<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Security on Trafotin.com</title>
    <link>https://trafotin.com/tags/security/</link>
    <description>Recent content in Security on Trafotin.com</description>
    <generator>Hugo -- 0.163.3</generator>
    <language>en</language>
    <lastBuildDate>Sat, 13 Sep 2025 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://trafotin.com/tags/security/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Tor Has Problems, But Mental Outlaw Has Multiple Too.</title>
      <link>https://trafotin.com/blog/2025-09-13-tor-issues/</link>
      <pubDate>Sat, 13 Sep 2025 00:00:00 +0000</pubDate>
      <guid>https://trafotin.com/blog/2025-09-13-tor-issues/</guid>
      <description>Mental Outlaw made an inaccurate video. A couple actually. Plus some announcements for the next 2 months.</description>
      <content:encoded><![CDATA[<p>A <a href="https://www.youtube.com/watch?v=QDDkfKPmD8c">little</a> <a href="https://odysee.com/@AlphaNerd:8/the-tor-project-is-ignoring-these-issues:d">birdie</a> named Mental Outlaw whispered into my ear that the Tor Project has failed to fix BGP routing problems, issues with the NoScript settings, and the static user agent.</p>
<p>First of all, BGP routing problems don&rsquo;t just affect Tor. They affect all kinds of network architecture like VPNs and certificate authorities. While I don&rsquo;t have a complete understanding, <a href="https://collaborate.princeton.edu/en/publications/counter-raptor-safeguarding-tor-against-active-routing-attacks">the attacks presented by Princeton University&rsquo;s team against Tor</a> are not unique. A similar attack was documented by <a href="https://www.certik.com/resources/blog/bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the">Certik against the crypto exchange KLAYswap</a>. By that point, this seems out of scope of Tor when all of us could be hit.</p>
<p>Second, I&rsquo;m not familiar with the specifics of what NoScript is doing, but the team has expressed that they need more data for building more up-to-date NoScript profiles. Seeing as I&rsquo;m one of the only people on the planet who uses uBlock Origin advanced mode, I don&rsquo;t know what the expectation is here nor what should be blocked in each mode except Default. The Tor security settings made sense back when NoScript was the only game in town, but there are <a href="https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43365">plans integrating uBlock Origin</a> into Tor and it&rsquo;s going to take some time.</p>
<p>Third, on <a href="https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43292">the Tor Browser no longer changing the user agent to Windows</a>, user agents have long been broken. I constantly get questions on old videos and I&rsquo;ll say it here, stop using user agent switchers. As long as you know what user agent you want (e.g. Chrome on Mac), you can use the responsive design mode in Firefox or &ldquo;Inspect Element&rdquo; in Chromium to change it. This feature exists for people who are web designers or app makers to test compatibility and responsiveness of their sites or apps.</p>
<p>Changing your user agent can fool certain scripts, but other scripts easily bypass it using fonts/CSS detection and find some way to detect your true operating system. Since Apple created Apple Silicon, the Tor Browser has reported the accurate &ldquo;Firefox ESR on Mac&rdquo; user agent because they mostly still are the only ARM users of the Tor Browser. When you think about it this way, it makes changing your user agent detrimental to your privacy because only weirdos and web devs change their user agent.</p>
<p>Fourth and finally, maybe consider not trusting sources that only show their sources in screenshots and make me go down rabbit holes online and yank things out of my brain. He clearly doesn&rsquo;t know anything about Fair Use when he watched Reddit videos in a livestream with no meaningful commentary, <a href="https://odysee.com/@AlphaNerd:8/is-proton-mail-really-private,-secure,:f">previously claimed Proton is a honeypot without provided substantial proof</a>, <a href="https://social.lol/@hen/113319889528790158">stole thumbnails from other YouTubers to use in videos</a>, or <a href="https://linuxreviews.org/File:Mental_Outlaw_-_Politically_Correct_Tech.webm">complained about politics/open source</a> rather than helping people or fixing problems. I hope one day the feds would pay me the money some people will likely accuse me of making. Maybe consider not getting your news from YouTubers, including me, especially when they use awful sources like Linuxiac, the Register, Tech Radar, Reddit, and X (formerly Twitter). This kind of critical thinking is taught in school to fifth graders or students in primary school.</p>
<p>Oh and happy Saturday to you all. I realized Meta Connect is this Wednesday, so I&rsquo;ve had to slow down video production until it&rsquo;s over. Shorts will be out for the last 4 tech events I&rsquo;ve watched over the last 2 months, commentaries are out for Patrons/YouTube members, and the groundwork for 2 videos have been laid out, including one about the mythical Windows 12.</p>
]]></content:encoded>
    </item>
    <item>
      <title>How Symantec VIP Access Holds Your Security Codes Hostage feat. python-vipaccess</title>
      <link>https://trafotin.com/v/symantec-vip-access/</link>
      <pubDate>Mon, 17 Feb 2025 00:00:00 +0000</pubDate>
      <guid>https://trafotin.com/v/symantec-vip-access/</guid>
      <description>Last year I had to rid myself of the Symantec VIP Access app. With the help of python-vipaccess, it&amp;rsquo;s possible to liberate your 2FA codes and get them wherever you want. It&amp;rsquo;s time to learn some package managers, 2FA provisioning, and Python scripting!</description>
      <content:encoded><![CDATA[

<div style="position: relative; padding-top: 56.25%;"><iframe title="How Symantec VIP Access Holds Your Security Codes Hostage" width="100%" height="100%" src="https://spectra.video/videos/embed/df42ea11-191f-4fde-9834-1583e16ed8b2?subtitle=en&amp;title=0" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<center>
<button class="button button1">
<a  href="https://youtube.com/shorts/7frJWDJsE_c"  >
	
YouTube

</a>
</button>
</center>

<p>I love two factor authentication (2FA) and it’s essential to operating
accounts in the digital world. But have you ever been forced to use it?
Last year, I had to help my dad use the Symantec VIP Access app for his
Fidelity account and apparently it’s deployed in many other businesses
as well.</p>
<p>First, a bit of background. Fidelity is a popular investment broker here
in the US and in particular, my dad got so annoyed by the text messages
every time he had to login to his retirement account. By default,
Fidelity does everything through your phone number so I was tasked to
find a way around it.</p>
<p>For years, Fidelity only supported one other form of 2FA, that was
Symantec VIP Access, a lame proprietary app that was basically a gated
wrapper for standard 2FA, like in Google Authenticator. In August 2024,
Fidelity made <a href="https://old.reddit.com/r/fidelityinvestments/comments/1esv55g/its_here_you_can_now_use_most_authenticator_apps/">an announcement on their Reddit
page</a>
(<a href="https://old.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqnwfj4ooad.onion/r/fidelityinvestments/comments/1esv55g/its_here_you_can_now_use_most_authenticator_apps/">Onion
link</a>)
that they now welcome any kind of 2FA app.</p>
<p>The thing that was irks me about apps like Symantec VIP Access is it’s a
proprietary solution and not an open one. Deep down in the app, it is
running the normal Google Authenticator stuff good websites run. They
also make it so you can’t export your codes and include unnecessary data
collection in the app, which is just unacceptable for an app to guard
your accounts.</p>
<ul>
<li><a href="https://vip.symantec.com/">Official Symantec VIP Access page</a></li>
<li><a href="https://reports.exodus-privacy.eu.org/en/reports/com.verisign.mvip.main/latest/">Symantec VIP Access on
εxodus</a></li>
<li><a href="https://apps.apple.com/us/app/vip-access-for-iphone/id307658513">Symantec’s App Privacy Label on Apple’s App
Store</a></li>
</ul>
<p>Like most financial institutions, Fidelity has terrible practices and I
had to go through the trouble of setting all of this up, but I’m making
this video to celebrate Fidelity amends and prepare all of you the next
time you are forced to use Symantec VIP Access.</p>
<h1 id="python-vipaccess">python-vipaccess</h1>
<p>Some people on GitHub, <a href="https://github.com/cyrozap">cyrozap</a> and <a href="https://github.com/dlenski">Dan
Lenski</a>, have reverse-engineered the desktop
and mobile apps and Symantec’s protocol, so you don’t need to use
Symantec’s app and continue using an open-source authenticator app like
<a href="https://getaegis.app/">Aegis</a> or <a href="https://ente.io/auth">Ente</a> for
desktop/iPhone users.</p>
<p><em><a href="https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vip-access-provisioning-protocol/">Read cyrozap’s blog post about reverse engineering server calls for
Symantec VIP
Access</a></em></p>
<p><a href="https://github.com/dlenski/python-vipaccess">python-vipaccess GitHub</a></p>
<h2 id="installation">Installation</h2>
<p>You will need Python and pipx installed in order to use the script. You
can use <a href="https://scoop.sh/">scoop</a> for Windows, pipx from
<a href="https://formulae.brew.sh/formula/pipx">Homebrew</a>, or your Linux package
manager. I use a Distrobox/Docker container to run it to keep my system
clean.</p>
<p>Next, we need to install <code>python-vipaccess</code> from pip using pipx.</p>
<pre><code>pipx install python-vipaccess
</code></pre>
<p>Now you can launch <code>python-vipaccess</code> from your terminal.</p>
<h1 id="symantecs-provisioning">Symantec’s Provisioning:</h1>
<p><code>python-vipaccess</code> will generate your Symantec token by negotiating with
their server the same way their app does. Symantec uses a proprietary,
server-side protocol to issue you a token to obtain Google’s open-source
TOTP standard to generate a code. This is yet another reason Symantec
sucks, because Google Authenticator or other open source authenticators
only require one device–yours.</p>
<pre><code>vipaccess provision -p -i Fidelity -t VSMT
</code></pre>
<ul>
<li><code>-p</code> prints the output without saving it to a file.</li>
<li><code>-i</code> is the 2FA issuer. Default is <code>VIP Access</code>, but this could
changed to <code>Fidelity</code> for example.</li>
<li><code>-t</code> is the token format requested from Symantec’s servers. The
token in this case is <code>VSMT</code>.</li>
</ul>
<p>There are alternative tokens marked for either for mobile or desktop,
but all equally functional. Keep this in mind if when you interact with
IT or customer support.</p>
<ul>
<li>SYMC/VSMT (Mobile)</li>
<li>SYDC/VSST (Desktop)</li>
<li><a href="https://knowledge.broadcom.com/external/article?legacyId=tech239895">More classification codes from
Broadcom</a>
(parent company of Symantec)</li>
</ul>
<p>Running the command should get an output that looks like this:</p>
<pre><code>Generating request...
Fetching provisioning response from Symantec server...
Getting token from response...
Decrypting token...
Checking token against Symantec server...
Credential created successfully:
    otpauth://totp/Fidelity:VSMT95687533?secret=HHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR&amp;digits=6&amp;algorithm=SHA1&amp;image=https%3A%2F%2Fraw.githubusercontent.com%2Fdlenski%2Fpython-vipaccess%2Fmaster%2Fvipaccess.png&amp;period=30
This credential expires on this date: 2027-02-19T16:44:55.044Z

You will need the ID to register this credential: VSMT95687533

You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:

    oathtool    -b --totp HHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR  # output one code
    oathtool -v -b --totp HHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR  # ... with extra information
</code></pre>
<p>Let’s translate this output:</p>
<ul>
<li>Under <code>Credential created successfully</code>, this is the information we
need to set up the service.</li>
<li>IT/customer support will ask you for an account ID. With the example
output above, this is <code>VSMT95687533</code>, but you will need to supply
your own.</li>
<li>If support asks you for a different token (e.g. “it’s the code that
starts with ‘SY’”), regenerate your code with the matching token.
You can also politely tell them your app is showing you something
different and read your code aloud.</li>
<li>Afterwards, manually enter the text after <code>?secret=</code> into your
authenticator app. In this example, the Google Authenticator seed is
<code>HHW3IFLSHQJBTZQRTULZQN5Q7DV4ZOQR</code></li>
<li>Make a reminder in your calendar app of choice, password manager, or
physical planner to setup Symantec prior to the expiration date.</li>
</ul>
<h1 id="track-listing">Track Listing</h1>
<ul>
<li>Minobe Yutaka (蓑部雄崇) - Satellite (サテライト) from Yu-Gi-Oh! 5Ds
(遊☆戯☆王5D’s（ファイブディーズ）)</li>
<li><a href="https://neotron-chill.booth.pm/items/6383321">Neötrön (ネオトロン) - City Girl Walks Down a Country Road
(シティーガールは田舎道を歩く)</a></li>
<li><a href="https://nyalpaca.booth.pm/items/5649980">Nyalpaca BGM - City Girl
(シティガール)</a></li>
<li>Outro: <a href="https://soundcloud.com/khaimmusic/free-neon-lamp-charlie-puth-x-bruno-mars-type-funky-guitar-pop-instrumental/s-uqEQff1liFX">Khaim - Neon
Lamp</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title>Verify Your Downloads like a PRO!</title>
      <link>https://trafotin.com/v/gnupg/</link>
      <pubDate>Fri, 16 Aug 2024 00:00:00 +0000</pubDate>
      <guid>https://trafotin.com/v/gnupg/</guid>
      <description>PGP keys, hashes, vendor certificates&amp;hellip; there&amp;rsquo;s so many ways to verify a file! And all of them are like pulling teeth.</description>
      <content:encoded><![CDATA[

<div style="position: relative; padding-top: 56.25%;"><iframe title="Verify Your Downloads Like a PRO!" width="100%" height="100%" src="https://spectra.video/videos/embed/fb438752-a012-4c10-80d8-2387eb2a4a84?subtitle=en" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<center>
<button class="button button1">
<a  href="https://www.youtube.com/watch?v=GtEk8bOb0cI"  >
	
YouTube

</a>
</button>
</center>

<p>Verifying downloads is something that should be ingrained into every
computer user. Unfortunately, the process is very complicated and very
few services make this easy for people. It’s intimidating to be told to
use the terminal, especially if you are on Windows or Mac.</p>
<h1 id="paid-signatures">Paid Signatures</h1>
<p>What’s more, why bother when a lot of the programs you use are probably
verified already? Windows and macOS have a built-in mechanism to
identify whether or not a program was created by the manufacturer that
claimed to make it. If you use Snaps or Flatpaks on Linux, both
implement a checkmark system to show the developer was verified by the
Snapcraft and Flathub developers.</p>
<p>Signed applications are necessary to ensure the file wasn’t tampered
with on the way from the developer to your computer. If you use a
package manager like Winget, Homebrew, or the one in your Linux
distribution, this process is also automatic. What’s more on Linux, the
vast majority of packages on Linux are not verified. Even within the
average distribution repository, most packages are not officially
sanctioned by the original developers. This doesn’t mean a application
is malware, but it can often introduce more problems.</p>
<p>The problem is signing systems like Apple’s notarization process or
Microsoft certificates are costly for developers, requiring at least a
couple hundred dollars up front just so the program you made won’t get
blocked by the default antivirus.</p>
<ul>
<li><a href="https://developer.apple.com/support/compare-memberships/">Apple’s crazy developer
fees</a></li>
<li><a href="https://learn.microsoft.com/en-us/windows/win32/seccrypto/hashes-and-digital-signatures">Microsoft’s explainer about
certificates</a></li>
<li><a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-cert-manage">Microsoft’s list of code signing certificate
providers</a></li>
</ul>
<p>Unsigned applications don’t suggest they are malware, but it’s important
to pay attention to where you got the program to begin with.</p>
<h2 id="bypassing-signature-checks-on-macos">Bypassing Signature Checks on macOS</h2>
<p>Like Microsoft, Apple has a robust verification system. Unlike
Microsoft, Apple is more proactive at blocking unverified downloads.
When you open an application for the first time, Apple will prompt you
if you want to open the application.</p>
<p><a href="https://support.apple.com/guide/mac-help/open-a-mac-app-from-an-unidentified-developer-mh40616/mac">If you need to open an unsigned
application</a>
(e.g. LibreOffice, Alacritty, etc): navigate to <code>/Applications</code> and
<code>Ctrl + Click</code> the application you want to open. Then select “Open.”</p>
<p>If you are on <a href="https://developer.apple.com/news/?id=saqachfa">macOS Sequoia or
higher</a>, you will need to
go to the Settings, “Privacy &amp; Security” and manually allow an unsigned
app.</p>
<h1 id="manual-verification">Manual Verification</h1>
<p>Naturally, people aren’t accustomed to verifying their downloads.</p>
<p>A couple years ago, <a href="https://blog.linuxmint.com/?p=2994">Linux Mint was
hacked</a> and the ISO was modified to
mine cryptocurrency off the unlucky souls who downloaded it. Thankfully,
Mint’s team shut down the attack very quickly, but it goes to show how
important it is to verify your downloads.</p>
<p>The attack was easily prevented if users verified their downloads.
Unfortunately, verifying downloads is something that doesn’t get enough
attention. The hacker of the Linux Mint, Peace, made the bold, but
accurate claim:</p>
<blockquote>
<p>Who the f**k checks those anyway?</p>
<p><a href="https://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/">Peace, to ZDNET’s Zack
Whittaker</a>
February 21, 2016</p>
</blockquote>
<p>We’re going to have to go and prove him wrong. It’s not going to be easy
and maybe this is something that we need to start developing.</p>
<h1 id="gpg-signatures">GPG Signatures</h1>
<p>One of the most popular ways files are verified is PGP keys. Pretty Good
Privacy (PGP) keys are often necessary for verifying other files using a
central server for trust. Some projects also require verifying
additional files.</p>
<p>PGP was originally only available to the government in the 1970s and PGP
was developed to make file and text encryption more accessible to
average people. Almost 40 years later, PGP is very unfriendly and is far
too complicated to use. Encrypted messaging apps automate this message
verifiability and security process, so they fill this void better.
Despite its shortcomings, many open source projects and packaging
utilities rely on PGP, because nobody has been able to break it.</p>
<p>PGP is typically handled with a command line application called <a href="https://gnupg.org/">GNU
Privacy Guard (gnupg)</a>. There are various graphical
front-ends:</p>
<ul>
<li>Windows: <a href="https://www.gpg4win.org/index.html">Gpg4win</a></li>
<li>macOS: <a href="https://gpgtools.org/">GPG Suite</a> (Mail encryption is paid)</li>
<li>Linux: <a href="https://apps.kde.org/kleopatra/">Kleopatra</a></li>
</ul>
<p>Of course, like most GNU applications, using gnupg or any of its
frontends is not particularly straightforward.</p>
<h3 id="verifying-gpg-signatures">Verifying GPG Signatures</h3>
<p><em>I will be using the instructions for Kleopatra and Gpg4win. The
instructions are similar for GPG Suite.</em></p>
<p>First, download the files you wish to verify. This will be your desired
file and a signature file with the extension .sig or .asc.</p>
<p>Typically, these files are named something similar. If you download
openSUSE Tumbleweed’s ISO and verify the checksums, the files we need
here are the signature file
<code>openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.asc</code> and file we want
to verify <code>openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256</code>.</p>
<p>Make note the folder where the files you downloaded are (e.g.
Downloads).</p>
<ol>
<li>In your GPG program, navigate to “Decrypt/Verify.”</li>
<li>Select the signature file first and the file that needs to be
verified.</li>
<li>If you are told the certificate is unavailable, select “Search” to
download the key from a known key server. Otherwise, skip to #6.</li>
<li>Once the key server has found the certificate, click on it and
select “Import.”</li>
<li>Accept the next dialogue once the certificate was imported.</li>
<li>Repeat the process of “Decrypt/Verify” and select the files again.</li>
<li>Select “Show Audit Log.” If you see “Good signature from…,” the file
has been verified as the authentic file.</li>
</ol>
<p>Ignore any warnings that tell you the signature cannot be verified. This
often confuses people who are trying to verify files when they aren’t
trying to encrypt files themselves.</p>
<blockquote>
<p>Since PGP keys aren’t designed for humans, you need to move them
electronically. But of course humans still need to verify the
authenticity of received keys, as accepting an attacker-provided
public key can be catastrophic.</p>
<p>PGP addresses this with a hodgepodge of key servers and public key
fingerprints. These components respectively provide (untrustworthy)
data transfer and a short token that human beings can manually verify.
While in theory this is sound, in practice it adds complexity, which
is always the enemy of security.</p>
<p>Now you may think this is purely academic. It’s not. It can bite you
in the ass.</p>
<p><a href="https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/">What’s the matter with PGP? - Matthew D. Green, Johns Hopkins
University</a></p>
</blockquote>
<h3 id="command-line">Command-Line</h3>
<p>gnupg can also be used from a terminal to verify keys. As a GNU utility,
it’s best utilized on Linux, macOS through Homebrew, or Windows
Subsystem for Linux. It’s also preinstalled in many Linux distributions.</p>
<p>First, verify your file using the signature file first, then the
downloaded file.</p>
<pre><code>gpg --verify openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.asc openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso.sha256
</code></pre>
<p>If the certificate is not yet added, we need import it into our GPG
keyring. You will get presented with a dialogue similar to this:</p>
<pre><code>gpg: Signature made Tue 06 Aug 2024 09:04:47 AM EDT
gpg:                using RSA key 35A2F86E29B700A4
gpg: Can't check signature: No public key
</code></pre>
<p>Next, import the certificate from a remote server. This is the blob of
letters and numbers after the key type. In this example, openSUSE uses
an RSA key and the key is <code>35A2F86E29B700A4</code>.</p>
<pre><code>gpg --recv-keys 35A2F86E29B700A4
</code></pre>
<p>You should get an output informing you if the signature was imported to
your keyring. Rerun the <code>gpg --verify</code> command from earlier. If you see
“Good signature from…,” the file has been verified as the authentic
file.</p>
<h1 id="check-out-those-checksums">Check Out Those Checksums!</h1>
<p>Often times, software makers will provide checksums, which are verified
using GPG keys. This ensures the files you downloaded aren’t tampered
with or corrupt in some way.</p>
<p>Checksums are alphanumeric representations of files or data—every file
has one. There are many different algorithms to check files and it’s
different for every operating system. For example on Linux, there’s a
nice GUI called <a href="https://apps.gnome.org/Collision/">Collision</a>. There
are also command-line options.</p>
<p>An alternative is uploading the file to
<a href="https://www.virustotal.com/">VirusTotal</a>, but this may be privacy
invasive as VirusTotal will receive a copy of your file.</p>
<p>At any point if you need to navigate to a folder or type a file name,
you can drag the folder or file into your terminal instead of typing it
out.</p>
<h2 id="popular-algorithms">Popular Algorithms</h2>
<ul>
<li>SHA1</li>
<li>SHA256</li>
<li>SHA512</li>
<li>MD5</li>
</ul>
<h2 id="gnu-coreutils-linux">GNU coreutils (Linux)</h2>
<p>Linux has the most comprehensive and commonly used hash verification
tools by the GNU Project. The commands also have a built-in checker to
formatted checksums from a file.</p>
<pre><code>sha256sum openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso
</code></pre>
<p>Running the command will give an output that looks like this:</p>
<pre><code>3b55f6f88c0a64f0e4e2abe19e106c40578ef60a9d97b5be149736e83154b0ce  /var/home/user/bin/mullvad-browser/Browser/Downloads/openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso
</code></pre>
<p>If you have a .sha* file, you can verify the file with the -c command.</p>
<pre><code>sha256sum -c openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso.sha256
</code></pre>
<p>If you were not provided a .sha* file, you can manually verify by
opening the file in a text editor or word processor, then manually
comparing the hashes.</p>
<h2 id="macosbsd-shasum-and-md5">macOS/BSD: shasum and md5</h2>
<p>On Mac, the process is slightly different than Linux, because macOS
still maintains BSD tooling. <a href="https://formulae.brew.sh/formula/coreutils">The GNU version from
above</a> can be downloaded
from Homebrew if you prefer the Linux commands.</p>
<p>Apple briefly discusses SHA checksums in their <a href="https://developer.apple.com/library/archive/documentation/Security/Conceptual/Security_Overview/CryptographicServices/CryptographicServices.html">developer
documentation</a>.
<a href="https://developer.apple.com/documentation/cryptokit/insecure/md5">MD5 is deprecated due to its
insecurities.</a></p>
<p>Open Terminal (or an alternative like iTerm2) and enter the desired
commands.</p>
<h3 id="shasum">shasum</h3>
<p>For SHA checksums, use the <code>shasum</code> command. Below is an example for
SHA256 sums.</p>
<pre><code>shasum -a 256 subscribe.pkg
</code></pre>
<p>The output will look like this:</p>
<pre><code>baaeeedffc7ef4a4f65ec8015699a5c95db91d131d253f1eb2ebc469557344c2 subscribe.pkg
</code></pre>
<h3 id="md5">md5</h3>
<p>For MD5 checksums, use the <code>md5</code> command.</p>
<pre><code>md5 likethevideo.dmg
</code></pre>
<p>The output is very different from the Linux version, but it’s
functionally the same.</p>
<pre><code>MD5(likethevideo.dmg)= 20665acd5f59a8e22275c78e1490dcc7
</code></pre>
<h2 id="windows">Windows</h2>
<p>Windows has a PowerShell utility called
<a href="https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash">Get-Filehash</a>,
which is a catch-all command for all signatures and algorithms.</p>
<p><code>Get-Filehash</code> is always following by your file, then the algorithm you
wish to use.</p>
<pre><code>Get-FileHash C:\Users\user1\Downloads\Contoso8_1_ENT.iso -Algorithm SHA256
</code></pre>
<p>All common algorithms are supported by Windows like SHA and MD5.</p>
<h2 id="did-it-work">Did It Work?</h2>
<p>Regardless of operating system, if the file is verified, you should just
get an “OK.” Now your file is ready to use!</p>
<p>Now that you know, verify your downloads every time. You’ll keep
yourself safe from the nasty things out there. All we need to do is pray
for better tooling.</p>
<h1 id="resources">Resources</h1>
<ul>
<li><a href="https://help.riseup.net/en/security/message-security/openpgp/best-practices">Riseup’s tutorial on GPG key
management</a>.
The guide is outdated, but the format of commands and best practices
are still true.</li>
<li><a href="https://simonsingh.net/books/the-code-book/"><em>The Code Book: The Secret History of Codes and Code-breaking</em> by
Simon Singh</a>. If you
want to read specifically about key exchange, PGP, and quantum
computing, it’s chapter 6 and onward.</li>
<li>Damon Garn’s blog post for Red Hat <a href="https://www.redhat.com/sysadmin/hashing-checksums">“An introduction to hashing and
checksums in
Linux”</a></li>
</ul>
<h1 id="track-listing">Track Listing</h1>
<ul>
<li><a href="https://dova-s.jp/EN/bgm/play287.html">Takashi Waraya (稿屋 隆) - With watching the donkey
(ロバでも眺めながら)</a></li>
<li>Yu-Gi-Oh! Power of Chaos: Kaiba the Revenge - Card List</li>
<li><a href="https://dova-s.jp/EN/bgm/play20829.html">えだまめ88 - chocomint
(チョコミント)</a></li>
<li>Outro: <a href="https://soundcloud.com/khaimmusic/free-neon-lamp-charlie-puth-x-bruno-mars-type-funky-guitar-pop-instrumental/s-uqEQff1liFX">Khaim - Neon
Lamp</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title>The Ultimate Guide to VeraCrypt: Creating Cross-Platform, Encrypted Files</title>
      <link>https://trafotin.com/v/veracrypt/</link>
      <pubDate>Fri, 05 Jul 2024 00:00:00 +0000</pubDate>
      <guid>https://trafotin.com/v/veracrypt/</guid>
      <description>Ever have to share files across computers? Have sensitive documents to safeguard? Protect them by encrypting them with VeraCrypt!</description>
      <content:encoded><![CDATA[

