Mike @ mikey @sh.itjust.works

Posts

0

Comments

24

Joined

2 yr. ago

Strange that google is the only option for the only "secure" operating system.

The have their reasons: https://grapheneos.org/faq#future-devices

Hey, do you know what is Ring Level minus One ?

I know you're only trolling here and I'm feeding into it, but you nerd sniped me just right to explain why your question is stupid on multiple fronts.

First of all, "Ring -1" is the hypervisor, at least on virtualization-capable devices (which modern Pixels are), and the hypervisor will be Linux's KVM in this case, which is open source and compiled by the Graphene team as part of the kernel from source.

Secondly, Arm (which is the architecture basically all phone chips use, including Pixels) has a slightly different model of security, where apps are Exception Level 0, the OS is EL1, the hypervisor is EL2, and the "secure monitor" (or management firmware) is EL3 (and is probably what you were trying to refer to).

So yeah, I don't think you know what "Ring -1" is. At least not enough to warrant a snarky comment.

On Pixel 8 and above, you can plug in external displays, but it will only mirror your phone screen. Supposedly, Android 16 will allow you to "extend" the screen, ie. treat it as a separate screen. Also, the GUI stuff for the Linux Terminal will only drop in Android 16, so yeah, I'm stoked for that release.

Are you sure you're talking about the Linux Terminal app that's available in developer options and not Termux? For me, all Gnome things and Xfce things are present in the repos (and it's using the deb.debian.org default Debian repos, so it makes sense)

I mean... This is kinda close. The "Linux Terminal" app is running a full Debian install in a KVM VM. On the newest version of the app (like on Android beta or on GrapheneOS), you even have a full GUI that you can use.

In theory, we should be able to boot any mainline Linux distro in a VM, if someone writes an app for it, as AVF (Android Virtualization Framework) is just a wrapper around Linux KVM with some restrictions. (for now the built-in app only supports Debian)

in the latest preview build

i assume you didn't install today's beta release a month ago 😉

EDIT: nevermind, i re-read your comment... it's mandatory in some regions, I know for sure it's mandatory in the US and in Hungary (EU).

One other thing is that if you created the installer with Rufus, that adds some magic optionally that can bypass it. I wonder if that still works with this beta.

still water

Oh wow, cool story about Yasuke. Is that where Yakuake got its name from?

Most people dont use dark mode on Linux because most apps look horrible in Linux under dark mode

Among my friends, dark mode users hugely outnumber light mode users, I really don't have any apps that struggle to support it. LibreOffice used to be really bad, but I don't really edit documents anymore, so I don't use it often, but when I do, I don't see issues (although the document background is white, because paper, so the contrast is a bit weird). I'm curious about which apps didn't work for you.

Unfortunately, this is probably because of the apps started using the Play Integrity API, which is a hardware-based attestation and can only be faked in two ways that GrapheneOS isn't interested in:

• you can fake an older device that didn't support hardware attestation yet, or had a broken implementation
• or you can try getting leaked vendor keys and emulate the crypto with those until they get revoked

It's only backwards because you're looking at it from the outside from the front. When it's in you, the left is on your left.

Have you heard of social engineering and phishing? I consider those to be analogous to uploading new rules for ChatGPT, but since humans are still smarter, phishing and social engineering seems more advanced.

Whew, there's a lot to unpack here.

First, microkernels being the future: This is a sentence that was said time and time again, but while microkernels definitely have some advantages in separating components which could yield better security, in practice it also introduces other security concerns, not present with monolithic kernels, mostly with the communication between the kernel services.

Second, about the no secure Linux distros thing: As many others have mentioned, there are security-conscious Linux distros, mostly the "immutable" distros. You can use Fedore Silverblue (or even better, SecureBlue) as a daily driver, with Flatpak for your apps. That way, your main OS is read-only, thus harder to infect and all system updates are signed and verified. Using Flatpak helps enforce permissions on apps in a manner similar to Android permission (you can deny an app the right to see your files, for example).

