N.E.P.T.R

N.E.P.T.R@lemmy.blahaj.zone · 1 day ago

Thanks for the info! Didn’t realize it was dash.

N.E.P.T.R@lemmy.blahaj.zone · 1 day ago

Rust (Golang or any mem-safe lang) is/are useful for designing secure applications, but not the reason Syd is so great. It is impressive because it is unprivileged, simple yet very granular, has tons of exploit mitigations and hardening options, defaults to hardened_malloc (on arm64 and x64), it’s multilayered sandbox (using landlock, seccomp, namespaces, and more), but of course being written in a memory safe language is an important plus (as memory corruption vulnerabilities are a very large class of common vuln). It abstracts the complexity of working with low-level sandboxing API (such as landlock) while allowing you still construct complicated sandboxes). The dev is also very open to add new ideas.

N.E.P.T.R@lemmy.blahaj.zone · edit-2 3 days ago

I thought about it (and I might still) but the project is still in beta and implementing sysctl and MAC would slow everything down development-wise. Switching to Fish would be easy and cool though.

N.E.P.T.R@lemmy.blahaj.zone · 4 days ago

I am excited to see Chimera Linux mature because iy seems like a distro which prioritizes a simple but modern software stack.

Features of Chimera that I like include:

Not run by fascists
Not SystemD (dinit)
Not GNU coreutils (BSD utils)
Not glibc (musl)
Not jemalloc (mimalloc)
Proper build system, not just Bash scripts in a trenchcoat

What I would like:

MAC (SELinux)
Switch to Fish over Bash (because it is a much lighter codebase)
Switch from mimalloc to hardened_malloc (or mimalloc built with secure flag). Sadly hardened_malloc is only x64 or aarch64
Hardened sysctl kernel policy

N.E.P.T.R@lemmy.blahaj.zone · 4 days ago

What I want out of a secure Linux (or BSD) system is full (top-to-bottom) sandboxing of all components to enforce least privilege. I am want to learn how to make my own distro (most likely for personal use) which uses strong SELinux policies, in conjunction with syd-3 sandboxing, which seems like the most robust and feature rich, unprivileged sandbox in both the Linux/BSD worlds (also it’s totally in safe Rust from what i can tell).

Another thing that I would love to make is a drop-in replacement for Flatpak that is backwards compatible but uses syd-3 instead. It has much better exploit protections than Bubblewrap, and is actually an OOTB secure sandbox. I dont know much about the internals of Flatpak, or how to use xdg-desktop-portal, but I am going to start more simple with a Bubblejail alternative. One major advantage of syd is that you can modify an already running sandbox, so theoretical you could show a popup that says something like “App1 is requesting microphone access.”, where you could toggle on without needing to restart the app.

Need to get better at coding tho lol

N.E.P.T.R@lemmy.blahaj.zone · edit-2 5 days ago

Kagi requires an account, therefore associating all your searches to your account. With DuckDuckGo HTML, you can restrict it so it can’t access JavaScript (which it doesn’t do anyways), therefore reducing the risk of fingerprinting or other tracking.

N.E.P.T.R@lemmy.blahaj.zone · 8 days ago

Combine this with Librera Reader and you can listen to eBooks easily.

N.E.P.T.R@lemmy.blahaj.zone · 13 days ago

Poopy

N.E.P.T.R@lemmy.blahaj.zone · 13 days ago

Poppy

N.E.P.T.R@lemmy.blahaj.zone · 15 days ago

Yeah np. Good luck.

N.E.P.T.R@lemmy.blahaj.zone · 15 days ago

You can use both through the browser, which is the safest way of doing things because the browser sandboxes the web apps, isolating them from your system. If you prefer an app for Messenger, look on Flathub, though I advise against it. The two apps I found for Messenger are Franz and Ferdium (a fork of Franz with more features).

To mitigate the privacy risks:

Firefox with uBlock Origin (or Librewolf)
Avoid sharing anything sensitive.

Nothing much you can do sadly.

N.E.P.T.R@lemmy.blahaj.zone · 16 days ago

Good Dinosaur reference?

N.E.P.T.R@lemmy.blahaj.zone · 17 days ago

Thanks

N.E.P.T.R@lemmy.blahaj.zone · 17 days ago

I couldnt upload as an image :(

N.E.P.T.R@lemmy.blahaj.zone · 17 days ago

https://static.wikia.nocookie.net/deeprockgalactic_gamepedia_en/images/c/c1/BF_Breather.png/revision/latest?cb=20190312184131

N.E.P.T.R@lemmy.blahaj.zone · 18 days ago

Everything evolves over time. Ginko just hasn’t changed visibly in structure.

N.E.P.T.R@lemmy.blahaj.zone · edit-2 19 days ago

While I do find GOS drama a bit annoying, they aren’t wrong about the lacking security of many AOSP forks. iode and /e/OS have a history late patches for security vulnerabilities in both the OS (https://web.archive.org/web/20241231003546/https://divestos.org/pages/patch_history) and for the forked apps they bundle with it. Each Android monthly and Chromium patches usually contains dozens High Risk CVEs, so taking a month or 2 is unacceptable. Neither are good for privacy or security.

See a comparison between some Android ROMs here, especially noting the update speed section: https://eylenburg.github.io/android_comparison.htm

N.E.P.T.R@lemmy.blahaj.zone · 21 days ago

Yes, which is why i very much like what GrapheneOS does with Storage and Contacts Scopes.

N.E.P.T.R@lemmy.blahaj.zone · 21 days ago

One word: Kudzu

N.E.P.T.R@lemmy.blahaj.zone · 22 days ago

Understandable. Though the security difference between Flatpak and Xen VMs, or even between Flatpak and Snap, is pretty big. Flatpak is mostly sandboxed to provide a consistent run environment to apps across distros, and id say 50% or more of the Flathub apps seem to have weak default sandbox security settings. Snap does a better job security-wise of reducing sandbox escape potential, but is still a far cry away from the containerization of Qubes.