So hear me out. What if we took $6.9M out of the CEO bonus and dropped the Mozilla AI project?
Maybe that would be enough to hire a maintainer or two for Firefox iOS port?
Maybe that could work?
I don’t know, just an idea. Crazy.
When I was last working in the automotive industry about two decades ago, a lot of effort was being put into protecting BIOS on diagnostic laptops, so that only “authentic” manufacturer diagnostic tools could be used to service the vehicles.
I regularly remote into in order to manage, usually logged into KDE Plasma as root. Usually they just have several command line windows and a file manager open (I personally just find it more convenient to use the command line from a remote desktop instead of directly SSH-ing into the system)
I’m not going to judge you (too much), it’s your system, but that’s unnecessarily risky setup. You should never need to logon to root desktop like that, even for convenience reasons.
I hope this is done over VPN and that you have 2FA configured on the VPN endpoint? Please don’t tell me it’s just portforward directly to a VNC running on the servers or something similar because then you have bigger problems than just random ‘oops’.
I do also remember using the browser in my main server to figure out how to set up the PiHole
To be honest, you’re most probably OK - malicious ad campaigns are normally not running 24/7 globally. Chances of you randomly tumbling into a malicious drive-by exploit are quite small (normally they redirect you to install fake addons/updates etc), but of course its hard to tell because you don’t remember what sites you visited. Since most of this has gone through PiHole filters, I’d say there’s even smaller chance to get insta-pwned.
But have a look at browser history on the affected root accounts, the sites along with timestamps should be there. You can also examine your system logs and correlate events to your browser history, look for weird login events or anything that doesn’t look like “normal usage”. You can set up some network monitoring stuff (like SecurityOnion) on your routers SPAN, if you’re really paranoid and try to see if there’s any anomalous connections when you’re not using the system. You could also consider setting up ClamAV and doing a scan.
You’re probably OK and that’s just paranoia.
But… having mentioned paranoia… now you’ll always have that nagging lack of trust in your system that won’t go away. I can’t speak to how you deal with that, because it’s all about your own risk appetite and threat model.
Since these are home systems the potential monetary damage from downtime and re-install isn’t huge, so personally I’d just take the hit and wipe/reinstall. I’d learn from my mistakes and build it all up again with better routines and hygiene. But that’s what I’d do. You might choose to do something else and that might be OK too.
Hmm… ProtonVPN team solved this in better way. They put the repo configuration stuff into DEB file, so it’s just a matter of double clicking it and clicking install
I was wondering how they’d solve signature checking and key installation - and looking at their page they seem to recommend skipping checking package signatures which, to be honest, isn’t a super good practice - especially if you’re installing privacy software.
Please don’t try to check the GPG signature of this release package (dpkg-sig –verify). Our internal release process is split into several part and the release package is signed with a GPG key, and the repo is signed with another GPG key. So the keys don’t match.
I get it’s more userfriendly - and they provide checksums, so not a huge deal, especially since these are not official Debian packages, but the package signing has been around since 2000, so it’s pretty well established procedure at this point.
As others have already pointed out, a lot of Linux software is installed from repositories in a standard way, and once you do that, it updates automatically.
However, as you’ve already discovered, there’s more than one way to install Linux software. Repositories are still the most common way, but installing single .deb’s (Debian based distributions) or .rpms (RedHat packaging format) is still there and there are more like Snap, Flatpak and Appimage. You can also often just download the source and compile it yourself. It’s a very diverse ecosystem, not like the controlled worlds of WIndows and Mac.
In this case you can download the .deb file, and pretty sure you can even install it through the file manager, just like in Windows (I don’t use Ubuntu, but I think it will just start GUI installation if you double-click on a .deb file).
But lot of things in Linux are still done through the terminal, like changing configurations and, yes, installing things.
Getting used to it takes a while, especially if you’re not used to modern Windows administration through PowerShell.
The important part is trying to figure out what each of the commands do and that the output actually means. Software that supports Linux normally has very clear instructions (like in this case), but it does require willingness to change habits, technical curiosity and some trial and error (patience). It’s not quite as polished experience as the commercial OS’s. There’s still a lot of rough edges for the user.