Basically
- Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though
- The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)
- the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!
- X11 is insecure, okay we know that
- the kernel is very bloated and everything in there has all the permissions, which is not needed
- Kernel bugs are often not fixed quickly or at all
- Stable Distros are insecure if only CVE bugs are backported, as many security bugs don't get a CVE
I am currently experimenting with the hardened Kernel and hardened_malloc; I have used GrapheneOS for over a year.
On Linux it's a bit more difficult though, as Flatpak and Distrobox don't work anymore.
This would mean user namespaces need to be enabled again, which I can't seem to make work with
sudo sysctl -w kernel.unprivileged_userns_clone=1
But the file doesn't exist and creating it doesn't work, probably needs to be a karg or something?
I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):
https://github.com/qoijjj/hardened-images
The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.
Maybe nix is a solution? Would this be a good idea?
Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. Here is a spec file from rusty-snake.
What do you know about this?
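As an added example (not code from the post or from the hardened-images project), a small POSIX shell check for the two knobs that gate unprivileged user namespaces: the upstream `user.max_user_namespaces` limit and the linux-hardened `kernel.unprivileged_userns_clone` toggle, which is simply absent on a vanilla kernel.

```shell
#!/bin/sh
# Added example: report why user namespaces (needed by Flatpak/bubblewrap,
# Podman, Distrobox) are or are not available on the running kernel.
# Reads the procfs files directly so it works without the sysctl binary.

userns_status() {
  # Upstream knob: 0 forbids creating any user namespace system-wide.
  max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo missing)
  # linux-hardened knob (also on older Debian kernels): 0 blocks
  # unprivileged users only. Missing file means the kernel lacks the patch.
  hard=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo absent)

  if [ "$max" = "0" ]; then
    echo "disabled:max_user_namespaces=0"
  elif [ "$hard" = "0" ]; then
    echo "disabled:unprivileged_userns_clone=0"
  else
    echo "enabled:max_user_namespaces=$max,unprivileged_userns_clone=$hard"
  fi
  return 0
}

# Functional probe: actually try to create a user namespace as this user,
# which catches restrictions the two files above do not show (e.g. an
# AppArmor or seccomp policy). Prints probe:ok or probe:denied.
userns_probe() {
  if unshare -U true 2>/dev/null; then
    echo "probe:ok"
  else
    echo "probe:denied"
  fi
  return 0
}

userns_status
userns_probe
```

If `unprivileged_userns_clone` reports `absent`, the sysctl from the post cannot be set at runtime because the running kernel does not carry the hardened patch; a persistent setting for a kernel that does have it belongs in a file under `/etc/sysctl.d/`.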
“This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”
The irony.
I mean the origin is still legit, so there is no real problem with it, right?
One cannot just register a site as github.com
I’m not sure if at this point the browser verifies whether the cert is even legit for github.com
As far as I recall, it never was relevant. It was generally viewed as a rant written by a non-professional. Perhaps I am wrong? Sorry if I am wrong?? Don’t start reporting me, please.
I remember reading there, when it wasn’t on github pages but its own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes, it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.
Of course there were some that I thought went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
Not really relevant, but I’ve got a “rule of thumb” for all security-related issues:
“If it doesn’t nuke my PC, then I’m good. If it does, then I’m still good since backups and logs exist, and if it was related to the latest security issue? Then I make a quick patch and/or update. Then back to 1.”