Protecting against rogue devices in openSUSE with Full Disk Encryption openSUSE have now multiple ways to configure a Full Disk Encryption (FDE) installation...
Is it possible to configure the kernel to allow access to decrypted contend only through the user session?
Theoretically, kernel keys can be set to be readable only by the user session, and in an uncompromised root is not able to read those keys. I can imagine a filesystem encryption design that uses a user session key to en/decrypt data on the fly using a user session key, such that not even root or a process in another user session could read the mounted filesystem.
Does such a system exist? As I understand, this is not the way dm-crypt or LUKS work. FDE and TPM are still vulnerable to hacking while everything is running, unlocked, and mounted.
Ok, I went and read some more about it, and you can manage keys with the kernel user session keyring. So it's possible.
It brought me back around to why systemd is so shitty.
Session Keyring (Rejected)
This strategy involves placing all keys for fscrypt in KEY_SPEC_SESSION_KEYRING. Using the current session keyring means that fscrypt will not need elevated privileges to place keys in this keyring, eliminating the need for a setuid binary. It also means that if something like pam_keyinit is used, the keys will be inherited across things like sudo.
However, this strategy has a few significant downsides that led to it not being used. The first issue is that keys unlocked in one session for a user are (sometimes) not accessible to the user in other sessions. This can create confusion for users unable to access certain directories. However, the bigger problem is that systemd is incompatible with use of the system keyring. The systemd maintainers are of the reasonable position that the session keyring just shouldn’t be used.
Emphasis mine. Because the user session keyring is incompatible with systemd, the Poetterites say it shouldn't be used.
The only way to handle keys securely Ok base Linux shouldn't be used because it's incompatible with systemd. What a way to see the world: so convinced in the superiority of your monolithic monster system that you argue against an immediately available way of improving security.
It's incompatible, by the way, because systemd doesn't run user jobs in the user's session, but in parallel sessions. This means that, if you use systemd, you can't use the most secure way of handling secrets with fscrypt, the kernel user session keyring.
fscrypt – Design Document (PUBLIC) November 2nd, 2016 Status: Released Author: Joe Richey (joerichey@google.com) Contributors: Ted Ts'o (tytso@google.com), Eric Biggers (ebiggers@google.com), Michael Halcrow (mhalcrow@google.
TPM unlocking FDE is complicated for me. I fully understand measured boot and support it, but it seems less secure to me than manually unlocking the disk.
Once the disk is unlocked and you’re put onto the display manager, I feel like there are many more vulnerabilities that could be exploited to gain access to your data.
With manually entering the disk password, the data is locked. You either need to brute force it or use the XKCD wrench method.
So I feel TPM+Pin is the best for security. Unfortunately Aeon, which is based on OpenSUSE and implements TPM, doesn’t support TPM+Pin. I think it’s mainly due to how poor and widespread TPM support is. It could lock you out entirely.
As I understand it the TPM is for people who have physical access. It prevents them from cloning your disk.
I think with an adequately long password (or an adequately resource-intensive encryption algorithm) you can secure your disk enough to prevent unauthorized access. But the TPM would prevent them from removing your hard-drive and shunting it into a super-computer (so all password attempts wouldn't need to be on the crummy 10-year old laptop CPU) so a TPM + password is more secure.
I've read the arguments and trust the people who know far more than I do about this, but... I just find it difficult to think of "unlocks automatically" as more safe than "is locked until I enter my password". I'm open for it, but it just feels strange to me.
What makes TPM+pin safer than just having a normal LUKS password? I would think it would be the same amount of security just with more chance of data loss if your computer gets damaged
TPM is used for measured boot. Measured boot can check various parts of the system to ensure they are the expected values haven’t been tampered with. You don’t want a part of the system to be replaced with malware and not realize it.
If it detects something changed, it won’t release its secret. It may signal to you that something malicious was done or something benign that the OS updated didn’t account for.
Tech giant Meta has apologized and said it has fixed an auto-translation issue that led one of its social media platforms to mistakenly announce the death of Indian politician Siddaramaiah.
Verified footage shows large explosions unleashing plumes of dust and debris, as Israeli forces carry out controlled demolitions on tower blocks, schools and other infrastructure.
Multiple legal experts told BBC Verify that Israel may have committed war crimes under the Geneva Convention, which largely prohibits the destruction of infrastructure by an occupying power.
