Broke (cause you have to pay): Win11

Woke: Wine11

I think having a TPM enables a number of worthwhile security features.

But most of those security features place the TPM at the root of trust, something that is SEVERELY undermined by the fact that it is not open source, meaning it is inherently untrustworthy.

Is it not the one chip we should demand and accept nothing less than complete openness in its implementation and complete control by the person who owns the device? I also think the types of protections it grants in theory are very good, but the fact that it’s proprietary means it’s terrible at actually granting you those protections.

Hmm, basically make a container with the VPN client and proxy server, and expose the proxy port through it? Not sure how to route the host server’s traffic through that but I suppose I can just point all the important stuff to the local container’s proxy port. I’ll see if that’s more reliable than modifying the host network configurations. Thanks!

I’ve also been thinking of switching to Nix so I can just configure it once and rebuild the entire system with all the condigurations at any time without going through manually setting everything back up with individual commands/file edits. Though I’m not sure if that’d be more reliable given it’s broken randomly on Fedora when I didn’t even change any network configurations.

I don’t have custom firmware on my router and frankly don’t trust the stock one to handle VPN connections securely without sending “analytics” back to the manufacturer.

I’m thinking about seeing if I can get OpenWrt on it though, but I’m worried it won’t be reliable enough and I really don’t want to be in a situation where I have no internet period after my experiences with just the proxy server breaking. The only reason I’ve been able to troubleshoot it is because the internet itself still works.

TIL companies have Mac fleets

My biggest issue with Windows is the lack of control I have of the actual hardware I own. I don’t own my work computer to begin with nor am I entitled to have full control over it so it doesn’t matter.

I do use WSL, but mainly because I’m more familiar with Bash than Powershell and don’t have to constantly figure out how Powershell does things I already know how to do.

It’s the same reason I have no problem using my company’s OneDrive for work files when I go out of my way to avoid putting any of my personal data on the cloud. It’s their data and they don’t care so I don’t care either.

It’s also nice because I can set up a Linux-only file server at home with things like SSHFS and the Windows computer can’t even see it since it has no SSH access doesn’t even support the network share protocol. If I had an SMB share it would show up on my work computer because it autodetects it.

parallel, easy multithreading right in the command line. This is what I wish was included in every programming language’s standard library, a dead simple parallelization function that takes a collection, an operation to be performed on the members of that collection, and optionally the max number of threads (should be the number of hardware threads available on the system by default), and just does it without needing to manually set up threads and handlers.

inotifywait, for seeing what files are being accessed/modified.

tail -F, for a live feed of a log file.

script, for recording a terminal session complete with control and formatting characters and your inputs. You can then cat the generated file to get the exact output back in your terminal.

screen, starts a terminal session that keeps running after you close the window/SSH and can be re-accessed with screen -x.

Finally, a more complex command I often find myself repeatedly hitting the up arrow to get:

find . -type f -name '*' -print0 | parallel --null 'echo {}'

Recursively lists every file in the current directory and uses parallel to perform some operation on them. The {} in the parallel string will be replaced with the path to a given file. The '*' part can be replaced with a more specific filter for the file name, like '*.txt'.

Is it possible to use LUKS with a password with a Windows NTFS partition and just have GRUB decrypt it to let Windows boot? Don’t intend to dual boot Windows ever but just curious.

Frankly I trust a password stored in my brain way more than whatever keys the TPM is storing. No way something being pushed this hard by Westoid tech corporations doesn’t have a backdoor that just unlocks everything for “approved” parties.

Pff you know how many layers of abstraction HolyC still has? Real computing enthusiasts write their OS in machine code. Not assembly, that’s an abstraction too, literally tapping out high and low electrical pulses like you’re in the Marconi room on the Titanic.

Yeah ambiguity is for C code /s

KDE is second-class to GNOME on Fedora.

It is? I ask because I’ve always used Fedora KDE and honesty it’s been the best KDE experience I’ve had. Now I’m curious how much better the Fedora GNOME experience might be if it’s prioritized so much more, but I’ve never seriously used GNOME so I don’t think I can make a fair assessment. In what ways is KDE deprioritized?

What’s the appeal of Bazzite over regular Fedora immutable version? I’ve personally never had an issue running Steam on Fedora, then again I wouldn’t consider myself a “gamer,” certainly not my biggest requirement as far as computing is concerned.

Thank you for the in depth explanation of hard drive noises! I have everything I care about backed up and will keep listening for changes. Hopefully it’s just an OS thing.

