Pinned toot

i want a shortcut that mentions all users on the fediverse just to say how awesome they are

while searching for the icons repo i found this: wiki.ubuntu.com/Artwork/Incomi. i still think that the interface on the screenshots looks much better than modern ones.. and modern operating systems don't ask you to find your inner koala! wiki.ubuntu.com/Artwork/Incomi

Show thread

installed ubuntu in a vm out of curiosity. its icons are awesome, i think i'll try to package them for the distro i use. it's good that the installer lets you choose a minimal install with fewer apps. but i don't understand the why they suggest that you use livepatch on a desktop system, which is presumably meant for users who don't know what a kernel is.

does kernel live patching prevent using lockdown? a security feature at the cost of another security feature?

website: we've emailed you your new password
me: *checks email* "7756"? i should change that!
website: "watch-unelected-handgrip" is a weak password

and "7756" isn't?..

so, there's no way to disable leaking single-word searches to dns in chromium itself. but maybe i could add a name service switch hook that'd return notfound for any request which doesn't have a valid tld? (i hope that doesn't require writing c..)

/: 22,3 GiB (23918297088 bytes) trimmed

and now that block is filled with zeroes :)

Show thread

i created another very large file from urandom and that block got overwrited as it should've been

yay, free space on ssd wiped!

Show thread

it was a journald file (!) which apparently contained my browser data. i found it by searching "infosec.exchange". now i vacuumed journals and the block no longer belongs to anyone..

Show thread

well the block dump shows me that data i saw in dhex, so i got the right block number, but inside the file that i found this way there's no such data

Show thread

okay so i tried to calculate the block number knowing the hex offset in bytes (= offset / 4096), found the inode using that block with

debugfs -R "icheck $block_number" /dev/sda1

then found the file for that inode using

debugfs -R "ncheck $inode_number" /dev/sda1

now let's see if i found the right file..

Show thread

so there's some data i can see by opening the block device in a hex editor, but can't find with grep on the mounted filesystem. is there a way to find in which file is this data located? i have zero space left, so it has to be a file.. (fs is ext4)

cars parked near the office are a side channel

okay, no, it doesn't. it was a bad idea. i thought that adding it late enough would make it act as a fallback, but it overrides default rules, including those that allow local users to run poweroff/reboot/etc without authentication. so yeah, the only way is to add the homed user as an administrator in a separate rule. which isn't a clean solution.

Show thread

whoa, my laptop's bios/uefi setup doesn't appear to be backdoored

i'm pretty sure it can be reset after disassembling the laptop, but at least that's something. the service manual says, if you don't remember your password, lenovo can't help you. so maybe there isn't even a jumper dedicated to resetting cmos!

oh wait i could add an interactive rule, like, if subject.isInGroup("wheel"), then auth_self. that should work.

Show thread

so far the only thing that doesn't work with systemd-homed correctly is polkit. my distro adds unix-group:wheel as admin by default, but that rule doesn't add homed users. rules mentioning user in question directly (unix-user:username) do work.

imo systemd-homed should let the admin create a temporary user password, one that would only be used for the first login, after which systemd would ask the user to submit a new password and do the encryption work itself

setting the password during user creation is no good bc the admin could set a temporary password and save generated luks headers. then the user would change their password and think they're safe, while in reality they're not.

Show thread

luks works by encrypting the real encryption key using a user-supplied password or file. so changing the luks password only makes sense if you found a hardware keylogger or someone saw you enter your password, not when an adversary had access to your system? and giving each user their own password only makes sense if they don't have access to raw disk data?

Show more
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.