An Israel Defense Forces (IDF) spokesperson said it operated in accordance with international law; that Hamas concealed "military assets" in civilian areas, and that the "destruction of property is only performed when an imperative military necessity is demanded".
Investigation by BBC Verify using satellite images and verified footage to show the extent of destruction in Gaza, where the Israeli military have carried out demolitions to raze entire towns and suburbs
In criminal law, mens rea (/ˈmɛnz ˈreɪə/; Law Latin for "guilty mind"[1]) is the mental stateof a defendant who is accused of committing a crime. In common law jurisdictions, most crimes require proof both of mens rea and actus reus ("guilty act") before the defendant can be found guilty.
All caught up? Good. Because a) OP is an asshat for not contextualizing this thing they felt we should all hear them say in public / b) I also have no idea what they mean by it either
Yes, you can still use PHP to create your website. But you can also build an enterprise-grade web app with Laravel or Symfony. While some still see PHP through WordPress, it has one of the most mature web frameworks.
I wonder if there were bad hidden things in the bill again? (I know most of the US congress is bought by AIPAC)
Like in the US, a bill often gets to congress that is named something like "the children are the future protections act" that provides free meals and better education for kids or something universally good, and then clause 7.1.2.5 says "all people of color are stripped of all rights and Lockheed Martin gets an extra 200 billion per year and a on-demand hit squad provided by the CIA and is immune to prosecution, and the police have the right to spy on every citizen and steal their wallets without a warrant."
Because the majority of members of US congress have admitted to not actually reading the bills.
This was not a vote on the whole bill. It was a vote to change a part of the bill and strip out funding for some free weapons to Israel. It was voted on seperately.
It could also just be that it's MTG's bill and she's introducing it because she's explicitly antisemitic. It's like if a well-known white supremacist introduced articles of impeachment for Clarence Thomas because they can't stand having a black man on the court. Maybe if this is the one shot that can get it done you bite the bullet and do it because the result is worthwhile even if you're going to get asked why you teamed up with the white supremacist, but for a doomed bill that's only going to be a statement of principles, the benefit is limited and the person who introduced it is part of the statement.
MTG's problematic aspect isn't her being a Republican. It's not even that she's a particularly bad person (she is). The perceived motivation for this messaging bill is antisemitism. This is Jewish space lasers lady.
I suppose you could pretend that context and pretext simply don't exist. Poll taxes were just about raising money and English only laws are about government standardization.
I'm also not of the opinion that the people voting for it made a heinous choice either. They were just willing to take questions about MTG's antisemitism in exchange for a minor messaging vote. Nothing anyone did here is important. AOC has put out statements much more critical of Israel than being vote 7 on a muddled messaging bill.
AOC is voting to send weapons to a genocide here. You deem that optically worse than voting for an amendement against it because the person who filed the amendement is antisemitic?
She's already getting called out by a human rights lawyer for complicity in genocide. Way to go. https://x.com/CraigMokhiber/status/1946593970148249744
Ahh now that it fits the division you seek you're all about human rights lawyers but once they talk about subjects hexbear doesn't like it's all color revolution and slander?
I disagree but again that's politics. I think it's easy to throw shit from the audience but when it comes to navigating these things it's far more than just ideals and instead of progress we drag any sense of it through the mud because it's imperfect.
Y'all had a different tune to play when Ukraine was unfolding
I’m pretty sure a large contingent of her constituency is New York Jews, many of whom are probably Orthodox… It’s not a stretch to believe that many of those voters are also Zionists
This looks like a bad-faith AOC attack piece. I'm sure she's not perfect. I'm also sure that she's a better, more ethical politician than most in the USA (which isn't saying much, you guys have awful politicians).
One might wonder why you choose to post this, instead of focusing on the way, way, way worse things also going on over there.
I don't have all the info she does. I do abhor the war on Gaza and am against violence, especially the genocidal kind we see here. I also don't think there's an easy solution to the problem, nor that MTG's proposal would have done anything good.
Let's just say we're mostly on the same side of this matter, nitpicking over details.
People who say you should criticize AOC less because there are way worse members of congress act like she’s just passively sitting there being a mediocre lawmaker. She’s not. She’s actively anchoring the leftmost edge of the Overton window of US politics to militarism, capitalism, colonialism, and genocide. She’s actively stopping American politics from moving any further left than the nightmare we see before us.
