I’m not sure how funny this will be, but here’s how I broke my system twice in a single case. Step by step:
Migrated from Manjaro KDE to EndeavourOS KDE. Kept the previous home directory.
After a few updates, there was a problem with Plasma. Applications were not starting from the panels or the .desktop files (they worked from the terminal. The terminal emulator was in startup and worked that way)
After a few google searches, found out that downgrading glibc would do something, so downgraded… Worked for a while
While using pacman -Syu, I always checked for warnings (foolishly thinking that the downgraded and ignored glibc would cause a pacman warning if it broke dependencies) and there were none. So, the updated OS stopped working due to unmatched glibc. BREAK 1
To fix it, I opened one of my multiple boots (another EndeavourOS) and made a script using pacman -Ql and cp to copy new glibc related files into the broken system (because I was too lazy to learn how to do it the correct way with pacman and chroot didn’t work because glibc is needed by bash).
Turned out the script I made was wrong and I hadn’t checked the intermediate output from pacman -Ql, which was telling cp to copy the whole /etc /usr and other directories. (if only I hadn’t given the -r to cp) BREAK 2
In the end, I just made a new installation, this time with a new home and hand-picked whatever settings I wanted from the previous home, Viva la multi-HDD
You can attach a fake one in software via XVFB (X Virtual Frame Buffer). It’s a little involved if you aren’t familiar with X, but it only took me an hour or so to get setup. Then you don’t need any hardware at all, and can set whatever resolution you’d like.
The messages you’re getting sound like they’re from the bootloader, so I think secure boot is not causing the problem… Linux should print some stuff right away when it loads, maybe check the architecture of the kernel you’re trying to boot, even an error immediately after loading the kernel should print something unless the architecture is so different that it’s just feeding the CPU bad instructions… Not sure how the bootloader would get installed correctly in that situation though. Is this after installation? Does the system boot from a live USB or cdrom?
This is great!! I use macOS for work but I’m sure I can get 90% of the work done on Linux now! Just wondering about GPU performance? Video editing is crazy fast on macOS, anyone tried on Asahi?
I often switch between Wayland and X. My only concern is Java does not yet support Wayland and old native libraries (e.g. 3D stuff for no longer maintained Java games) will probably break, once Java actually switches. Java and some Java games work with the xwayland compatibility layer, for now, but there are glitches sometimes. There are multiple projects porting Java stuff (e.g. Swing) to Wayland. All unofficial and incomplete.
I think that’s only true for the programs, not for the JVM/JRE code. The JVM/JRE doesn’t support Wayland without the xwayland compatibility layer. Also, some games use “native” libs that do optimized 3D stuff. Those are special Java classes, not part of the JVM/JRE that interface with C libs, kernels, system calls and hardware directly. Some will stop working without an X window to connect to. Some are long forgotten and won’t be ported.
Yeah, I don’t know about Java. I often switch between X and Wayland myself, but I’m mostly on X because I use a tiling window manager (Qtile) which has a Wayland version but is still ironing out some issues before I can switch full time.
There are some hacky methods to make some Java software use Wayland. Iirc, github.com/openjdk/wakefield is the jvm version I used to test it on Minecraft and Mindustry. I did not really get that far, but it has been quite some time since I tested it so I do not remember exactly what the results were. Otherwise it is possible the subjected software itself needs extra editing to make it work on Wayland.
Once an admin I know forgot to install a text editor. Imagine the fun editing files with cat, grep, awk etc., now imagine you have to use it to browse the web.
I still have every email I’ve ever received, going back now more than 20 years. My solution isn’t terribly fancy, but it gets the job done.
I have a Synology here at home running a mail server. You don’t need a Synology specifically, just a simple mail server with access to a lot of disk space. The server isn’t on the Open web or anything and doesn’t support SMTP. It’s just running IMAP to serve the local mail around the house.
I connect to it from Thunderbird on my various machines. I also use Thunderbird to connect to my actual mail servers to do my day-to-day mail stuff.
Every six months or so, I move old mail messages from my actual mail servers over to the archival one. Generally, I keep the mail on the archival server in folders; one per year, that keeps the loading time to a minimum. For example, come January 1st 2024, I’ll be moving mail from January 2023 - June 2023 to the /2023 folder on the archive.
