

True, but this book is the best thing Microsoft has made.
After you updated the config did you update-initramfs or update-grub (I forget which flags might be needed off hand). Since this is happening pre-boot it isn’t reading from /etc.
Before Arch that role belonged to Gentoo.
To add, before the change the Gentoo wiki was a top resource when it came to Linux questions. Even if you didn’t use Gentoo you could find detailed information on how various parts of Linux worked.
One day the Gentoo wiki died. It got temporary mirrors quickly, but it took a long time to get up and working again. This left a huge opening for another wiki, the Arch wiki, to become the new top resource.
I suspect, for a number of reasons, Arch was always going to replace Gentoo as the “True Linux Explorer”, but the wiki outage accelerated it.
You also have to keep track of the site and how you spell it. For example is it “Microsoft” or “microsoft”?
And keep track of the current name of the site vs the old name. For example am I signing into Microsoft or Live.com or Xbox?
And keep track of my username. Is it my email? Which email? Which username?
I understand the concept but I think it falls apart fast.
I completely forgot that existed! Double checking the technical article they do correctly label it as a browser in their testing matrix/grid.
I just got confused by the clear “Brave browser” call out. When I hear DuckDuckGo I definitely don’t think browser.
Good catch!
You’re not affected if (and only if)
You always used the Brave browser or the DuckDuckGo search engine on mobile
I found that odd, but reading the more technical write up (linked in the article) it seems Brave blocks localhost communication.
The Chrome proposal references a single use case. I’ve never seen a website that sets up my local devices, but is this a new thing?
Why did localhost not get blocked earlier? This seems like a huge hole browsers have ignored for years.
Also the DuckDuckGo exception doesn’t make sense to me. Does DuckDuckGo have Facebook trackers on it to begin with? Whatever site DuckDuckGo sends you to, if they have the trackers, you’ll get tracked.
Linux has two ways of drawing pictures, the old way (Xorg) and the new way (Wayland).
The old way is like a giant box of crayons with the crayon sharpener built in. The box is all marked up, the sharpener is full of gunk, and a few crayons are melted together. Nobody really wants to touch the old box of crayons, although it does work for the most part, it’s a familiar box.
The new way is like a smaller box of crayons. The clean sharpener isn’t built in but it is available nearby, although some people say it doesn’t work as good. A few crayons are missing, but are available in most cases, they’re just not in the box. Most people are working to improve the new box.
If you’re using Linux, the new box of crayons is generally the better choice. It’s ok to stop using the old box.
Knoppix. I didn’t see it listed yet so I had to chime in.
I saw it and was confused that computers could run something that wasn’t Windows and wasn’t Mac. Then I was handed a Knoppix LiveCD and suddenly MY computer was Linux. Absolutely blew my mind.
I then explored Mandrake (now Mandriva?) for a while but it never really stuck.
A few years later Ubuntu was handing out LiveCDs to everyone running Warty Warthog and soon after window managers started to use Beryl (?) which let you have a fancy cube desktop. Absolutely pointless but that’s how it all started.
As you mentioned elsewhere it’s encrypted.
Take a look at /etc/crypttab and creating and adding a key file that can unlock the drive.
Essentially your additional SSD will have both a password and a file containing a password that can unlock the drive. When you unlock your root filesystem (I’m guessing at boot) it will then have the key file that can unlock the SSD.
Something like cryptsetup luksAddKey /dev/pathtossd --new-keyfile /etc/newpassword
Systemd might make this easier to setup nowadays.
Edit: Also, yes, the password to unlock your SSD is just sitting in a file in your root drive. Be sure to restrict it to only be readable by root.
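A check for the last point above (the key file must be readable by root only), as an added example that is not part of the original comment. It assumes Linux with GNU `stat`; the function name and the sample crypttab are constructed for illustration.

```shell
#!/bin/sh
# Audit the key files referenced by a crypttab (fields: name device keyfile options).
# Usage: audit_crypttab_keyfiles FILE [EXPECTED_OWNER_UID]   (owner defaults to 0, root)
audit_crypttab_keyfiles() {
    tab=$1
    want_uid=${2:-0}
    bad=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac            # blank lines and comments
        case $key in ''|none|-|/dev/*) continue ;; esac    # passphrase prompt or device node
        if [ ! -f "$key" ]; then
            echo "MISSING $name $key"; bad=1; continue
        fi
        mode=$(stat -c %a "$key")
        uid=$(stat -c %u "$key")
        # Any group/other permission bit exposes the key to non-root users.
        case $mode in
            0|*00) ;;
            *) echo "WEAK_MODE $name $key $mode"; bad=1 ;;
        esac
        [ "$uid" = "$want_uid" ] || { echo "WRONG_OWNER $name $key $uid"; bad=1; }
    done < "$tab"
    return $bad
}

# Constructed sample: one well-protected key file and one world-readable one.
demo_dir=$(mktemp -d)
printf 'constructed-key' > "$demo_dir/good.key"; chmod 400 "$demo_dir/good.key"
printf 'constructed-key' > "$demo_dir/open.key"; chmod 644 "$demo_dir/open.key"
cat > "$demo_dir/crypttab" <<EOF
# constructed sample crypttab
root_crypt  UUID=constructed-root  none                luks
data_ssd    UUID=constructed-ssd   $demo_dir/good.key  luks
backup_ssd  UUID=constructed-bak   $demo_dir/open.key  luks
EOF

# The owner is set to the current user here so the demo runs unprivileged;
# on a real system omit the second argument to require root ownership.
audit_crypttab_keyfiles "$demo_dir/crypttab" "$(id -u)" || echo "findings listed above"
rm -rf "$demo_dir"
```
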
Oh I completely agree. There is a reason it took me a while and careful observation before I figured it out.
I assume it’s part of, or started as, a little password dance. Something like, “abc123DEF”.
Or maybe it just comes from the idea that only a single key can be pressed at a time?
Either way I completely agree, insane.
I agree, but it’s more common than you’d think.
I used to work at an organization that used Chromebooks, which replace the caps lock key with a search key (same shape, different behaviour). I was surprised at the number of people who struggled with their passwords because they would hit the “search” key, enter a single letter, and then hit “search” again. It took me a little while to figure it out because… Who does that?
At the time (and possibly still) Dell was promoting laptops with Ubuntu preinstalled. These laptops also avoided the “Windows Tax” and were ~$50-$100 cheaper.
*The “Windows Tax” being that Windows cost money. Most companies just built the cost of Windows into their product with no (easy) method of not purchasing Windows. So if you bought a $800 laptop, you actually bought a $700 laptop plus a Windows license, even if you never planned on using Windows.
Also worth adding, since this story was big many years ago, when the college was contacted they were fine with her laptop. They had no requirement that she use Windows.
Re random IPs,
Sure, but my point is there is no such thing as a “truly random” IP address. You receive an IP from your ISP or VPN provider, that provider has a pool of IP addresses. Dynamic means you get one from the pool. Static means you get the one reserved for you, from a similar pool. The security/privacy benefits are nearly zero and not worth highlighting as an advantage.
Re static IP,
https://nordvpn.com/blog/static-ip-vs-dynamic-ip-address/ says,
Costly. Static addresses usually cost more for ISPs and consumers than dynamic IP addresses.
I really appreciate this post since I think many discussions about VPNs are misleading or treat them as a magic solution to all problems.
I think you’ve given a fair outline of what a VPN.
But, being the Internet, I have a few thoughts,
Hiding your IP address: VPNs will replace your IP address with a random IP address assigned by the VPN provider.
I don’t think the word “random” is needed. The IP address a VPN assigns is no more random than the IP address your ISP assigns. I think someone could see random and assume more security, which would be incorrect.
IP addresses are usually static, meaning it never changes, but sometimes your ISP may assign you a dynamic IP address, which will change every few months or so.
Last I knew ISPs still charged for static IP addresses, so most would be dynamic. Although oftentimes a dynamic IP address is de facto static, since an ISP will never change it.
If you open up ports on your router (for various purposes), it can leave your network vulnerable to certain attacks as long as the attackers know your public IP address.
I think this should be a separate bullet point, since this is clearly security and not privacy. I think as a security point it needs further discussion. Really I imagine this only comes up in peer to peer connection scenarios. I don’t know if the denial of service attacks of old are still relevant.
Encrypting your traffic: VPNs can allow your traffic to be encrypted, so that your ISP or other people connected to the same network can’t see which sites you visit or (in some cases) what data is sent. The reasons why this is important are too long to list, but you can work it out on your own.
I think it’s important to clarify who you are encrypting your traffic from. Generally your traffic is already encrypted. DNS is often not encrypted.
Debian Testing. It isn’t “recommended” but it works fine.
Obviously if you want AUR you need an Arch variant, in which case just pick Arch.
Edit: I needed the why, it’s up to date enough for me and I know apt well.
I have no way to put this gently: I cannot conclusively determine which one is more secure.
That’s the only conclusion I would have trusted. Otherwise you should have been awarded the tech equivalent of a Nobel Prize.
Security (and privacy) is not a zero sum game. That isn’t to say we shouldn’t discuss it. That isn’t to say we can’t point out clear advantages.
In any case, I appreciate the write up.
404s for me as well but I’m guessing https://arstechnica.com/gadgets/2024/01/convicted-murderer-filesystem-creator-writes-of-regrets-to-linux-list covers it.
Re Google Safe Browsing
I would argue it’s a security feature with potential privacy concerns, however I would agree it is more of a failsafe or suggestion.
However it being disabled by default or not included at compile time versus enabled by default may also be relevant when it comes to security. As a hypothetical a high severity bug with Google Safe Browsing could arguably make a browser less secure. However even as a failsafe/suggestion, the small security benefit may make the overall browser more secure, e.g. filtering known bad websites that attack known vulnerabilities.
I’m also just using Safe Browsing as an example here, it may or may not be worth focusing on since a browser is basically an operating system.
You mentioned sandboxing, which I think is perhaps a more reasonable scope.
The trick you’ll learn is that everyone is just pretending. The more you learn the more you realize you don’t know.