Leftists shouldn’t hate AOC less than the politicians to her right, they should hate her much more. It isn’t Mike Johnson’s responsibility to move the US government to the left, and it’s not Nancy Pelosi’s job. It’s hers. That’s what she was elected to do. That’s what she framed the goals of her entire political career as being. And she’s taking her stand firmly bracing against any leftward movement from America’s genocidal, warmongering, unjust, exploitative, tyrannical status quo.
I mean, yeah, I don't disagree, but surely its more important for this specific article to note that there are only 6 representatives in the house who care about reducing the money going to Israel?
This is intentionally misleading, and it's framed in such a way as to make AOC look bad regardless of how she voted.
The bill removed "offensive" weapons, but left in "defensive" weapons. The distinction is meaningless; defensive weapon systems allow Israel to continue to prosecute it's genocide without other countries (notably Iran) being able to act against them, so it still enables genocide.
If she votes against the bill: AOC opposes cutting military aid to Israel!
If she votes for the bill: AOC voted to keep sending weapons to Israel!
The propaganda spin from tankies will make it seem like she's in favor of genocide regardless of what she did in this instance; she certainly didn't have to power to introduce and amendment that would have stripped ALL Israel funding from the bill, so no matter what she does, it's going to be 'wrong' to tankies.
$10 says that saying this gets me muted and/or banned from .ml.
Can you tell me which sentence in that statement clearly says, "I support sending weapons to Israel"? Or are you making a lot of inferences based on you a priori beliefs?
...And so it's not enough that she voted against the appropriations bill that would have entirely funded the Israel war machine, she also needed to vote for the amendment to the bill that would have cut 'offensive weapons' in a bill that she was going to vote against...? source for the bill, source for vote record
Whilst we should be fighting Zionism, let's not celebrate MTG, as she did this likely because of geniune antisemitism as opposed to a concern for Palestinians. Remember the Jewish Space Laser thing.
Social media is full of these half baked justifications like the ones you've responding to here makes it clear that aoc actions are just as uncritically accepted as any of her fellow Democrats as they continue supporting the genocide.
Can you show me where I implied that the bill contained JSL? Where I justified the bill being voted against? I just said "hey MTG doesn't have good interests at heart and if this bill is good it might be broken clock moment" but sure, go off
TEHRAN, Jul. 18 (MNA) – Ex-Pentagon adviser Douglas Macgregor added that President Donald Trump should be briefed on how low the US missile stockpile "really is."
Col. Douglas Macgregor USA (Ret.) is a decorated combat veteran with a PhD in international relations from the University of Virginia. He is the author of five books and is the executive vice president of Burke-Macgregor Group LLC, a defense and foreign policy consulting firm in Northern Virginia.
Yep, PHP is turning 30 this year! Wondering if "PHP is still relevant?" Ever since we have been hearing that PHP is dead. It was “dead” 10 years ago, 5 years ago, and “is dead” today. But somehow - it isn’t. Anyway... happy birthday!
Yep, PHP is turning 30 this year!
Wondering if "PHP is still relevant?"
Ever since we have been hearing that PHP is dead.
It was “dead” 10 years ago, 5 years ago, and “is dead” today.
But somehow - it isn’t.
Anyway... happy birthday!
In PHPs defense, it keeps evolving in positive, meaningful ways. If you are up to date with it, it’s quite sophisticated and enjoyable. Doubly so if you use a framework like Laravel.
Most memes or jokes referencing a direct problem in PHP, are old or made by people who haven't touched the language in a decade(version 7 was in 2015, and it removed/fixed a lot of issues and added needed features).
There's also the huge looming thing that a lot of programmers forget: Websites like Wikipedia run on PHP, not to mention the amount of WordPress and similar websites are out there. Which means it will keep going strong. And for a while Facebook also used quite a lot of it, to the point where they made a rudimentary compiler instead of rewriting parts in more efficient languanges.
Let's be honest though. The early PHP versions were absolute dog shit. And the definition of how not to design a programming language. That said, that never stopped anyone in web development from using it apparently. No clue what modern PHP looks like, apparently it's better now.
The publicly accessible bucket contained data from the iOS app FlirtAI - Get Rizz & Dates. It mainly included private chats that users wanted the AI wingman to help them reply to.
EU officials have decided to cancel permission for the Czech Republic to import oil from Russia via the Druzhba pipeline. ‘The Council decided to cancel the import authorisation,’ the EU said in a related document.