I tried using smartctl but it doesn’t seem to like the fact that it’s in a USB enclosure and says “unknown USB bridge”. Trying smartctl -d sat does give some SMART information and says that the “overall-health self-assessment test result” is passed for both based on “Attribute checks”, but I’m not sure if it’s actually passed or it just can’t see the actual failing information. It also says “SMART status not supported: Incomplete response, ATA output registers are missing” above the passed result which seems to indicate that it’s missing the information it needs for a full assessment.

I run Pi-Hole and Ollama in containers, but neither have mount points or volumes on the hard drives, only the system SSD.

One drive is a fairly new Seagate IronWolf Pro, but the other is a refurbished server hard drive so if one is dying it’s probably that one, though the stuff I actually care about is copied on both drives and a third one that’s offline and unplugged.

The weird thing is that this only started happening when I reinstalled the OS, but like I said I reinstalled with newer version so that might be the cause? Maybe some disk/fs implementation changed and now does things automatically when the drives are idle that 42 didn’t do? But I feel like that would still trigger the indicators.

My next step is probably to use inotify to look at file accesses, experiment with only mounting one drive at a time to see which one clicks or if they all do, maybe even connect the drives to another computer over SATA to do a full SMART check.

Thank you!

Fail2Ban is a popular tool for things like SSH.

I’ve never heard Mandrake it but gave it a quick search and it seems they’ve been discontinued for a while.

KDE is alive and well! It honestly feels a bit like Windows 7 which was why I as a former Windows user like it. I personally use Fedora KDE and would recommemd it.

I need to be able to “RDP” into remote machines. I think that one is probably easy and built-in from decades ago.

KDE has a built in RDP server you can enable!

If you’re using X server and not Wayland, xrdp is also good.

Remmina is a good RDP client.

I also need to be able to setup a Hyper-V equivalent, to run other machines from my main laptop- haven’t figured that one out yet.

GNOME Boxes might be what you’re looking for? KVM if you need a full blown hypervisor.

Is there a good resource for determining how “effective” your donation to any given open source org is? As in how much of it is going to be paid to the actual devs, QA, and other related workers vs higher management?

IIRC that’s a major complaint with Mozilla and a lot of other large open source orgs.

If you’re willing (and/or able) to disassemble the phone and solder to the main board, you should be able to replace the battery with a 3.7v DC power supply.

Unless there’s some protocol that communicates with the battery controller to validate it that I’m not aware of which will refuse to accept power input otherwise? I feel like that shouldn’t be the case if the battery is internal and they don’t expect you to replace it anyway?

Definitely helps if it’s like a Fairphone or something with the battery contacts already exposed and easy to access. Actually, someone should 3D print a Fairphone battery dummy that just has wires coming out of it to hook up to your own power supply. Maybe with an ATTiny chip to spoof whatever digital signals it wants from the battery if that’s required.

it sounds like a Linux password is a red herring, and a secure password even more so

Yes and no. A secure password is extremely important against some security threats, but completely useless against others. It’s like vitamin C. If you don’t get enough, that’s a massive problem and opens you up to a ton of serious issues, same as if you don’t have enough complexity in your password. But even if you do, it won’t effectively protect you from, say, cancer or unprivileged malware respectively.

There’s nothing stopping any program from attempting to bruteforce your Linux password, literally running through possibilities hoping to guess it. Modern password implementations usually have some form of bruteforce protection. If you’ve ever entered your password wrong in sudo or KDE’s lock screen, it usually hangs for a few seconds before telling you your password is wrong, even though any modern computer will have determined it was wrong in literally an instant. This is to prevent a malicious program from endlessly trying random guesses until it gets it by making the time it would take to guess a sufficiently unique password too long to be practical. Your phone and optional software available for Linux go a step further, imposing longer and longer delays with each subsequent failed password attempt, and also prevents malicious programs from spawning many threads each independently calling sudo to bruteforce in parallel by completely disabling access until the time penalty elapses. Though you absolutely do need a sufficiently secure password, making it overly long has diminishing returns past a certain point, it doesn’t matter how many millions of years it would take to bruteforce with a 1 second delay for wrong attempts, but the upgrade from millions of seconds with a simple password like “hunter2” to years is the important part.

Also, a password with no encryption is like a padlock on a wooden box. Even if they don’t have the key, they can still just cut the box open. In computer terms this would be like if someone accessed the files in your SSD directly and injected malware with root privileges, since both completely bypass the check that’s “normally” supposed to stop unauthorized users. Encryption can help but like you said, physical access is generally considered game over anyway unless they found your computer while it’s off and it is never returned to you for you to enter your password. A computer with encrypted everything wouldn’t be able to boot. Your EFI partition and especially your BIOS/firmware have to be unencrypted, and anything unencrypted can be tampered with by a sufficiently skilled attacker with physical access to add things like keyloggers and backdoors that sit dormant until you graciously decrypt everything for them.