<div style="position: relative; padding-top: 56.25%;"><iframe title="The Ultimate Guide to VeraCrypt: Creating Cross-Platform, Encrypted Files" width="100%" height="100%" src="https://spectra.video/videos/embed/69c207cf-640e-4574-9633-b31f3bcda226?subtitle=en" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<center>
<button class="button button1">
<a  href="https://youtube.com/watch?v=QaQYRcZzrBI"  >
	
YouTube

</a>
</button>
</center>

<p>Do you have external storage like USB drives or portable hard drives?
Unfortunately with external storage like USB drives or portable hard
drives, your data is totally unprotected and can be accessed by anybody.</p>
<p>What would you do if you lost that device? Some devices come with
software you could use, but most of these demand too much trust or might
not work on Mac or Linux. Many of these programs are also upsold to you
on top of the device you bought.</p>
<p>If you want assurance that you can password protect a device, VeraCrypt
is the way to go. VeraCrypt is one of the most reliable ways to
guarantee the ability not only encrypt devices, but seamlessly transfer
that device’s data to other operating systems.</p>
<p><a href="https://veracrypt.fr/">VeraCrypt&rsquo;s Website</a></p>
<h1 id="history">History</h1>
<p>VeraCrypt is a rewritten version of a program called TrueCrypt.
<a href="https://archive.is/yreQ">Initially for Windows</a>, TrueCrypt was
exclusively for Windows users and provided a substitution for
Microsoft’s Bitlocker full-disk encryption.</p>
<p>The TrueCrypt developers were anonymous, but seemed genuine in their
goals and gave the source code to anyone (we’ll get back to that one
later).</p>
<p>But one day, during the height of the Snowden leaks and NSA paranoia,
<a href="https://truecrypt.sourceforge.net/">the TrueCrypt website</a> was replaced
with big red text demanding their users immediately stop using and
uninstall TrueCrypt from their computers.</p>
<p>Enter VeraCrypt, a full rewrite of TrueCrypt. The process was a large
undertaking and it was because the <a href="https://github.com/FreeApophis/TrueCrypt/blob/master/License.txt">source code’s
license</a>
was <a href="https://lists.freedesktop.org/archives/distributions/2008-October/000276.html">very
problematic</a>
to develop with and to root out the alleged issues.</p>
<ul>
<li>The TrueCrypt license does not legally absolve the developers or
distributors.</li>
<li><a href="https://blog.cryptographyengineering.com/2015/04/02/truecrypt-report/">An audit from Johns Hopkins University in
2015</a>
revealed TrueCrypt is vulnerable to key extraction from live memory.
This means if someone gains access to a computer with TrueCrypt
turned on, data from volumes could be extracted.</li>
<li><a href="https://ostif.org/the-veracrypt-audit-results/">Another audit by
QuarksLabs</a> was
completed in October 2016.</li>
<li>TrueCrypt was for Windows only, although a Linux version was in the
works. VeraCrypt is cross platform rewrite for Windows, Mac, and
Linux.</li>
</ul>
<p>The restrictions and lack of legal protection are the reasons most Linux
distributions do not package VeraCrypt.</p>
<h1 id="why-not-veracrypt">Why Not VeraCrypt?</h1>
<p>The first thing you will need to consider is whether VeraCrypt is the
right decision for you or not. VeraCrypt is best geared for cross
platform file encryption on physical hardware.</p>
<h2 id="lack-of-platform-diversity">Lack of Platform Diversity</h2>
<p>If you need to access a file across different devices, for example,
Windows and Linux or Linux and Mac, VeraCrypt is good for you.</p>
<p>If you share an encrypted device with somebody who doesn’t use the
operating system you use, VeraCrypt will help maintain the encryption of
your data while being available across operating systems.</p>
<p>VeraCrypt isn’t good if you only use one operating system or if only you
use it. Windows, Mac, and Linux all offer much better integrated
solutions (<a href="https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/faq#bitlocker-to-go">Bitlocker To
Go</a>,
<a href="https://support.apple.com/guide/disk-utility/file-system-formats-dsku19ed921c/mac">encrypted
APFS</a>,
and
<a href="https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md">LUKS</a>
respectively) at the cost of platform lock in.</p>
<h2 id="no-official-mobile-clients">No Official Mobile Clients</h2>
<p>VeraCrypt has no official mobile apps. Despite having a page on their
<a href="https://veracrypt.fr/en/Android%20%26%20iOS%20Support.html">website</a>,
it is horribly out of date and none of the programs listed are
officially by the VeraCrypt team.</p>
<p>A better alternative is <a href="https://cryptomator.org/">Cryptomator</a>. Unlike
VeraCrypt, Cryptomator has an official, paid mobile app.</p>
<p><strong>Do not use any mobile app for VeraCrypt.</strong> You risk the compromise or
loss of data if you do so.</p>
<h2 id="not-cloud-friendly">Not Cloud Friendly</h2>
<p>Since mobile isn’t supported, this is where end-to-end encrypted cloud
storage serves a better purpose. Cloud servers can easily sync to mobile
devices more easily while still retaining full encryption at rest. I use
Proton Drive personally.</p>
<p>VeraCrypt isn’t a good fit if you use cloud storage. You have to upload
a large file with all of your encrypted belongings every time you sync.
If that file is 16 GB, you need upload 16 GB each time.</p>
<p>Not to sound like a shill, Cryptomator stores your data is many
different encrypted blobs. This way, it’s easier to sync only what gets
changed will be synced properly to cloud storage.</p>
<p><a href="https://www.youtube.com/watch?v=Phiqff3VtYI">I made a video on Cryptomator 2 years
ago</a> (<a href="https://odysee.com/@Trafotin:4/conceal-cloud-contents-with-cryptomator:a">Odysee
Link</a>).</p>
<h1 id="installing-veracrypt">Installing VeraCrypt</h1>
<p>Because of TrueCrypt’s legacy, VeraCrypt is first and foremost a Windows
program. You download the installer, verify it, and run it. On Mac and
Linux, things get a bit more complicated.</p>
<h2 id="mac">Mac</h2>
<p>On Mac, in addition to downloading the installer, you must download
<a href="https://osxfuse.github.io/">macFUSE</a> so macOS can mount external
volumes properly.</p>
<h2 id="linux">Linux</h2>
<p>On Linux, VeraCrypt comes officially in 3 packages, a Debian/Ubuntu
.deb, a Fedora/CentOS/openSUSE .rpm, and a generic tarball installer.</p>
<p>There’s also <a href="https://archlinux.org/packages/extra/x86_64/veracrypt/">a third party package in the Arch Linux extra
repository</a>, but
it’s not officially maintained by the VeraCrypt developers. The reason
Arch allows packaging VeraCrypt is because their philosophy doesn’t
discriminate against the TrueCrypt license, unlike the vast majority of
Linux distributions.</p>
<h3 id="generic-archive">Generic Archive</h3>
<p>Unpack the generic archive and run the GUI x64 installer in the
terminal.</p>
<h3 id="fedora-atomic-desktops">Fedora Atomic Desktops</h3>
<p>If you use Fedora atomic desktops or Universal Blue, you can layer the
.rpm with rpm-ostree. Since VeraCrypt is mounting drives, it requires
access to your host system and cannot be installed with Distrobox.</p>
<h1 id="usage">Usage</h1>
<p>After VeraCrypt is installed, you can choose to use either the GUI or
the command line. I’ll focus more on the Windows GUI, since there is
more options, but will include the relevant terminal commands to do the
same things on Mac and Linux.</p>
<p><strong>Much of this tutorial comes from the <a href="https://veracrypt.eu/en/Beginner%27s%20Tutorial.html">VeraCrypt Beginner’s
Guide</a>, including
the screenshots.</strong></p>
<p>Unfortunately, VeraCrypt’s website looks like it was made at least 10
years ago and could be rewritten to make this information more
accessible. There is also little documentation on the command-line
options.</p>
<h1 id="creating-a-volume">Creating a Volume:</h1>


<img src="/i/veracrypt/Beginners_Tutorial_Image_001.webp" loading="lazy"
alt="The main VeraCrypt window with the button “Create Volume” highlighted in a red square" />


<pre><code>sudo veracrypt -t -c
</code></pre>
<p>After installing VeraCrypt, click on “Create Volume” to get started.
Then you will be presented with 3 options:</p>


<img src="/i/veracrypt/Beginners_Tutorial_Image_002.webp" loading="lazy"
alt="The VeraCrypt Volume Creation Wizard with the “Next” button highlighted in a red rectangle." />


<ul>
<li><strong>Create an encrypted file container:</strong> This creates a digital file
that will encrypt your data. This is the default option.</li>
<li><strong>Encrypt a non-system partition/drive:</strong> If you need to encrypt
portable storage, select this option.</li>
<li><strong>Encrypt a non-system partition/drive:</strong> (Windows only) VeraCrypt
is capable of operating as a substitute to Bitlocker. However, with
the system requirements of Windows 11, this is not recommended.</li>
</ul>
<p>Encrypting your Windows installation is not recommended. It is easier
and less hassle to use Bitlocker or <a href="https://www.youtube.com/watch?v=qfcYckw_FNM">follow a guide to enable it for
free on Windows Home</a></p>
<ul>
<li>Using VeraCrypt has a major downside of going through <a href="https://www.veracrypt.fr/code/VeraCrypt-DCS/tree/SecureBoot/readme.txt">various
hoops</a>
to enable Secure Boot and signing the VeraCrypt bootloader.</li>
<li>Sometimes Windows Update will delete the VeraCrypt bootloader and
you will need to use the VeraCrypt Rescue Disk to unlock your system
and reinstall the bootloader.</li>
</ul>
<h2 id="hidden-volumes">Hidden Volumes:</h2>


<img src="/i/veracrypt/Beginners_Tutorial_Image_003.webp" loading="lazy"
alt="The VeraCrypt Volume Type menu with the options “Standard” and “Hidden”" />


<pre><code>Volume type:
 1) Normal
 2) Hidden
Select [1]: 1
</code></pre>
<p>A standard or normal VeraCrypt container is a file that houses all of
your data. A hidden file creates another section within that file that
can be opened with a second passphrase.</p>
<p>Despite what the command-line menu says, it’s much more intuitive to use
the GUI to create a hidden volume. Using the command line requires you
to create a normal VeraCrypt volume with no filesystem, then modify it
after the fact.</p>


<img src="/i/veracrypt/Beginners_Tutorial_Image_024.webp" loading="lazy"
alt="The VeraCrypt Volume Type menu with the options “Standard” and “Hidden”" />


<p>Hidden volumes can also store decoy files. In the event you are <a href="https://www.schneier.com/blog/archives/2008/10/rubber_hose_cry.html">forced
to reveal the
contents</a>
of the VeraCrypt container, these files can be used to placate or
mislead people.</p>
<p>Hidden volumes require a lot of maintanance. Your operating system has
the potential <a href="https://www.schneier.com/academic/archives/2008/01/defeating_encrypted.html">to reveal the presence of a hidden
volume</a>
through things like file caching and “recent files” menus.</p>
<p>If you chose to use a hidden volume, especially if you regularly store
files inside it, you need to have the discipline to update the files
inside the outer volume regularly as well.</p>
<p>Your decoy files should be regularly updated to keep up the illusion
they are valuable. Examples include financial information, journals, or
photos.</p>
<p>If you aren’t prepared for this kind of maintenance, it is for extreme
threat models. Most people shouldn’t have to resort to this and it
reduces your overall storage for valuable files.</p>
<p><em>Using a hidden volume by default could result in data loss <a href="https://veracrypt.fr/en/Protection%20of%20Hidden%20Volumes.html">unless
specific mounting options are
checked</a>.
By default, your hidden volume files will be deleted to free up space
for the outer volume, so give the illusion it is a normal container.
Better safe than sorry!</em></p>
<h2 id="volume-location">Volume Location</h2>


<img src="/i/veracrypt/Beginners_Tutorial_Image_007.webp" loading="lazy"
alt="The VeraCrypt Volume Location menu with the option “Select File” outlined in a red rectangle." />


<p>Enter the location where you want to store the file. If you use the
command-line, this must be an absolute path.</p>
<pre><code>Enter volume path: /home/user/Documents/test.hc
</code></pre>
<h2 id="encryption-algorithms">Encryption Algorithms</h2>


<img src="/i/veracrypt/Beginners_Tutorial_Image_008.webp" loading="lazy"
alt="The VeraCrypt Encryption Options menu with the option “Next” outlined in a red rectangle." />


<p>VeraCrypt comes with various standard encryption algorithms. Most people
should just stick with the default settings.</p>
<pre><code>Encryption Algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) Camellia
 5) Kuznyechik
 6) AES(Twofish)
 7) AES(Twofish(Serpent))
 8) Camellia(Kuznyechik)
 9) Camellia(Serpent)
 10) Kuznyechik(AES)
 11) Kuznyechik(Serpent(Camellia))
 12) Kuznyechik(Twofish)
 13) Serpent(AES)
 14) Serpent(Twofish(AES))
 15) Twofish(Serpent)
Select [1]: 1

Hash algorithm:
 1) SHA-512
 2) Whirlpool
 3) BLAKE2s-256
 4) SHA-256
 5) Streebog
Select [1]: 1
</code></pre>
<p>A warning for the command-line, the order is the swapped between the
encryption algorithms and the volume size. Consistency!</p>
<h2 id="volume-size">Volume Size</h2>


<img src="/i/veracrypt/Beginners_Tutorial_Image_009.webp" loading="lazy"
alt="The VeraCrypt Encryption Options menu with the option “Next” outlined in a red rectangle." />


<p>Specify how big you want your volume to be. If you are using a hidden
volume, you will need to allocate space for the decoy files in addition
to your hidden files.</p>
<pre><code>Enter volume size (sizeK/size[M]/sizeG.sizeT/max): 1M
</code></pre>
<p>As another knock on inconsistency, you will be prompted to <a href="/v/veracrypt/#volume-format">pick your
volume format here</a>.</p>
<h2 id="volume-password">Volume Password</h2>


<img src="/i/veracrypt/Beginners_Tutorial_Image_010.webp" loading="lazy"
alt="The VeraCrypt Encryption Options menu with the option “Next” outlined in a red rectangle." />


<p>Enter a strong passphrase to protect your volume.</p>
<h3 id="pim">PIM</h3>
<p>

<img src="/i/veracrypt/pim.webp" loading="lazy"
alt="The Volume PID menu" /> Personal Iterations Multiplier (PIM) is a


value that will run an algorithm for multiple iterations. For extreme
threat models, volumes will mount slower, but the more the algorithm is
run, the more secure your data is.</p>
<p>Normal users can leave this at its default setting.</p>
<h3 id="keyfiles">Keyfiles</h3>
<p>

<img src="/i/veracrypt/keyfiles.webp" loading="lazy"
alt="The Keyfile menu" /> In addition to a password, keyfiles can be


added as another file required to unlock your volume in addition to a
password.</p>
<p>You can add file paths to any file you want or have VeraCrypt generate a
keyfile for you.</p>
<pre><code>Enter keyfile path [none]: /var/home/user/like.txt
Enter keyfile path [none]: /var/home/user/subscribe.txt
Enter keyfile path [finish]:
</code></pre>
<p>It’s imperative you backup and store your keyfiles in a safe place. If
you cannot access them, you will lose access to the data within a
VeraCrypt volume.</p>
<p>By default, no keyfiles are used.</p>
<h2 id="volume-format">Volume Format</h2>
<pre><code>Filesystem:
 1) None
 2) FAT
 3) Linux Ext2
 4) Linux Ext3
 5) Linux Ext4
 6) NTFS
 7) exFAT
Select [2]:
</code></pre>
<p>Formatting your container dictates where your container can be shared or
what kind of files can be stored inside. In general, using these
filesystems outside of VeraCrypt is the same.</p>
<ul>
<li>Ext: One of the oldest file formats on Linux. Do not pick the other
options, just pick Ext4. Can only be opened on Linux.</li>
<li>FAT: A filesystem universally supported across Windows, Mac, and
Linux. Maximum of 4 GB per file.</li>
<li>Mac OS Extended (APFS): The macOS filesystem. It can store files
larger than 4 GB, but is only supported on macOS. Some Linux
distributions like <a href="https://www.kali.org/">Kali Linux</a> come with a
driver called <a href="https://github.com/sgan81/apfs-fuse">apfs-fuse</a> to
read it, but Windows cannot open it.</li>
<li>NTFS: The Windows filesystem. It can store files larger than 4 GB
and decent support on Linux as well. However, macOS doesn’t behave
well and often will not let you write files to it.</li>
<li>exFAT: Yet another Windows filesystem. It can store files larger
than 4 GB, but plays better with macOS. Works across Windows, Mac,
and Linux.</li>
<li>BTRFS: A newer Linux only file format with special repair functions.</li>
<li>None: This option is only available in the command-line and used if
you use hidden volumes. This will prompt you to create a hidden
volume. The rest of the space will become the outer, decoy volume.</li>
</ul>
<h2 id="finalizing-your-volume">Finalizing Your Volume</h2>
<h3 id="entropy">Entropy</h3>