So they need all EU states to sanction Israel but they can non-concensually sanction a country which does not want to participate in a sanction against Russia.
A document format is a tool for sharing knowledge and, as such, should be as simple and accessible as possible in relation to the complexity of the document content itself.
La settimana scorsa (che sento come fosse l’altro giorno, e infatti stavo per dire così… ops?), quando cercavo di mettere in fretta Pignio online, e quindi non c’era il tempo di creare un’icona vera (anche se comunque poi sarebbe servita), cercavo almeno l’emoji della pigna, da usare come finta favicon, come faccio sempre… e ho […]
pignaggio grafico non ufficialmente concesso (non esiste emoji della pigna…)
La settimana scorsa (che sento come fosse l’altro giorno, e infatti stavo per dire così… ops?), quando cercavo di mettere in fretta Pignio online, e quindi non c’era il tempo di creare un’icona vera (anche se comunque poi sarebbe servita), cercavo almeno l’emoji della pigna, da usare come finta favicon, come faccio sempre… e ho scoperto che non esiste. Eppure giurerei su qualsiasi cosa che io me la ricordo benissimo, e negli stili di diversi vendor per giunta… ma no, è un’allucinazione della mia memoria, a quanto pare. 😱😨
Se non fosse una battuta scontata, direi che ci sono rimasta completamente di pigna… ma qui non c’è nulla da scherzare in realtà; questa cosa è una fottuta tragedia!!! E, come sempre, non so se gioire di non essere sola a soffrire, oppure se concludere che la situazione è ancora più grave di quanto mi aspettassi, ma sembra proprio che io non sia la sola a fare i conti con questa triste realtà. Magari farò un danno anche alla vostra integrità spirituale con questo post, chissà. 💔
There is no pine cone emoji: old.reddit.com/r/Mandela_Effec… (e maledizione, nemmeno io, essere semi-supremo, sono immune all’effetto Mandela…)
Why is there no pinecone emoji what the fuck: projectsekai.fandom.com/f/p/44… (non capisco cosa c’entri il thread con il sito ma ok)
Comunque, per quanto sempre in fretta e furia perché io non ho pazienza, alla fine l’icona per la app l’ho fatta e… caspita se sarebbe stata meglio la pigna. Ho chiesto a gipiti di fare una cosa, e (…dopo 3 passaggi) ok… ma mi sa che poi, con le mie modifiche manuali, concesse dalle mie smisurate competenze in bitmap editing, l’ho peggiorata. A parte spostare il colore leggermente su un magenta, ho tolto lo sfondo quadrato e reso quindi l’icona trasparente… ma mi sa che non è troppo il caso, tra contrasto potenzialmente basso su sfondi diversi e forma della pigna che così sembra troppo alta. 😩 Vabbé, per ora questa qui la considererò temporanea, che comunque è meglio di niente… però mah, mi sa che vorrei qualcosa di più texturato… Tipo, cosa accadrebbe se questa emoji della pigna (?!?!?!) in PNG, non ufficiale (…uffa), che un po’ ricorda lo stile grafico di Haiku, si fondesse con una puntina, come già succede nel design attuale? (E, forse forse, una pigna che non è color pigna è una pigna marcia, quindi mi sa che ‘ste tinte rosse manco vanno bene…) 🍂
After years of innovation and community collaboration, we’re ending support for Clear Linux OS. Effective immediately, Intel will no longer provide security patches, updates, or maintenance for Clear Linux OS, and the Clear Linux OS GitHub repository…
Intel has been struggling overall, and lately has been letting some of its Linux engineers go. Nothing absolutely fundamental has been affected yet (AFAICT) but I guess Clear Linux didn't make the cut.
i remember working on Intel when this was still on the works how it had so many issues. Also worked better with AMD. Intel is been struggling a lot lately with all this
Ry Cooder passa per un intellettuale, un ricercatore, un ottimo session man, del quale è universalmente conosciuta (e lui non ne ha certo fatto mistero) la fede “progressista”. Ma ha quell'aria un po' grigia, da “professionista”, che non ce lo fa immaginare in prima fila sulle barricate, al limite nelle retrovie a studiare strategie... Leggi e ascolta...
