web server on mobile data. Linux-phone devs should focus on being the best pocket Linux distros and doing things that the mobile computing model is bad at, not competing with Android.Software freedom/FLOSS is critical step for giving users autonomy over their computing; being able to understand a program’s high-level architecture/design, patch it, and share it are necessary to be able to own it. But FLOSS isn’t necessary to understand what a program does; binary analysis and run-time analysis (e.g. using strace) combine well to accomplish that. Nowadays, FLOSS projects like libcurl, openssl, and Linux depend on black-box testers like fuzzers to find vulns, not source code analysis; this is ! FLOSS is necessary for control, not security; support it for the right reasons. Binary obfuscation and DRM are terrible, though; those actually do impede analysis.
(DIR) Post #AFuPyFL3e468wtdXdI by Seirdy@pleroma.envs.net
2022-01-28T19:39:06.820943Z
1 likes, 0 repeats
On verified boot: users are typically given the choice of locking away some control in favor of improved security (to varying degrees), or having full control but needing to be more vigilant because they're given fewer guarantees. I can't blame users for making either choice *as long as they do so for the right reasons*. Things get really fucking problematic when fossbros start saying "secure boot is evil, let's get rid of verified boot".Secure boot is a problematic implementation of a good idea, and it sucks that people have to choose their poison. Don't campaign for eliminating secure boot, campaign for *a better implementation* of verified boot that gives users control.
(DIR) Post #AFuQ0QjsELAAsxHlYW by huntra@mastodon.technology
2022-01-28T19:07:47Z
1 likes, 0 repeats
@Seirdy i enjoy reading opinions like this. I am still very new to foss world so i prefer someone gives me pros and cons list instead "one of the devs picked their nose on a livestream the app is evil"
(DIR) Post #AFv1L3GMPBu4SeB2oq by orangestar1@mastodon.social
2022-01-29T01:59:28Z
1 likes, 0 repeats
@Seirdy This whole thread is brilliantly written. Kudos.
(DIR) Post #AMpdUmW37Fvh6Txcf2 by neo@pl.comfysnug.space
2022-08-23T21:21:49.680714Z
0 likes, 1 repeats
@Seirdy The problem is that we've allowed ourselves to become *okay* with a race to the bottom. We engage more when someone simply says "sandboxing good" than a post with a more nuanced take like "sandboxing is good when done well"
(DIR) Post #AVWRjcpzI9Poj6KJVI by icedquinn@blob.cat
2023-05-10T19:59:24.890044Z
0 likes, 0 repeats
@Seirdy i run a non-systemd distro. whether it has any merit or not, it's too big and upstream doesn't seem to know what saying "no" to scope expansion means.
(DIR) Post #AVpNg7rWFGd0ObQLdw by jeffcliff@shitposter.club
2023-05-19T23:13:30.152791Z
2 likes, 0 repeats
giving microsoft the ability to have 'verified boot' agreements with OEMs restricting what OS you can/cannot boot, and expecting them to not use it is like letting them hold a loaded gun to your head with their finger on the trigger and expecting them to not pull the triggeri guess you *could* be that trusting of them
(DIR) Post #AWZ21UVkQJyniTTBD6 by strypey@mastodon.nzoss.nz
2023-06-10T23:47:30Z
0 likes, 0 repeats
@SeirdyI know the feeling. Remember when 5 boosts on a post here counted as "going viral"? ; )
(DIR) Post #AWZ2io79PmHKy0cSmW by freja@freja.zone
2023-05-20T06:58:20Z
0 likes, 0 repeats
@Seirdy The one that has historically bothered me is when I say phones shouldn't be "rooted". I don't mean mean you shouldn't have full control and ownership of your device, I just mean Android has a well developed security model and giving random processes root privileges throws all that out the window. The OS already has ways to modify it that fit into the security model.When "discussing" this in FOSS phone rooms, I've sometimes gotten "just don't run malware" as an argument. Okay?