<img src="/i/veracrypt/Beginners_Tutorial_Image_011.webp" loading="lazy"
alt="The VeraCrypt Volume Format menu with the option “Format” outlined in a red rectangle. The GUI contains the previous options for filesystem picking." />


<p>Once you have made it here, it’s time to collect some random noise. This
further protects your VeraCrypt volume.</p>
<ul>
<li>In the GUI, you will be prompted to shake the mouse as randomly as
possible within the window.</li>
<li>In the command-line, you will be prompted to type 320 random
characters on your keyboard, then hit Enter when you are done. If
you still have characters remaining, you will be prompted to
continue typing.</li>
</ul>
<p>Click “Format” and then your volume will be created to specification.</p>
<h1 id="access-your-veracrypt-volumes">Access Your VeraCrypt Volumes</h1>
<p>Now that you have created your first volume, let’s open it.</p>
<h2 id="unlocking">Unlocking</h2>
<h3 id="gui">GUI</h3>
<p>Select a drive letter (Windows) or a number (macOS/Linux), then click
“Mount.” Then a password prompt will appear. Enter all information
relevant to your container.</p>


<img src="/i/veracrypt/Beginners_Tutorial_Image_018.webp" loading="lazy"
alt="The VeraCrypt password prompt with the “Password” box outlined in a red rectangle." />


<p>If you stuck with the default settings, they are the defaults here too.
VeraCrypt will auto-detect which format your container is.</p>
<h3 id="command-line">Command Line</h3>
<p>To unlock a VeraCrypt volume, here are some sample commands:</p>
<pre><code># File
sudo veracrypt -t --mount /home/user/hitthebell.hc

# External Device (Linux, match letters)
sudo veracrypt -t --mount /dev/sda
</code></pre>
<p>After either option, you will be prompted to use your administrative
password on macOS and Linux. On Windows, VeraCrypt is able to bypass UAC
for admin users.</p>
<p>Once your volume has been unlocked, it can be accessed the same way you
access a USB drive. Files can be interacted with in real time.</p>
<h2 id="dismounting">Dismounting</h2>
<p>Similar to thumb drives, VeraCrypt has a procedure that needs to be
followed to remove disks.</p>
<p>To dismount a VeraCrypt volume, select the volume you want to remove,
click “Dismount” in the menu and enter an admin password.</p>
<pre><code>sudo veracrypt -t -d /dev/sda
</code></pre>
<p>If you need to dismount multiple volumes, click “Dismount all”</p>
<pre><code>sudo veracrypt -t -d
</code></pre>
<h1 id="updating-veracrypt">Updating VeraCrypt</h1>
<p>VeraCrypt doesn’t have a mechanism to auto-update. Newer versions of
VeraCrypt often fix issues or serious security vulnerabilities.</p>
<p>The only way to see if there is an update is to subscribe to the
VeraCrypt GitHub releases. You can track VeraCrypt releases using an RSS
feed, where you will repeat the installation process again once you are
notified of a new release.</p>
<p>To follow VeraCrypt’s updates, add the following to your RSS feed
reader:</p>
<pre><code>https://github.com/veracrypt/veracrypt/releases.atom
</code></pre>
<h1 id="referenced">Referenced:</h1>
<ul>
<li><a href="https://fosstodon.org/@sponsorblock/112603139898164385">YouTube to insert server-side ads to break skipping sponsors and
adblocking.</a></li>
<li>The footage from the Snowden leaks is from <em>Citizenfour (2014)</em>.</li>
<li>“Come with me if you want to live” is from <em>Terminator 2: Judgment
Day (1991).</em></li>
<li><a href="https://xkcd.com/538/">xkcd 538: Security</a></li>
<li>The clip shown at 29:18 is from <em>Keijo!!!!!!!!</em> Episode 2</li>
</ul>
<h1 id="track-listing">Track Listing</h1>
<ul>
<li><a href="https://dova-s.jp/bgm/play18719.html">Kei Morimoto - Utopia</a></li>
<li>The music for the sponsor segment is “Blizzard in DC” from the game
Arctic Thunder. Heavily edited to remove the interposed America
bits.</li>
<li><a href="https://dova-s.jp/bgm/play17163.html">yuhei komatsu - Bump!</a></li>
<li><a href="https://dova-s.jp/bgm/play17188.html">crepe (くれっぷ) - Fairy Lullaby
(妖精の子守歌)</a></li>
<li><a href="https://dova-s.jp/bgm/play17650.html">crepe (くれっぷ) - Fairy Gift
(妖精の贈り歌)</a></li>
<li><a href="https://dova-s.jp/bgm/play16439.html">yuhei komatsu - Scattered Sakura
(桜が散る時)</a></li>
<li>Outro: <a href="https://soundcloud.com/khaimmusic/free-neon-lamp-charlie-puth-x-bruno-mars-type-funky-guitar-pop-instrumental/s-uqEQff1liFX">Khaim - Neon
Lamp</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title>The PR DISASTER of Microsoft Recall!</title>
      <link>https://trafotin.com/v/microsoft-recall-panik/</link>
      <pubDate>Thu, 06 Jun 2024 00:00:00 +0000</pubDate>
      <guid>https://trafotin.com/v/microsoft-recall-panik/</guid>
      <description>Microsoft Build has come and gone, but the new Windows Recall feature has made everyone upset. Some of the reasons are good, others are not. Let&amp;rsquo;s talk about it.</description>
      <content:encoded><![CDATA[

<div style="position: relative; padding-top: 56.25%;"><iframe title="The PR DISASTER of Microsoft Recall!" width="100%" height="100%" src="https://spectra.video/videos/embed/2cea8627-72f1-4400-ae80-a0b8a7886dff?subtitle=en" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<center>
<button class="button button1">
<a  href="https://youtube.com/watch?v=hCOPAHIWwnY"  >
	
YouTube

</a>
</button>
</center>

<p>Did you know Microsoft Build happened? It’s one of the biggest days for
Microsoft every year, including announcing the new features of Windows
like the new Windows Recall. Unfortunately for Microsoft, their PR team
was quite up to snuff and has been greeted with hostility about Recall
since the moment of its inception.</p>
<p>People who know me know I’m far from the biggest fan of Microsoft. As a
company, Microsoft is rotten to its core and has few redeeming
qualities. When I was reading the news and listening to opinions last
week, I was very disappointed in new outlets and online influencers at
spreading the narrative Recall is a privacy disaster (which to be fair,
it probably will be in the future).</p>


<img src="/i/2cea8627-72f1-4400-ae80-a0b8a7886dff-1.webp#center"
loading="lazy"
alt="Minecraft running on Windows 11, with a small voice call menu showing the AI assistant" />


<p><em>From the Microsoft Build keynotes, Microsoft showcasing a rigged
Minecraft game and a gamer AI chatbot.</em></p>
<p>In addition to making a video and hopping on the bandwagon of recent
news, I waited and did some reading about Microsoft documentation.
Recall does a lot of things that will negatively impact your Windows
computer, but let’s also be realistic about what those things are, so we
don’t spread any panic, moral or otherwise.</p>
<h1 id="what-is-windows-recall">What is Windows Recall?</h1>
<p>At Microsoft Build this year, Microsoft announced Recall, a system
powered by the artificial intelligence processors in the Qualcomm
Snapdragon X computers, dubbed Copilot+ PCs. Recall is powered by a new
API system in Windows called Windows Copilot Runtime, which empowers
other non-Windows applications to take advantage of the newfound power
and features of the Snapdragon X chips.</p>
<p>Inside the Snapdragon chips are what’s called language models, which
give the Windows Copilot Runtime to caption dialogue, translate it, or
run other types of local, onboard processing. Recall is also not as
intelligent of a system as Microsoft’s engineers would have you believe.
In order to make use of the on-board AI of a Snapdragon X chip and
Windows Copilot Runtime, Recall needs to take screenshots of your screen
every 5 seconds.</p>
<h1 id="ensuingensured-outrage">Ensuing/Ensured Outrage</h1>
<p>Over the last month, many people decried the feature, but we encounter
the first problem with the presentation with Recall and the Windows
Copilot Runtime in general—it’s Microsoft’s inability to communicate.
Not just any woman, Joanna Stern from <em>The Wall Street Journal</em> got to
interview the CEO of Microsoft and the answer only instilled panic in
people because it was poorly worded.</p>
<p><em>After watching the <a href="https://www.wsj.com/video/series/joanna-stern-personal-technology/satya-nadella-on-microsofts-new-copilot-and-the-future-of-ai-pcs/199D08C0-FFBD-44B8-A750-82D445B63EEB">paywalled
interview</a>,</em>
The Wall Street Journal <em>should have interviewed a lower level engineer
or a different PR rep for Microsoft, because Satya did an awful job at
giving Stern a straight answer to any of the questions she asked. The
free interview also warps the conversation in 2 cuts and hides some of
the information Satya said.</em></p>
<blockquote>
<p>STERN: There could be this reaction from some people that this is
pretty creepy. Microsoft is taking screenshots of everything I do.</p>
<p>NADELLA: Yeah, I mean, that’s why that it can only do it on the edge,
right? …So this is, you have to put two things together. This is my
computer, this is my Recall, and it’s all being done locally, right?
…So that’s the promise. So, that’s one of the reasons why Recall works
as a magical thing, because I can trust it that it is on my computer.</p>
<p>Joanna Stern &amp; Satya Nadella, <a href="https://www.wsj.com/video/series/joanna-stern-personal-technology/microsoft-ceo-satya-nadella-on-how-ai-copilot-pcs-beat-macs-exclusive/772F3497-ECBE-4F27-804B-4C3820BDD364">Microsoft vs. Apple: Satya Nadella Says
AI-Focused Copilot+ PCs Beat Macs | WSJ (the free
version)</a>
4:16</p>
</blockquote>
<h1 id="how-does-windows-recall-work">How does Windows Recall work?</h1>
<p>What’s interesting here in this interview is the distinction between
offline language models versus large, cloud-based language models, like
Windows Copilot or ChatGPT. While machine vision AI models are not
something new, the dedication of neural processing units (NPUs) like
what we see in the Snapdragon are going to become commonplace because of
Microsoft’s insistence to their hardware makers.</p>
<p>Since Windows Recall is a very simplistic system. But it does prompt the
question—does it violate user privacy? First, we need to put what
Microsoft tells us about Recall under a microscope. As there is
requirements and compliance for businesses, in light of potential
privacy concerns, Microsoft documents the process.</p>
<p>Unfortunately, the most useful is scattered across 5 pages: Microsoft
Support, the Microsoft Learn page about Copilot, the Microsoft Learn
page about Windows Copilot Runtime, and the landing page for Copilot+
PCs. This is all the information for app developers and IT admins, but
it’s arranged in multiple places.</p>
<h2 id="about-windows-recall">About Windows Recall:</h2>
<p>Microsoft fails to communicate anything clearly if there’s no place to
consolidate this information.</p>
<ul>
<li><a href="https://learn.microsoft.com/en-us/windows/ai/apis/recall">Recall Overview | Microsoft
Learn</a></li>
<li><a href="https://support.microsoft.com/en-us/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c">Consumer Information (i.e. the Windows support
site)</a></li>
<li><a href="https://www.microsoft.com/en-us/windows/copilot-plus-pcs?r=1#hmc">Copilot
FAQ</a></li>
<li><a href="https://learn.microsoft.com/en-us/windows/client-management/manage-recall">Manage Recall for Windows clients - Windows Client Management |
Microsoft
Learn</a></li>
<li><a href="https://learn.microsoft.com/en-us/windows/ai/overview">Microsoft Copilot Runtime Overview | Microsoft
Learn</a></li>
</ul>
<h2 id="the-appbrowser-bottleneck">The App/Browser Bottleneck</h2>
<p>The first thing to return to is the Windows Copilot Runtime. In order
for the search to be the AI enhanced search like Microsoft shows in
their demos, app makers need to write their applications with these
features in mind. If an application is not supported, Windows Copilot
will capture this data and it cannot be automatically filtered out.</p>
<p>As of time of writing, it’s not clear what non-Microsoft applications
that don’t support Windows Copilot Runtime. It appears they will be
indiscriminately captured and collected because of the <a href="https://learn.microsoft.com/en-us/windows/client-management/manage-recall#supported-browsers">section in
Microsoft Learn about browser
support</a>,
so let’s try to read between the lines here.</p>
<p>The mainstream browsers for Windows: Edge, Chrome, Firefox, and Opera
all support the Windows Copilot Runtime and already filter out private
browsing, DRM-protected content, or user-specified websites. The only
time that private browsing will be collected is when the user explicitly
presses <code>Win + j</code> to manually take a Recall snapshot or if a browser is
not supported.</p>
<h2 id="opting-out">Opting Out</h2>
<p>Since we know how browsers work and what makes Recall’s search to be
effective, what can we, as users or businesses, do about Recall? How can
we turn it off?</p>
<p>To configure Recall, in the Settings app, navigate to <strong>Privacy &amp;
security</strong> → <strong>Recall &amp; snapshots</strong> → uncheck <strong>Save snapshots</strong>.</p>
<p>To configure Recall’s storage of screenshots, in the Settings app,
navigate to <strong>Privacy &amp; security</strong> → <strong>Recall &amp; snapshots</strong> →
<strong>Storage</strong> → <strong>Maximum storage for snapshots limit</strong>. There is a <a href="https://learn.microsoft.com/en-us/windows/client-management/manage-recall#storage-allocation">table
of the storage minimum requirement for Recall on Microsoft
Learn</a>.</p>
<p>To delete Recall snapshots, in the Settings app, navigate to <strong>Privacy &amp;
security</strong> → <strong>Recall &amp; snapshots</strong> → <strong>Delete snapshots from a specific
timeframe</strong> or <strong>Delete all snapshots</strong>.</p>
<p>The most comprehensive way is to use Windows Pro or higher, where you
get access to Group Policy Editor. There is likely an undocumented
registry key for Windows Home users.</p>
<p>In Group Policy, navigate to User Configuration &gt; Administrative
Templates &gt; Windows Components &gt; WindowsAI &gt; Turn off saving
snapshots for Windows</p>
<h1 id="justified-outrage">“Justified” Outrage</h1>
<p>An important thing I want to touch on is what I call “justified”
outrage. It’s fine to be angry about something our oppressive corporate
overlords do, but if you’re going to pick something, it better be
something with demonstrable, substantial evidence and based in reality
and technical feat.</p>
<p>The point being—<strong>Windows Recall cannot be tested right now and we
should reserve judgement until it can be</strong>. There’s a common myth that
proprietary software cannot be analyzed, but that’s far from true. It’s
harder, but it’s not impossible.</p>
<p>Most importantly, let’s critically analyze why you should reserve your
judgement about Recall, but also what can you be angry about now. To be
clear and given Microsoft’s track record, there is a high likelihood
that Recall will be used by invade your privacy, but this will need to
be subject to experimentation.</p>
<h2 id="the-npu-requirement">The NPU Requirement</h2>
<p>Recall requires a Snapdragon X processor. Additionally, hardware makers
AMD and Intel have promised to release Copilot+ PCs in the future. The
key thing here is none of these devices are in the hands of journalists
or consumers (as of time of writing). Since nobody has any of these
computers handy, you can’t do any of the testing.</p>
<p>The annoyance introduced by Recall is Microsoft’s requirements for it
that screws over people who have computers capable of AI operations. I
have a Nvidia 4060 in a gaming laptop. I can already run AI that runs
speech inference or large language models like Google’s Gemma or
Facebook’s Llama 3.</p>
<p>According to Microsoft’s arbitrary system requirements, my computer,
fully capable of AI programs, cannot run Recall. I can only guess that
it’s because they want to sell me more computers…</p>
<ul>
<li>a NPU (Qualcomm Snapdragon X, Intel, AMD)</li>
<li>a minimum of 256 GB of storage</li>
<li>16 GB of RAM</li>
<li>8 processor cores</li>
</ul>
<h2 id="recalls-allocated-storage">Recall’s “Allocated Storage”</h2>
<p>While Recall allows you to turn it off, Recall will perpetually eat up
at least 10% of drive. There’s a full table in Microsoft’s documentation
about <a href="https://learn.microsoft.com/en-us/windows/client-management/manage-recall#storage-allocation">how much storage is taken up by
Recall</a>.</p>
<ul>
<li>If you have storage higher than 1 TB, 150 GB will eaten up out of
the box.</li>
<li>This is in addition to the 27-28 GB part of the base Windows 11
installation.</li>
<li>The amount cannot be customized beyond the set amounts Microsoft
prescribes.</li>
<li>All future snapshots will stop when Recall is disabled or if the
<code>C:/</code> has 25 GB or less space.</li>
<li>Snapshots will only commence if 50 GB is available.</li>
<li>Since snapshots are stored in the temporary files, all data is
deleted upon resetting Windows or installing an alternate operating
system.</li>
</ul>
<h2 id="peering-deeper-in-the-crystal-ball">Peering Deeper In the Crystal Ball</h2>
<p>Recall is a PR nightmare. Microsoft is vague about actual information
people are looking for and distrust for Microsoft is at an all time high
as a result. Privacy will be a concern for some, but Windows itself and
Microsoft have greater problems that will eventually ruin the good parts
of Recall.</p>


<img src="/i/2cea8627-72f1-4400-ae80-a0b8a7886dff-2.webp#center"
loading="lazy"
alt="A laptop running Windows 11 showing a Window of Microsoft 365’s Copilot. In the taskbar are the icons for Outlook, Edge, File Explorer, Google Chrome, some program I don’t know, Settings, Excel, OneNote, and the (new) Teams. Google Chrome is blurred out." />


<p><em>On the Build Day 2 Keynote, Microsoft showed an ad for Lumen. For a
brief moment within the ad, a Windows desktop is shown, but Google
Chrome is blurred out in the taskbar. Microsoft traditionally has tried
to make switching to alternative browsers like Google Chrome more
difficult.</em></p>
<ul>
<li>Windows has a nasty habit of resetting your settings to default
settings after updates. Such a feature could be enabled again after
an update.</li>
<li><a href="https://x.com/thebookisclosed/status/1793779204871553128">Recall is enabled by default, according to The Verge’s Tom
Warren.</a>
Microsoft claims it is opt-in. We need to wait and see which one.</li>
<li>While Windows may process and store your Recall data offline,
there’s nothing to stop Microsoft from running not-so-private
telemetry on it after the fact. This will need to be subject to
experimentation.</li>
<li>Microsoft has a problem with
<a href="https://pluralistic.net/2023/01/21/potemkin-ai/#hey-guys">enshittifying</a>
Windows by adding advertisements or promoting their own products.
Recall has the potential to be next.</li>
<li><a href="https://doublepulsar.com/how-the-new-microsoft-recall-feature-fundamentally-undermines-windows-security-aa072829f218">Storing this data brings up the possibility that law enforcement
will start requesting it, hackers will steal it, or people will
sabotage
it.</a></li>
<li>The snapshots are not synced to the cloud. Yet.</li>
<li>What is the power draw of the NPU accelerated tasks like Recall?
It’s probably terrible.</li>
</ul>
<p>As someone who has a deep distrust of Microsoft, I don’t recommend
anybody use Recall. The greater problem is how the “choice” of using
Recall or not is handled by Windows. This outrage over the last month is
distraction from real questions people should be asking and where
Microsoft has been light on answers.</p>
<p>We need to wait until Recall becomes generally available so it can be
tested and prove/dispel rumor. The next time you read the news, hold off
on sounding the alarm. Think before you act and as always, just buy a
Mac or install Linux already.</p>
<h1 id="referenced">Referenced:</h1>
<ul>
<li><a href="https://www.youtube.com/watch?v=aZbHd4suAnQ">Microsoft Build 2024 Monday Keynote: Introducing Copilot+ PCs
(Journalists only)</a></li>
<li><a href="https://build.microsoft.com/en-US/sessions/b49feb31-afcd-4217-a538-d3ca1d171198">Microsoft Build 2024 Tuesday
Keynote</a></li>
<li><a href="https://www.lesswrong.com/tag/rokos-basilisk">(Disinformation Warning) The origin of Roko’s
Basilisk</a></li>
<li><a href="https://www.windowscentral.com/software-apps/windows-11/what-is-windows-11-ai-explorer-everything-you-need-to-know-about-microsofts-upcoming-defining-ai-pc-feature">What is Windows 11 ‘AI Explorer’? Everything you need to know about
Microsoft’s upcoming defining AI PC feature - Zac
Bowdin</a>
It’s important to note this information came out before the
announcement and Bowdin says the leakers were insistent the data was
stored locally.</li>
<li><a href="https://www.tiktok.com/@shanselman/video/7371534434736082219">Scott Hanselman’s (VP at Microsoft) TikTok about the local
processing of
Recall</a></li>
<li><a href="https://web.archive.org/web/20160804211026/https://www.cnil.fr/en/windows-10-cnil-publicly-serves-formal-notice-microsoft-corporation-comply-french-data-protection">Windows 10: CNIL publicly serves formal notice to Microsoft
Corporation to comply with the French Data Protection Act within
three months
(Archive)</a></li>
<li><a href="https://www.autoriteitpersoonsgegevens.nl/uploads/imported/public_version_dutch_dpa_informal_translation_summary_of_investigation_report.pdf">Microsoft Windows 10 Home and Pro investigation by the Autoriteit
Persoonsgegevens (Dutch DPA), August
2017</a></li>
<li><a href="https://twit.tv/shows/windows-weekly/episodes/884">Windows Weekly 884 and Paul Thurrott’s angry rant about Recall
sensationalism at
33:57</a></li>
<li><a href="https://x.com/neuralink/status/1770563939413496146">The Neuralink livestream featuring the first patient Noland
Arbaugh</a></li>
<li><a href="https://neuralink.com/blog/prime-study-progress-update-user-experience/">Neuralink’s silent blog post about the setbacks of Arbaugh’s
surgery</a></li>
</ul>
<h1 id="bonus-content">Bonus Content</h1>
<div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
			<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/Ey_Z_OswJZY?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
		</div>