Ry Cooder passa per un intellettuale, un ricercatore, un ottimo session man, del quale è universalmente conosciuta (e lui non ne ha certo fatto mistero) la fede “progressista”. Ma ha quell'aria un po' grigia, da “professionista”, che non ce lo fa immaginare in prima fila sulle barricate, al limite nelle retrovie a studiare strategie. E, invece, eccolo qua, in prima fila, a seguire le orme del suo mentore Woody Guthrie, l'uomo la cui chitarra era “una macchina che uccide i fascisti”, con questo “Election Special”, la cui data di uscita ha preceduto di poco la convention repubblicana, che avrebbe nominato sfidante di Barack Obama nella corsa alla Casa Bianca il mormone plurimiliardario Mitt Romney... distorsioni.net/canali/dischi/…
After a ProPublica investigation revealed how Microsoft’s “digital escort” tech support service could expose sensitive government data to cyberattacks, the company says China-based engineers will no longer provide assistance on DOD cloud services.
I see 12ft.io is down and has been for a day or 2. Any alternatives that work as well (tried a few over the years). I have no interest in removing loads of paywalls just the odd thing or 2 now and again
Allied capabilities now allow NATO to "take that (Kaliningrad) down from the ground" faster than ever before, U.S. Army Europe and Africa commander General Chris Donahue said.
Having looked at various browsers and what calls they make, I noticed on Firefox and other android browsers that when Bypass Paywall Clean is installed from main source: gitflic.ru/project/magnolia123…
It makes calls to gitflic.ru quite often wether using a bypass website or not.
Anyone know on what the calls are about and if they are legitimate and or what telemetry is being shared?
Japanese diplomats told company risk officers that “you are on your own if you put significant assets in Taiwan”, said one person present at one of the conversations.
Foreign direct investment by Japanese companies — traditionally Taiwan’s third-largest source of FDI, after the EU and US — slumped 27 per cent last year to $452mn, and is down from a peak of $1.7bn in 2022.
Sensible. Each company should prepare it's own risk assessment and manage the risk. Taxpayers shouldn't have to bail them out for their stupid/greedy decisions.
The Rockchip Developer Conference 2025 (RKDC!2025) is now taking place in Fuzhou, China, with some interesting announcements such as the Rockchip RK3668 10-core Arm Cortex-A730/A530 processor with a 16 TOPS NPU and the RK182X RISC-V co-processor with support for up to 7B parameters LLM (large Language Model)or VLM (Vision Language Model).
I've always said. It's not good that cloudfare (or any single entity) "owns" half the internet.
For my self hosted stuff I refuse to use their services. I prefer to invest a little more time securing it from my side instead of giving them more control over internet.
It's not good that cloudfare (or any single entity) "owns" half the internet.
100% this^. Even if they aren't actively doing anything terrible that we know of, it still totally undermines people's privacy, even those of us who try to be careful about that sort of thing. Cloudflare is fingerprinting you when you visit sites that use their services for security, and like google, their sheer ubiquity across the web means they can effectively watch and track you wherever you go.
More and more I've been running into the full-page error "please unblock challenges.cloudflare.com to proceed" while just browsing around the web. A site is completely locked to any user who runs into this error; it's not just a popup notification, its a blank page with nothing but the error message and the only way to "fix" it is to whitelist their fingerprinting scripts. I use extensions like uBlock Origin of course, but for more fine-tuned script blocking, also uMatrix, so it's usually because of one of those that I get the cloudflare error. I could of course whitelist it, but I never do, I just decide that page is not worth my time. But it's getting harder to stick with that principle as I run into it more all the time, even for sites that it never used to be an issue. It's also part of why it keeps getting more difficult to browse the web with TOR browser.
Fuck cloudflare. They've wormed their way into most of the web now but they've managed to do it in a quiet way that usually goes unnoticed if you're not a privacy nerd. Everyone knows google and amazon are evil and do all that they can to track anything and everything people do, but cloudflare is becoming just as insidious.
The European Commission paid €360,000 (about $428,000) for a study on how piracy impacts the sales of copyrighted music, books, video games, and movies.
I can understand why they decided to not publish the result. I live in Spain, I have no clue how is it in other European countries but here it's like they only take any action when something becomes very widespread or touches the football.
So it is a bit like as they read the report and decided to not spend too much on that.
Literally if not for music piracy I wouldn't have a massive vinyl library worth > $7,000, wouldn't have gone to 100+ live shows, wouldn't have paid $1000+ bucks for all the band merch I have, wouldn't have evangelized countless bands to all of my friends and social network for decades. Piracy is absolutely the thing that unlocked that whole obsession for me.
