
  • The instant any such report were to be made public anybody who cares about privacy would switch to another DNS.

    I'm not saying it's not possible, or won't happen, but rather the barrier to switch is so low I have a hard time believing anybody would accept that "compromise".

  • Maybe I'm missing something but the EU isn't mandating ISPs to use this DNS.

    Here it's up to anybody, if they want to, to use this DNS instead of their ISP's, or NextDNS, or corporate American alternatives e.g. Google Public DNS or Cloudflare's. I don't think any average citizen, in the EU or elsewhere, is directly hitting ICANN's servers.

  • Interesting, I'd be curious to know if they have quality of service reports or benchmarks against existing alternatives.

    It's tempting but if performance, e.g. latency or reliability, sucks then despite the effort I wouldn't use it.

  • "dns0.eu is a French non‑profit organization founded in 2022 by Romain Cointepas and Olivier Poitrey — co-founders of NextDNS."

    whereas

    "Supported by the European Union Agency for Cybersecurity (ENISA), the European Union's DNS4EU secure-infrastructure project"

    so AFAICT the 1st is by (EU) citizens with the technical expertise and selling a related product whereas the 2nd is by the public EU administration.

  • If you are not already aware of it you might be interested in SplinterCon.

    That being said this service seems like an option, an alternative to existing solutions, so in that sense I don't believe they are splintering more.

  • FWIW "Unfiltered option is a valid option for users who are confident their devices and connection are secure, and are looking for fast, reliable, and anonymised resolution service."

  • Someone who doesn’t need much experience can access the hard drive / SSD and replace the bootloader.

    ...

    I probably sound paranoid af right?

    Well, all your points are fair but IMHO the intersection does not exist.

    Namely, yes, some people living with you might want to access your files somehow... but able to change the bootloader? Even knowing what a bootloader is? I don't know if your friends or parents are ICT professionals but otherwise, I would bet that's not plausible.

    Consequently I do recommend you protect yourself, yes, but IMHO the threats are much MUCH lower than that. Namely... maybe checking the last open files or even "just" your browser history is what a typical person might consider, not changing a bootloader.

    So... I would personally start with that, e.g. encrypted disk yes, with strong password or even physical token login, e.g. NitroKey or YubiKey. They should never have access to your unlocked computer but once it's locked, in theory there should be no practical way to access files. I insist on the practical word because... I wouldn't imagine parents or flatmates to have access to a cluster of machines to crack encryption.

  • Debian stable.

    I don't understand the "fetish" (for lack of a better word) with updates. Apologies for being provocative.

    The only updates one truly needs are:

    • hardware support ... but then the process is flipped, namely buy hardware that IS already supported
    • security updates for actually important problems e.g. Heartbleed, not theoretically fancy things like BluePilling out of containers

    ... that's it!

    Everything else might "feel" nice but that's not up to the distribution. If you want the very latest Blender because you are a 3D artist who needs a very specific feature, get the latest Blender! Get it straight from them, NOT from your distribution. If you really REALLY want the bleeding edge, get it right from the code repository, get the binaries for your architecture, heck even build it yourself; it's actually rarely that difficult. Maybe the first time you will need some dependencies but the 2nd time it will be way WAY easier.

    Anyway... you get the idea, IMHO your system should be 99.99% boring, only necessary changes. For the few things you genuinely, actively, mindfully NEED (even if it's just due to curiosity) go wild, get the latest!

  • the average script-kiddie can’t just download some tampered bootloader online and easily replace the bootloader.

    Can you provide me with an example of that threat, and which setups are affected by it?

  • Check Nitrokey Storage 2 but note that 16GB will cost you 100EUR and 64GB 200EUR which makes for an expensive USB stick. That means it is ONLY for things you want encrypted. It's not for your stuff you could download back from the Internet (obviously) but also not for your holiday pictures. It's for the very few things, like your SSH keys to access other machines, that truly matter. In such cases then IMHO it's actually a lot of space.

    That being said it's:

    Details https://shop.nitrokey.com/shop/nitrokey-storage-2-56#attr=2

  • If it’s not Linux from Scratch, then we don’t know exactly what is running, and we need to consider that.

    What about Precursor? It's "just" RISC-V System-on-Chip (SoC) yet that's the entire premise, trying to know all the way to the processing unit instructions.

  • Maybe I misunderstood but the vulnerability was unknown to them but the class of vulnerability, let's say "bugs like that", is well known and published by the security community, isn't it?

    My point being that if it's previously unknown and reproducible (not just "luck") then it's major; if it's well known in other projects, even though unknown to this specific user, then it's unsurprising.

    Edit: I'm not a security researcher but I believe there are already a lot of tools doing static and dynamic analysis. IMHO it'd be helpful to know how those perform already versus the LLMs used here, namely across which dimensions (reliability, speed, coverage e.g. exotic programming languages, accuracy of reporting e.g. hallucinations, computation complexity and thus energy costs, openness, etc) each solution is better or worse than the other. I'm always wary of "ex nihilo" demonstrations. Apologies if there is a benchmark against existing tools and I missed it.

  • Looks like another of those "Asked AI to find X. AI does find X as requested. Claims that the AI autonomously found X."

    I mean... the program literally does what has been asked and its dataset includes examples related to the request.

    Shocked Pikachu face? Really?

  • I wouldn't say blindly, rather my heuristic is, the more long-term and popular a project is, the less I'll bother.

    If I do though get a random script from a random repository, rather than from say Debian's official package manager from main or contrib sources, then I will check.

    If it's another repository, say Firefox from Mozilla or Blender then I won't check but I'll make sure it genuinely comes from there, maybe not a mirror or that the mirror does have a checksum that gets validated.

    So... investment in verifying trust is roughly proportional to how little I expect others to check.

  • I warmly recommend anybody who hasn't used GNU Taler yet to do so right now, for free, in minutes:

    GNU Taler provides a well done demonstration https://demo.taler.net/ that one can try right here in the browser, going from a virtual bank to their wallet and buying items in "KUDOS". It does address quite a few points raised in different discussions here.