<div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
			<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/9e6a6x41jMQ?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
		</div>

<h1 id="track-listing">Track Listing</h1>
<ul>
<li><a href="https://dova-s.jp/bgm/play4655.html">KK - ordinary landscape
(いつもの風景)</a></li>
<li><a href="https://dova-s.jp/bgm/play20437.html">Kurippu (くれっぷ) - Skip of the Beginning
(始まりのスキップ)</a></li>
<li><a href="https://dova-s.jp/bgm/play12652.html">Moppy Sound (もっぴーさうんど) -
Escort</a></li>
<li><a href="https://dova-s.jp/bgm/play10961.html">Sharou (しゃろう) - Weekend Kyoto Reality Escape
(週末京都現実逃避)</a></li>
<li><a href="https://dova-s.jp/bgm/play16623.html">yuhei komatsu - Holiday</a></li>
<li>Outro: <a href="https://soundcloud.com/khaimmusic/free-neon-lamp-charlie-puth-x-bruno-mars-type-funky-guitar-pop-instrumental/s-uqEQff1liFX">Khaim - Neon
Lamp</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title>Lessons Learned From the liblzma and xz Backdoor</title>
      <link>https://trafotin.com/v/xz-backdoor/</link>
      <pubDate>Fri, 12 Apr 2024 00:00:00 +0000</pubDate>
      <guid>https://trafotin.com/v/xz-backdoor/</guid>
      <description>The open source community was rocked with the revelations of a backdoor targeting millions. Turns out, the enemy was the people and processes along the way.</description>
      <content:encoded><![CDATA[

<div style="position: relative; padding-top: 56.25%;"><iframe title="Lessons Learned From the xz Backdoor" width="100%" height="100%" src="https://spectra.video/videos/embed/ce5aeaf3-e74d-4bd1-8b70-07064c94ad94?subtitle=en" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<center>
<button class="button button1">
<a  href="https://youtube.com/watch?v=NzKF737rhRc"  >
	
YouTube

</a>
</button>
</center>

<p>Did you hear about that really bad Linux vulnerability? It’s the
compression software liblzma or by the better shorthand xz and the code
was backdoored. Now when most people hear backdoor, most of the time
it’s just bozos on the internet abusing the term; this time, it’s not a
drill. Also, remember how I said it was a Linux vulnerability? It’s
actually much worse than that. If you are a BSD or use other Unix-like
tools on macOS or Windows, this matters for you too. I’ll do a quick
recap of the situation, but I’m not interested in telling you the news.
Instead, let’s the discuss the impact this has on you, the end user, and
what the open source community can learn from this situation and respond
effectively.</p>
<h1 id="what-happened">What Happened?</h1>
<p>Everybody compresses their files. It could be a .zip file or it could be
done by your operating system or a website you visit so you don’t use as
much bandwidth. Even watching videos on YouTube or Peertube are
compressed videos. To compress things, programmers rely on compression
algorithms, which bulk analyze files and remove information to save on
space. If you extract a file, that space becomes filled up again. File
compression plays an important role in saving you data and memory.</p>
<p>In the case of xz, a developer at Microsoft, Andres Freund, found that
liblzma, the core compression library in many popular programs, was
<a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">manipulated by the xz maintainer Jia Tan to steal security keys to
login to
servers</a>. The
vulnerability was only found after ssh, the protocol commonly used to
login to remote computers, was taking merely milliseconds longer to
connect. This attack is not normal for open source and speaks of a
sophisticated actor with in-depth knowledge of the inner workings of xz
and its potential weaknesses.</p>
<p>There’s more to this story, but I will be returning to pull details as
they become relevant.</p>
<ul>
<li><a href="https://tukaani.org/xz-backdoor/">Official response from lead maintainer Lasse
Collin</a></li>
<li><a href="https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/">What we know about the xz Utils backdoor that almost infected the
world</a></li>
<li><a href="https://infosec.exchange/@fr0gger/112189232773640259">An infographic created by Thomas
Roccia</a></li>
</ul>
<h1 id="am-i-affected">Am I Affected?</h1>
<p>Now most journalists panicked and ran with this story, but let’s not
downplay how bad this is. Unless you maintain a server that is connected
to the public internet and even if you do, this is largely irrelevant to
you. Most of the open source vendors responded promptly on Friday and
stopped the backdoored library from getting very far. If you are a
“normal” end user or you just run a home lab, you are probably safe from
the xz disaster. If you do have a server, most servers run older
libraries than the ultra newest libraries that had the backdoor. Even if
your system had the most updated backdoored xz, you’d still need to have
a distro that <a href="https://nondeterministic.computer/@mjg59/112181057962158116">downloaded the releases page of the
GitHub</a>.
That’s a lot of ifs and if you are a normal user, keep calm and download
the latest update from your package manager.</p>
<ul>
<li><a href="https://alpinelinux.org/posts/XZ-backdoor-CVE-2024-3094.html">Alpine Linux: Backdoor found in xz package
source</a></li>
<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/">Arch
Linux</a></li>
<li><a href="https://micronews.debian.org/2024/1711830544.html">Debian CVE-2024-3094 concerning a backdoor exploit in XZ
Utils</a></li>
<li><a href="https://fedoramagazine.org/cve-2024-3094-security-alert-f40-rawhide/">Fedora 40 and Rawhide: CVE-2024-3094: Urgent alert for Fedora Linux
40 and Rawhide
users</a></li>
<li><a href="https://bugs.gentoo.org/928134">Gentoo discussion</a></li>
<li><a href="https://github.com/Homebrew/homebrew-core/pull/167512">Homebrew for
macOS</a></li>
<li><a href="https://www.kali.org/blog/about-the-xz-backdoor/">Kali Linux: All about the xz-utils
backdoor</a></li>
<li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/">openSUSE addresses supply chain attack against xz compression
library</a></li>
<li><a href="https://access.redhat.com/security/cve/CVE-2024-3094">Red Hat:
CVE-2024-3094</a></li>
<li><a href="https://nondeterministic.computer/@mjg59/112186391043591598">systemd changes libsystemd to block
liblzma</a></li>
<li><a href="https://discourse.ubuntu.com/t/xz-liblzma-security-update/43714/3">Ubuntu 24.04 Delay LTS Xz/liblzma security
update</a></li>
</ul>
<h1 id="technological-social-and-cultural-issues">Technological, Social, and Cultural Issues</h1>
<p>But even after you download your updates, we still have arguably a
complicated and bigger problem remaining—what do we do if something like
this happens again? What’s worse, what other vulnerabilities have been
using the same tactics as the xz backdoor? What are developers doing to
detect them? The unfortunate reality is this will not be the last time
this happens. You bet after the attention over the last couple days that
everyone has been watching this. There’s no clean solutions, but let’s
take look at what’s been done and what’s being done.</p>
<h2 id="the-technological-solution-reproducible-builds">The Technological Solution: Reproducible Builds</h2>
<p>A technological solution we can turn to is reforming the build process.
Extensive testing with the infected library showed that fake white
spaces Unicode lookalikes were used to falsify commit history and making
various obfuscated files to deliver the final blow. White spaces will
require some extra code in testing tools and we’ve also seen programs
like Google’s extension store adopt <a href="https://blog.chromium.org/2018/10/trustworthy-chrome-extensions-by-default.html">policies against using obfuscated
code</a>.</p>
<p>Something that many Linux distros have been striving for is reproducible
builds. The backdoor relied on someone downloading the archives from the
releases page, not the source code, so when developers like Freund comes
along to troubleshoot, contributors can verify the source code matches
the final product of libraries or binaries. For years, distros like
Debian and NixOS have championed reproducible builds because it builds a
great degree of trust between all parts of software delivery.</p>
<p>If you are willing to pitch in, Linux vendors could always use help in
making sure their software is reproducible.</p>
<ul>
<li><a href="https://reproducible-builds.org/who/projects/">Who is involved? —
reproducible-builds.org</a></li>
<li><a href="https://www.youtube.com/watch?v=w9UKzmZH3NU">Stretching out for trustworthy reproducible builds - creating bit
by bit identical binaries - DebConf
2015</a></li>
</ul>
<blockquote>
<p>Intelligence agencies…</p>
<p><a href="https://media.ccc.de/v/31c3_-_6240_-_en_-_saal_g_-_201412271400_-_reproducible_builds_-_mike_perry_-_seth_schoen_-_hans_steiner/">Mike Perry, “Reproducible Builds Moving Beyond Single Points of
Failure for Software Distribution”
5:07</a></p>
</blockquote>
<h2 id="the-social-solution-combating-project-leeching-and-burnout">The Social Solution: Combating Project Leeching and Burnout</h2>
<p>So we’ve addressed real name policies and things developers can do
prevent these kind of vulnerabilities, but we need to talk about
cultural reform. Open source has a big problem and it’s a human one. The
lead maintainer of xz, Lasse Collin, has been doing so tirelessly for
years. Unfortunately, it was only him working on xz for a long time.
There were other contributors, but none of them did as much work by
Collins, who was very open about <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html">his own mental health
issues</a>.
Except if you see what prompted this response, which was two of the
puppet accounts run by the perpetrators and almost like a heist movie, 3
days later, Jia Tan joins as a developer. There’s multiple layers to
this, so let’s break this down.</p>
<p><a href="https://social.coop/@eb/112180449849400086">Related: Evan Boeh’s breakdown of the exchanges of the puppet
accounts</a></p>
<p>I think the most important thing here is some basic operational
security. It’s tough to be a big target on the internet and being a
developer falls into that camp. Everybody <em>will</em> get on your case and
blame you for every tiny issue about and stuff that’s not even related
to your software. But mention of Colin’s mental health issues was taken
advantage of by people who intended to do ill. As a warning, do not tell
the internet about your mental health, especially with the risk somebody
will try to use it to exploit your overworked state of mind.</p>
<p>Related: <em>Mr. Robot</em> S1, E5</p>
<h2 id="the-cultural-solution-leadership-and-vision">The Cultural Solution: Leadership and Vision</h2>
<p>But on mental health, we also need to talk about the state of open
source development and the <a href="https://mastodon.world/@Mer__edith/112202731458142364">consumerist culture in
FOSS</a>.
Maintainers are accustomed to people visiting their repos to have people
ask about new features or fix a bug or two. Unfortunately, some people
are… not very nice to put it mildly. And it’s not just xz, but tons of
other projects like <a href="https://mastodon.social/@jasonkoebler/112208838700118900">the Android app store
F-Droid</a> deal
with this as well as <a href="https://social.librem.one/@eighthave/112194828562355097">an attempted SQL
backdoor</a>.</p>
<p>In fact, this whole xz backdoor only started because of the sock puppet
accounts started with really
<a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html">aggressive</a>
<a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00568.html">language</a>
to make Collin feel like he wasn’t doing enough.</p>
<p>The issue here is a communication one and there’s no easy fix, so let me
provide two of my internet armchair opinions. Projects need to curb
toxic behavior like this. Notice nobody stepped in to quash this kind of
behavior against Collin. Open source projects aren’t the only things on
the internet with these issues, but it’s high time to start addressing
this. I’ll let you be the judge of how. People are the biggest
weaknesses of hacking, not just the code.</p>
<p>No matter how big or small, your project should have a clear vision in
mind from the get-go. For xz, these “complaints” could be easily quashed
by simply <a href="https://hachyderm.io/@joeyh/112180715824680521">declaring the project feature
complete</a>. There also
needs to be a defined pipeline for users to give back to a project,
either financially or through maintenance like fixing bugs or packaging.
Getting there requires a vision that leads successful communities that
can tackle complex problems: technological, social, or cultural. It
needs to be a vision that inspires people to say “I want to be a part of
that” and building relationships that make everyone better.</p>
<p><a href="https://hackers.town/@zwol/112198885007988022">Relevant: Zack Weinberg’s Mastodon post on reform in
FOSS</a></p>
<h1 id="closing">Closing</h1>
<p>At risk of going too long, I think it’s better to close out with an ask:
there’s three solutions for communities to consider, the matter here is
picking the right one. This whole situation isn’t so much about the
security as much as it is a wake up call for proper community
development and solid technological policy to prevent incidents like the
xz backdoor. You can read all the news you want about liblzma, but if we
don’t evaluate our own practices, we’ll be doomed to repeat the same
mistakes again.</p>
<h1 id="track-listing">Track Listing</h1>
<ul>
<li><a href="https://dova-s.jp/bgm/play4655.html">KK - Ordinary Landscape
(いつもの風景)</a></li>
<li><a href="https://dova-s.jp/bgm/play13884.html">gooset - Bittersweet</a></li>
<li><a href="https://dova-s.jp/bgm/play13493.html">gooset - SUNNY</a></li>
<li><a href="https://dova-s.jp/bgm/play19782.html">Fukagawa - Green Harmony</a></li>
<li>Song that plays over the <em>Mr. Robot</em> clip is
<a href="https://macquayle.bandcamp.com/track/14-3-billharper-mp3">1.4_3-billharper.mp3</a></li>
<li><a href="https://soundcloud.com/lukrembo/store">Lukrembo - Store</a></li>
<li>Outro: <a href="https://soundcloud.com/khaimmusic/free-neon-lamp-charlie-puth-x-bruno-mars-type-funky-guitar-pop-instrumental/s-uqEQff1liFX">Khaim - Neon
Lamp</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title>Setting up a Pixel Tablet with GrapheneOS for My Mom</title>
      <link>https://trafotin.com/v/pixel-tablet/</link>
      <pubDate>Mon, 25 Mar 2024 00:00:00 +0000</pubDate>
      <guid>https://trafotin.com/v/pixel-tablet/</guid>
      <description>I helped my mom set up GrapheneOS on the Google Pixel Tablet. Are Android tablets ready now?</description>
      <content:encoded><![CDATA[

<div style="position: relative; padding-top: 56.25%;"><iframe title="Setting up a Pixel Tablet with GrapheneOS for My Mom" width="100%" height="100%" src="https://spectra.video/videos/embed/2841d5fe-dacd-4f54-b60e-d232b1e86184?subtitle=en" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<center>
<button class="button button1">
<a  href="https://youtube.com/watch?v=_-CAaJOnN_c"  >
	
YouTube

</a>
</button>
</center>

<p>Today, I’m here to talk about my mother. My mom has also been looking to
downsize the amount of technology in her life. My mom daily drives an
iPhone and has for a long time, but has no concern for the Apple
ecosystem. My dad still handles most of the tax collecting duties and my
mom has also completely dropped using a computer altogether and only
uses her iPhone. After all, most things are done in a web browser just
fine.</p>
<p>But as my parents starting to get up there in the years and their senses
are start to get weaker. My mom in particular has wanted a device with a
screen larger than her iPhone and initially suggested an iPad. Not
wanting her to fall deeper into the Apple ecosystem, I pushed her to get
<a href="https://store.google.com/us/product/pixel_tablet">Google’s first generation Pixel
Tablet</a>. You have the
ability to use a tablet fully free of the Google ecosystem through
GrapheneOS and a mobile device with more software longevity than an
iPad. Google has had a rough reputation with Android tablet support, but
have leapt into action to try to catch up to iPads. So going in, I’m
going to be focusing on the Android Tablet experience for a “normal”
user–my mom.</p>
<p>I do a lot of paranoid things with my own devices, but the priority is
for my mom to what she needs done done; open source and respect for her
privacy are secondary priorities. Don’t get too excited about a hardware
review because there isn’t a whole lot to say.</p>
<p><em>As a reminder, I receive nothing from Google except your ad revenue (if
you watch the video on YouTube). The tablet was bought at a Best Buy
with my parents’ retirement fund.</em></p>
<h1 id="hardware">Hardware</h1>
<p>The Pixel Tablet comes in a large box with the “charging speaker dock,”
some manuals, and the tablet itself. In terms of hardware, the Pixel
Tablet uses and shares similarities to Samsung’s Galaxy Tab. A
difference is the Pixel Tablet uses the Exynos chip, which Samsung
appears to be returning to with their phones.</p>
<p>If wasn’t clear by the video footage, the Pixel Tablet isn’t very
visible in bright lighting conditions. The display is quite capable, but
not ideal. It works great in dark environments like during the evening,
but leaves a bit to be desired during the day.</p>
<p>On the charging speaker dock, it’s an interesting idea, but the speakers
are kind of middling. There is also no charging cable included, so you
will need to provide your own. When charging the tablet, the tablet
comes with dots which allows you to magnetically attach it to the dock.
The magnets are pretty sensitive, so you have to make sure the dots are
properly aligned or you risk the tablet falling. She also purchased <a href="https://www.amazon.com/dp/B0CF5NT3PF">a
synthetic leather Fintie case from
Amazon</a>.</p>
<p>In terms of hardware, the Pixel Tablet is pretty unremarkable, but not
overtly cheap. The price comes in at $500, frequently discounted 1 year
in. In some ways, the Pixel Tablet provides a worse app experience than
an iPad, but outperforms an iPad in offering more freedom and features
Apple refuses to give users.</p>
<h1 id="grapheneos">GrapheneOS</h1>
<p>The very first thing that I did was install GrapheneOS. On this tablet.
However, one thing I want to make obvious is my mom is not a technical
user–far from it actually. I chose to use GrapheneOS because of the
security features, but also the “extended” support cycle. Since moving
away from Qualcomm, Google has extended their hardware to <a href="https://support.google.com/googlepixeltablet/answer/13399216">3 years of
feature updates (or Pixel Feature Drops) and 5 years of security
updates</a>.
After June 2028, the Pixel OS will be out of support and ROMs like
<a href="https://grapheneos.org/">GrapheneOS</a> <del>and
<a href="https://calyxos.org/">CalyxOS</a></del> will be the top picks. GrapheneOS is the
winner for me because of their frequent updates and the constant
innovation of features to making Android better, including <a href="https://grapheneos.social/@GrapheneOS/112056847328196636">assisting
Google and the Android community in detecting serious vulnerabilities
and bugs</a>.</p>
<p>There are some post installation steps you can do, which I never touched
on in <a href="/v/grapheneos/">my original GrapheneOS video</a>. I want to cover
some of GrapheneOS’s extra apps and features.</p>
<p>Following the <a href="https://grapheneos.org/install/web">esoteric guide on GrapheneOS’s
website</a> (seriously, this thing is
way too technical for normal people) and used my Pixel 7 Pro as the
installation device. I jacked in with a USB-C cable and pressed all the
buttons the installer told me to.</p>
<p>If you don’t have another Android device, you will need to use one of
the supported operating systems, download the <a href="https://developer.android.com/studio">Android debugging
bridge</a> from Google’s website or
from a supported Linux distro’s repos, and the Chromium browser from
their list. Then you enter what is basically a cheat code to unlock the
bootloader and click 3 buttons.</p>
<p>The installation took about 20 minutes, but at the end, the Google was
ripped out and GrapheneOS was in. Afterwards, you follow more
<a href="https://grapheneos.org/install/web#post-installation">post-installation
steps</a>.</p>
<h2 id="the-grapheneos-app-store">The GrapheneOS App Store</h2>
<p>GrapheneOS comes with an app store for independently updating their
secure Camera, PDF Viewer, the default Vanadium browser, and the
Auditor.</p>
<p>Separate from the stock apps, GrapheneOS includes downloads for various
Google products compatible with GrapheneOS: Android Auto, Markup, and
the Play Store. Typically, Google’s apps get much more visibility into
your device and could potentially use this to collect more information
about you.</p>
<p>GrapheneOS levels the playing field by forcing these apps to be
installed and treated as normal apps you might download from another app
store. They don’t get the special access, but are still able to do what
most people expect them to do.</p>
<h2 id="google-play-store">Google Play Store</h2>
<p>Unlike other Android ROMs, GrapheneOS provides <a href="https://grapheneos.org/usage#sandboxed-google-play">a fully functional copy
of the Google Play
Store</a>. This is the
standard of way of getting apps on Android, but also necessary for
specific services. For example, when you use apps that receive
notifications, most apps call for the Google services because it’s more
battery efficient.</p>
<ul>
<li>To download the Play Store, you need to download all of the
pre-requisite libraries. At the end, you should only get the Play
Store available. The Play Store and the Google services are required
if you wish to use Android Auto.</li>
<li>Some apps require Google services in order to function properly.
Others will have features missing, like passkey support or specific
banking apps. Great resources for seeing app performance are
Techlore’s <a href="https://plexus.techlore.tech/">Plexus</a>, which documents
various apps with(out) Google services and <a href="https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/">PrivSec’s list of
working banking
apps</a>.</li>
<li>There are some apps like Tuta or Signal, which do not use Google’s
services and provide a redundant service instead for privacy
reasons.</li>
</ul>
<h1 id="usage">Usage</h1>
<p>Using an Android tablet like the Pixel Tablet is pretty similar to
running an Android phone, but there are some differences. My mom also
has very different uses than most of the target audience of something
like GrapheneOS–she needs to use all of the spyware apps in her life.</p>
<h2 id="user-profiles">User Profiles</h2>
<p>A feature Android possesses is user profiles. User profiles allow
Android users to have a separate profile where they can store data or
install things separate from their main profiles. User profiles are
similar to users on computers.</p>
<p>On most Android ROMs, you are limited to 4, but GrapheneOS bumps this
limit up to 32 and makes various enhancements to these profiles,
including a secure “end session” feature, which shuts down all running
apps.</p>
<p>While not typically seen as a business device, using a profile is much
more valuable when a tablet is a family device. Suppose my dad wants to
use the Pixel Tablet. He can create a user profile for himself to
install apps just for him, completely separate from my mom. My mom is
also given the “owner” account, which allows her to retain full control
of the Pixel Tablet. What if you have a child who want to hop in on the
latest mobile game? You can install the game in a separate profile so
the game doesn’t get access to all my personal app data.</p>
<h2 id="to-google-or-not">To Google or Not?</h2>
<p>My mom has very specific needs and uses her tablet only for using
streaming services and social media apps. This already encompasses a
wide variety of apps like YouTube, Netflix, and Amazon Prime.</p>
<p>As a result, I linked her Google account to the Tablet and we got the
Play Store up and running. YouTube requires Google services to function,
plus my mom was just going to sign in anyway.</p>
<p>I said earlier that GrapheneOS locks these apps down more, but they are
still very much functional. This includes spying on you, so with higher
threat models, Google Services will still capture your notifications.
Google account information is also kept if you choose to login, so it
would be prudent to disable your advertising ID.</p>
<h3 id="disable-your-advertising-id-grapheneos">Disable your advertising ID (GrapheneOS)</h3>
<p>hidden=&quot;&quot;</p>
<p>In the Settings app, navigate to Apps &gt; Sandboxed Google Play &gt;
Google Settings &gt; Ads &gt; Delete advertising ID</p>
<h2 id="android-tablet-support-exists">Android Tablet Support Exists…</h2>
<p>When I set up the Pixel Tablet last year, my mom and I came across our
biggest hurdle–incompatible apps. The long and short is despite the
budding interest in Android tablets, not every app will work with
Android tablets properly, if even at all.</p>
<h3 id="fixing-the-aspect-ratio">Fixing the Aspect Ratio</h3>
<p>Similar to iPads, some apps like Reddit are limited to a phone-like
window to preserve the app’s intended aspect ratio. If you are bothered
by this, Android 14+ allows you to stretch these apps to match your
tablet’s screen ratio. It’s pretty seamless.</p>
<h3 id="early-woes-with-signal">Early Woes with Signal</h3>
<p>Thankfully, I have convinced a good portion of my family to adopt the
secure messaging app <a href="https://signal.org/">Signal</a>. However, when we
first got the Pixel Tablet, there was a major issue: Signal would not
work on Android tablets at all. Today, Signal works flawlessly on
Android tablets, but this was not always the case.</p>
<p>With Signal in particular, there was a workaround I found that worked. I
installed <a href="https://molly.im/">Molly</a> using their F-Droid mirror. Molly
is a fork of Signal Android client that implements some anti-forensic
features not present in Signal. For a long time, Molly was the only way
to use Signal’s service on an Android tablet.</p>
<p>Molly is generally a day behind Signal with updates (which is pretty
reasonable) and I personally prefer the main Signal app as using Molly
requires you trust their developers in addition to Signal’s. Molly is
also great if you need to access more than one Signal account on a
single Android profile.</p>
<p>While Signal works today, I feel it is too much friction to get my mom
to switch away from Molly.</p>
<h3 id="airpods-on-android">AirPods on Android</h3>
<p>As an Apple refugee, my mom has 2nd generation AirPods as her headphones
of choice. However, as Apple products, controlling them without an Apple
device is difficult. I discovered a project by <a href="https://github.com/adolfintel">Frederico
Dossena</a> (the creator of
<a href="https://librespeed.org/">LibreSpeed</a>) called
<a href="https://f-droid.org/packages/com.dosse.airpods/">OpenPods</a>. It lets you
control your AirPods, gives connection notifications, and monitor their
battery life of both ears.</p>
<p>OpenPods must be downloaded from F-Droid as they were mysteriously
banned from the Play Store.</p>
<h3 id="viki--vanadium">Viki &amp; Vanadium</h3>
<p>In the United States, there’s been a surge in people seeking to stream
Korean dramas and my mom is no exception. The most popular app to watch
K-dramas is an app called <a href="https://www.viki.com/">Viki</a>. However, Viki
is incompatible with Android tablets and they still refuse to make a
compatible app.</p>
<p>The solution was actually fairly simple–using a web browser. Using a web
browser is not only possible, but we can also create a home screen
shortcut so it can be used similar to an app. However using a web
browser opens up the can of worms that is browser choice.</p>
<p>GrapheneOS’s default browser,
<a href="https://grapheneos.org/features#vanadium">Vanadium</a>, supports Google’s
Widevine DRM. GrapheneOS also takes your connection to Google’s DRM and
puts it through a proxy to limit what Google can collect about you.</p>
<p>The one disappointment with Vanadium doesn’t support blocking static or
cosmetic ads and I really do not want my mom clicking on malicious ads.
Instead, my mom uses <a href="https://brave.com/">Brave</a>. I know there are some
who swear by Vanadium, but Vanadium has weaker fingerprinting protection
and content blocking. Brave is the only other browser endorsed by
GrapheneOS and my second choice anyway.</p>