Third, I don't really understand what you mean by "Linux's security holes". Of course it's not bug free, but no kernel of this magnitude is. Also, GrapheneOS uses Linux as well, albeit with a hardening patchset, but you can also get that with desktop Linux distros. If you think Linux (being a monolithic kernel) is automatically less secure than microkernel and hybrid kernel based systems, take a look at Windows and macOS, which both use non-monolithic kernels, but most security experts will tell you that you're better off using Linux.

Fourth, about all the niche, mostly hobby OSes you listed: A big part of security is about having more eyes on the source code. Even if you write a kernel in a "safe" programming language, there will be bugs. Something as advanced as a kernel that's ready for daily desktop use and provides advanced isolation between processes is going to be so complex that you won't be able to see what bugs arised from the different parts interacting with each other. Safe programming languages make it easier to write safe code, but don't stop you from messing up the logic that defines what apps have which permissions. Your best bet is to stick to software that has had time to mature and had more people and companies look through it. Linux is regularly audited by all tech giants, because all clouds use Linux to some extent. If it's secure enough to isolate the workloads in Google Cloud, and Amazon's AWS, it's going to be secure enough for your desktop, provided you use it well (make use of it's security features and don't shoot yourself in the foot by disabling mitigations and the like). This is partly why I think the idea that OpenBSD is more secure than Linux is somewhat outdated. Yes, they advertise it as such, but it has seen much-much less auditing than Linux did in the cloud era.

Of course, there's nothing wrong with playing around with alternatives operating systems, just don't think you'll be more secure just because something is written in Rust, or is a microkernel. Those can help, but there's much more to security than the guardrails a programming language or software architecture can provide, especially with something as complex as a modern kernel.

For me, as an SRE:

• Mullvad VPN
• Google Drive (until I set up my NAS)
• YouTube Premium
• ChatGPT (but I am thinking of trying out Claude 3 instead)

Other, non-tech subscriptions:

• Public transport
• Public bike sharing
• Food delivery

Things I might pay for if my employer didn't:

• IntelliJ Ultimate
• GitHub Copilot

Random IT-adjacent services I occasionally donate to:

• Codeberg
• Wikipedia

That depends on your Mac. The older the Mac, the older the version. On most M1 Macs, you can go back even to Big Sur, on M2 it's usually Monterey and so on. It might be different with the Pro/Max/Ultra variants though.

Good luck, Dude! I'm sooo looking forward to seeing what I previously upvoted.

This change only brings speed & stability, which is essential, but hard to see for us, end users. The bigger one is going to happen on Thursday, where Lemmy itself is going to be updated. After Thursday's update, any users will be able to block entire instances and see our upvotes, along with many other Lemmy updates.

In Hungarian it says "segglyuk", but that means "asshole". It should be "segg" to match "ass".

Well, the routes might manifest somewhere as files, but I don't expect anyone to be able to viably parse them without commands like ip or ifconfig (or know where the files even are).

Some devices (like disks for example) are very straightforward to use as files, while some other special files (like USB devices) are so weird/ugly to use that everyone uses tools/libraries to access them (like libusb).

This is very off-topic, but there's a great talk by Benno Rice that talks about this (among many others): https://youtu.be/9-IWMbJXoLM

They aren't asking about changes to a file describing the routing config, rather the actual in-use routing config. Unless the routing rules are modified through a couple of files (which I doubt), this doesn't answer the question.

Cool commands though.

I don't know anything about how Firefox is packaged for snap, but snap's "sandboxing" might interfere with getting all fonts.

You might want to try using Firefox without snap (which has some other benefits, especially around startup time) or adding ~/.local/share/fonts (which is where fonts are supposed to be installed for users) to some sort of allowlist.

Also, USB4 can optionally support PCIe tunneling, which is a fancy way of saying it supports plugging more advanced types of hardware in (like GPUs, high-speed network cards or NVMe SSDs) at speeds of up to 40Gbps.

And there is USB4 v2 (not kidding, that's the name) which extends USB4 to up to 80Gbps, but there are no devices that support that yet.