(DIR) Post #AWZ2ip2DzZvrp1K2k4 by smallcircles@social.coop
2023-05-21T09:01:24Z
0 likes, 0 repeats
@frejaYes, I bought an old model 2nd hand phone in a Used Products shop.. to find it was rooted. Now I can't trust it OOTB. Will reinstall with e/OS, so no problem. But not anyone can do that.Such 2nd hand shops are ideal vector for spreading malware. Shop will usually only do factory reset.@Seirdy
(DIR) Post #AWZ2ipyiU6iikQgkue by smallcircles@social.coop
2023-05-21T09:03:17Z
0 likes, 0 repeats
@frejaBtw, have to check, but reinstall process requires a connect to my laptop via USB, with old OS still active 😬@Seirdy
(DIR) Post #AWZ2iqmLVaQ3ELuOGm by strypey@mastodon.nzoss.nz
2023-06-10T23:55:12Z
0 likes, 0 repeats
@smallcircles> reinstall process requires a connect to my laptop via USB, with old OS still activeIf you're OS isn't secure enough to protect itself from being hijacked by anything plugged in via USB, you've got bigger problems...@freja @Seirdy
(DIR) Post #AWZ37NvTv2Tiz8sfB2 by gsuberland@chaos.social
2022-12-16T08:57:23Z
0 likes, 0 repeats
@Seirdy vociferously agree with this one, and am particularly baffled and frustrated by the "secure boot / ME is ultraevil so I'm going to run a laptop from 2004" crowd.
(DIR) Post #AWZ37OnMgha1gG5hAG by strypey@mastodon.nzoss.nz
2023-06-10T23:59:46Z
0 likes, 0 repeats
@gsuberland> am particularly baffled and frustrated by the "secure boot / ME is ultraevil so I'm going to run a laptop from 2004" crowdI'm one those, why do we frustrate you? 2004 is an exaggeration. In my experience, it's extremely uncommon for any computer to keep functioning usably after a decade or so. Putting aside boot issues, another good reason to keep using old, working laptops is... they already exist. Why spend scarce resources on a new one? @Seirdy
(DIR) Post #AWZ3DtNlsVYyHaDRiq by gsuberland@chaos.social
2023-06-11T00:00:52Z
0 likes, 0 repeats
@strypey @Seirdy feeling the need to show up in my replies 6 months later would be one of the reasons
(DIR) Post #AWZqqgpBOhL0NnAQDI by strypey@mastodon.nzoss.nz
2023-06-11T09:16:34Z
0 likes, 0 repeats
@SeirdyJust realized I was necro-posting on a thread from 2020. 100 boosts was massive back then, colour me impressed!
(DIR) Post #AWZrRcEVQog4rBcSye by strypey@mastodon.nzoss.nz
2023-06-11T09:22:43Z
0 likes, 0 repeats
@Seirdy> FRQ queue?
(DIR) Post #AWZuF3pVocWWXqdM36 by strypey@mastodon.nzoss.nz
2023-06-11T09:55:00Z
0 likes, 0 repeats
@gsuberland > feeling the need to show up in my replies 6 months later Sorry this bothered you. Only just realized how old this thread was. Someone must have boosted it, or maybe I did an obscure hashtag search? @Seirdy
(DIR) Post #AaeehMtnwQcsELnKPQ by newt@stereophonic.space
2023-10-11T08:22:28.183834Z
1 likes, 1 repeats
@Seirdy wow this is some kind of record right here
(DIR) Post #AaefazKckeovM0rQum by newt@stereophonic.space
2023-10-11T08:32:29.957682Z
1 likes, 0 repeats
@Seirdy nope.. not even top 10.
(DIR) Post #AaefphiaWJsr4R5Rsu by lina@eientei.org
2023-10-11T08:35:25.829601Z
0 likes, 0 repeats
@newt @Seirdy lol you thought :ryukocondescending: i think losers like that is why there's whitelist federation, isn't it
(DIR) Post #Aaeg2QFSmeOeeaWpWq by newt@stereophonic.space
2023-10-11T08:37:28.489048Z
3 likes, 0 repeats
@lina @Seirdy :akkowhy: Does your instance federate?:nerdthinking: Why, yes. But we block some servers.:akkowhat: How many do you block?:blobnerd: ALL OF THEM
(DIR) Post #AaegCHa9rKzofhuU76 by lina@eientei.org
2023-10-11T08:39:34.222413Z
1 likes, 0 repeats
@newt @Seirdy happens i think