<center>
<blockquote class="mastodon-embed" data-embed-url="https://grapheneos.social/@GrapheneOS/111966180001152300/embed" style="background: #FCF8FF; border-radius: 8px; border: 1px solid #C9C4DA; margin: 0; max-width: 540px; min-width: 270px; overflow: hidden; padding: 0;"> <a href="https://grapheneos.social/@GrapheneOS/111966180001152300" target="_blank" style="align-items: center; color: #1C1A25; display: flex; flex-direction: column; font-family: system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Oxygen, Ubuntu, Cantarell, 'Fira Sans', 'Droid Sans', 'Helvetica Neue', Roboto, sans-serif; font-size: 14px; justify-content: center; letter-spacing: 0.25px; line-height: 20px; padding: 24px; text-decoration: none;"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="32" height="32" viewBox="0 0 79 75"><path d="M74.7135 16.6043C73.6199 8.54587 66.5351 2.19527 58.1366 0.964691C56.7196 0.756754 51.351 0 38.9148 0H38.822C26.3824 0 23.7135 0.756754 22.2966 0.964691C14.1319 2.16118 6.67571 7.86752 4.86669 16.0214C3.99657 20.0369 3.90371 24.4888 4.06535 28.5726C4.29578 34.4289 4.34049 40.275 4.877 46.1075C5.24791 49.9817 5.89495 53.8251 6.81328 57.6088C8.53288 64.5968 15.4938 70.4122 22.3138 72.7848C29.6155 75.259 37.468 75.6697 44.9919 73.971C45.8196 73.7801 46.6381 73.5586 47.4475 73.3063C49.2737 72.7302 51.4164 72.086 52.9915 70.9542C53.0131 70.9384 53.0308 70.9178 53.0433 70.8942C53.0558 70.8706 53.0628 70.8445 53.0637 70.8179V65.1661C53.0634 65.1412 53.0574 65.1167 53.0462 65.0944C53.035 65.0721 53.0189 65.0525 52.9992 65.0371C52.9794 65.0218 52.9564 65.011 52.9318 65.0056C52.9073 65.0002 52.8819 65.0003 52.8574 65.0059C48.0369 66.1472 43.0971 66.7193 38.141 66.7103C29.6118 66.7103 27.3178 62.6981 26.6609 61.0278C26.1329 59.5842 25.7976 58.0784 25.6636 56.5486C25.6622 56.5229 25.667 56.4973 25.6775 56.4738C25.688 56.4502 25.7039 56.4295 25.724 56.4132C25.7441 56.397 25.7678 56.3856 25.7931 56.3801C25.8185 56.3746 25.8448 56.3751 25.8699 56.3816C30.6101 57.5151 35.4693 58.0873 40.3455 58.086C41.5183 58.086 42.6876 58.086 43.8604 58.0553C48.7647 57.919 53.9339 57.6701 58.7591 56.7361C58.8794 56.7123 58.9998 56.6918 59.103 56.6611C66.7139 55.2124 73.9569 50.665 74.6929 39.1501C74.7204 38.6967 74.7892 34.4016 74.7892 33.9312C74.7926 32.3325 75.3085 22.5901 74.7135 16.6043ZM62.9996 45.3371H54.9966V25.9069C54.9966 21.8163 53.277 19.7302 49.7793 19.7302C45.9343 19.7302 44.0083 22.1981 44.0083 27.0727V37.7082H36.0534V27.0727C36.0534 22.1981 34.124 19.7302 30.279 19.7302C26.8019 19.7302 25.0651 21.8163 25.0617 25.9069V45.3371H17.0656V25.3172C17.0656 21.2266 18.1191 17.9769 20.2262 15.568C22.3998 13.1648 25.2509 11.9308 28.7898 11.9308C32.8859 11.9308 35.9812 13.492 38.0447 16.6111L40.036 19.9245L42.0308 16.6111C44.0943 13.492 47.1896 11.9308 51.2788 11.9308C54.8143 11.9308 57.6654 13.1648 59.8459 15.568C61.9529 17.9746 63.0065 21.2243 63.0065 25.3172L62.9996 45.3371Z" fill="currentColor"/></svg> <div style="color: #787588; margin-top: 16px;">Post by @GrapheneOS@grapheneos.social</div> <div style="font-weight: 500;">View on Mastodon</div> </a> </blockquote> <script data-allowed-prefixes="https://grapheneos.social/" async src="https://grapheneos.social/embed.js"></script>
</center>


<p><em>I’d be open to exploring <a href="https://nextdns.io/">NextDNS</a> in the future,
but have not had adequate time to test whether the free plan would work
with my mom or not. If it doesn’t, I would have to pay and have her
piggyback off my plan.</em></p>
<h3 id="gboard">Gboard</h3>
<p>I installed Gboard, the stock Google keyboard and the keyboard for the
Pixel Tablet’s stock ROM. I disabled the internet connection for the app
to limit Google’s data collection. As much as I like GrapheneOS, the
AOSP keyboard is borderline unusable. Since my mom uses Google services
anyway, I figured it would be a better experience.</p>
<h1 id="misc">Misc</h1>
<ul>
<li>There’s a phone app in GrapheneOS’s Tablet ROM. The Pixel Tablet
can’t use eSIMs or a SIM card, so I don’t know why this is here.</li>
<li>I enabled button navigation opposed to gesture navigation. My mom
has a strong preference for buttons.</li>
<li>I disabled all touch/tap sounds. My mom is so angry whenever my dad
types on his phone.</li>
<li>Adaptive brightness can sometimes be very aggressive.</li>
</ul>
<h1 id="should-you-buy">Should you buy?</h1>
<p>After 5 months with the Pixel Tablet, my mom has been very satisfied
with its performance and rarely commented on the differences of
GrapheneOS. It very much is the stripped down Android experience for the
vast majority of people, but they will need help setting it up, whether
it’s a custom ROM like GrapheneOS or because of lack of app support.</p>
<p>Setting up a custom Android ROM is not overly difficult, but if you
don’t have that knowledge, it can difficult. While GrapheneOS has made
lots of great changes to make the installation experience pretty
painless, it could stand to hold the less technical user’s hand a little
bit. Most people will see the wall of text on that installation page and
lose their minds. In my mind, unless you set up GrapheneOS or CalyxOS,
the Pixel Tablet isn’t worth your time.</p>
<p>There’s also the issue of identifying problematic apps because Android
tablets have been treated like third-class citizens for years. The
Android tablet app experience leaves a bit to be desired, complicated
more by the “fragmentation” of the Android ecosystem. If you won’t
install a custom ROM or you have apps you know will not work, you’d
probably be better off with the tried and true iPad.</p>
<p>I think that if you are willing to learn and follow that ultra-technical
guide on GrapheneOS’s website, the Pixel Tablet is the best choice for
you for a tablet device that respects your privacy, freedom, and
ownership of the device. This, combined with user profiles, proper
split-screen, and freedom to use alternate app stores are all amazing
reasons to consider a Pixel Tablet. It would also be cool to see if
Google keeps making tablets and what the next generation has in store.</p>
<h1 id="summary">Summary</h1>
<p>🚫 Not recommended, due to poor Android tablet compatibility and <a href="https://www.androidauthority.com/pixel-tablet-2-canceled-3502094/">Google discontinuing future prospects</a> for this form factor (but will continue device security updates until 2028). Installing GrapheneOS is necessary to last beyond end of life, but not encouraged.</p>
<h2 id="pros">Pros</h2>
<ul>
<li>Allows installation of a custom OS (GrapheneOS)</li>
<li>Best choice for Android tablets in terms of updates (5 years of
support), legacy support on custom ROMs</li>
<li>Tablet experience offers things Apple will not: calculator, split
screen, user profiles, third party app stores</li>
<li>Good performance</li>
<li>Great as media or emulation device</li>
</ul>
<h2 id="cons">Cons</h2>
<ul>
<li>Comes with privacy invasive stock OS</li>
<li>Android tablet experience (while functional for most) leaves a bit
to be desired</li>
<li>Screen does not perform well in bright conditions</li>
<li>No headphone jack</li>
<li>Forces you to buy a gimmick speaker dock with a proprietary cable
and does not include a USB-C charger</li>
</ul>
<h1 id="track-listing">Track Listing</h1>
<ul>
<li><a href="https://dova-s.jp/bgm/play9965.html">kinono - Peaceful Days
(平穏な日々)</a></li>
<li><a href="https://dova-s.jp/bgm/play12439.html">Sharou (しゃろう) - 10°C</a></li>
<li><a href="https://dova-s.jp/bgm/play4656.html">KK - Oya oya (おやおや)</a></li>
<li><a href="https://dova-s.jp/bgm/play098.html">Takashi Waraya (稿屋 隆) - Cats
(カッツェ)</a></li>
<li>Outro: <a href="https://soundcloud.com/khaimmusic/free-neon-lamp-charlie-puth-x-bruno-mars-type-funky-guitar-pop-instrumental/s-uqEQff1liFX">Khaim - Neon Lamp</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title>A Survival Guide to Windows Update</title>
      <link>https://trafotin.com/v/windows-update/</link>
      <pubDate>Sat, 24 Feb 2024 00:00:00 +0000</pubDate>
      <guid>https://trafotin.com/v/windows-update/</guid>
      <description>Windows Update is one of the worst things about Windows. What&amp;rsquo;s the best way to deal with its problems? Here&amp;rsquo;s my game plan to survive Patch Tuesday, but you could just use automatic updates&amp;hellip;</description>
      <content:encoded><![CDATA[

<div style="position: relative; padding-top: 56.25%;"><iframe title="A Survival Guide to Windows Update" width="100%" height="100%" src="https://spectra.video/videos/embed/48f54ed6-0aef-4d25-b6fc-1c21ff306f76?subtitle=en" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<center>
<button class="button button1">
<a  href="https://youtube.com/watch?v=MmZWNbDYe2M"  >
	
YouTube

</a>
</button>
</center>

<p>Windows is notorious for having the worst update system in the world.
It’s unstable, breaks all the time, and it’s slow as hell. You made it
through the <a href="http://localhost:1313/v/win11/">awful install/setup
process</a> and dodged creating a Microsoft
account. If you want to use Windows effectively, you need to know what
it takes to survive Windows Update. Let’s dive into the Windows Update
schedule, how to download your updates, and how you can avoid any
problems along the way.</p>
<h2 id="patch-tuesday">Patch Tuesday</h2>
<p>Windows Update is how you update your computer and firmware. For
something simple for most Linux and Mac users, Microsoft makes their
update process incredibly confusing and painful for their users. It’s
already a meme that Windows Update forcefully turns off people’s
computers to install updates.</p>
<p>Windows Update is notorious for being slow and causing lots of problems:
ranging from <a href="https://www.askwoody.com/newsletter/free-edition-kb5034441-has-led-us-astray-in-a-horrible-way/">broken
partitions</a>,
<a href="https://heimdalsecurity.com/blog/all-printnightmare-vulnerabilities-were-fixed/">fundamentally flawed
protocols</a>,
and worst of all, <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-says-they-can-recover-files-deleted-by-windows-10-october-2018-update/">dereferenced files that looked like data
loss</a>
in addition to these great anti-features.</p>
<p>Microsoft has a schedule of releasing the security update, split into a
4-5 letter cycle for each week of the month (A, B, C, D, and sometimes
E). This naming scheme how Microsoft organizes their updates and we can
use this lettered cycle to plan around a game plan to deal with Patch
Tuesday.</p>
<p>Microsoft describes <a href="https://learn.microsoft.com/en-us/windows/deployment/update/release-cycle">their process in their Microsoft Learn
documentation</a>
and on <a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-monthly-updates-explained/ba-p/3773544">the Tech Community
blog</a>.</p>
<p>One of the core tenets of maintaining Windows is Patch Tuesday, although
Microsoft would prefer you refer to this as “Update Tuesday,” but that
isn’t a marketing term–it’s a derogatory term given to it by the IT
community. The 2nd Tuesday of every month (Week B) is a nightmare day
for IT admins, as Microsoft, Adobe, and Intel all orchestrate their
updates on this day, hence Patch Tuesday. In years past, Microsoft would
deliver updates erratically and through “service packs,” which often led
to extreme distrust and breakage or people not downloading their updates
at all.</p>
<p>Of course, Microsoft isn’t transparent about this at all, plus they
might watch my video and change their mind because it’s too predictable
right now! The communication for this is scattered across
<a href="https://blogs.windows.com/">blogs</a>, <a href="https://twitter.com/windows">X (formerly
Twitter)</a>, forums, and documentation and
there’s no good way to get a real answer about this.</p>
<h1 id="after-first-install">After First Install</h1>
<p>Before we formulate a game plan with how Windows Update works, let’s
start with a fresh Windows 11 install. You’ll want to go into Windows
Update and just download as many updates as you possibly can. Often
times, when you first purchase your computer, the computer haven’t
turned it on and is likely running an older version of Windows. If you
recently reinstalled Windows, there’s a number of updates since that
version of Windows was released.</p>
<p>As an obligatory warning, when you do this, Microsoft will instantly
make you <a href="https://blogs.windows.com/windowsexperience/2018/12/10/windows-monthly-security-and-quality-updates-overview/">a guinea pig to test their updates and enroll you in
beta-testing updates for the rest of
Windows</a>.
In fact, Week D, the 4th Tuesday of the month is when Microsoft delivers
feature updates to Microsoft’s other products like Office 365 and .NET.</p>
<p>To configure non-Windows Microsoft product updates, in the Settings app,
navigate to <strong>Windows Update</strong> → <strong>Advanced Options</strong> → <strong>Receive
updates for other Microsoft Products</strong></p>
<p>While that happens, go to the Microsoft Store and update all of the
Store apps. All of the stock applications in Windows are installed
through the Microsoft Store and the easiest way to update them is to
visit the Microsoft Store and verify that all of them are fully updated.
Windows’s stock apps are updated independently of Windows Update, so
it’s important you come back and check for updates often. This really
tedious and takes at least an hour, but it’s worth it to get the
security updates you need and making sure all of your Store apps are up
to date.</p>
<p>To update your apps from the Microsoft Store or Winget, in the Microsoft
Store, navigate to <strong>Library</strong> → <strong>Get Updates</strong></p>
<p>When you’re done with both your Windows Updates and Microsoft Store
updates, hit restart and pray your computer turns on again.</p>
<h1 id="update-frequency">Update Frequency</h1>
<p>Despite its problems, Windows Update does impact the reliability and
bottom line of Microsoft and the Windows team has made some minor, but
respectable improvements to the process by making <a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/how-microsoft-reduced-windows-11-update-size-by-40/ba-p/2839794">the updates smaller
in
size</a>
and <a href="https://learn.microsoft.com/en-us/windows/deployment/update/psfxwhitepaper">preventing common forms of installation
corruption</a>.</p>
<p>Microsoft self-reports issues and describes Windows feature updates on
the <a href="https://learn.microsoft.com/en-us/windows/release-health/">Windows Release Health
page</a>.</p>
<p>This is the tough decision: Windows is the only way for you to download
security updates, sometimes for actively exploited attacks in the wild,
but is constantly plagued with buggy, broken updates, beta-tested
breakages, and Microsoft anti-features. What’s the most optimal way to
update Windows while keeping up effectively with Patch Tuesday and
keeping our devices updated?</p>
<h1 id="the-vicious-cycle">The Vicious Cycle</h1>
<p><a href="https://www.troyhunt.com/dont-tell-people-to-turn-off-windows-update-just-dont/">Automatic updates are crucial to keeping your device
updated</a>.
Utilize the fact that the Windows team <a href="https://learn.microsoft.com/en-us/windows/deployment/update/how-windows-update-works">rolls out updates in
stages</a>
and you’re not going to be immediately hit with an update at once. We
also can’t sit idly by and let Microsoft wreak havoc on our devices.
Therefore, let’s take appropriate measures to handle Windows Updates and
the schedule I use when I deal with Patch Tuesday, starting from Patch
Tuesday itself.</p>
<h2 id="week-a">Week A</h2>
<p>Hunker down and block Windows Update. It’s always prudent to block
Windows Update and if an update is really bad, Microsoft will block it
from getting to your computer. Delaying updating is a more reasonable
approach to disabling Windows Updates altogether. Be prepared to back up
any data to offline or cloud-based storage. If an update goes wrong, you
can always restore from a backup.</p>
<p>To delay Windows Update, in the Settings app, navigate to <strong>Windows
Update</strong> → <strong>Pause Updates</strong></p>
<h2 id="week-b">Week B</h2>
<p>Microsoft issues the newest Windows Update. Be on the lookout for news
websites that talk about Microsoft and report immediate problems related
to Patch Tuesday. I typically view <a href="https://krebsonsecurity.com">Brian
Krebs</a> and <a href="https://www.askwoody.com/">Susan Bradley’s comments from
Ask Woody</a>. While both Krebs and Bradley
reiterate information directly from Microsoft, they save you the work of
wading through the mess that is <a href="https://www.catalog.update.microsoft.com/Home.aspx">Microsoft’s Update
Catalog</a>. They both
offer different perspectives too.</p>
<ul>
<li>Krebs focuses on the security-related issues and often links the
original work submitted to Microsoft. If you see any
vulnerabilities, especially for popular programs that you use, his
monthly warning is your nudge to update.</li>
<li>Bradley takes the slow and steady approach and is very vocal about
the instability of Windows. If she’s still squawking, that’s your
cue to wait on Windows Updates. She usually separates
recommendations for both home and business users. In my personal
opinion, she’s a little too cautious, but generally she helps strike
a healthy balance for home users.</li>
<li>Microsoft will often block problematic updates from being installed
and will not let you get them, even if you smash that update button.
However, if their engineers (or AI) decide that the update is
“safe,” they will forcefully install it unless you have delayed
Windows Update. You will get a prompt in the system tray or the
Start menu.</li>
</ul>
<p>No matter where you get your update information from, it’s important to
use <strong>your</strong> own judgment. Krebs, Bradley, nor I can answer if updating
is right. Microsoft will help a little bit if they block an update, but
more often than not will force it upon you. It’s important to develop an
awareness and the discernment to accept a Windows Update or delay it
longer.</p>
<h2 id="week-c">Week C</h2>
<p>If you see people complaining online about how Windows Update broke
something, there’s a big button to delay Windows Update for a week and
sit Week B out. If you get through Week C with no complaining, it’s
probably safe to accept that Update button.</p>
<h2 id="week-d-and-e">Week D (and E)</h2>
<p>Microsoft releases non-security updates for their other software, like
Microsoft Office or .NET. Pick these up while can, unless you’re a crank
like me. Otherwise, use this time to catch up on updates if you’re
behind on Patch Tuesday.</p>
<h2 id="week-a-again">Week A (Again)</h2>
<p>Patch Tuesday is next week and another month has come and gone. Even if
people are still complaining, download your updates now for security
reasons, else you might be forced to update during the next Patch
Tuesday, then you have 2 Patch Tuesdays worth of trouble.</p>
<h2 id="the-cycle-goes-on">The Cycle Goes On</h2>
<p>Remember, by the next Patch Tuesday, you have downloaded all
security/cumulative updates, then the vicious cycle will repeat, you’ll
be doing this forever. Or you could just ditch Windows altogether…</p>
<h1 id="the-annual-windows-update">The Annual Windows Update</h1>
<p>Every year, Microsoft issues a new version of Windows and has
<a href="https://learn.microsoft.com/en-us/lifecycle/policies/modern">obligations to their commercial
customers</a>
to alert them of changes. Thankfully, this has gone down from twice a
year, but it’s not exactly an improvement with how long these updates
take and useless features introduced. What’s more, these version numbers
are largely invisible to end users, especially when disparate versions
of Windows 11 all look the same.</p>
<p>To find your Windows release, non-Windows Microsoft product updates, in
the Settings app, navigate to <strong>System</strong> → <strong>About</strong> → <strong>Windows
specifications</strong> → <strong>Version</strong></p>
<p>Microsoft provides information about <a href="https://learn.microsoft.com/en-us/lifecycle/products/windows-11-home-and-pro">Windows 11’s support
cycle</a>
in their Learn documentation. Upgrading works seamlessly between
versions as long as your version of Windows is currently supported and
between major Windows releases (e.g. 10, 11, etc).</p>
<p>If you rarely use Windows or you haven’t updated in a while, you could
get into a situation where you are using an unsupported version of
Windows. In this scenario, Windows Update will not give you security
updates and we need to upgrade to the most recent stable build of
Windows. For example, if you are running 21H2, consulting Microsoft’s
documentation shows 21H2 lost support in October 2023.</p>
<p>If you get stuck on an unsupported version of Windows, you can attempt
to upgrade using <a href="https://www.microsoft.com/en-us/software-download/windows11">the Windows Installation
Assistant</a>.
This will get you hooked up with the latest version of Windows 11
(provided you meet the hardware requirements). Using the Windows
Installation will allow you to keep all of your data and install the
latest version of Windows on your device.</p>
<p>Alternatively, you can download a Windows ISO and burn it to a USB stick
using <a href="https://rufus.ie">Rufus</a> or creating a new Windows Installation
Media. Once you boot into the Windows USB, you can upgrade in-place and
preserve your data.</p>
<h1 id="uninstalling-an-update">Uninstalling an Update</h1>
<p>Let’s say you install the latest Windows update, but it’s a little
sluggish. People are complaining online that their system got slower,
but you installed the bad update! You can <a href="https://support.microsoft.com/en-us/windows/how-to-uninstall-a-windows-update-c77b8f9b-e4dc-4e9f-a803-fdec12e59fb0#ID0EBF=Windows_11">uninstall the offending
update from
Windows</a>.</p>
<p>To uninstall a Windows update, identify the current name of the update.
Microsoft uses the <a href="https://support.microsoft.com/en-us/topic/how-to-query-the-microsoft-knowledge-base-by-using-keywords-and-query-words-1f39ec6a-edc7-e3dd-d265-77270160bfc6">Knowledge Base
(KB)</a>
to document individual changes to Windows. After your brain turns to
mush scrolling down their massive list, look for the KB number that
might be the offending update.</p>
<p>Let’s return to our fictional scenario. I’ve read a news article and
found out that the offending update is KB1234567.</p>
<p>In the Settings app, navigate to <strong>System</strong> → <strong>Windows Update</strong> →
<strong>Update history</strong> → <strong>Uninstall updates</strong></p>
<p>The legacy Control Panel will open and list all of the updates you can
uninstall. From here, select the offending update, right-click, and
Uninstall. Windows will prompt you to reboot afterwards similar to
normal Windows Updates. Afterwards, delay updates so the offending
update is not installed.</p>
<p>If you still encounter problems, well that’s Windows for you. Good luck
next month!</p>
<h1 id="track-listing">Track Listing</h1>
<ul>
<li><a href="https://dova-s.jp/bgm/play16351.html">yuhei komatsu - Cry Baby</a></li>
<li><a href="https://dova-s.jp/bgm/play13493.html">gooset - SUNNY</a></li>
<li><a href="https://dova-s.jp/bgm/play17485.html">h - Saturday morning</a></li>
<li><a href="https://dova-s.jp/bgm/play18295.html">yuhei komatsu - Pop out</a></li>
<li><a href="https://dova-s.jp/bgm/play19065.html">yuhei komatsu - Twilight Sunset
(黄昏Sunset)</a></li>
<li>Outro: <a href="https://music.youtube.com/watch?v=ta0iw2FhnXA">Khaim - Neon Lamp</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title>How Okta ruined my life for the last 2 years...</title>
      <link>https://trafotin.com/v/okta/</link>
      <pubDate>Sat, 02 Dec 2023 00:00:00 +0000</pubDate>
      <guid>https://trafotin.com/v/okta/</guid>
      <description>Don&amp;rsquo;t use Okta. Wait, you want to know more? How about the utter mishandling of user information and complete disregard for transparency?</description>
      <content:encoded><![CDATA[

