Network Guardian Angel. Infosec.



  • 10 Posts
Joined 10d ago
Cake day: Jan 11, 2022


Does anybody know of a Linux distro that enforces strong firewall rules by default (that’s one of the control points of that Linux distro security assessment)? I mean other than Tails, which I expect does. RFI vulns, such as Log4Shell, rely on outgoing connections. A Linux distro with a strict firewall by default would have to be purposely poked to let such queries out. Sounds interesting to me.

Accept that you are wrong; defending your wrong arguments makes it worse for you; the more you answer, the easier it is to humiliate you.

I take note of your explicit intent of humiliating me.

I also take note of your condescending tone:

  • we are talking about your intolerance accepting valid criticism

  • Weak argument.

  • to justify your weak and flawed logic.

  • Please stop wrongfully interpreting more into it

Yelling at people, threatening them and humiliating them is not civil conduct, and I hereby ask for a moderation team intervention for violation of rule 2.

I posted that link in my company chat, where some do use Mint but most don’t (a mix of Ubuntu, Manjaro and Fedora). Many were interested, and we have had a healthy discussion about some of the evaluation points (some of which we found subjective and not very meaningful) and about how Mint compared with the other distro evaluations linked at the top of the article.

Also, you are talking about a firewall GUI, but that is not even one of the evaluation points. They just said that there was nothing about firewall configuration in the configuration wizard.

Linux Mint does ask the user to enable the firewall in the graphical Welcome Wizard though.

However, the evaluation points were:

[N] Is the host firewall enabled by default?

[N] Does the host firewall block all incoming/ingress traffic by default?

[N] Does the host firewall filter outgoing/egress traffic by default?

Did you actually read the article? I doubt it. If you did, you would have noticed that the article does mention the methodology and the results for other distros, with links to them if need be. Someone using yet another distro could be interested in that methodology, to improve it or to post a review about their favorite distro too. Maybe that is not “Linux enough” for you. In that case, you can move on.

Thank you.

Then close other Communities, and bring this under the same argument.

Otherwise, we can close them and put everything under here.

When I and others post here in this community, we get the same comments: post it under xyz.

So your excuse for bullying people is that you got bullied too.

Not sure what my status has to do with anything here.

If a link is not to your liking, you can just skip it, or even downvote it. You don’t need to tell people what to do. Except of course if you are a mod and the post is against the rules. Then go ahead, and thank you. But no.

Have a nice day as well.

Considering the post also mentions a generic evaluation methodology, and provides pointers to similar studies on other distros, the stuff may actually be of interest to some people interested in Linux. Maybe not you. I am ok with that. I actually don’t care.

BTW, when did you get your mod promotion? I don’t see it. Ok bye.

Second line:

I performed the same testing on the following distros:

In that case, I would recommend Fedora Silverblue :)

What is your new user gonna do with it?

If they just want it to work and be secure, but not feel the cogs, you might be interested in looking into Chromium OS or Fedora Silverblue.

If they are a tech, you might wanna go with a flavor of Ubuntu.

If they are willing to become proficient and experienced with GNU/Linux as a tech, maybe something like Arch or Debian?

Internet is that strange place where you find instances of stuff nobody should ever do 😆

I don’t think iDRACs are much better, though, in that regard.

There have been, and there will be, many stories about these BMCs, unfortunately. One thing seems sure: they should be on an isolated network, or even better, unplugged.

Pretty uninformed move. Or yet another marketing stunt.

Cryptocurrencies are not bad (edit: for the climate) by nature. Some are (e.g. proof-of-work-based consensus ones). Some aren’t (e.g. federated Byzantine agreement).

The latter does not consume a lot of energy to reach decentralized consensus. That’s why I like XLM.

Disclosure: I do not own any crypto assets (edit: and I never did in the past either). I am just an applied cryptographer.

Also, this quote neglects the fact that many contributions are authored by employees of big tech companies, like Microsoft. The author of this quote needs to learn how to use git log --author=""

I have often used asciinema for demonstrations of my command line utilities and it is excellent. Definitely worth being in your toolbox.

I suppose you want protection from server compromise if you require client-side encryption. However, you should be mindful that if the code that encrypts your content is served by your server as part of a web interface, then an attacker can simply alter the code that is sent to your browser to leak your master password, or your files. If you want secure client-side encryption, you cannot rely on code that is served by your server either. You will need to install an app.

Being a network security specialist, I’ll ask these basic questions:

  • what’s the universal definition of a private network?
  • does this measure make sense in IPv6 within the global scope?
  • is it the responsibility of the browser to secure against DNS rebinding?

My answers to these questions are:

  • there is no universal definition, so this approach is doomed by design
  • no
  • heck, no; that’s the job of the web server, by avoiding the so-called default virtual host. The Host/:authority header should always be verified, and this is sufficient to counter all forms of DNS rebinding.
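As an added example of the server-side check described in the comment above (written for this page; not code from the page or from any project it mentions): a Go handler wrapper that refuses any request whose Host header is not in a configured allow-list, instead of falling through to a default virtual host. Go fills r.Host from the Host header or, for HTTP/2, from :authority, so one check covers both. The hostnames router.local and localhost, the port 8080 and the 421 Misdirected Request status are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// allowedHosts is the exact set of names this server answers for. An attacker
// domain rebound to our address, a raw IP literal or an empty Host is not in
// it and is refused before any handler runs. (The names are assumptions for
// this example; add an IP literal only if users really reach the box by address.)
var allowedHosts = map[string]bool{
	"router.local": true,
	"localhost":    true,
}

var errBadHost = errors.New("Host header not in allow-list")

// normalizeHost reduces a Host value to a lower-case bare name:
// "Router.Local.:8080" -> "router.local", "[::1]:8080" -> "::1".
func normalizeHost(hostHeader string) string {
	h := strings.TrimSpace(hostHeader)
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host // "name:port" or "[v6]:port"
	} else {
		h = strings.TrimSuffix(strings.TrimPrefix(h, "["), "]") // bare IPv6 literal
	}
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// checkHost returns nil when hostHeader names this server, errBadHost otherwise.
// It is an exact-match allow-list on purpose, not a suffix or substring test.
func checkHost(hostHeader string) error {
	if allowedHosts[normalizeHost(hostHeader)] {
		return nil
	}
	return errBadHost
}

// requireKnownHost wraps a handler so that requests for any other host get
// 421 Misdirected Request and never reach the application.
func requireKnownHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.Host is the Host header, or :authority on HTTP/2.
		if err := checkHost(r.Host); err != nil {
			http.Error(w, err.Error(), http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "admin panel served for", r.Host)
	})
	// Listening on all interfaces is fine: the Host check, not the bind
	// address, is what keeps a rebound attacker.example.com out.
	if err := http.ListenAndServe(":8080", requireKnownHost(mux)); err != nil {
		fmt.Println(err)
	}
}
```

A rebinding page in the victim's browser fetches http://attacker.example.com/ after the attacker's DNS has re-pointed that name at 127.0.0.1 or a LAN address; the browser still sends Host: attacker.example.com, so the request is refused with 421 before any handler sees it. The same wrapper should sit in front of every route, including error pages, since a default virtual host that answers for any name is exactly the gap being closed.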

I fear that ignoring tickets just makes them stack up. Similarly, closing and locking tickets arbitrarily may affect your reputation. This may or may not be a problem depending on how you feel about your reputation. Still, it is worth remembering that some maintainers do care, and that they don’t want to look bad (even though most would understand).

I personally don’t think that setting a high bar to deter less motivated people from contributing is a sane approach. I suffer from poor quality bug reports every single day at work, and yet they often are an indicator of something that IS broken in my software. I need them.

The key difference is that I am paid for it, and that my contributors are also paid employees, whom I have to work with every day, and who will learn over time. Being on the receiving end of an endless stream of negative comments, for no other reason than being willing to share some of your work, as-is, is not an appropriate reward. And even if that was a paid job, I’m not sure one would want to keep it.

I don’t think the issue is whether contributors are tech pros or not, or whether one should do gatekeeping. I think the point is that it is worth remembering, when you contribute an issue to a project, that the maintainer is a human being, probably giving some of their own free time, out of passion and compassion, to fix your issue, and that negative comments are plainly abusive and should probably be worded in a gentler way.

It doesn't work

An inspired blogpost by Frank Denis on the depression that may be felt by FOSS maintainers…

Secure large file decryption using Linux, Go and Nacl

In this article, I explain the challenges of decrypting large files that do not fit in RAM and some possible solutions leveraging Linux and a good high-level crypto library written in Go…
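As an added illustration of the problem the linked article discusses (example code written for this page, not the article's own): chunked authenticated encryption and decryption in Go whose memory use is bounded by the chunk size rather than the file size. It uses AES-256-GCM from the standard library in place of the NaCl secretbox the article is about, because the point shown is the chunk framing and nonce scheme, which carries over unchanged to any AEAD; the 64 KiB chunk size, the 4-byte random nonce prefix and the counter-plus-last-flag nonce layout are this example's own choices. It goes slightly beyond the article's summary by also handling the three things a naive chunked decryptor gets wrong: reordered chunks, a file cut exactly at a chunk boundary, and a plaintext whose length is an exact multiple of the chunk size.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	chunkSize = 64 * 1024 // plaintext bytes per chunk (example choice); memory is O(chunkSize), not O(file)
	tagSize   = 16        // GCM tag appended to every chunk
	prefixLen = 4         // random per-file nonce prefix written as the header
)

var (
	errTruncated = errors.New("ciphertext ends before the final chunk")
	errCorrupt   = errors.New("chunk failed authentication (modified, reordered or cut short)")
)

// chunkNonce lays out the 12-byte GCM nonce as prefix(4) || counter(7, big-endian) || last(1).
// The counter binds each chunk to its position, so chunks cannot be swapped or
// replayed; the last flag marks the genuine end, so the stream cannot be cut at a
// chunk boundary. This is the STREAM construction of Hoang, Reyhanitabar, Rogaway and Vizár.
func chunkNonce(prefix []byte, counter uint64, last bool) []byte {
	nonce := make([]byte, 12)
	copy(nonce[:prefixLen], prefix)
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	copy(nonce[prefixLen:11], ctr[1:]) // low 7 bytes; real counters stay far below 2^56
	if last {
		nonce[11] = 1
	}
	return nonce
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt streams plaintext from r to w. The final chunk is always shorter than
// chunkSize (empty when the length is an exact multiple), which is how the
// decryptor tells a genuine end from an attacker's truncation.
func Encrypt(key []byte, r io.Reader, w io.Writer) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	prefix := make([]byte, prefixLen)
	if _, err := rand.Read(prefix); err != nil {
		return err
	}
	if _, err := w.Write(prefix); err != nil {
		return err
	}
	in := make([]byte, chunkSize)
	out := make([]byte, 0, chunkSize+tagSize) // reused for every chunk
	for counter := uint64(0); ; counter++ {
		n, err := io.ReadFull(r, in)
		last := err == io.EOF || err == io.ErrUnexpectedEOF // short or empty read: this is the tail
		if err != nil && !last {
			return err
		}
		out = aead.Seal(out[:0], chunkNonce(prefix, counter, last), in[:n], nil)
		if _, err := w.Write(out); err != nil {
			return err
		}
		if last {
			return nil
		}
	}
}

// Decrypt streams ciphertext from r to w, authenticating each chunk before any of
// its plaintext is released. A full-length chunk is interior; a shorter one must be
// the final chunk; input that ends right after a full chunk is reported as truncation.
func Decrypt(key []byte, r io.Reader, w io.Writer) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	prefix := make([]byte, prefixLen)
	if _, err := io.ReadFull(r, prefix); err != nil {
		return errTruncated
	}
	in := make([]byte, chunkSize+tagSize)
	out := make([]byte, 0, chunkSize)
	for counter := uint64(0); ; counter++ {
		n, err := io.ReadFull(r, in)
		if err == io.EOF {
			return errTruncated // previous chunk was full and no final chunk followed
		}
		if err != nil && err != io.ErrUnexpectedEOF {
			return err
		}
		last := n < len(in)
		out, err = aead.Open(out[:0], chunkNonce(prefix, counter, last), in[:n], nil)
		if err != nil {
			return errCorrupt
		}
		if _, err := w.Write(out); err != nil {
			return err
		}
		if last {
			return nil
		}
	}
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample input: three full chunks plus an 80-byte tail.
	plain := bytes.Repeat([]byte("large file data\n"), 3*chunkSize/16+5)
	var ct, pt bytes.Buffer
	if err := Encrypt(key, bytes.NewReader(plain), &ct); err != nil {
		panic(err)
	}
	if err := Decrypt(key, bytes.NewReader(ct.Bytes()), &pt); err != nil {
		panic(err)
	}
	fmt.Println("round trip intact:", bytes.Equal(plain, pt.Bytes()))
	// Dropping the final chunk is reported, not accepted as a shorter file.
	cut := ct.Bytes()[:prefixLen+2*(chunkSize+tagSize)]
	fmt.Println("after truncation:", Decrypt(key, bytes.NewReader(cut), io.Discard))
}
```

Each chunk's plaintext is written to w only after its tag verifies, so a consumer never sees unauthenticated bytes; the cost is that the caller must treat any non-nil error as "discard everything written so far", which is why a real tool writes to a temporary file and renames it into place only on success.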