N.E.P.T.R

N.E.P.T.R@lemmy.blahaj.zone · 1 day ago

I watched the video. Yes, if your sandbox config is weak then it will allow sandbox escapes. I agree the should default should be a secure sandbox. Bubblewrap offers the opportunity to shoot yourself in the foot. Look into the others tools I mentioned if you want to see different implementations. Sydbox is the one I think is the most interesting.

N.E.P.T.R@lemmy.blahaj.zone · 2 days ago

The only way I know to harden Linux Mint is using the Debian edition. Using LMDE, you can (unofficial) use Kicksecure to harden the base system. This isnt a great solution since the Linux Mint software is untested with Kicksecure and may/will reduce the security of the overall hardening.

N.E.P.T.R@lemmy.blahaj.zone · 2 days ago

Hardening is not useless, but it doesnt fix the architectural issues with Linux and its outdated threat model. That article says the same thing. It isnt an all-or-nothing situation, hardening still improves Linux security. Projects exist like SELinux, Bubblewrap, Crablock, Sydbox, and Landlock. Efforts to harden GNU/Linux have been made, like Kicksecure (Debian) and Secureblue (Fedora Silverblue), which protect against many threat vectors, but not perfect obviously.

N.E.P.T.R@lemmy.blahaj.zone · 3 days ago

/e/os is often behind on Android monthly security patches (sometimes up to a month!) and the apps they fork I have heard also often lag behind upstream. It also doesnt do much to deblob the ROM if proprietary binary blobs.

Comparison table of Android ROMs: https://eylenburg.github.io/android_comparison.htm

N.E.P.T.R@lemmy.blahaj.zone · 4 days ago

IIRC, they block 3rd Android ROMs (eg GrapheneOS) using Google’s Safety net service verification.

N.E.P.T.R@lemmy.blahaj.zone · 6 days ago

That is generally called the principle of least privilege.

N.E.P.T.R@lemmy.blahaj.zone · 7 days ago

Using a VPN should defeat the attack by having a different data center cache the media file.

N.E.P.T.R@lemmy.blahaj.zone · edit-2 8 days ago

Fitejail is a large SETUID binary which weakens security and can aid in privilege escalation. Use Bubblewrap (preinstalled on most Linux systems cus of Flatpak) which runs unpriveleged. Bubblejail is a program that makes it easier to make sandboxes profiles for apps.

N.E.P.T.R@lemmy.blahaj.zone · 9 days ago

Very interesting read.

N.E.P.T.R@lemmy.blahaj.zone · 10 days ago

People on Snapchat dont give a fuck about cleanliness.

N.E.P.T.R@lemmy.blahaj.zone · edit-2 11 days ago

Not exactly. Ironfox is a fork, not a direct continuation of Mull. I’m holding off on using it because I want to verify that the new fork can keep timely security updates. Ironfox is a big unknown.

N.E.P.T.R@lemmy.blahaj.zone · 12 days ago

Is there now a flatpak for virt-manager?

N.E.P.T.R@lemmy.blahaj.zone · 13 days ago

They used to recommend Mull (firefox-based) before it died.

N.E.P.T.R@lemmy.blahaj.zone · 13 days ago

Not from f-droid, but Piper TTS models are great and performant. You can install the apk and the app requires no permissions. They also have other models other than Piper (eg Coqui). For English, I recommend recommend vits-piper-en_US-lessac-medium for the model.

Here is a link to the list of prebuilt APKs: https://k2-fsa.github.io/sherpa/onnx/tts/apk-engine.html

Here is the Github repo: https://github.com/k2-fsa/sherpa-onnx

N.E.P.T.R@lemmy.blahaj.zone · 20 days ago

How insensitive! Lactose are people too.