<div style="position: relative; padding-top: 56.25%;"><iframe title="How Okta RUINED My Life For 2 Years..." width="100%" height="100%" src="https://spectra.video/videos/embed/b4f7ccf6-e1a9-4cc5-b048-2109934e8560?subtitle=en" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<center>
<button class="button button1">
<a  href="https://youtu.be/YBMo7HlYprs"  >
	
YouTube

</a>
</button>
</center>

<p>Don’t use Okta. Wait, you want to know more? How about the utter
mishandling of user information and complete disregard for transparency?</p>
<p><em>Even funnier, it was revealed that the September/October breach was
actually much more serious than was originally believed and leaked
everyone’s information. All while I was editing this video.</em></p>
<h1 id="how-to-protect-yourself-from-okta">How to Protect Yourself from Okta:</h1>
<p>Okta requires a phone number, the email your IT admin associated with
your account, or in certain configurations, downloading the app as the
only option. So you don’t want to give them a phone number or download
the app because of their awful practices and your value for privacy,
what can you do?</p>
<ul>
<li><strong>Using a work VOIP number:</strong> If your employer provides a voice over
IP (VOIP) phone number, you can use that as a second factor. This is
my current strategy.</li>
<li><strong>Using a “burner” phone number:</strong> If you own more than one phone
number, you can dedicate another phone number to protect your
personal phone number.</li>
<li><strong>Using a separate Android profile:</strong> If you use Android, you can
create a separate profile for your work apps and download the Okta
app. It’s not totally anonymous, but using the QR code for their 6
digits, it doesn’t require internet access.</li>
<li><strong>Using Android-x86 in a virtual machine or spare device:</strong> You can
sideload the Okta Verify app and sign in to your email in the
virtual machine to receive a magic link. When the app is installed,
you can click the link and bind the virtual machine’s app to Okta’s
push notification system.</li>
<li><strong>The old phone:</strong> If you have a spare old smart phone, you can
download the app there.</li>
<li><strong>Using a third party emulator:</strong> There are many commercial Android
emulators, like GenyMotion or Bluestacks.</li>
</ul>
<h2 id="side-notes">Side notes:</h2>
<ul>
<li>The Okta app works without Google Play Services, but you will not
receive notifications.</li>
<li>Okta’s push verification requires internet access, but their
proprietary 6 digit codes works without internet access. It is not
Google’s standard, so you can’t use a conventional TOTP app.</li>
<li>I tried Waydroid, but the orientation and functionality of the Okta
app within it is questionable at best.</li>
<li>It would be worth looking into Google’s Android Studio and trying to
run it there.</li>
</ul>
<h1 id="alternatives-to-okta">Alternatives to Okta</h1>
<ul>
<li><a href="https://getaegis.app/">Aegis</a></li>
<li><a href="https://bitwarden.com/">Bitwarden</a></li>
<li><a href="https://ente.io">Ente</a></li>
<li>Passkeys, a universal standard by the FIDO alliance (<a href="https://fidoalliance.org/members/">ironically
funded by Okta</a>)</li>
</ul>
<h1 id="referenced">Referenced</h1>
<ul>
<li><a href="https://techcrunch.com/2022/03/28/lapsus-passwords-okta-breach/">Lapsus$ found a spreadsheet of accounts as they breached Okta,
documents show | TechCrunch, Zack
Whittaker</a></li>
<li><a href="https://www.wired.com/story/lapsus-okta-hack-sitel-leak/">New Lapsus$ Hack Documents Make Okta’s Response Look More Bizarre |
WIRED</a></li>
<li><a href="https://www.bloomberg.com/news/articles/2022-03-23/teen-suspected-by-cyber-researchers-of-being-lapsus-mastermind#xj4y7vzkg">Teen Suspected by Cyber Researchers of Being Lapsus$ Mastermind -
Bloomberg</a></li>
<li><a href="https://support.okta.com/help/s/article/Frequently-Asked-Questions-Regarding-January-2022-Compromise">Frequently Asked Questions Regarding the January 2022 Compromise |
Okta</a></li>
<li><a href="https://www.okta.com/pricing/">Okta’s disgusting pricing page</a></li>
<li><a href="https://blog.1password.com/okta-incident/">Okta Support System incident and
1Password</a></li>
<li><a href="https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/">How Cloudflare mitigated yet another Okta
compromise</a></li>
<li><a href="https://www.wired.com/story/okta-support-system-breach-disclosure/">Okta’s Latest Security Breach Is Haunted by the Ghost of Incidents
Past |
WIRED</a></li>
<li><a href="https://infosec.exchange/@dangoodin/111348246005935166">ArsTechnica’s Dan Goodin’s woes with Okta’s PR
team</a></li>
<li><a href="https://www.wired.com/story/okta-support-system-breach-disclosure/">Various compiled critiques by WIRED’s Lily Hay
Newman</a></li>
<li><a href="https://krebsonsecurity.com/2023/10/hackers-stole-access-tokens-from-oktas-support-unit/">Hackers Stole Access Tokens from Okta’s Support Unit – Krebs on
Security</a></li>
<li><a href="https://krebsonsecurity.com/2023/11/okta-breach-affected-all-customer-support-users/">Okta: Breach Affected All Customer Support Users – Krebs on
Security</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title>Firefox</title>
      <link>https://trafotin.com/v/firefox/</link>
      <pubDate>Wed, 22 Nov 2023 00:00:00 +0000</pubDate>
      <guid>https://trafotin.com/v/firefox/</guid>
      <description>&lt;div style=&#34;position: relative; padding-top: 56.25%;&#34;&gt;&lt;iframe title=&#34;Installing Firefox... With Custom Profiles!&#34; width=&#34;100%&#34; height=&#34;100%&#34; src=&#34;https://spectra.video/videos/embed/5e31914e-3119-4ded-ab93-af08f36eae3c?subtitle=en&#34; frameborder=&#34;0&#34; allowfullscreen=&#34;&#34; sandbox=&#34;allow-same-origin allow-scripts allow-popups allow-forms&#34; style=&#34;position: absolute; inset: 0px;&#34;&gt;&lt;/iframe&gt;&lt;/div&gt;


&lt;center&gt;
&lt;button class=&#34;button button1&#34;&gt;
&lt;a  href=&#34;https://youtube.com/watch?v=OGC5CwEgr_g&#34;  &gt;
	
YouTube

&lt;/a&gt;
&lt;/button&gt;
&lt;/center&gt;

&lt;p&gt;Firefox is one of the longest living browsers still with us today (good
riddance Internet Explorer) and is arguably the most customizable
browser when comes to protecting your privacy. I have made lots of
videos about Firefox, but lots has changed to Firefox since then and I
want to take my time to take a step back to review the basics, update
some of the configuration files I have, and why I still use Firefox as
my daily browser.&lt;/p&gt;</description>
      <content:encoded><![CDATA[

<div style="position: relative; padding-top: 56.25%;"><iframe title="Installing Firefox... With Custom Profiles!" width="100%" height="100%" src="https://spectra.video/videos/embed/5e31914e-3119-4ded-ab93-af08f36eae3c?subtitle=en" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<center>
<button class="button button1">
<a  href="https://youtube.com/watch?v=OGC5CwEgr_g"  >
	
YouTube

</a>
</button>
</center>

<p>Firefox is one of the longest living browsers still with us today (good
riddance Internet Explorer) and is arguably the most customizable
browser when comes to protecting your privacy. I have made lots of
videos about Firefox, but lots has changed to Firefox since then and I
want to take my time to take a step back to review the basics, update
some of the configuration files I have, and why I still use Firefox as
my daily browser.</p>
<h1 id="browser-battles">Browser Battles</h1>
<p>The undisputed point is Firefox is Mozilla has always been at odds with
the current browser at the time (Netscape in the old days and now
Chromium). Firefox has also become the heart of many important open
source projects: Thunderbird, the Tor Browser, Web Assembly, and nss.</p>
<p>Mozilla has diverged from many other browser makers because of their
nonprofit status and has been more proactively for the end user than
many other web browsers.</p>
<ul>
<li>It’s easier to switch your default search engine in Firefox and
access multiple search engines in the address bar.</li>
<li>It’s easier to change it to the default browser on Windows 11.</li>
<li>Firefox has one of, if not the most, robust screenshooting utilities
in a web browser, full stop.</li>
<li>Also has a built-in color picker and my favorite developer mode.</li>
<li>Firefox has also been faster to accept hardware acceleration on
Linux and macOS than Chromium has. For example, Firefox’s initial
Apple Silicon support was much better than Chromium’s, as they got
the secret sauce directly from Apple. Similarly, Wayland support on
Linux is much stronger than Chromium.</li>
<li>Firefox also offers Total Cookie Protection, blocking websites from
viewing your other websites by further isolating the cookie jar.</li>
</ul>
<p>Mozilla has also been much more forgiving in regards to the dreaded
C-word, and you know, the C-word that blocks things on websites. That’s
right, I’m talking about cont—Containers to compartmentalize multiple
logins and data. Want to stay logged into work and personal accounts at
the same time? Firefox Containers have you covered!</p>
<p>Unlike Chromium, Mozilla has been much more of ManifestV2, soon to be
replaced by ManifestV3. To be fair, ManifestV3 is absolutely a security
win: browser extensions will be much more limited in what they can do.
This comes at the drawback of traditional content blockers not being as
good as they used to be die to rule limits of 500,000, far too low for
most common content blockers.</p>
<p>Mozilla’s response to this has been to continue support for ManifestV3,
especially because of the number 1 most downloaded extension on Firefox
that starts with the letter U. The bottom line is this: Chromium is
largely maintained by companies that rely on surveillance capitalism and
have incentive to neuter content blockers. Firefox doesn’t and is able
to users this choice.</p>
<p>Unfortunately, most people fall victim to the tyranny of the default.
The decline of Firefox has been obvious for multiple reasons.</p>
<ul>
<li>Firefox has little mobile market share. By default, phone users are
presented Google Chrome on Android and Safari on iPhone. Even if you
do install it, it’s a crippled browser. It’s also more insecure, but
that’s a topic for another day.</li>
<li>Most browsers are based on Chromium, which is for the most part
largely controlled by Google. Lack of browser competition among
giants is harmful for users in the long run.</li>
</ul>
<p>That also doesn’t even account for Firefox has some cheap imitators. I
would advise you stay away from most of them. A lot of them struggle to
receive updates in a timely manner.</p>
<h1 id="installing-firefox">Installing Firefox</h1>
<p>Installing Firefox is about what you’d expect: visit your software store
or Mozilla’s FTP server to get it and avoid the unique identifier
planted in the installer. If you are on Mac, consider using homebrew.</p>
<h2 id="special-note-for-windows-users">Special Note for Windows Users</h2>
<p>An important thing to note is Windows users are going to need to take
some extra steps:</p>
<ol>
<li>While you can download Firefox from the Microsoft Store (not
winget), this version doesn’t include various hacks to automatically
set Firefox as your default browser when you ask it to. This is
because Microsoft hates your freedom, plain and simple. The primary
benefit of using the Microsoft Store is to get UWA apps, which
Mozilla isn’t anyway.</li>
<li>Firefox installs a scheduled task to constantly check if Firefox is
your default web browser. Mozilla, it’s none of your beeswax what I
use as my default browser. Go into Task Scheduler and delete it.</li>
</ol>
<h1 id="profile-manager">Profile Manager</h1>
<p>Now you have Firefox and we’re going to configure it, right? Hold your
horses there sport! We’re going configure profiles. While not as easy to
use or as forward facing as Chromium, Firefox supports profiles to
separate different identities and configurations of Firefox. I’m going
to cover some in a future video, but it’s all about ensuring we only use
one browser that we know works in various different ways.</p>
<p>First, you have to run a Firefox command, then we can append an argument
to open the profile selector by default. This varies based on operating
system. In the video, I cover Linux and Windows, but the principal is
the same on macOS as it is on Linux.</p>
<h2 id="windows">Windows</h2>
<pre><code>C:\Program Files\Mozilla Firefox\firefox.exe -p
</code></pre>
<h2 id="macos">macOS</h2>
<p>Make sure you open Firefox normally first to bypass Gatekeeper prompts.
Then you can create an alias with the following:</p>
<pre><code>/Applications/Firefox.app/Contents/MacOS/firefox -p
</code></pre>
<h2 id="linux">Linux</h2>
<p>If you are on Linux, consider using the snap package on Ubuntu or the
Flatpak if you don’t use Ubuntu.</p>
<ul>
<li><strong>Snap/Flatpak:</strong> Both the snap and Flatpak are maintained by
Mozilla’s developers. The snap and Flatpak are also sandboxed, so
you can configure permissions using Snap Store or Flatseal.</li>
<li><strong>Your distro’s native package:</strong> While behind on updates, native
packages can offer stronger sandboxing than what Flatpak provides.</li>
</ul>
<p>You’ll need to make a decision:</p>
<h3 id="native">Native</h3>
<h4 id="pros">Pros</h4>
<ul>
<li>Stronger security</li>
<li>Can include special fixes for your distro</li>
</ul>
<h4 id="cons">Cons</h4>
<ul>
<li>Slower to deliver security updates and bug fixes</li>
<li>Might not even be available at all due to licensing conflicts</li>
</ul>
<h3 id="snapflatpak">Snap/Flatpak</h3>
<h4 id="pros-1">Pros</h4>
<ul>
<li>Universal package</li>
<li>Officially maintained by Mozilla, no middlemen</li>
<li>Fast updates and bugfixes</li>
</ul>
<h4 id="cons-1">Cons</h4>
<ul>
<li>(Flatpak only, snap untested) Weaker sandboxing and isolation</li>
<li>(Snap only) Requires AppArmor for proper isolation</li>
</ul>
<pre><code># Native/snap
firefox -p
# Flatpak
flatpak run org.mozilla.firefox -p
</code></pre>
<p>Uncheck the box <code>Use the selected profile without asking at startup</code>,
now every time you launch Firefox as such, you will be presented with a
menu to choose which profile you want. The first profile you create is
called <code>default-release</code>, but you can rename it or create a different
one.</p>
<h1 id="stock-firefox">Stock Firefox</h1>
<p>Out of the box, Firefox isn’t all that great. The search engine is a bit
invasive and has sponsored links. Pocket is lurking around at the top.
Mozilla collects telemetry which they never cite as helpful. Rather than
fix this right now, I might get some hate for this, but there’s an
argument to not configure Firefox at all. Configuring Firefox in extreme
ways can cause websites to be much more suspicious of you. You must be
doing something wrong if you used the about:config, obviously!</p>
<p>Keeping a stock Firefox with no configuration is great for a browser
where your anonymity isn’t as important. Services like banks and
critical work or business functions are great examples of this. You
could get on your high horse and say that you are doing your duty by
configuring it, but I would argue it’s not worth the hassle when these
services probably know you by your real name anyway, so it’s not a big
deal.</p>
<h1 id="configuring-firefox-the-easy-way">Configuring Firefox the Easy Way</h1>


