Posts: 4 | Comments: 242 | Joined: 8 mo. ago

  • Linux just isn't transparent about some things. Beginners mostly have problems when they use a GUI tool and then have to still edit a file. Like dirt example, adding a new drive using GUI disk utility and then sometime in the future disconnecting the drive and being forced into emergency mode.

  • I had a friend jump ship from Windows and they said that Debian felt barebones. I personally don't have any problem with it, I use it all the time for VMs, server, and I used to main it. I still think it is missing a lot of user-friendly small things that I never noticed on my own because I am very comfortable with Linux.

  • Mostly the same, and if not all it has taken for me to figure it out was searching "fedora $pkgname"

  • For work, you could also try Fedora Workstation or Linux Mint Debian Edition. Debian is pretty barebones, but if that isn't a bother then do whatever.

  • Not really needed on Android or in general. If all you want to know is whether your system is compromised, use Auditor by GOS.

  • Check out Maxima as a replacement for the EA app.

  • You can layer packages using rpm-ostree install $pkgname. It uses Fedora repos. You can also (preferably) use a distrobox or toolbox container with a non-atomic distro and then install the desired package. Generally better to avoid layering packages but it works fine in my experience.

  • See if RTranslator meets your needs for a gtranslate alternative.

    Also, Heliboard has swipe/glide typing and can use other STT/voice type apps. I recommend Heliboard + FUTO Voice Input.

  • Manjaro is notorious for being a shit distro with breakage and outdated packages from their repos. Instead check out CachyOS or EndeavourOS for easy Arch-based distros.

    To add to your list: openSUSE Tumbleweed, VanillaOS

  • I watched the video. Yes, if your sandbox config is weak then it will allow sandbox escapes. I agree the default should be a secure sandbox. Bubblewrap offers the opportunity to shoot yourself in the foot. Look into the other tools I mentioned if you want to see different implementations. Sydbox is the one I think is the most interesting.

  • The only way I know to harden Linux Mint is using the Debian edition. Using LMDE, you can (unofficially) use Kicksecure to harden the base system. This isn't a great solution since the Linux Mint software is untested with Kicksecure and may/will reduce the security of the overall hardening.

  • Hardening is not useless, but it doesn't fix the architectural issues with Linux and its outdated threat model. That article says the same thing. It isn't an all-or-nothing situation, hardening still improves Linux security. Projects exist like SELinux, Bubblewrap, Crablock, Sydbox, and Landlock. Efforts to harden GNU/Linux have been made, like Kicksecure (Debian) and Secureblue (Fedora Silverblue), which protect against many threat vectors, but not perfect obviously.

  • If all you want to do is run VMs, Qubes is not what you are looking for. Even virtual machine manager (and other abstractions over libvirt and KVM) need to be hardened to avoid compromising the host.

    Example: By default virt-manager uses a NAT bridge to allow for the guest VM to access the host and the LAN. A couple of weeks ago a vulnerability was found in CUPS print server, allowing a hacker to do RCE. If a guest VM was compromised (previously or because of the vulnerability), since the host also likely has CUPS the hacker could use the guest system to compromise the host. This is avoided on Qubes because the host has minimal software.

    Virt-manager offers nowhere near the same security as Qubes. Qubes has a security hardened host and strong desktop security model. Everything runs in VMs (aka qubes) including different parts of the system to further improve isolation. Sure, you could replace Qubes OS with an off the shelf Linux distro and run VMs, but that is nothing like Qubes, offers none of the convenience, and isn't hardened or debloated (reducing host attack surface).

    No Linux distro comes close. Qubes is designed for a specific job. I am not saying Qubes is the "best OS ever" when I say Linux distros don't come close, I specifically mean that no Linux distro is designed with as strong of a focus on desktop security model and isolation-based workflow.

  • /e/os is often behind on Android monthly security patches (sometimes up to a month or more!) and the apps they fork I have heard also often lag behind upstream. It also doesn't do much to deblob the ROM of proprietary binary blobs.

    Comparison table of Android ROMs: https://eylenburg.github.io/android_comparison.htm

  • IIRC, they block 3rd-party Android ROMs (e.g. GrapheneOS) using Google's SafetyNet service verification.

  • Using a VPN should defeat the attack by having a different data center cache the media file.

  • Firejail is a large SETUID binary which weakens security and can aid in privilege escalation. Use Bubblewrap (preinstalled on most Linux systems cus of Flatpak) which runs unprivileged. Bubblejail is a program that makes it easier to make sandbox profiles for apps.
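
Added example (not written by the commenter, and not part of Bubblewrap): the comments above note that Bubblewrap runs unprivileged but that a weak configuration still lets a sandbox leak. This sketch lints a bwrap argument list for a few such settings using only documented bwrap options. The function name, finding labels and both sample command lines are constructed for illustration, and it assumes the sandboxed command is separated from the options by `--`.

```sh
#!/bin/sh
# Lint a bwrap argument list (everything after "bwrap") for weak settings.
# Prints one finding per line; exit status is 0 only when nothing is found.
# Simplification: individual --unshare-* flags are not tracked, only
# --unshare-all, and option values are skipped rather than fully parsed.
audit_bwrap() (
    unshare_all=0; new_session=0; findings=""
    add() { findings="${findings}$1
"; }
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --unshare-all) unshare_all=1 ;;
            --new-session) new_session=1 ;;
            # Retains the host network namespace even after --unshare-all.
            --share-net)   add "share-net" ;;
            --bind|--dev-bind)
                # "--bind SRC DEST" mounts SRC read-write inside the sandbox.
                case "${2:-}" in
                    /|/home|"${HOME:-/nonexistent}") add "rw-bind:$2" ;;
                esac
                [ "$#" -ge 3 ] && shift 2 ;;
            --) break ;;   # the rest is the sandboxed command, not options
        esac
        shift
    done
    # No namespace isolation was requested at all.
    [ "$unshare_all" -eq 1 ] || add "no-unshare-all"
    # Without --new-session the sandbox keeps the caller's controlling terminal.
    [ "$new_session" -eq 1 ] || add "no-new-session"
    printf '%s' "$findings"
    [ -z "$findings" ]
)

# Constructed weak invocation: the whole host filesystem is writable, the host
# network is shared, and no namespaces or new session are requested.
audit_bwrap --bind / / --share-net -- bash || true

# Constructed stricter invocation: read-only /usr, private /proc, /dev and
# /tmp, all namespaces unshared, new terminal session. Prints nothing.
audit_bwrap --unshare-all --new-session --ro-bind /usr /usr \
    --symlink usr/bin /bin --proc /proc --dev /dev --tmpfs /tmp -- /bin/sh
```

A clean result only means none of these specific settings were found; it does not show that a profile is safe for a given application.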