More crypto discussions in general and I don’t mean cryptography. I think because of those topics being almost dead here, it would be good to just have 1 crypto community instead of having different communities for every different blockchain/topic. Or maybe 2 communities to seperate shilling and speculating price from technological and political crypto discussions.

I meant communities. I just mixed the words up

I dont think its so active at least not topics i’m most interested in. Privacy has only one lemmy instance that is active. Security has only 1 instance but no one ever discusses there, it’s just sharing Security news and 0 comments. Talk about crypto is pretty much completely dead as well which is strange.

Be careful not to say anything positive about luigi because you’re certainly going to end up on a priority list of people they are going to keep a lot of surveillance on. It’s true, feds are terrified of people who seem inspired by things like this. If you say something really really nice about Luigi, the feds might even send you one of their female undercover agents to be your girlfriend for a while and spy on you.

OP is wrong about firmware. linux-firmware package is not about mitigating firmware vulnerabilities. It’s just blobs for things like nvidia and other stuff. I don’t know if Linux has firmware vulnerability mitigation but if it doesn’t then QubesOS is much better because it does prevent a lot of the vulnerabilities by disabling hyperthreading.

Can you explain in short bullet points how heads is better than bootguard? I’ve read people saying that Heads can be defeated by flashing the boot rom with external programmer. But that wouldnt be possible with bootguard because its in pcr0 and fused and can’t be modified again. Pros and cons of bootguard vs heads?

they also make extreme examples of anyone threatening to “blow it up”, show the public all the corruption and give freedom to the people. Edward Snowden is an example. Also recently Roman Storm the Tornado Cash dev. These extreme attacks from the government are meant to cause fear so no one dares to do anything like that again.

You are right but I think most people would in hindsight say they wished the did more to protect their computer when shit happens. It’s like a camera, you can buy a cheap camera meant to be used for a vacation then thrown away and it’s not worth much but the pictures you have taken are worth a lot as in semantic value, memories you want to keep.

In someones computer they have their entire digital life. Work, personal life, social life, all kinds of data, pictures, banking, investments, crypto, etc. All that is priceless. That’s why ransomware viruses are so effective, people will pay and do anything to get their data back and they all wished they had just done some simple backups and from then on they will probably spend effort on security.

Ahh, very interesting! I think QubesOS only does mitigations, not microupdates. So that’s a point for linux in linux vs qubesos. I need to spend more time learning about these cpu vulnerabilities. One of the things I like about QubesOS is they do many security stuff that many of users don’t know about or understand. For example QubesOS doesn’t use the GPU in the Qubes because an attacker could get control of the GPU and see everything that the GPU renders which means seeing the host (dom0) and all the Qubes.

I guess you can do that on Linux as well by disabling kvm passthrough of the GPU to the VMs.

And maybe disabling hyperthreading like QubesOS does isn’t necessary on Linux if the cpu microupdates from Linux kernel already solves that cpu vulnerability. Many things for me to look into regarding these cpu vulnerabilities.

QubesOS does make compartmentalizing much easier and smoother experience though.

yeah the elites who run the world have limitless money for the lobbying. I don’t think it’s possible to win this war on their turf under their rigged rules. Revolution is the only way but I don’t think that’s a realistic possibility neither. They have so many ways to divide and conquer.

problem is getting everyone to do revolution at the same time. That’s one of the purposes of mass surveillance, they can detect the early beginnings of organization and send them to prison before it grows into a big snowball.

On https://osresearch.net/ it says Linux kernel has some mitigations but it doesn’t protect entirely.

I hope you are right, it would really make it easier if it’s just an external boot rom flash that is needed. I mean I know that feds can plant chips in the silicon and you wouldn’t find it if they had covert physical access and there’s no glitter nail polish to protect the screws, but in this case they are not the adversary, in this case it’s just random cyber criminals who are the adversary when you buy a second hand laptop.

That article I linked to seems to suggest the malware can persist by hiding in any usb peripheral even camera. I think bluetooth is usb as well if i am not mixing it up with something else but i remember reading bluetooth is actually using usb bus. But anyway you mentioned only the boot rom and EC, you didn’t mention other peripherals so that’s why I’m replying and asking what you know about it. Do you think that linked article is mostly FUD and a bit incorrect when it says a malware can hide in the hardwired webcam or other USB components inside the computer?