Your password strength matters a lot more with encryption though. If you’re going to the trouble of full disk encrypting your computer, make the password as long and random as you can practically remember. If someone is trying to decrypt your computer’s drive, they’ve probably imaged it and are using a separate machine with no rate limiting whatsoever, and modern GPUs can do a ton of cryptographic operations in a short time. And don’t use that password for your user account once decrypted.

If SSH is disabled the class of attacks to be prevented are users ‘voluntarily’ running malware pretending to be goodware.

More or less as far as I know, provided you don’t have any other way of remote access (VNC, RDP, Anydesk/Teamviewer and similar, that weird Steam remote desktop app, a server running vulnerable software on an open port that can be hijacked, etc). In computing, the general rule to follow is if you don’t need it, don’t enable it, otherwise it’s ripe for abuse. That being said, your router should be configured to block local port access from the internet anyway, but if you have another infected device on your network, that’s a major threat. If you do want SSH, configure it to only accept the keys of your trusted devices and not just respond with a password prompt to any device that comes knocking.

True, but does anyone operate this way? At that point it becomes an iPad or a Chromebook.

“Trust” in computing is fickle and complicated, just like real life. At the end of the day, you have to make a decison on who and what you personally trust. An iPad or Chromebook would be the least trustworthy computers in my mind because they’re locked down and administered by companies I absolutely do not trust, and though the locked down architecture does prevent other malware from infecting it, there’s probably already malware by any other name on it with proper Google or Apple security signatures that came with the device from the factory.

This is the same as if your distro maintainer is untrustworthy. They could slip in malware into the official package manager or installer ISO and you’d never know. I personally trust a reputable Linux distro over the literal biggest tech corporations in the world, but I’m still putting my faith in an organization I do not control nor personally know the people in control.

Open source is more trustworthy than proprietary software because the source code is available, but even that isn’t completely guaranteed to stop malicious code from making it in. The recent xz backdoor comes to mind. You’re still trusting that the other people looking at the source code actually catch the malicious part, and that’s not guaranteed even with the most trustworthy people when everyone working on it are overworked, stressed, and in the grip of tunnel vision to get their small part of it done like software developers tend to be, and even when that happens, it might be months or years down the line after the damage has already been done. There’s a reason a full security audit of an app can cost anywhere from thousands to millions of dollars depending on how big the codebase is. Also, because the vast majority of software aren’t compiled in a reproducible way, you don’t really have a guarantee that the actual binary executable that’s on your computer exactly matches the source code unless you go through the (usually difficult and frustrating) process of actually compiling it yourself. Sure, you can probably assume that the official binary released by the source code authors and signed with their cryptographic keys matches the source code since both come from the same place, but that’s not guaranteed and you’re still trusting a person or organization.

But wait, there’s more! The compiler you use is itself a program that needed to be compiled by another compiler, and so on and so fourth until you literally reach the stage decades back when someone manually wrote the individual bits for the very first compiler in that chain. A malicious compiler can be made to obfuscate the fact that it’s malicious, and only a manual review and reverse engineering of the raw binary (without reverse engineering software, mind you) can prove or disprove it’s compromised.

Finally, there’s hardware. Even if you audit every single literal bit of software, the processor itself has immense complexity that you can’t audit without, 1, extremely expensive scientific equipment, and 2, destroying it in the process, and that’s only one chip out of the tens of chips in a computer. Your processor could have secret instructions that bypass all security and your only real hope is to bruteforce every possible input to see what happens. And proving existence of a backdoor is intrinsically much easier than proving absence.

I’m not trying to scare you, but I do want to illustrate just how hard it is to have absolute trust in any computer. At the end of the day, you can never have a computer you completely trust unless you manually assembeled it from raw materials (not aided by any existing computer) and hand wrote every bit that goes into it. Like I said, we all need to make a decision to have faith in some person or organization we do not know. You can spend every waking minute auditing every last part of your computer, hardware and software, but then you wouldn’t have time to actually use it for the things you want to do. There’s no solution to this, there’s only higher and lower degrees of trust and security, which only you can determine for yourself.

So no, no one operates that way, because it’s impossible.

It does look like flatpaks or docker containers isolate behavior, so that’s a win.

Generally, yes, but remember there’s always the possibility of a bug that allows containers to break out of containers. This is not unique to Docker, any sandbox or hypervisor can be breached if there’s an exploit, just like any other software. Doesn’t invalidate the value of containerization, but it must be kept in mind that nothing guaranteed to be completely safe and “malware proof.”