I would only download stuff I wasn't going to buy anyway, but if I do actually like it enough I then go and buy it, except if it's Nintendo. They can go fuck themselves in every way possible.
I appreciate that your title makes it clear that this is an old article. Certainly it's still relevant, but going into the article with knowledge of its age calibrates my mindset
I have purchased far more than I've ever obtained. In some cases I've double dipped and purchased multiple times.
The main issue is "can I obtain it legally and pay the original creators?" And secondary is "is this item reasonably priced and delivered in an accessible way?".
The last game I grabbed was the Sims 4 + dlc a very very long time ago. The last show i grabbed was probably an anime with fan subtitles.
Hey there, I'm trying to launch RDR2 on PC and keep getting this error message:\ "Red Dead Redemption 2 exited unexpectedly! Please visit support.rockstargames.com/ for more information."
So does someone knows how to fix it. I have read many forums and have watched many yt videos but nothing helped.
I have installed graphics tool from windows settings, updated my intel and nvidia graphics, disabled antivirus, set the .exe file to open by default on administrator mode, installed a certain mod type file and placed it inside the folder (a old reddit thread recommends that) and installed the vulkan.exe which was inside the rdr2 folder
After a ProPublica investigation revealed how Microsoft’s “digital escort” tech support service could expose sensitive government data to cyberattacks, the company says China-based engineers will no longer provide assistance on DOD cloud services.
Il primo bombardamento di Roma avvenne il 19 luglio 1943, durante la seconda guerra mondiale, ad opera di bombardieri statunitensi delle forze aeree alleate del Mediterraneo. Il quartiere San Lorenzo fu duramente colpito dalle bombe.
Pio XII in visita alla Basilica di San Giovanni in Laterano il 13 agosto 1943, in occasione del secondo bombardamento di Roma
Dopo un triennio di ipotesi intorno all'inserimento della capitale italiana nel novero degli obiettivi aerei alleati, San Lorenzo fu il quartiere più colpito dal primo bombardamento degli Alleati mai effettuato su Roma, insieme al Tiburtino, al Prenestino, al Casilino, al Labicano, al Tuscolano e al Nomentano. Le 4.000 bombe (circa 1.060 tonnellate) sganciate sulla città provocarono circa 3.000 morti e 11.000 feriti, di cui 1.500 morti e 4.000 feriti nel solo quartiere di San Lorenzo.
Al termine del bombardamento papa Pio XII si recò a visitare le zone colpite, benedicendo le vittime sul Piazzale del Verano.
Tra i soccorritori morti (morirono ventiquattro vigili del fuoco) anche il comandante dei carabinieri generale Azolino Hazon, accorso sul posto.
Normally I use NewPipe on android. It's an alternative YouTube app that can play videos in the background, doesn't have ads and allows me to download videos and music.
I had the YouTube app disabled with adb on this phone for all the time I've had it. For backup there's always the browser YouTube page.
I must have done something wrong and accidentally clicked install on the YouTube app again, so it activated and was back to normal on this phone.
Holy hell is that app a terrible advertising machine. Every time I click on a YouTube video now I get sent straight to it and it always plays ads and also has text ads all over the GUI so I can't even read the channel info etc while I wait for the ads to go away.
I don't know how people deal with that it would completely make me want to stop using YouTube.
Please do yourself a favor and install NewPipe or ReVanced (I think that's the name of basically the same app but with sponsorblock additionally). Both are on f-droid.org app store as well. Less important because you can manually use NewPipe but you could also disable the YT app with adb so it disappears from your phone.
Forti mura grigie costruite sulla base del criterio di resistenza. Dove domina la forma di montanti parabolici ed interconnessi, traforati per permettere alla luce di passare attraverso.
Amri Wandel kaj François Lo Jacomo rekandidatis por la nova estraro de UEA, sed ne eniris la proponon de la elekta komisiono. Ambaŭ tamen en retmesaĝoj petis subtenon de la komitatanoj. La elekto do ne estos senalternativa, ĉar jam estas 11 aktivaj kandidatoj por maksimume 9 lokoj. Tamen preskaŭ certas, ke Fernando Maia iĝos la sekva prezidanto.
The Environmental Protection Agency said Friday it is eliminating its research and development arm and reducing agency staff by thousands of employees.
The agency’s Office of Research and Development has long provided the scientific underpinnings for EPA’s mission to protect the environment and human health. The EPA said in May it would shift its scientific expertise and research efforts to program offices that focus on major issues like air and water.
𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
in reply to Leaflet • • •Is it possible to configure the kernel to allow access to decrypted contend only through the user session?
Theoretically, kernel keys can be set to be readable only by the user session, and in an uncompromised root is not able to read those keys. I can imagine a filesystem encryption design that uses a user session key to en/decrypt data on the fly using a user session key, such that not even root or a process in another user session could read the mounted filesystem.
Does such a system exist? As I understand, this is not the way dm-crypt or LUKS work. FDE and TPM are still vulnerable to hacking while everything is running, unlocked, and mounted.
9tr6gyp3
in reply to 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍 • • •fscrypt - ArchWiki
wiki.archlinux.orgFauxLiving
in reply to 9tr6gyp3 • • •𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
in reply to FauxLiving • • •Ok, I went and read some more about it, and you can manage keys with the kernel user session keyring. So it's possible.
It brought me back around to why systemd is so shitty.
fscrypt
Emphasis mine. Because the user session keyring is incompatible with systemd, the Poetterites say it shouldn't be used.
The only way to handle keys securely Ok base Linux shouldn't be used because it's incompatible with systemd. What a way to see the world: so convinced in the superiority of your monolithic monster system that you argue against an immediately available way of improving security.
It's incompatible, by the way, because systemd doesn't run user jobs in the user's session, but in parallel sessions. This means that, if you use systemd, you can't use the most secure way of handling secrets with fscrypt, the kernel user session keyring.
fscrypt: Design Document (PUBLIC)
Google DocsRoyaltyInTraining
in reply to Leaflet • • •Leaflet
in reply to RoyaltyInTraining • • •TPM unlocking FDE is complicated for me. I fully understand measured boot and support it, but it seems less secure to me than manually unlocking the disk.
Once the disk is unlocked and you’re put onto the display manager, I feel like there are many more vulnerabilities that could be exploited to gain access to your data.
With manually entering the disk password, the data is locked. You either need to brute force it or use the XKCD wrench method.
So I feel TPM+Pin is the best for security. Unfortunately Aeon, which is based on OpenSUSE and implements TPM, doesn’t support TPM+Pin. I think it’s mainly due to how poor and widespread TPM support is. It could lock you out entirely.
Tenderizer78
in reply to Leaflet • • •As I understand it the TPM is for people who have physical access. It prevents them from cloning your disk.
I think with an adequately long password (or an adequately resource-intensive encryption algorithm) you can secure your disk enough to prevent unauthorized access. But the TPM would prevent them from removing your hard-drive and shunting it into a super-computer (so all password attempts wouldn't need to be on the crummy 10-year old laptop CPU) so a TPM + password is more secure.
pmk
in reply to Tenderizer78 • • •exu
in reply to Leaflet • • •Yep, you need a pin for your TPM to be safe. Here's a proof of concept of someone unlocking Linux systems without TPM pin.
oddlama.org/blog/bypassing-dis…
Bypassing disk encryption on systems with automatic TPM2 unlock | oddlama's blog
oddlama.orgTurboWafflz
in reply to Leaflet • • •Leaflet
in reply to TurboWafflz • • •TPM is used for measured boot. Measured boot can check various parts of the system to ensure they are the expected values haven’t been tampered with. You don’t want a part of the system to be replaced with malware and not realize it.
If it detects something changed, it won’t release its secret. It may signal to you that something malicious was done or something benign that the OS updated didn’t account for.
TurboWafflz
in reply to Leaflet • • •Leaflet
in reply to TurboWafflz • • •A recovery code. I did a test install of Aeon and was given the code: dhnhlgc-fbndjbni-ufrkcfnk-nfebvtut-ftkkiiur-tijidtub-hujnucgu-erduhije
64 digits, but only alphabetical and a certain subset (16/26) due to weirdness of keyboard layouts.
sandwich.make(bathing_in_bismuth)
in reply to Leaflet • • •exu
in reply to sandwich.make(bathing_in_bismuth) • • •sandwich.make(bathing_in_bismuth)
in reply to exu • • •blog.scrt.ch/2024/10/28/privil…
And as far als inux goes, physical access to TPM is game over
Privilege escalation through TPM Sniffing when BitLocker PIN is enabled – SCRT Team Blog
blog.scrt.chMatt
in reply to Leaflet • • •mholiv
in reply to Matt • • •