<div style="position: relative; padding-top: 56.25%;"><iframe title="The Basics of Configuring Firefox Settings: New Tab Page, Search Engines, Privacy &amp; Security" width="100%" height="100%" src="https://spectra.video/videos/embed/fb778622-ed89-4cff-8052-963566a259de?subtitle=en" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<p>Firefox has a lot of configurability, especially when configuring
Firefox offers a lot benefits protecting your privacy, security, and the
occasional weird Mozilla feature. If you’re looking to configure
Firefox, but don’t want to have to deal with the fuss of a user.js file,
this is the place for you!</p>
<h2 id="why-bother">Why bother?</h2>
<p>Firefox has a lot of settings and these are the only ones that most
people have access to! If you haven’t already, I strongly recommend
setting up custom profiles if you haven’t already. I maintain at least 4
Firefox profiles at once, each of them serving a different purpose. I
typically name this profile “PrivacyFox,” because we’re going to
configure Firefox to a minimal degree. Scripts like Arkenfox turn off a
lot of features and while features that break websites are marked, many
others indirectly cause websites to break.</p>
<p>And even if you’re an advanced user and use privacy-hardened Firefox
with a custom user.js and fancy userChrome.css, you still need to be
aware of the GUI settings because scripts like Arkenfox won’t configure
these for you most of the time. They often leave the GUI settings open
for users to configure it themselves.</p>
<p>The benefit is you can customize Firefox to resemble the behavior <em>you</em>
want and you can choose how you want Firefox to look. Unlike most other
browsers, Firefox truly lets you claim it as your own, and no, it won’t
break upon updates unlike Vivaldi!</p>
<p>We’re going roll through all of the default Firefox settings and give a
quick rundown of each one.</p>
<h2 id="home">Home</h2>
<p>You can toggle your homepage by changing it something else. And for the
last time Josiah, I’m not making your homepage Google if you can just
type in the search bar to use Google!</p>
<p>Popular options include:</p>
<ul>
<li>DuckDuckGo</li>
<li>Startpage</li>
<li>Brave Search</li>
<li>Google</li>
<li>Bing</li>
<li>Yandex</li>
<li>Baidu</li>
</ul>
<h2 id="search">Search</h2>
<p>The search settings are where you can configure Firefox’s search engine.
I would be remiss not to tell you that Firefox gets paid millions of
dollars by Google to be the default search engine. There have even been
rumored talks of a bidding war with whether or not Bing would replace
Google as the default. If you have preference for a different search
engine here, you can change it here.</p>
<p>Alternatively, if your search engine is not listed, you can visit your
favorite search engine and right-click on the Address Bar, then click to
add it to these options.</p>
<ul>
<li>Disable “Provide search suggestions”</li>
</ul>
<p>Firefox will also proactively search with autocomplete enabled by
default. This means that anything you type into your Address Bar will be
sent to your search engine provider. I recommend turning this off.</p>
<h2 id="privacy--security">Privacy &amp; Security</h2>
<ul>
<li>Select “Strict” Enhanced Tracking Protection</li>
</ul>
<p>Firefox offers Enhanced Tracking Protection (ETP) against common threats
on the web. It will not protect you from everything, but it’s designed
not to negatively impact your browsing at all, even on Strict.</p>
<p>Navigate to “Address Bar,”</p>
<ul>
<li>Disable “Suggestions from the web”</li>
<li>Disable “Suggestions from sponsors”</li>
</ul>
<p>In America, us Firefox users are pestered with sponsored links in the
autocomplete. Just turn them off.</p>
<ul>
<li>Navigate to “Cookies and Site Data” and select “Delete cookies and
site data when Firefox is closed”</li>
</ul>
<p>Cookies are used to track things across the web like login sessions and
cached information. However, most websites abuse this and use this as a
mechanism to track you.</p>
<blockquote>
<p>[Advertisers] capture the “cookies” that your computer automatically
deposits into your Web browser, creating an indelible of every site
you visit and every page you view, then use that information to send
you personalized advertisements… “Cookies are used by virtually all
commercial websites for various purposes, including advertising,
keeping users signed in and customizing content… Bad as it was to be
stalked by shoes…”</p>
<p><a href="https://www.martinlindstrom.com/our-books/brandwashed/">Martin Lindstrom,
<em>Brandwashed</em></a></p>
</blockquote>
<p>But naturally this leads to a question: how do you stay logged into
accounts you always use and you want the convenience of staying signed
in?</p>
<ul>
<li>Under “Manage exceptions,” you can add an exception by typing in the
site, and selecting “Allow”</li>
<li>Visit the site you want to save your credentials for, then press
<code>Ctrl+i</code> (<code>⌘+i</code> on Mac) Navigate to “Permissions” -&gt; “Set
cookies” -&gt; “Allow”</li>
</ul>
<h2 id="https-only-mode">HTTPS-Only Mode</h2>
<p>Back in the old days, websites thought it was a good idea to use
unencrypted websites, which allow your ISP to snoop on what you do. Most
of these things have been eradicated from the Internet today, but for
those who couldn’t figure out how to do it, you want to be presented
with a full-screen warning to protect your privacy.</p>
<ul>
<li>Enable “HTTPS-Only Mode in all windows”</li>
<li>You can also “Manage Exceptions”</li>
</ul>
<h2 id="dns-over-https">DNS over HTTPS</h2>
<p>DNS over HTTPS (DoH) is one of the newest web standards for secure DNS
connections, which translate your URLs like “trafotin.com” into the
corresponding servers on the internet and IP addresses.</p>
<p>DoH changes the DNS paradigm by using HTTPS packets to call the websites
you want to visit. By using DoH, in junction with encrypted DNS, your
internet service provider can still see sites you visit, but they aren’t
allowed to tamper with any of the content, because yes, they have done
this before.</p>
<p>I previously enabled the US default of Cloudflare’s DoH server as the
default, but I’m taking a step back and letting you guys decide what you
want. I think Cloudflare is a great default and the other, NextDNS, is
also very handy. Other providers like Quad9 offer their own servers.</p>
<h3 id="enable-secure-dns-using">Enable Secure DNS using:</h3>
<p>Lastly, Firefox now has the ability to force all traffic through DoH,
which is really cool. In Chromium and previously in Firefox, DoH would
be the default, but if websites rejected it, it would just fall back to
normal DNS.</p>
<ul>
<li>Select “Increased Protection” or “Max Protection” for DoH.</li>
</ul>
<p>If you select “Max Protection,” if you can’t connect to your DoH
provider or if the connection is routed back, you will get a full screen
warning.</p>
<p>If you are interested in learning more about DNS, I recommend <a href="https://www.irongeek.com/i.php?page=videos/nolacon2019/nolacon-2019-d-03-dns-strategies-for-reducing-data-leakage-protecting-online-privacy-jim-nitterauer">a talk
from Jim Nitterauer about compliance and protecting your privacy with
DNS</a>.</p>
<h2 id="telemetry">Telemetry</h2>
<ul>
<li>Disable “Allow Firefox to send technical and interaction data to
Mozilla”</li>
<li>Disable “Allow Firefox to install and run studies”</li>
<li>Disable “Allow Firefox to send backlogged crash reports on your
behalf”</li>
</ul>
<p>While Firefox is fairly respectful of your rights, one of the things I
am the most suspicious of is their telemetry collection. The telemetry
being opt-in isn’t a crime, but they don’t make it clear whether this
information is useful or not, nor is it published anywhere publicly. It
also doesn’t help that Mozilla places ads everywhere.</p>
<p>Even if you believe Mozilla is in the right, I’m a paranoid weirdo who
would turn it off anyway. If you use an account, Mozilla collects more
information about you and ties it to your Firefox account, so you might
have more reason to turn it off given Firefox accounts demand an email.</p>
<h1 id="customizing-firefox">Customizing Firefox</h1>
<p>Firefox allows users to customize the UI to their liking. For example,
if don’t like the “wide” address bar, you can remove the spaces. If
you’re a front-end dev, you can add the developer tools to the toolbar.
If you want to add back the extension icons to your taskbar, you can pin
them near the puzzle piece icon. Be creative and make Firefox your own.
You can make it look like Chrome, old school Firefox/Opera, or Safari.</p>
<ul>
<li>Right-click on the top bar or window decorations and select
“Customize Toolbar”</li>
</ul>
<h1 id="new-tab">New Tab</h1>
<p>Firefox also allows users to customize the New Tab page, including using
a custom website as one. Still, with the vanilla New Tab page, there are
things to be done.</p>
<ul>
<li>Right-click and unpin all preinstalled shortcuts. These are all
sponsored links for companies who paid to be here.</li>
<li>Gear -&gt; # rows here</li>
<li>Gear -&gt; Sponsored Shortcuts -&gt; Disabled</li>
<li>Gear -&gt; Pocket</li>
</ul>
<h1 id="mullvad-browser">Mullvad Browser</h1>


<div style="position: relative; padding-top: 56.25%;"><iframe title="STOP Using Firefox Forks! Use Mullvad Browser Instead." width="100%" height="100%" src="https://spectra.video/videos/embed/bf36a951-8276-4341-a3b4-89ed06ff93cc?subtitle=en" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<p>You could configure Firefox by going through the settings, but the easy
way to get a privacy-hardened Firefox is using the Mullvad Browser.
Since my very first video with Arkenfox, this has been what I consider
the most radical change to Firefox forks. Ordinarily, I never recommend
Firefox forks because most of them have trouble updating in a timely
manner or don’t have a good enough reason to exist.</p>
<h2 id="the-problem-with-firefox-forks">The Problem With Firefox Forks</h2>
<p>The problem with most Firefox forks is you need to not only trust
Mozilla, you need to trust the other people who are touching the fork,
and trust that they will keep it up to date. With something as important
and unfortunately resource heavy like a web browser, you need to ensure
you get updates promptly and most smaller browser forks aren’t able to
do this well.</p>
<h2 id="why-the-mullvad-browser">Why the Mullvad Browser?</h2>
<p>The exception has been the Mullvad Browser. Mullvad Browser doesn’t use
the normal Firefox, but the Extended Support Release or ESR of Firefox.
It’s much slower to adopt features, but the core security and engine of
Mullvad Browser is the same.</p>
<p>In fact, Mullvad Browser was developed in conjunction with the foremost
popular fork of Firefox, the Tor Browser. The Tor Browser has worked
with Mozilla for years to fine tune Firefox against the invasive
practice of surveillance capitalism and protecting your anonymity on the
internet. Mullvad Browser inherits all of the Tor Browser’s work and it
basically the Tor Browser, just no dark web functionality.</p>
<p>Well if you can’t connect to the dark web, what’s the point? Because
Mullvad Browser is perfectly privacy-hardened by default and has all the
extensions you might need in it, you don’t even need to pay for a
Mullvad subscription to use it; you can use it as is. Everyone who uses
Mullvad Browser is now lumped into the same pool of people and if you
use a VPN (commercial, self-hosted, etc), you are now part of the same
army of people using this browser.</p>
<h2 id="limitations-to-the-mullvad-browser">Limitations to the Mullvad Browser</h2>
<p>There are some caveats where you might want to avoid Mullvad Browser:</p>
<ul>
<li>You can&rsquo;t use some newer features of Firefox. Previously this included screenshots, but also things like AI integration and vertical tabs. This is because Mullvad is based on Firefox&rsquo;s extended support release (ESR).</li>
<li>You can’t save logins. All data is deleted upon closing Mullvad
Browser. You run this in Private Browsing/Incognito mode all the
time.</li>
<li>You are stuck with the extensions they give you and you shouldn’t
configure them beyond their default values. In order to blend in,
everyone needs to have the same uBlock Origin settings and the same
NoScript settings.</li>
<li>There are what some would consider bloat features like the Mullvad
extension or the Mullvad Leta search engine, especially if you don’t
use/like Mullvad.</li>
<li>Some websites might not work correctly, because of the Tor Browser
configurations. You can’t watch DRM-protected content for example or
some website elements might not work.</li>
<li>There’s also the pain point of the Mullvad Browser is pretty young
and not as many people use it.</li>
</ul>
<h2 id="the-easy-way-out">The Easy Way Out</h2>
<p>And that’s why I’m recommending it. I’m selfishly recommending it
because it is the easiest way to get privacy-hardened Firefox and you
can join me in the sea of people using it. It’s the newest kid on the
block, so we need to make this pool of people bigger and more normies
use it.</p>
]]></content:encoded>
    </item>
    <item>
      <title>Installing Custom Android ROMs Is Easier Than Ever!</title>
      <link>https://trafotin.com/v/grapheneos/</link>
      <pubDate>Fri, 20 Oct 2023 00:00:00 +0000</pubDate>
      <guid>https://trafotin.com/v/grapheneos/</guid>
      <description>This September, I underwent the experience of installing my first custom Android ROM, installing a customized version of Android on a Pixel 7 Pro. This was my experience.</description>
      <content:encoded><![CDATA[

<div style="position: relative; padding-top: 56.25%;"><iframe title="Installing Android ROMs Is Easier Than Ever!" width="100%" height="100%" src="https://spectra.video/videos/embed/3880d0c4-b38d-41fc-af7b-61ca53835046?subtitle=en" frameborder="0" allowfullscreen="" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" style="position: absolute; inset: 0px;"></iframe></div>


<center>
<button class="button button1">
<a  href="https://youtube.com/watch?v=b949BaPnRzw"  >
	
YouTube

</a>
</button>
</center>

<p>Remember the last time I made a video on Android? It was over a year ago
(and on Airguard)! Now that changes. I have right here a Google Pixel 7
Pro, which I pawned off a relative. I mean, if it were me, I would have
waited for the Pixel 8! But this is something I’ve been excited for: an
Android operating system that truly puts your rights first and foremost.
This has now become my daily driver phone and I have never been more
exicted for a Phone since my LG VX-5400! Buckle up guys, Android ROM
flashing time!</p>
<h1 id="what-is-grapheneos">What is GrapheneOS?</h1>
<p>GrapheneOS is a custom Android ROM, but what does that actually mean?
Android ROMs are the same as when you choose to run operating systems on
your computer. Few Android phones grant you the ability to install
custom operating systems and many manufacturers refuse to provide you
such a freedom or will hamper your efforts to run custom Android ROMs.</p>
<p>But why would someone choose to do this? It really comes down to control
or functionality. Since many manufacturers maker it difficult, they are
effectively taking away your freedom to do or run exactly what you want
on your device. It’s important because compared to Apple for example, at
least you are given the choice (on certain phones) to do what you want.</p>
<p>That being said, there are risks and I can’t go without mentioning them.
In the past, installing a custom Android ROM could result in bricking
your phone, but times have changed. As long as you choose to run a
reputable Android ROM, the chances of you bricking your phone are
telegraphed to you. As long as you play it safe and stick to big name
ROMs, it’s hard to mess up.</p>
<h2 id="custom-rom-insecurity">Custom ROM Insecurity</h2>
<p>While I am all about encouraging software freedom and running what you
want on you device, I want to warn you against rooting your device.
Rooting usually gives you as the end user the same ability to run
dangerous command that could your damage your system. “But Trafotin, I
made it this far and I haven’t gotten in trouble yet!” Rooting your
phone has dangerous consequences especially if you are downloading files
outside of the Google Play Store. Sure you can do you get your whiz-bang
battery enhancing apps, but newer innovations prove using an unrooted
device is great. You can install an Android ROM and not be constantly
using your phone with administrative privileges. It’s a bad practice for
computers and it’s just as much a bad practice for phones.</p>
<h1 id="the-grapheneos-solution">The GrapheneOS Solution</h1>
<p>This is why I am firm proponent of GrapheneOS. GrapheneOS is a custom
Android ROM, designed to not compromise on user security while still
respecting your rights. It’s the most robust custom Android ROM, but
that polish comes at a cost. GrapheneOS can only be installed on Google
devices. Google makes the best smart phones when it comes to keeping
your phone up to date and not flooding your phone with crapware that
other Android manufacturers throw in. Inevitably, people will fear
Google kills off their phone line, but I am doubtful that this will
happen. The state of manufacturers providing timely security updates on
Android is so bad Google is willing to go into debt and force their OEMs
to do the same. Sure Google is one of the Big Tech companies, but they
recognize they are responsible for the biggest phone operating system in
the world.</p>
<p>And I know the irony of using a Google phone to get more privacy, but
Google’s phones are legitimately the easiest phones to install custom
Android ROMs on and they have been for years. The entry level devices,
like the Pixel 7a and the Pixel Tablet are less than $500 and pretty
affordable.</p>
<h1 id="installing-grapheneos">Installing GrapheneOS</h1>
<p>So you’re sold on using a custom Android ROM and you have a nice fresh
Google phone. I’m doing this with a Pixel 7 Pro, but all of Google’s
newest product line is compatible with GrapheneOS. I normally recommend
buying a phone on sale, but I got a $200 discount for 4 years of updates
and I wanted a model with an actually decent camera because anyone who
has seen videos filmed with my iPad are atrocious. But how do we install
GrapheneOS?</p>
<p><em>The following entails a guide on how to install GrapheneOS. The project
has been in some drama because their former head developer didn’t like
publishing guides, even if you supply the same or more depth
instructions than on their website.</em></p>
<h1 id="prerequisites">Prerequisites</h1>
<p>I’m not going to get into detail, but the first step is to</p>
<ul>
<li>a Google device that is carrier unlocked</li>
<li>use a computer from one of their supported operating systems to
reduce as much error as possible. This can be a computer or even
another Android phone.</li>
<li>use a Chromium-based browser from the list</li>
<li>connect your Google device with a USB cable and trust the device you
plug it into</li>
</ul>
<p>If you do the computer method, you need to make sure to have the Android
SDK tools. I used a spare computer with Ubuntu and Brave and the
instructions are pretty reliable with Linux and Windows, but pretty
vague overall. If I had criticize the installation process, there could
be a little pulldown menu with some extras instructions.</p>
<h1 id="oem-unlocking">OEM Unlocking</h1>
<p>But that’s the hard part, let’s do something more fun–OEM unlocking.
This is one of the coveted features of Android phones that allow custom
ROMs. But how do we configure this?</p>
<ul>
<li>Go to <em>Settings</em>→<em>About</em>→<em>Build number</em> then smash that button until
you become a developer.</li>
<li>Go to <em>Settings</em>→<em>System</em>→<em>Developer options</em>→<em>OEM unlocking</em>
enabled.</li>
</ul>
<p>You might also need to connect to Wi-Fi at least once.</p>
<h1 id="rebooting">Rebooting</h1>
<p>After you enabled OEM unlocking, you need to turn off the Google device.
In my case, it’s the sleep button and the volume up button at the same
time. This took me more attempts than I would like to admit.</p>
<p>When you turn on the device, then hold the volume down button while the
phone turns on and you get a spooky tiny text menu. This means we are in
business for the hardest step of all…</p>
<h1 id="doing-the-deed">Doing the Deed</h1>
<ul>
<li>Go to your nice Chrome browser and click the button to identify your
Google device and unlock the bootloader.</li>
<li>Click the button to download the corresponding release for your
device.</li>
<li>Click the button to wipe Google off your device. <strong>Do not touch your
device or unplug it while it is working.</strong> It will reboot multiple
times and you know when you succeed when the Google logo shows up,
only for the GrapheneOS logo to jumpcut in front of it just like
having in movies.</li>
</ul>
<p>You still see a hash appear as your phone boots up and compare this with
the hash on GrapheneOS’s website. This ensures you’re running an
official GrapheneOS image.</p>
]]></content:encoded>
    </item>
    <item>
      <title>Secure Boot</title>
      <link>https://trafotin.com/v/secure-boot/</link>
      <pubDate>Fri, 23 Jun 2023 23:34:21 -0500</pubDate>
      <guid>https://trafotin.com/v/secure-boot/</guid>
      <description>&lt;iframe id=&#34;odysee-iframe&#34; width=&#34;560&#34; height=&#34;315&#34; src=&#34;https://odysee.com/$/embed/@Trafotin:4/use-uefi-secure-boot-now!-2:e&#34; allowfullscreen&gt;&lt;/iframe&gt;


&lt;p&gt;Have you enabled Secure Boot on your computer? I sure have, but what is it and why it&amp;rsquo;s so important to the fabric of computing today? Why is Windows 11 pushing Secure Boot so hard? Is it a way for Microsoft to block off third party operating systems? Did someone on a forum or Discord tell you to turn it off? All of this and more as we learn together why UEFI Secure Boot should be required for everyone!&lt;/p&gt;</description>
      <content:encoded><![CDATA[

<iframe id="odysee-iframe" width="560" height="315" src="https://odysee.com/$/embed/@Trafotin:4/use-uefi-secure-boot-now!-2:e" allowfullscreen></iframe>


