Messages - la xasop

Technology & Information / Re: New laptop
« on: January 10, 2021, 07:22:18 PM »
So yeah, I returned the hunk of shit and bought an M1 Macbook Air.

How can you return something before buying it?

Technology & Information / Re: Who loves or hates their VPN?
« on: December 28, 2020, 07:58:42 PM »
Very interesting. I've tried the IP Blocker in the Cpanel to block the IPs and their ranges but it does nothing to stop the hits. They're not really hurting anything but these 'GET's are consuming bandwidth and showing up in my metrics as traffic. It's annoying.

Speaking as a professional computer somebody for the past decade, this is just the Internet. If you are going to put services on the public Internet, you will need to get used to the fact that this happens.

Technology & Information / Re: Who loves or hates their VPN?
« on: December 28, 2020, 02:44:32 AM »
Don't get me wrong - I don't actually disagree with you here. It's just that... Yeah, things that shouldn't happen happen all the time. I see no merit in just saying "but it shouldn't happen" - I'd rather mitigate the effect of it happening. It is extremely important to address these flaws in the general use case as they crop up, but the paranoid use case of "I'm doing something I shouldn't be doing" warrants a few more layers of hardening.

That's fair, I suppose. I guess where I differ is that I don't consider this protection to be worth the added complexity, but then I was also looking at it as a way of running a web browser, where elevating privileges to root is basically never needed.

You explicitly stated that you don't like pre-made solutions in the field of security. I know you, and thus I have a good idea of what you meant, but I am going to be relatively unique to see your meaning despite your choice of words.

Well, to be more specific for the benefit of others: I prefer general-purpose tools that can be easily configured and composed to work the way I want them to, rather than tools that come pre-configured the way someone else thinks they should work. I don't think of configuration to suit your needs as reinventing the wheel, and I would never in any situation advocate reinvention of wheels in security. (Reinvention of wheels in other fields is sometimes, though rarely, justified.)

I suppose the 5 users of OpenBSD might indeed be restricted there. I know for a fact that OP is not one of them, so I didn't concern myself with it when making my recommendation.

OpenBSD is but one example. I actually edited my last post while you were replying, so to expand upon that, the Whonix installation instructions for Linux provide options for Virtualbox and what they call "KVM" (which is actually libvirt managing KVM guests). My Linux systems with VMs do use KVM, but they do not use libvirt, in part because libvirt does not support using the isolation features of QEMU that I use to mitigate the risk of VM escape attacks. It is a tad ironic that a project based on security by isolation would force me to reduce the isolation of my system in order to install it.

Other situations in which this is limiting are that you cannot use it on non-x86 hardware, or on old x86 CPUs without virtualisation extensions, or on a VM without nested virtualisation support (which is its own can of worms). In case you think I am contriving scenarios that will not arise in practice, I have personally encountered users who wanted to run VMs for isolation but could not for all three of these reasons.

Granted, this likely does not apply to the OP, but it is one of my concerns about using multiple VMs for this. (If it were a single VM, it could — at least in principle — be installed onto bare hardware as a workaround.) Even if we accept that the approach improves security, it does so at the cost of portability, which reduces the number of users that can take advantage of the improved security.

Yeah - I am working with limited information, and I filled the gaps in what OP told us with my own experience with similar activities. I have some confidence in my guesses, but it obviously does not replace a well-defined spec. However, I also suspect that OP doesn't exactly know what he wants - hence my suggestion of looking at a tool and seeing if it feels right.

Agreed on that point, which is why I suggested OpenBSD as well, as an option that comes with a privacy- and security-enhanced Firefox installation by default (albeit without Tor). Hopefully one of these options will suit.

Technology & Information / Re: Who loves or hates their VPN?
« on: December 28, 2020, 02:05:12 AM »
You're massively overthinking this and consequently missing the point. By the time you need to ask yourself which software you "trust", you already have problems big enough that you should be wiping your entire computer and moving to Argentina.

The very existence of such a setup is contingent on not trusting some of your software, otherwise you could just trust the web browser (or whatever other tools you're running) not to leak information about your client.

This design decision can be, arguably only slightly, beneficial in case of user error.

For certain classes of user error, which I'm still not convinced are significantly more likely than the user revealing personal information directly over the "private" transport.

If you install malware on your computer, it doesn't matter how much you "trust" your kernel.

It does if you are running that malware as an unprivileged user, which should always be the case in this scenario.

This, by the way, is why we generally teach people not to reinvent the wheel when it comes to security. It usually ends very, very badly, because a single person, no matter how smart, is more likely to miss some holes than a team of dedicated people working on a solution for years.

Agreed. I can't tell if you're implying that I've suggested reinventing the wheel or not.

You're also making this assessment based on one short remark I've made about a single design decision, without having read anything else about the project. This is extremely unhelpful to this discussion, and you're potentially scaring people away from a tool which appears to be a near-perfect match to their needs.

Indeed — I don't know anything about the project and I had never heard of it until you mentioned in this thread. My reaction was based on the all-too-common approach of "put it in a VM, then it will be perfectly secure" from people with no understanding of what they are talking about, and that does make me initially sceptical of projects which rely heavily on virtualisation for isolation. I accept that it may not be warranted in this specific case — I simply don't have enough information to express anything more than wariness.

The approach has flaws (though I disagree that you identified one), but it's the least-worst option available for a relatively competent computer user who doesn't do professional-computer-somebody work for a living.

I would not go so far as to say I identified a flaw. I have concerns — and I would not personally use this project without more research to answer the questions that come to mind. But it also doesn't seem to run on my OS — actually, it doesn't have instructions to run on any system I use, since its Linux instructions assume that you use either Virtualbox or libvirt (while calling libvirt "KVM") — so there is no sense in me doing that research. This, by the way, is one of my concerns about using VMs for this, as it means they can only feasibly target a fairly narrow range of host system configurations.

Also, whether or not it is the best option depends on exactly what you want to isolate. I still think that restricting a web browser's access to OS resources is a better approach to improving privacy on the web specifically, but Whonix seems to aim for isolation of a complete OS. Depending on user needs, this may be overkill if they just need a privacy-enhanced Firefox, or it may indeed be a perfect fit.

Also, can we please just agree that, regardless of our disagreements, Thork shouldn't be further engaged in this thread?

That much is patently obvious.

Technology & Information / Re: Who loves or hates their VPN?
« on: December 27, 2020, 10:31:04 AM »
And memeing OpenBSD as the answer to every problem is hardly much help either.  ::)

Technology & Information / Re: Who loves or hates their VPN?
« on: December 27, 2020, 09:45:27 AM »
What a mess. The tl;dr

@Dr Nostrand ... spent $30 and do it right.

This does not address all of the concerns raised in this thread, but thanks for trying. It turns out that "just throw a VPN at it" is not a complete solution to privacy online.

Technology & Information / Re: Who loves or hates their VPN?
« on: December 27, 2020, 01:52:54 AM »
There is a lot of opportunity for me to fuck up permissions and own myself even without any inherent architectural issues.

If we aren't taking user caution for granted, there is also a lot of opportunity for you to send personal information over Tor or a VPN, which applies no matter what technical solution is used.

But still, don't you need IP addresses if you don't want people to see your face?

Well, this thread was asking about VPNs in general, and my initial reply was in response to that. It only became clear later that you meant using a VPN as your gateway. Also, I don't understand your question.

Also, to clarify my previous post: No work is needed to use pledge and unveil for privilege restriction, that happens for Firefox on OpenBSD by default. The work involved is to set up routing domains and pf to block non-Tor traffic, if that's a thing you want to do.

Technology & Information / Re: Who loves or hates their VPN?
« on: December 27, 2020, 12:59:21 AM »
I don't know about "good", but the reasoning is that if you manage to compromise the client/workstation, you still have very little information about its network setup. The gateway is not meant to be used interactively by the user, which mitigates some routes of compromise.

I'm very sceptical of such arguments because any network clients on the workstation VM should be running unprivileged, so escaping a network namespace sandbox would require a root privilege escalation vulnerability in the kernel. It's difficult to imagine a scenario in which consumer virtualisation software is trusted, but the Linux kernel is not. To me, just throwing more VMs at a problem seems like security by people who don't understand security, which is why I'm very wary of such off-the-shelf solutions.

An alternative to consider is OpenBSD, which I've been using as my daily driver for the past 5 years now. Without diving deeply into details (there are plenty on the website), OpenBSD has two complementary mechanisms to restrict process access — pledge(2) for system calls, and unveil(2) for filesystem paths. Firefox on OpenBSD makes use of these to severely restrict what things it can do, so even without network isolation, it should not be able to inquire about hardware details or network interface configuration, nor read any of your files other than those necessary for it to function. (It is, of course, possible to add or remove capabilities to/from the default set, if you need it to access some specific files or want to remove the ability to play sound, for example.) It is straightforward to couple this with rdomain(4) and pf(4) to block any network access from Firefox to the outside world, forcing it to proxy via Tor (or wherever else you may want it to go).

Of course, that approach involves a bit more work, and probably a lot of learning if you are not already familiar with Unix, but the great benefit is that you end up with a system you understand, rather than a product somebody else created with dubious design choices. The other bonus, if you run it on bare metal, is that instead of accessing all hardware via a virtual machine — which tends to make things like hardware-accelerated graphics difficult or impossible — Firefox has direct access to only the hardware it needs. But the extra work involved means it may or may not suit you, so consider carefully whether it's a trade-off you want to make.
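
An added example, not code from this post or from OpenBSD's Firefox port, showing the pledge(2)/unveil(2) pattern described here and in the clarification posted later the same day (December 27, 2020, 01:52:54 AM): expose only the paths a program needs, lock the unveil list, pledge the broad set of promises needed for setup, do the work, then pledge an even narrower set. The temporary directory, the sample file and its contents are constructed for the demonstration. The calls are real on OpenBSD; on other systems the no-op shims (an assumption so the file builds anywhere) enforce nothing.

```c
/* Two-stage pledge(2)/unveil(2) lockdown applied to a tiny file reader.
 * Added example, not from the forum post or from the Firefox port. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#ifndef __OpenBSD__
/* Assumption: shims so the example compiles on Linux/macOS. They restrict
 * nothing; kernel-enforced restriction exists only on OpenBSD. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;
    return 0;
}
static int unveil(const char *path, const char *permissions)
{
    (void)path; (void)permissions;
    return 0;
}
#endif

/* Constructed sample content written into the unveiled directory. */
static const char SAMPLE[] = "hello from the unveiled dir\n";

/* Stage 1: fix the filesystem view and the promises needed to read files.
 * After unveil(NULL, NULL) every path outside allowed_dir looks like ENOENT,
 * and no further unveil(2) calls are accepted. Returns 0 or -1 (errno set). */
int lockdown_stage1(const char *allowed_dir)
{
    if (unveil(allowed_dir, "r") == -1)   /* read-only view of one directory */
        return -1;
    if (unveil(NULL, NULL) == -1)         /* lock the unveil list */
        return -1;
    /* stdio: basic I/O and exit; rpath: open for reading.
     * No inet, no proc, no exec: violating these kills the process (SIGABRT). */
    if (pledge("stdio rpath", NULL) == -1)
        return -1;
    return 0;
}

/* Stage 2: the file work is done, so drop rpath as well. */
int lockdown_stage2(void)
{
    return pledge("stdio", NULL);
}

/* Read up to buflen-1 bytes of path into buf. Returns bytes read or -1. */
ssize_t read_small_file(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Full run: create the sample file before any restriction, lock down, read.
 * Returns the number of bytes read (28 for SAMPLE) or -1 on error.
 * The temporary directory is left behind on purpose: removing it would need
 * the cpath promise, which stage 1 deliberately does not grant. */
long demo_run(void)
{
    char dir[] = "/tmp/unveil-demo-XXXXXX";   /* constructed, not a real path */
    char path[64];
    char buf[128];

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/note.txt", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return -1;
    if (write(fd, SAMPLE, strlen(SAMPLE)) != (ssize_t)strlen(SAMPLE)) {
        close(fd);
        return -1;
    }
    close(fd);

    if (lockdown_stage1(dir) == -1)
        return -1;
    ssize_t n = read_small_file(path, buf, sizeof buf);
    if (lockdown_stage2() == -1)
        return -1;
    return (long)n;
}

int main(void)
{
    long n = demo_run();
    if (n < 0) {
        fprintf(stderr, "demo failed: %s\n", strerror(errno));
        return 1;
    }
    printf("read %ld bytes inside the unveiled directory\n", n);
    return 0;
}
```

On OpenBSD, adding a second read_small_file() call on a path outside the unveiled directory (say /etc/hosts) after stage 1 fails with ENOENT, and calling open() at all after stage 2 aborts the process; this is the same mechanism that keeps the port's Firefox away from hardware details and unrelated files. The promise strings are the part to adapt: a network client adds "inet" (or "unix" for a local Tor SOCKS socket) and nothing more.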

Technology & Information / Re: Who loves or hates their VPN?
« on: December 27, 2020, 12:17:25 AM »
In a nutshell, you run 2 VMs: one acting as a Linux box that routes all network traffic through the other - a gateway that routes all Internet traffic through Tor.

Is there a good reason to use two VMs instead of just using network namespaces to isolate the client and gateway on one Linux system?

Technology & Information / Re: Who loves or hates their VPN?
« on: December 19, 2020, 10:47:08 PM »
Of course, the traffic is from Russia.

Russians sending out dodgy requests to random web servers? Must be a Tuesday.

Technology & Information / Re: Who loves or hates their VPN?
« on: December 15, 2020, 10:18:54 PM »
This is something I've also wondered about. Even an amateur geolocator can tell you're on a VPN. There are all kinds of fingerprints from the originating computer and application layer in a deep packet analysis. Can a civilian VPN really hide all that shit?

Using a VPN as a proxy to the public Internet can't hide anything except network addresses — and even then, some application protocols may provide ways to elicit this information from the client. Whether a VPN will be sufficient for your requirements, or be able to form part of a solution that is, depends on what your requirements actually are.

Technology & Information / Re: Who loves or hates their VPN?
« on: December 15, 2020, 07:30:05 PM »
I've been playing with tinc. My main reason for using it is that it is the only VPN that will run on every OS I use, but it's also a lot easier to set up than OpenVPN. Also, it's a mesh VPN, which means that once you connect to any node in the network, it will automatically route traffic along the most efficient route it can.

Arts & Entertainment / Re: Cyberpunk 2077 E3
« on: December 10, 2020, 12:18:13 AM »

Arts & Entertainment / Re: Star Citizen
« on: December 06, 2020, 03:46:09 AM »

Nice stealing my find

<xasop> oh my dog
<xasop> This is my favourite image of all time
<Rushy> this image needs a "you wouldn't understand, you're not a game dev"
<Rushy> and a "your computer just isn't good enough"
<Rushy> but yes this image is amazing

Arts & Entertainment / Re: Star Citizen
« on: November 20, 2020, 05:54:56 PM »
Imagine spending $6000 on a computer game! Nay, some jpegs! Cyberpunk 2020 is going to cost $50. How did you imagine that this space game would be 120 times more enjoyable? Or that this one game would be worth 120 other AAA titles? Or that any computer game is worth $6000?

It's not only the game. Rushy also has a physical card saying he's been very scammed. Merchandise like that is invaluable.

Arts & Entertainment / Re: Star Citizen
« on: November 19, 2020, 02:45:12 PM »
It's almost that time again. What are you getting this year boys?

Arts & Entertainment / Re: Star Citizen
« on: October 28, 2020, 10:49:42 AM »
I'm pretty sure I was the first person to call him Rubberts.

The logs validate Crudblud's story. In fact, he coined it while I was sitting opposite him at a nice Dalwhinnie B&B on 10 October 2015:

<Crudblud> Cress Rubberts

Snupes and Blanko then both used it a few times before Rushy finally cottoned on nearly two full months later, making him the fourth person to adopt it.

Arts & Entertainment / Re: Star Citizen
« on: October 15, 2020, 06:15:48 PM »
And now I'm getting 30k crashes every 15 minutes. It was becoming fun.

Welcome to Scam Shitizen.

Suggestions & Concerns / Re: #justiceforRonJ
« on: September 18, 2020, 07:08:46 PM »
As has been stated numerous times in the past, bans are issued for patterns of behaviour, not isolated incidents. RonJ can either demonstrate good faith by improving his behaviour, or he can continue doing what he just did and keep getting banned for it. The choice is his.

Technology & Information / Re: New laptop
« on: September 16, 2020, 03:56:20 PM »
If trackpad quality is a big deal, nothing is even in the same realm of existence as the MacBook.

I keep seeing people say this, and having used both ThinkPads and MacBooks, I just don't see it. MacBook trackpads are absolutely awful to use. Maybe it's just about what you're used to.