Intel ME and AMD PSP, in conspiracy-speak are kinda like government backdoors, closed source, undocumented, with huge control over a processor.

In theory it’s possible that intel me is made to be spyware/backdoor for feds but I don’t think it is because if it was then why are there so many cyber criminals in the world who the feds can’t catch? There are lots of cyber criminals on the top wanted lists and feds want to catch them so badly. And that’s just the non-affiliated cyber criminals, then there are also nation sponsored hackers for example north korea has been in spotlight recently for crypto hacks. And if intel me really was what we fear it could be in theory then usa’s enemies like russia and china would be instantly defeated.

So even if it’s possible in theory because it’s cpu proprietary firmware with its own OS and that’s scary but if it really was abused that way then wouldn’t the world be a completely different situation?

Also, intel wouldn’t need to have a backdoor in intel me. This source puts it well (https://deploy-preview-244--privsec-dev.netlify.app/posts/knowledge/laptop-hardware-security/):

Intel and AMD do not need the co-processor to implement a backdoor - they can simply introduce CPU vulnerabilities like Spectre and Meltdown if they want to. If you do not trust a CPU vendor, the only mitigation is to not use said vendor.

So if you read that article, he says there’s no point in buying an old brick just to be able to disable intel me because of the above quote.

You have to negotiate.

They: Do you have whatsapp?

You: No i hate that app but we can use Rehnijobuboba, heard of that?

They: No and there’s no way I’m installing something I can’t even speak.

You: Ok, you dont want to install that and I don’t want whatsapp, lets meet halfway and use Signal together!

They: Fine.

I have respect for what you’re saying and I would like to think you’re right. I don’t have the experience myself to know, I just listen to what experts like you are saying. But I have also read other experts say worrying things like this (https://www.srlabs.de/blog-post/usb-peripherals-turn):

To make matters worse, cleanup after an incident is hard: Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root. The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.

Once infected, computers and their USB peripherals can never be trusted again.

What do you think about that?

And if you want to get tin foil hatty. How do you know you werent man in the middled when you bought a laptop from a retailer. What if a bad actor installed or tampered with the new laptop you bought. And now is less secure than a second hand laptop because joe down the street doesnt care what you do with the laptop as long as he gets paid.

That is part of the unavoidable risk. There are some entities we can’t avoid having to place some trust in. But I think the risk is higher buying second hand instead of from a reputable brand and off the shelf. And the previous owner was also at risk of such a mitm attack from the vendor.

Lets say you have your laptop and sombody steals it. Your using LUKS full disk encryption right? Lets say you did for this example, your headers for decryption are plaintext on boot. So a threat actor can use brutforce to crack your disk. You can setup LUKS to have your headers on a separate disk that you take with you. Its the equivalent of taking away a lock and a key. So all the threat actor is left with is a door.

If you have a password with 100+ entity then practically I don’t think we need to worry about bruteforce attack, or am I wrong about that? But you are still making a good point about there being many attack surfaces to defend against, it’s not only about where you buy it from.

It sounds like you’re saying buying used second hand laptops can’t have malware from the manufacturers, only new laptops can but that is wrong.

If you buy second hand you still have that risk of malware from manufacturers and you also have the risk of malware received because of previous owner bad opsec. So if you avoid second hand laptops then your risk is small but with second hand then its bigger risk.

https://osresearch.net/

If they don’t want to use private communication then just leave it. If you want privacy you have to get used to having a less social life, at least online. That’s the key really, if you want a social life, you have to start going offline, out into the real world and meet people. Get to know your neighborhood a bit or join some outdoor activity or club or something. I know it’s weird at first about going outside because we’re all basement computer nerds but you will find freedom without all the online surveillance when you leave your home.

JK, because next challenge is to convince everyone you meet that they should leave their phones are home and if you thought getting people to use Signal is hard you have no idea because that’s just step 1.

should be able to cut D-/D+ and the SS lines

What do those lines do if they are ok to cut? And why we cutting them?

I also wonder if Boot Guard or USBGuard is enough to protect against a malicious charger. Becuase if the adversaries switch the charger out for their own malicious charger that looks the same but is going to be used to maybe record my password or something, then USBGuard should recognize it’s a different device? And I don’t know enough about Boot Guard, I guess Boot Guard doesn’t help in this situation because Boot Guard is just about during the Boot.