Post ASlsl0uWHLOn77IMcq by cryptologer@defcon.social
Post #ASks5m4EMoW02yDH2e by beardstack@defcon.social
2023-02-14T17:52:27Z
1 likes, 1 repeats
Anyone checked out this project? I find the whole ecosystem very interesting. https://github.com/oxen-io/lokinet/
Post #ASks7GyQwW8YBvDSPw by jeff@federated.fun
2023-02-17T01:24:35.938498Z
0 likes, 0 repeats
@beardstack is it stored in the balls?
Post #ASlsl0uWHLOn77IMcq by cryptologer@defcon.social
2023-02-14T18:20:56Z
0 likes, 0 repeats
@beardstack I just signed up to find and share info on mixnets and anonymous protocols, and the first post I see in my feed is this one! Lokinet is like Tor on steroids. Siblings like Yggdrasil, I2P, ZeroNet, and IPFS are creative attempts to ameliorate some problems with mixnets and addressing. I too find it all very interesting. Lokinet needs more users to boost the unmasking resistance. I recommend the FAQ for starters for anyone already familiar with Tor Browser: https://lokinet.org/
Post #ASlsl1LSfAwwSftscS by beardstack@defcon.social
2023-02-14T18:25:26Z
0 likes, 0 repeats
@cryptologer i know right? I am too busy at the moment but I was trying to get a dockerized version working - but using namespaces for enhanced security, I didn't get far. I love the project though. I was wondering if anyone has been auditing the code or has anything bad to say about it.
Post #ASlsl1pEsSljx1pf28 by cryptologer@defcon.social
2023-02-14T18:29:54Z
0 likes, 0 repeats
@beardstack The barrier to entry is high for mere mortals and the toolchain uses too many components IMHO. I know of nobody doing a serious code audit.
Post #ASlsl2If74IxQHb9tY by beardstack@defcon.social
2023-02-14T20:04:35Z
0 likes, 0 repeats
@cryptologer yeah definitely high barrier to entry when it comes to the code. They are doing some refactoring lately which IMO is going to make things easier in the future to contribute.
Post #ASlsl4g8GmGcneavku by jeff@federated.fun
2023-02-17T13:06:24.718934Z
0 likes, 0 repeats
@beardstack @cryptologer docker's networking stack is too opaque to integrate lokinet into it. it's got that webshit way of architecting things that is filled with technical ignorance of the domains of operations that exist outside of the google walled garden of the web.
Post #AT1SaetvlXifg4mRO4 by beardstack@defcon.social
2023-02-25T00:03:20Z
0 likes, 0 repeats
@jeff @cryptologer what's a better way to containerize? LXC?
Post #AT1SafRbkKerMWXKsb by jeff@federated.fun
2023-02-25T01:28:34.277178Z
0 likes, 0 repeats
@beardstack @cryptologer literally anything else. i like lxc.
Post #AT4MhVOJVOiDxXkkBU by cryptologer@defcon.social
2023-02-26T06:27:55Z
0 likes, 0 repeats
@beardstack @jeff I think Docker used to be a sort of wrapper for LXC and has gone another path with its expanding feature set. LXC is great for fine-grained control over many elements of the system. LXC is especially strong if you are doing complex network shaping inside or between many containerized applications and want it all locked down tightly with remote administration features. I don't think Lokinet is complex enough that you _need_ the level of granularity that LXC provides. You just need to make sure any potential zero-day in the jailed application doesn't escalate to your RAM or filesystem or tty devices. Something simpler would be Debian Jailkit or Firejail, set up under a new user account. Jailkit is a bit more work than Firejail but not a ton more. You can even write a Firejail calling command and just invoke it with shell using the parameter switches you want. Create a systemd service stub or init script to run the jailed app on boot and respawn on failure.
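The "jailed app under a new user account, started on boot and respawned on failure" sketch above, written out as an added example that is not from the thread or from the Lokinet project. It uses systemd's own sandboxing directives instead of Firejail, because Firejail relies on a setuid-root binary and NoNewPrivileges=yes would neutralise it; the binary path, config path and the `_lokinet` account are assumptions.

```ini
# Added example (not from the thread or the Lokinet project): run lokinet as a
# dedicated user, confined by systemd, started at boot and respawned on failure.
# Assumptions: binary /usr/bin/lokinet, config /var/lib/lokinet/lokinet.ini, and a
# system account created beforehand with: useradd --system -d /var/lib/lokinet _lokinet

[Unit]
Description=Lokinet (sandboxed, dedicated user)
After=network-online.target
Wants=network-online.target
# Respawn, but stop retrying after 5 failures in 5 minutes (no tight crash loop)
StartLimitIntervalSec=300
StartLimitBurst=5

[Service]
User=_lokinet
Group=_lokinet
ExecStart=/usr/bin/lokinet /var/lib/lokinet/lokinet.ini
Restart=on-failure
RestartSec=5s

# Privileges: a TUN-based overlay client needs to create its interface and bind
# its DNS listener on port 53; nothing else, and nothing regainable afterwards.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Filesystem: the OS is read-only and /home is invisible; the only writable
# place is the state directory systemd creates and owns for this user.
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
PrivateTmp=yes
StateDirectory=lokinet

# Devices: no tty, disk or GPU nodes. PrivateDevices=yes would also hide
# /dev/net/tun, so use a closed device policy with one explicit exception.
DevicePolicy=closed
DeviceAllow=/dev/net/tun rw

# Memory: cap usage and forbid mappings that are both writable and executable.
MemoryMax=512M
MemoryDenyWriteExecute=yes

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security lokinet.service` scores the result; if the daemon needs to write somewhere outside its state directory, add that path to ReadWritePaths= rather than loosening ProtectSystem=.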
Post #AT4MhVvHWp5FbnB4ZU by jeff@federated.fun
2023-02-26T11:06:44.968771Z
0 likes, 0 repeats
@cryptologer @beardstack containers won't protect you against zero-days. people need to accept this. the best use case i have seen for containers is a way to do user namespaces. docker hides the usefulness of that with a wretched npm flavored interface that makes non web people throw up in their mouth.
Post #AT7GKArFfHplMieyTA by beardstack@defcon.social
2023-02-27T17:51:59Z
1 likes, 0 repeats
@jeff @cryptologer I wasn't really aware of this. I've been trying to containerize using docker because it is popular and well documented. I use namespaces with docker to limit what would happen if a breach occurred. I'm still learning. I wanted to do something with lokinet as a way to further anonymize my traffic. I selfhost certain applications for my everyday use in order not to use big tech without getting tracked. I linked to an example docker compose stack I use to route some traffic through proton. I use something like this for my internet queries and share it with friends. I reviewed it with the docker people who told me it was good and followed best practices. I wanted to do something similar which would have a .loki address but I haven't had time to do it yet. Input is welcome: https://github.com/beardstack/whoogle-protonvpn
Post #AT7GtqPl9OAsO0oFii by jeff@federated.fun
2023-02-27T20:45:53.042258Z
0 likes, 0 repeats
@beardstack @cryptologer docker is a clusterfuck, all that wrestling of that infra just to do such a basic thing. it boggles the mind why this is seen as "sensible" in docker.
Post #AT7H9wRiUcjZj5OuKO by alyssa@meowing.online
2023-02-27T20:44:40.719768Z
0 likes, 0 repeats
@jeff @beardstack i like containers as a way of shipping code. it's really easy to push/pull from a docker registry instead of having to set up a package repo or somewhere else to pull binaries from. also i don't need to install dependencies on the host that might end up needing to be updated or removed or might conflict with some other package installed on the host, though a chroot would also work fine for that use case
Post #AT7H9wzOTPflPX9nou by jeff@federated.fun
2023-02-27T20:48:46.149745Z
0 likes, 0 repeats
@alyssa @beardstack i would mind all of it if docker had sensible defaults. it hides all of the usefulness that container tech has and as a result gives the entire family of solutions using containers a bad rep. it's literally the worst container solution.
Post #AT7J2zO5MGoOjKVygy by 7666@comp.lain.la
2023-02-27T20:59:40.906961Z
0 likes, 0 repeats
@jeff @beardstack @alyssa hey here's a wild idea - just use single-purpose VMs and your config management of choice (ansible, salt, txt file full of shell commands, whatever). it will amaze you how flexible, reliable, and secure it can be with meaningful abstraction and control when you're just running a full OS virtualized, instead of piddling around with possible container security woes! (yes i know hypervisor escapes exist but they're way harder)
Post #AT7J306kgCXaxrPeJU by jeff@federated.fun
2023-02-27T21:09:57.011215Z
0 likes, 0 repeats
@7666 @beardstack @alyssa i prefer systemd as my system layer because it has a superior set of features and doesn't need me to login with facebook to access dockerhub when updating. don't even start with the private registry shit, that is the most garbage daemon i have ever had the misfortune of setting up. literally worse than postfix.
Post #AT7Jkt3IH3Xrp5ioC0 by uguu@rneetup.com
2023-02-27T21:11:18.147629Z
1 likes, 0 repeats
@jeff @7666 @beardstack @alyssa for me it's systemd-nspawn, the best container management solution
Post #AT7Jrsc0JDaiU8I8uW by jeff@federated.fun
2023-02-27T21:19:09.775230Z
0 likes, 0 repeats
@uguu @7666 @beardstack @alyssa virt-manager for frontend, qemu for backend, accessed over ssh. each vm running a few lxc. cozy af.
Post #AT7LZV8L3wAAMbmQOu by alyssa@meowing.online
2023-02-27T21:07:49.169733Z
0 likes, 0 repeats
@7666 @beardstack @jeff i want to do this on my laptop! a VM is somewhat slower to boot than a container, but firecracker is an improvement to that (and has less of an attack surface than qemu)
Post #AT7LZVfJ5MXC0rCkmu by 7666@comp.lain.la
2023-02-27T21:09:46.909588Z
0 likes, 0 repeats
@alyssa @beardstack @jeff i suggest a dedicated hypervisor machine - ideally with ECC RAM and a bunch of cores, and then for extra security your first VM should be PfSense so you can firewall off the whole bloody thing
Post #AT7LZWGWqyJBsIcTo0 by alyssa@meowing.online
2023-02-27T21:11:45.172327Z
0 likes, 0 repeats
@7666 @beardstack @jeff it's kinda hard to bring a dedicated hypervisor machine around everywhere i want to use my laptop
Post #AT7LZWn8tiOdVRsWdk by silhouette@lainchan.gay
2023-02-27T21:21:25.864763Z
1 likes, 0 repeats
@alyssa @7666 @beardstack @jeff have you heard about our lord and savior, KVM+Qemu
Post #AT7LcNcHT1sVv19qme by 7666@comp.lain.la
2023-02-27T21:21:09.978288Z
0 likes, 0 repeats
@jeff @beardstack @alyssa @uguu vmm on qemu is way too light for me, i'd have to go full proxmox at minimum for clusters, redundant networking, iSCSI targets, VLAN tagging, live VM migration, etc
Post #AT7LcODVEdeVmSZZnk by jeff@federated.fun
2023-02-27T21:38:49.703614Z
0 likes, 0 repeats
@7666 @beardstack @alyssa @uguu libvirt does that and i love it so much
Post #AT7LgLE0Iiczexgw64 by 7666@comp.lain.la
2023-02-27T21:12:49.260099Z
0 likes, 0 repeats
@alyssa @beardstack @jeff stick the box anywhere you want and remote to it (SSH? VPN?)
Post #AT7LgLn6CEhVPo6xnc by alyssa@meowing.online
2023-02-27T21:17:46.366014Z
0 likes, 0 repeats
@7666 @beardstack @jeff mobile internet is expensive as fuck here, and latency for GUI apps can't be great. really what i'm looking for is more like qubes os except customized how i want it, rather than something for hosting network services. now i realise it's a bit off-topic for the thread lol
Post #AT7LgMR9nIk9Q2qxEm by 7666@comp.lain.la
2023-02-27T21:18:48.293382Z
0 likes, 0 repeats
@alyssa @beardstack @jeff i use freerdp for remote desktops where needed, but that won't solve the network problems yea
Post #AT7LgN0xeBNpD5bY2q by beardstack@defcon.social
2023-02-27T21:28:04Z
0 likes, 0 repeats
@7666 @jeff @alyssa Bruh the point is to be able to move quickly from one cloud provider to another. Ansible can make sense but I pay per server not per container. I'm not exactly rolling in money so setting up my own private data center with hardware firewalls is really overkill. Ansible may be worthwhile but there is so much to configure that it's not quite the idea. Containers help compartmentalize things; they make sense to save on costs. It's just one dude and a couple of his buddies trying not to share their entire life history with google, facebook and their ISP.
Post #AT7LgNYdcyK0tXMRXM by jeff@federated.fun
2023-02-27T21:39:32.633989Z
0 likes, 0 repeats
@beardstack @7666 @alyssa ansible is what docker should be
Post #AT7M4hI7uT8p31EYAC by 7666@comp.lain.la
2023-02-27T21:33:03.408298Z
0 likes, 0 repeats
@beardstack @jeff @alyssa if you want to move between VPS providers easily, then ansible makes even more sense to replicate your configurations and deployment work elsewhere. or just cheat and grab .bash_history and run away. either way, it's not sounding like deploying a container is easier/more secure than just installing this directly
Post #AT7M4kB9AsLC0EzWCW by beardstack@defcon.social
2023-02-27T21:41:49Z
0 likes, 0 repeats
@7666 @jeff @alyssa It makes more sense when you run 30-40 containers on one machine.
Post #AT7M4kcRXOAvMtlJkO by jeff@federated.fun
2023-02-27T21:43:51.887686Z
0 likes, 0 repeats
@beardstack @7666 @alyssa which is what serious workloads usually operate at.
Post #AT8cRnZiVR0bcaSVVY by uguu@rneetup.com
2023-02-28T06:10:44.542325Z
1 likes, 0 repeats
@jeff @7666 @beardstack @alyssa for me it's centos 8 with libvirt + bhyve on top of esxi inside of systemd-nspawn network namespace over wireguard using nfs to zfs all the way from chicago to berlin