
Pantherina

@Pantherina@feddit.de


Pantherina ,

Crazy how many cables there are through ice, or how many from one point to another on the same coast

Pantherina ,

This shithead posts the stupidest shit and people make it viral.

I understand how people are fucked up about that

Pantherina ,

So true. These fu**ing schools keeping their lights on the whole night and vacations, with their old lamps, while people like me measure their lamps and turn everything off...

Also the amount of 4K or more useless data transfer, ads, unnecessary youtube videos where there could be only audio (if they made that free, you can use any FOSS client and do the same)

Pantherina ,

You can literally donate 1ct. I have no idea how people can complain when developers want money for their work.

The "Linux community" is 80% users that don't contribute, 10% "power users" that still don't contribute, 5% people that help with non-development work (bug reporting, community support, etc.) and 5% actual developers.

(Completely rough estimation)

Pantherina ,

Free beer: don't pay and still get software

Free speech: get software you can trust, be sure there are no active backdoors etc.

Pantherina ,

Airplane mode is a blessing. If the OS is trustworthy (i.e. FOSS Android) then it actually works, it turns off that crappy unprivate cell connection and you have anonymous Wifi only.

It saves battery and you can use your phone without anyone being able to track you easily.

Btw Google hides the GPS quicksettings toggle for a reason, edit the shortcuts and add it.

Pantherina ,

If you randomize your MAC address (which is default on GrapheneOS and Fedora now) you are pretty anonymous to the Wi-Fi network.

Of course websites see where you are, they always do that. Use Tor or a VPN.

Pantherina ,

How stupid can a person be and still so rich. What is a "PC Laptop" and why would an account "give their AI access to my PC". Dude.

Pantherina ,

Looool

Pantherina ,

Android doesn't, but a "non PC Laptop" does

Pantherina ,

Look at this

Fedora is fine, you may want to use secureblue or just plain Fedora Atomic/ublue as base.

But generally using as many flatpaks as possible and least system packages, and managing filesystem permissions like the guy on Fedora Discuss, this should totally fit your needs.

QubesOS is cool but it tries to solve the problem of insecure software through extreme compartmentalization which is hard to use and extreme on the hardware.

Pantherina ,

I would call it a variant, as it's 99% Fedora with some different packages (hardened malloc, pam authramp, etc.) and continuously deployed changes.

Pantherina ,

Don't use Google Android

Pantherina ,

GrapheneOS is the only good option. Calyx and /e/ are both just LineageOS forks with incomplete or even insecure additions.

Pantherina ,

No

Pantherina ,

It's not about an unlockable bootloader only, but full support for all hardware features

https://lemmy.ml/post/12310012

https://grapheneos.social/@GrapheneOS/111976026139453712

Pantherina ,

AOSP is not a usable product and it is full of Google stuff. GrapheneOS and LineageOS (and derivatives) make it usable.

GrapheneOS was the first at complete degoogling, others followed, but still have no secure solution for apps needing Google Play. MicroG is proprietary Google code, run unsandboxed and still unreliable and less secure.

So GrapheneOS really is the only usable OS right now, it is FOSS (even in the BSD way that companies could make their proprietary fork) and other projects should base on it and weaken its security to make it run on existing other phones. This is still better than alternatives, but it is a hell of maintenance as all that security causes infinitely more bugs than just using AOSP (which is rock solid) and adding some apps lol.

Please donate to GrapheneOS, the project is not yet fully sustainable and they are doing incredible work.

Pantherina ,

Don't wait, just get a Pixel 6a-8 and install GrapheneOS.

(8 is expensive but will last 7+ years with extended GrapheneOS updates)

Pantherina ,

Calyx is way worse than Graphene. Only use it if your device is not supported by GrapheneOS > DivestOS.

And afaik Calyx doesn't even support many phones lol. On GrapheneOS this is actually due to missing security, which Calyx doesn't even use.

Pantherina ,

In what country does that exist? No online banking and no cash sounds illegal.

Pantherina ,

That's how you do it with GrapheneOS. Buy a Pixel, take like 30min to install the OS, install F-Droid Basic and sandboxed Play and get your apps.

Degoogling Android is not possible, and LineageOS and other more difficult to install Androids are less secure.

GrapheneOS has a graphical installer, you just need a laptop (Windows, Linux, Mac), a Chromebook or another Android phone and a USB cable, that's it. You can literally install it from one phone (using some variant of Chromium like Chrome, Cromite, Brave etc.) by opening a website and clicking 4 buttons.

Pantherina ,

iOS being private is such a horrible lie. Techlore is really annoying with those subtle ads, even though they also often cover GrapheneOS.

If Apple wants your shit, with any of their OS you are theirs. You are not private if you need to rely on the mercy of Big Brother to not steal your stuff.

Pantherina ,

Yup, Google is a very strange company. Chromebooks are sometimes the easiest Coreboot Linux laptops to buy.

Pantherina ,

Which is even less degoogled as it preinstalls microG which is official Google binaries, running as a system app with permission to critical system info and basically all your stuff.

See my other comments.

Pantherina ,

No, some OS preinstall microG. Because only if the core is finished you can hash and sign it, if the user flashes some apps afterwards that doesn't work.

Btw ROM is read only memory, a tiny part of the firmware.

Pantherina ,

Just check grapheneos.org

They have only a minimal appstore preinstalled, which they use for their own apps. It is the best there is with full background updates etc. Every store could do this if they used modern libraries.

You have Vanadium preinstalled, from which you can install "F-Droid Basic" (the modern client), or Aurorastore, or accrescent, obtainium etc.

Their own solution is sandboxed google play, installed as regular user apps with way more restricted permissions and an opt-in method (only dedicated calls are allowed) in contrast to the extremely privileged microG or even "GAPPS" which can do everything (and in the place of microG having selected things removed, badness enumeration while still using proprietary Google code).

GrapheneOS is basically Android done right, play services etc. work, you can install all Google apps from the playstore, not as system apps (wallet and others are exceptions as they require a Google certified OS).

Pantherina ,

No, it's not. They download Google binaries which run as system apps and have privileged access.

They practice badness enumeration in some form, while their permission model (only activating what is needed) is a better approach but incomplete.

Any app that relies on Play has those libraries implemented, so they could show ads etc. on their own. But with microG they have a component with privileged system access, in contrast to sandboxed play where no component is privileged.

Pantherina ,

GrapheneOS discuss. Their GitHub repo looks like they actually have the sources for everything.

Pantherina ,

Portal of nothingness

Pantherina ,

Search for some addon using "desktop view" on addons.mozilla.org

Pantherina ,

So they are going back to the way Linux does it since forever?

Why not just go image based? Instant reboots and even faster updates.

Pantherina ,

Why would you send an image to gemini instead of just text? Annoy Google?

Pantherina ,

Libredirect is the updated version of privacy redirect

Pantherina ,

I recommend running googerteller. Chromium, even after applying all degoogle policies, using it without an account, no Google search etc., connects to Google every few seconds. Especially when launching the profile chooser, loading the addons, viewing some settings and your password list.

Pantherina ,

NoScript is missing a lot here. uBlock doesn't really block much tracking, you need to break every site by default and then allow JavaScript only from trusted origins. This is the opposite of uBlock's badness enumeration, it is manual work and is waaaay more secure and private.

No browser without NoScript to block everything by default, manually allowing all trusted sites, is private. uBlock may allow this but the UI is too slow to use it generally.

There only is a lack of a database or something to share such a config. I have used it for years so my NoScript list is quite big.

Pantherina ,

I recommend Mull and Librewolf for the respective platforms. They are way more private.

Flagfox should not be used, it sends every site you visit to random servers of theirs, which is basically really invasive tracking.

Pantherina ,

Instead of forgetting everything, I recommend keeping the session and creating cookie exceptions for selected sites. So you will stay logged in there and have a normally working browser that is just as private.

Pantherina ,

Ghostery is extremely shady and should not be used. Also piling up adblockers is really bad, use one and that should be enough.

Look at badness enumeration to understand that reasoning.

Pantherina ,

You really can't rely on GUI settings at all. Edge very likely cannot be made private.

Using Christitus WinUtil you can remove Edge entirely, reinstall the WebView afterwards, it's needed, replace it with Librewolf, Brave, that's basically it.

Pantherina ,

I don't, but Brave at least has no Google and MS tracking and their own stuff seems to be possible to disable entirely via brave://flags or a policy.

They only have Windows docs though and I use firefox with hardening, compiled myself to work with hardened_malloc

Pantherina ,

You can use profiles if you want different use cases. I don't think "increased attack surface" is the biggest problem, but you have 2 browsers that are both updated, take up RAM etc.

You could just use different Firefox profiles, using a custom desktop entry with actions and one action for every profile, example:

desktop entry

```ini
[Desktop Entry]
Name=Firefox
Comment=Web Browser
GenericName=Web Browser
Exec=firefox %u
Type=Application
Icon=firefox
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;application/rss+xml;application/rdf+xml;image/gif;image/jpeg;image/png;x-scheme-handler/http;x-scheme-handler/https;
Actions=Private;Work;PrivateWindow;Insecure

[Desktop Action Private]
Name=Open Private Profile
Exec=firefox -p private %u

[Desktop Action Work]
Name=Open Work Profile
Exec=firefox -p work %u

[Desktop Action PrivateWindow]
Name=Open Private Window
Exec=firefox -p private --private-window %u

[Desktop Action Insecure]
Name=Open Insecure Profile
Exec=mullvad-exclude firefox -p insecure %u
```

This was so cool to find out, and in KDE (and likely other desktops) you can access those actions using right click.

You can also change such a workflow to do `launch app && rm -rf ~/appdirectory`, which will enforce always deleting everything without needing to trust that app. I do that for the flatpak app "Decoder" which is great but wants to save a history without an opt-out, and as I use it for password sharing (generate a QR code locally on my phone)
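
Added example, not part of the comment above: with `&&` the directory is removed only when the app exits with status 0, so a crash leaves the saved history on disk. The sketch below contrasts that form with a wrapper that wipes on any exit status; the function names and paths are hypothetical and constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the comment above. Function names and paths are
# constructed for illustration.

# Naive form: "app && rm -rf dir" only wipes when the app exits with status 0.
naive_run_and_wipe() {
    data_dir=$1; shift
    "$@" && rm -rf -- "$data_dir"
}

# Hardened form: wipe on any exit status and hand that status back.
# usage: run_and_wipe /absolute/data/dir command [args...]
run_and_wipe() {
    data_dir=$1; shift
    # Refuse paths that would make rm -rf destructive beyond the app's data.
    case $data_dir in
        ''|/|"$HOME"|"$HOME"/)
            echo "refusing to wipe '$data_dir'" >&2; return 2 ;;
        /*) ;;
        *)  echo "data dir must be an absolute path" >&2; return 2 ;;
    esac
    status=0
    "$@" || status=$?          # remember a crash instead of skipping cleanup
    rm -rf -- "$data_dir"
    return "$status"
}

# Constructed demo: a stand-in "app" that crashes after history was written.
demo() {
    tmp=$(mktemp -d) || return 1
    for name in naive hardened; do
        mkdir "$tmp/$name" && echo "secret" > "$tmp/$name/history"
    done
    naive_run_and_wipe "$tmp/naive"    sh -c 'exit 1'
    run_and_wipe       "$tmp/hardened" sh -c 'exit 1'
    [ -e "$tmp/naive/history" ]    && echo "naive: history survived the crash"
    [ -e "$tmp/hardened/history" ] || echo "hardened: history removed"
    rm -rf -- "$tmp"
}
demo
```

Neither form covers the wrapper itself being killed by a signal; that case needs a `trap` or a supervising service.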

Pantherina ,

https://en.m.wikipedia.org/wiki/Ghostery#Criticism

They tracked users by sending every domain to their servers even though using dumb badness enumeration (possible via a quickly updated local blocklist).

Pantherina ,

Googerteller just shows connections.

Maybe there is a traffic analysis, you need to install a custom public https certificate for that and intercept using a middle server. MITM attack so to say.

Pantherina ,

Podman runs without a daemon which for some reason makes podman compose a somewhat tricky replacement for docker compose.

But for a single purpose, why not just install Nextcloud as a system package via layering? I think that should be pretty secure through SELinux and would be the easiest choice.

Other problems with coreOS:

  • ignite file make monkey brain confusion
  • updates always require a reboot unlike on Debian, where only kernel updates need that (downtime is minimal and can be automated using a systemd service)
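It's not that hard

```sh
# Service: upgrade the rpm-ostree deployment and reboot into it
pkexec tee /etc/systemd/system/nightly-reboot.service <<EOF
[Unit]
Description=Update rpm-ostree and reboot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/bin/rpm-ostree upgrade --reboot
EOF

# Timer: a separate unit file that triggers the service once a day
pkexec tee /etc/systemd/system/nightly-reboot.timer <<EOF
[Unit]
Description=Run nightly-reboot.service daily

[Timer]
OnCalendar=daily
AccuracySec=1h
Persistent=true
Unit=nightly-reboot.service

[Install]
WantedBy=timers.target
EOF

# Enable the timer, not the service
pkexec systemctl enable --now nightly-reboot.timer
```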

But I would honestly try it. Maybe give secureblue server a try, should be more similar to your desktop than coreOS (which seems to be made for wide deployments)