Searching is done via Thunderbird just like you search any mail account, and on my desktop machine, I let Thunderbird keep copies of the mail locally for quick searching. On my laptop though, I ask it to not keep copies to save disk space.
$ du -sh .Maildir/
13G .Maildir/
That’s going back to 2000 1995, both sent & received. The first email I have in there is from a friend of mine offering to send me an MP3 she downloaded.
@danielquinn Is that just for text or also for images & attachments? Either way, yeah, 13G is a tiny amount of space when you consider how much info is in there! I wish I had done something similar.
Somehow I found ways to remove and break the GUI multiple times in multiple ways in multiple distros.
Different scenarios, different times, different issues trying to “fix”. My usual fix after this was always to copy what I think I still had important and then move on with a reinstall.
Recently I have been playing with ZorinOS and broke it in the same way by fidgeting with pipewire. Distro hopped to Fedora Silverblue due to the immutable filesystem. I wonder if I will break this one in a way I cannot revert it easily with rpm-ostree. I almost feel challenged.
So you need a MitM situation to even be able to perform the attack, and the attack only works on two ciphers? The article says those ciphers are commonly enabled, but are they default or used in relatively modern distributed versions of openssh?
A scan performed by the researchers found that 77 percent of SSH servers exposed to the Internet support at least one of the vulnerable encryption modes, while 57 percent of them list a vulnerable encryption mode as the preferred choice.
That means a client could negotiate one or the other on more than half of all internet-exposed openssh daemons.
I haven’t got too whizzed up over this, yet, because I have no ssh daemons exposed without a VPN outer wrapper. However it does look nasty.
So I am sort of an embedded developer, and I like to mess around with weird configurations. So the craziest experiment I did was trying to reflash a Raspberry Pi from a system running in the Pi’s RAM. It honestly might have worked, but during the prep work I forgot to resize the filesystem before mucking with the partitions and had to reflash the normal way before I could try again. Ended up just turning it into a pihole instead, but I still learned a lot about pivot_root
I get your point that the exploit existed before it was identified, but an unmitigated exploit that people are aware of is worse than an unmitigated exploit people aren't aware of. Security through obscurity isn't security, of course, but exploiting a vulnerability is easier than finding, then exploiting a vulnerability. There is a reason that notifying the company before publicizing an exploit is the standard for security researchers.
You're right that it's never an OK title, because fuck clickbait, but until it's patched and said patch propagates into the real world, more people being aware of the hole does increase the risk (though it doesn't sound like it's actually a huge show stopper, either).
Weakness and risk are distinct things, though—and while security-through-obscurity is dubious, “strength-through-obscurity” is outright false.
Conflating the two implies that software weaknesses are caused by attackers instead of just exploited by them, and suggests they can be addressed by restricting the external environment rather than by better software audits.
In my opinion Dan Goodin always reports as an alarmist and rarely gives mitigation much focus or in one case I recall, he didn't even mention the vulnerable code never made it to the release branch since they found the vulnerability during testing, until the second to last paragraph (and pretended that paragraph didn't exist in the last paragraph). I can't say in that one case, it wasn't strategic but it sure seemed that way.
For example, he failed to note that the openssh 9.6 patch was released Monday to fix this attack. It would have gone perfectly in the section called "Risk assessment" or perhaps in "So what now?" mentioned that people should, I don't know, apply the patch that fixes it.
Another example where he tries to scare the reader, stating that "researchers found that 77 percent of SSH servers exposed to the Internet support at least one of the vulnerable encryption modes, while 57 percent of them list a vulnerable encryption mode as the preferred choice." which is fine to show how prevalent the algorithms are used but does not mention that the attack would have to be complicated and at both end points to be effective on the Internet or that the attack is defeated with a secure tunnel (IPSec or IKE for example) if still supporting the vulnerable key exchange methods.
He also seems to love to bash FOSS anything as hard as possible, in what to me, feels like a quest to prove proprietary software is more secure than FOSS. When I see his name as an author, I immediately take it with a grain of salt and look for another source of the same information.