<p>Have you enabled Secure Boot on your computer? I sure have, but what is it and why it&rsquo;s so important to the fabric of computing today? Why is Windows 11 pushing Secure Boot so hard? Is it a way for Microsoft to block off third party operating systems? Did someone on a forum or Discord tell you to turn it off? All of this and more as we learn together why UEFI Secure Boot should be required for everyone!</p>
<h1 id="what-is-uefi">What is UEFI?</h1>
<p>Desktop computing is exposed to constant threats in the wild and one of the worst things that could be compromised is your boot process. For something like your phone or your laptop with critical information, we want that stuff locked down tight to prevent bad guys from getting in.</p>
<p>In a brief (ultra-simplified) explainer, any computerized has 3 major layers:</p>
<ol>
<li>Your hardware, like the device you use.</li>
<li>Your BIOS, which operates as a single point of trust to handle things like peripherals.</li>
<li>Your operating system, like Windows, macOS, or Linux, where you make changes to your computer.</li>
</ol>
<p>While booting up a computer started off simple in the early days, it has become more complex. Previous older iterations were things like the Extensible Firmware Interfaces (EFI), which is a miniature operating system that vastly increased this capability. EFI adds that ugly interface you have hidden away that controls things like your power management, virtualization, and what not.</p>
<p>UEFI &ldquo;unifies&rdquo; the complexity of EFI, but also makes UEFI the &ldquo;trusted&rdquo; version of EFI. You rely on your firmware to know if your computer is properly booting and not doing something sketchy in the process. UEFI is another chip attached to your motherboard that adds cryptographic authentication your devices are running and initialized properly. We need UEFI because many corporations view UEFI as the continuation and future of EFI.</p>
<h1 id="what-is-secure-boot">What is Secure Boot?</h1>
<p>The added cryptographic verification presented a new frontier for device makers. Personal computing devices like your computer or your phone contain lucrative information for attackers, so the big operating system vendors invest into protecting the sanctity of your system.</p>
<p>This started with the Platform Initialization standard. This generates a key, typically from your motherboard&rsquo;s manufacturer, which attests the firmware on your motherboard is indeed valid and has not been tampered with (there&rsquo;s protections for timestamping changes, so modifications, to prevent rollbacks, and replay attacks).</p>
<p>Secure Boot uses UEFI&rsquo;s keys and ties it to pre-baked keys from your manufacturer to add an extra layer of security against malware exploiting this boot process (it&rsquo;s similar to the prebuilt keys in your browser). This validates that the operating system you boot up is precisely the intended target and there&rsquo;s no malicious code burrowed in as your device boots up. There&rsquo;s also a keystore with forbidden keys, where if a key can no longer be used to verify boot images, it&rsquo;s added to a blacklist so they won&rsquo;t ever work again.</p>
<h2 id="exploitable-firmware-interfaces">Exploitable Firmware Interfaces</h2>
<p>This isn&rsquo;t hypothetical, because state-sponsored attacks and limited attacks in the wild take advantage of people who haven&rsquo;t caught up yet despite the years that have gone on. The Chinese research company <a href="https://web.archive.org/web/20220725102425/https://bbs.360.cn/thread-14959110-1-1.html">Qihoo 360 reported on (in Chinese)</a> UEFI rootkits using the backwards compatibility modules for EFI in ASUS&rsquo;s computers.</p>
<p>Most recently, the Russian firm <a href="https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/">Kaspersky found</a> a rootkit yet another vulnerability targeting this backwards compatbility, once again in ASUS and Gigabyte motherboards. If you thought ASUS shorting their BIOS or Gigabyte getting their firmware backdoored, that isn&rsquo;t even the worst of it!</p>
<h1 id="microsoft-vs-corporate-linux">Microsoft Vs Corporate Linux</h1>
<p>These sophisticated attacks are nothing compared to the history tied into the way Secure Boot was presented to the public. The dreaded operating system Windows 8, under the iron fist of Steven Sinofsky, began to require &ldquo;Microsoft-compliant&rdquo; UEFI Secure Boot. In the classic, poorly worded style of Microsft communication from the madman, <a href="https://web.archive.org/web/20110924161843/http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx">Sinofsky added just a little clause to these requirements</a>:</p>
<blockquote>
<p>In the screenshot below you will notice that we designed the firmware to allow the customer to disable secure boot. However, doing so comes at your own risk. <strong>OEMs are free to choose how to enable this support and can further customize the parameters as described above in an effort to deliver unique value propositions to their customers.</strong></p>
</blockquote>
<p>This last line got <a href="https://canonical.com/blog/white-paper-secure-boot-impact-on-linux">major Linux manufacturers seriously concerned</a> because history has shown OEMs often cut corners to ship firmware and what if the ability to boot something other than Windows was taken away?</p>
<p><a href="https://ozlabs.org/docs/uefi-secure-boot-impact-on-linux.pdf">Papers from Red Hat and Canonical</a> describe how the ability to write and add keys needed to be included into the Microsoft requirements so OEM keys. In the original Build blog post, Sinofsky does mention this at the beginning, contradicting the quote that got everyone so worried:</p>
<blockquote>
<p>Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components&hellip; Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows</p>
</blockquote>
<p>This quote provides probably the &ldquo;intended&rdquo; (whatever that means to you) meaning to users, &ldquo;you can turn off Secure Boot, but you do so at your risk.&rdquo; If you examine these carefully, you&rsquo;ll see Red Hat and Canonical&rsquo;s engineers <em>don&rsquo;t reject</em> the UEFI or Secure Boot standard, but <a href="https://wiki.debian.org/SecureBoot">it needed to be done in an inclusive way to allow Linux users, on the server or desktop, to get Secure Boot.</a></p>
<h1 id="secure-your-boots-now">Secure Your Boots Now!</h1>
<p>To this day in comments, in places like Reddit, Discord, or 4chan, I continue to hear is using Secure Boot doesn&rsquo;t work if you don&rsquo;t use Windows. And while that might have been true at one point, it hasn&rsquo;t been true for over a decade. I can guarantee that the vast majority of Linux users disabled Secure Boot because a guide online told them to. For example, I caught <a href="https://forum.garudalinux.org/t/troubleshooting-system-stutter-lags-freezes-and-hangs/18044/4">this &ldquo;guide&rdquo;</a> from some guys on the Garuda Linux team <a href="https://t.me/garudalinux/292499">telling their users</a> <a href="https://forum.garudalinux.org/t/install-garuda-in-secure-boot-mode/26721">to disable Secure Boot</a>, which just borders on irresponsible because <strong>it can be done!</strong></p>
<p><em>Not just this behavior, but also the fact Garuda automatically trusts and rebuilds some goofy fork of the AUR is reason alone you should just stay away from them.</em></p>
<p>It&rsquo;s even more ironic the 2 most popular desktop Linux distributions, Fedora and Ubuntu (and their derivatives like Mint and ublue for example), have never been subject to this. Red Hat and Canonical have to cough up a one-time $99 fee to access the 3rd party Microsoft key, which ensures their users get full access to Secure Boot. This third party shim key Fedora pays for is used by <a href="https://www.ventoy.net/en/doc_secure.html">the USB tool Ventoy</a> to ensure Windows 11 and other compatible Linux distros can use Secure Boot out of the box (with a nifty guide!).</p>
<p>But Secure Boot on Linux breaks if you use the proprietary drivers like NVIDIA proprietary driver. In Fedora, Fedora includes Akmods, a startup script that rebuilds your packages on boot. Akmods allows you to generate your own key using openssl and sign the Linux kernel, thus allowing NVIDIA&rsquo;s driver through Secure Boot correctly.</p>
<p>I wrote 2 little scripts based on a guide from the folks at Fedora&rsquo;s RPMFusion that allows you to sign the kernel, so you too can get Secure Boot with the NVIDIA driver on Fedora. Once you enroll your keys, you reboot and can toggle some settings using mokutil to configure Secure Boot properly, by continuing with your keys. There are other methods for <a href="https://en.opensuse.org/openSUSE:UEFI">openSUSE&rsquo;s installer</a> and Arch Linux, but I&rsquo;m not familiar enough with them.</p>
<p>I&rsquo;m going to leave it there because instead of making strawman arguments claiming Secure Boot will lock people out, we need to accept the new standards because UEFI and Secure Boot are realities you need to wake up to. I didn&rsquo;t even get into the part where Windows and Linux are just broken compared to Macs or mobile devices! So leave a like on this video. Leave a like on this video if you hated the Windows 8 era!</p>
<h1 id="verified-boot-and-tpm-verified-boot">Verified Boot and TPM-verified boot</h1>
<p>Desktop computing security is fundamentally broken compared to the strength of verified boot on Android and Apple devices. The advent of technologies like Intel Bootguard and Microsoft&rsquo;s Pluton prove that the silver-lining of Windows 11 is PC verified boot has gotten easier than ever.
However, there&rsquo;s the issue of certificate verification. There&rsquo;s are bypasses that require enabling third party UEFI certificates, like the ones Fedora and Ubuntu use, <a href="https://download.lenovo.com/pccbbs/mobiles_pdf/Enable_Secure_Boot_for_Linux_Secured-core_PCs.pdf">on Lenovo computers</a>, but Linux now supports Secured Core computers without the need for such measures. If you use a distribution that isn&rsquo;t a rolling release with an updated Linux 6.3 kernel or higher, you won&rsquo;t get access to stuff like Pluton.</p>
]]></content:encoded>
    </item>
    <item>
      <title>Flatpaks</title>
      <link>https://trafotin.com/v/flatpaks/</link>
      <pubDate>Wed, 10 May 2023 23:34:21 -0500</pubDate>
      <guid>https://trafotin.com/v/flatpaks/</guid>
      <description>&lt;div style=&#34;position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;&#34;&gt;
			&lt;iframe allow=&#34;accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen&#34; loading=&#34;eager&#34; referrerpolicy=&#34;strict-origin-when-cross-origin&#34; src=&#34;https://www.youtube-nocookie.com/embed/Jiqxdb6ZhkQ?autoplay=0&amp;amp;controls=1&amp;amp;end=0&amp;amp;loop=0&amp;amp;mute=0&amp;amp;start=0&#34; style=&#34;position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;&#34; title=&#34;YouTube video&#34;&gt;&lt;/iframe&gt;
		&lt;/div&gt;

&lt;p&gt;It&amp;rsquo;s time to learn about Flatpak and why you need to use it. Flatpak is the way to go and is going to revolutionize Linux, whether you want to or not, especially since it&amp;rsquo;s the easiest way to get things that you want. I&amp;rsquo;m going to be going over what Flatpaks even are, how to use it, and how to control what your Flatpaks do.&lt;/p&gt;</description>
      <content:encoded><![CDATA[<div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
			<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/Jiqxdb6ZhkQ?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
		</div>

<p>It&rsquo;s time to learn about Flatpak and why you need to use it. Flatpak is the way to go and is going to revolutionize Linux, whether you want to or not, especially since it&rsquo;s the easiest way to get things that you want. I&rsquo;m going to be going over what Flatpaks even are, how to use it, and how to control what your Flatpaks do.</p>
<h1 id="what-are-flatpaks">What are Flatpaks?</h1>
<div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
			<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/jDVCITRWGgs?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
		</div>

<p>Flatpaks are sandboxed apps using bubblewrap, designed to universally work across many Linux operating systems, but specifically on desktop. Flatpak acts as a front-end for bubblewrap, which has really complex command-line arguments, and as an easy way to install packages independent of the operating system you use (a Debian user and an Arch user install the same packages together in harmony).</p>
<p>Since apps are sandboxed, Flatpak downloads dependencies and libraries independently, so your programs work the everywhere. Gaming on Linux is one desktop activity that greatly suffers from this, whether you&rsquo;re running SteamOS, Ubuntu, Arch, you and developers will experience the agony of inconsistent results, when they could be universal. Flatpak also simulates architecture, so you can still run all your 32 bit libraries, ARM programs, or x86 games and graphics using Flatpak.</p>
<h1 id="linux-cant-sandbox">Linux Can&rsquo;t Sandbox</h1>
<p>On desktop Linux, applications are given access to daemons or allowed to access all files on your system. Ideally, your operating system shouldn&rsquo;t be allow this to happen, but this is a very real problem Flatpak wants to solve, especially as Apple and Google have figured out how to do this already (with Android, ChromeOS, and iOS, MacOS has sandboxing too, but it&rsquo;s opt-in for developers, so <a href="https://www.grc.com/sn/sn-364.htm">tyranny of the default</a>).</p>
<p>The technology Flatpak is built to provide an answer to both of these problems. Flatpak is also integrated in major Linux app stores like GNOME Software, Discover, and pamac. Flatpak also provides a container folder which separates your data from your raw home folder, keeping your system and all the data inside organized.</p>
<h2 id="wayland-only">Wayland Only</h2>
<p>To take full advantage of Flatpak, you need to be using the Wayland display server. While you can use Flatpak on X11, it can&rsquo;t properly sandbox applications using X11 only because X11 does not provide any GUI isolation whatsoever and will work against your security. After all, in order to future-proof our stuff, we need to use Wayland to get that sweet fractional scaling and HDR support (coming soon™).</p>
<h1 id="why-not-snaps-or-appimages">Why Not Snaps or AppImages?</h1>
<p>Since Linux has no sandboxing at all, you NEED to be using something that provides sandboxing. Almost every Linux distro will not do this for you.</p>
<h2 id="appimages">AppImages</h2>
<p>AppImages, another universal format that while nifty, still won&rsquo;t do for you, especially since you are just trusting random packages on the internet, rather than a centralized store. This also results in the same user behavior that happens on Windows (and MacOS to a good degree) and we shouldn&rsquo;t go back to.</p>
<p>AppImages also pack duplicate versions of programs. If you install Electron apps like the private messenger Session and the note-taking app Standard Notes, you now have duplicate copies of Electron, which eats up more space.</p>
<p>There are people who argue Flatpaks also duplicate on multiple different versions of libraries, but this is greatly mitigated by compression, which AppImages don&rsquo;t allow for. That way, you aren&rsquo;t downloading the full package.</p>
<p>It has also come out the main dev of AppImages is a dunce who refuses to use Wayland and to update the FUSE module to work with modern systems.</p>
<h2 id="snaps">Snaps</h2>
<p>Canonical&rsquo;s snap packages also seek to solve the same issues Flatpak does, but it&rsquo;s mired with problems.</p>
<ul>
<li>Many people don&rsquo;t like Ubuntu pushing snaps or packaging Chromium/Firefox as a snap (even though Debian&rsquo;s maintainers are way too taxed to properly maintain Chromium fast enough).</li>
<li>Many people don&rsquo;t like the concept of snap&rsquo;s backend being proprietary (in my opinion this is silly because even if it was open-source, there would be no way to verify if Canonical were actually using the open-source code or not).</li>
<li>Snaps auto-update and don&rsquo;t allow users to disable it except through experimental settings.</li>
<li>Snaps&rsquo; sandboxing doesn&rsquo;t apply to legacy apps (&ldquo;classic snaps&rdquo;) and requires AppArmor. The sandboxing is worthless if you use SELinux or systems without mandatory access controls.</li>
<li>Many people, including me, also hate that Canonical logs everything you install, <a href="https://snapcraft.io/docs/snap-store-metrics">which assigns a unique ID to on installation</a> and for Canonical to do who knows what with. Anonymized statistics will <strong>always</strong> eventually be deanonymized, so it&rsquo;s only a matter of time, even if it&rsquo;s something like the flavor of Linux you use, the branches you enable, or the timezone you reside in. There&rsquo;s no way to opt out either.</li>
</ul>
<p>No doubt people will pick something to hate, but for me, inescapable telemetry and lack of SELinux is reason enough to give snaps a wide berth, unless you are locked into an application that absolutely needs it.</p>
<h2 id="flatpaks-are-better">Flatpaks Are Better</h2>
<p>Flatpak doesn&rsquo;t collect any telemetry, lets you add/host your own repositories, also doesn&rsquo;t require root, so it&rsquo;s more secure for you to use and more convenient for desktop users who want to download their favorite applications. Flatpaks also provide a powerful permissions access system, which controls exactly what programs are allowed to access.</p>
<p><em>Flatpak may be imperfect, but <strong>some</strong> sandboxing is better than none at all.</em></p>
<h3 id="the-cons">The Cons</h3>
<div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
			<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/xtsB38nyKtc?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
		</div>

<ul>
<li>Many people cite <a href="https://flatkill.org">flatkill.org</a>, which at the time, presented valid points. Unfortunately, that site hasn&rsquo;t been updated in years and some of what was said then is no longer true now. However, Flatpak is still irrevocably broken because of the fact it&rsquo;s built more to be a container than an application sandbox. As a result, this makes it really easy to bypass, but the devs are working on a solution.</li>
<li>Flatpak&rsquo;s poor security realistically could be fixed in the future through apps makers their sandboxes based on a standard (say, XDG portals) by coding their apps to distrust certain permissions by default. In fact, Whonix&rsquo;s devs are working on a sandboxed app launcher and Chromium has stronger native sandboxing than Flatpak.</li>
<li>Flatpak relies on every application operating off of the same libraries. This can result in dependencies not updating while some programs play catch up. Flatpak&rsquo;s developers appear to be aware of this and <a href="https://github.com/flathub/flatpak-external-data-checker">developed an internal tool</a> for making sure their package manifests are up to date.</li>
<li>Wine and 32-bit dependent gaming needs a lot of work. While some programs like Heroic work flawlessly, I&rsquo;ve seen problems with Lutris where some games will not install where they installed on the native package.</li>
<li>Flatpak strongarms people into Pipewire. While there are still some edgecase holdouts, we need to be moving towards more secure defaults rather clinging futilely to PulseAudio. In fact, when I was testing Pipewire when it first came out years ago, I had far less issues in its beta state than PulseAudio.</li>
<li>Some developers do not support Flatpak altogether. I had mentioned Session in the last video, but the Flatpak is not official. Many other programs fall into this category, so it&rsquo;s vital you analyze the build manifest. <del>As of the time of recording, the beta Flatpak site gives direct link to the manifest and with a teeny bit of know-how, it&rsquo;s pretty easy to figure out what&rsquo;s going on.</del> Flatpak now has a pretty simple and robust verification system to mitigate this, but anything without a checkmark should be suspect.</li>
</ul>
<h1 id="using-flatpaks">Using Flatpaks</h1>
<p>Forget about all this technical jargon! I&rsquo;ve talked about why you need Flatpaks, some &ldquo;drawbacks,&rdquo; but let&rsquo;s put this practice.</p>
<h2 id="how-to-setup--use">How to Setup &amp; Use</h2>
<p>First, add the Flathub remote. This gives you access to the main Flathub store.</p>
<pre tabindex="0"><code>flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
</code></pre><p>Using flatpaks is also easy! Flatpak uses the same syntax as apt and dnf:</p>
<ul>
<li><code>update</code> to update the repositories</li>
<li><code>upgrade</code> to run software upgrades</li>
<li><code>install</code> to install</li>
<li><code>remove</code> to uninstall</li>
<li><code>search</code> to search applications in your Flatpak remotes</li>
<li><code>uninstall --unused</code> to remove unused dependencies.</li>
</ul>
<h2 id="whatwhere-should-i-download">What/where should I download?</h2>
<p>Now that we have access to Flathub, this pretty much is the whole kitchen sink to download anything we want. Of course, I do want to address a common thing I&rsquo;ve read from other people online or seen in other content creators is people is something like this (first to last):</p>
<ol>
<li>Distro package</li>
<li>Flatpak</li>
<li>AppImage</li>
<li>Third party repo (AUR, PPA, etc)</li>
<li>Snap</li>
<li>Tarball/provided by developer</li>
<li>Compile from source</li>
</ol>
<p>This has been the way most people have seen packaging on Linux for a long time, but instead, I want to encourage all of us to look at this differently:</p>
<ol>
<li>Flatpak</li>
<li>Snap (if you use Ubuntu)</li>
<li>Distro package</li>
<li>Tarball/provided by developer</li>
<li>Third party repo</li>
<li>Snap (non-Ubuntu)</li>
<li>AppImage</li>
<li>Compile from source</li>
</ol>
<p>Flatpak, especially for graphical applications, needs to be your top priority as to where you download a package. Flatpak is far more flexible than many of its distro counterparts and is much robust at providing a secure window to a program without much tradeoff.</p>
<p>The other reason the vast majority of sandbox systems on Linux are unsufficient compared to Flatpak. Only Snap comes close, but Snaps come close and are definitely more suited for command-line programs, but if you don&rsquo;t use AppArmor, the protections that Snap provides are useless. The sandboxing of Snaps is also very flawed in that the experience is only really geared for Ubuntu as you need <a href="https://forum.snapcraft.io/t/snapd-still-requires-out-of-tree-apparmor-patches-for-strict-confinement/19632">a completely separate patch from Canonical for AppArmor</a> to achieve acceptable sandboxing.</p>
<h2 id="the-time-to-say-no">The Time to Say No</h2>
<p>The other issue people need to look at is the landscape of apps in Flatpak, but consider whether or not you should use them. Here&rsquo;s some of what find valid reasons to use a Flatpak:</p>
<ul>
<li><strong>The application is old and never received an update to match upstream.</strong> For example, one of the packages I could never recommend to anyone in Flathub is a really old copy of <a href="https://flathub.org/apps/com.adobe.Reader">Adobe Reader for 32-bit Ubuntu 12.04</a>. While this application is an amazing achievement at demonstrating the fact Flatpak can run multiple architectures, I could never recommend running it because of Adobe abandoning the project and many unfixed security holes remain.</li>
<li><strong>Unverified applications.</strong> On the topic of unofficial applications, Flathub implements a pretty simple and reliable verification system. Basically, this means you can trust any application with a blue verified checkmark. But what happens with apps that aren&rsquo;t verified? In these scenarios, you should view the &ldquo;build manifest,&rdquo; so you can verify what&rsquo;s happening. Chances are because of <a href="https://discourse.flathub.org/t/flathub-in-2023/3808">new vetting processes</a> odds of these being malicious are highly unlikely, but be cautious and read the code. If you can&rsquo;t read the code, how many other people submit issues and star the manifest on GitHub? Do your best here, but odds are you will be fine.</li>
</ul>
<h1 id="manage-your-permissions-with-flatseal">Manage Your Permissions With Flatseal</h1>
<div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
			<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/fAqcpVk3GNw?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
		</div>

<p>However, if you use Flatpak, I would strongly recommend double-checking your permissions using Flatseal. Flatpak is way too permissive by default, especially it allows most programs access to whatever they ask for on install silently.</p>
<p>There are plenty of easy ways to use graphical programs to tweak your Flatpak permissions like Flatseal. Flatseal is a program that generates &ldquo;override&rdquo; files that change what programs are allowed to do on your system, stored in <code>~/.local/share/flatpak/overrides</code>. If you use KDE, KDE has a built-in frontend identitical to Flatseal.</p>
<p>These permissions might be confusing and overwhelming, but I&rsquo;m going to try my best simplify how they work:</p>
<ul>
<li><code>Network:</code> Does GNOME Calculator or LibreOffice really need the internet, especially when Flatpak manages their updates? Audacity and Musescore adding telemetry? Let&rsquo;s kill the internet for the apps that don&rsquo;t need it. Most applications typically only enable it because they need it for their internal updating.</li>
<li><code>Interprocess Communications (IPC):</code> Allows program to read other processes and resources on your host machine. <a href="https://docs.flatpak.org/en/latest/sandbox-permissions-reference.html?highlight=permissions#f1">&ldquo;Is not necessarily required&rdquo;</a> unless you use X11, but you shouldn&rsquo;t be using X11.</li>
<li><code>socket=pulseaudio:</code> PulseAudio is a common vector for attack on desktops, since it grants access to your microphones if it&rsquo;s being used by another application. Applications that don&rsquo;t need to play audio (e.g. LibreOffice and ONLYOFFICE for example), should have this revoked.</li>
<li><code>filesystem=:</code> make sure you want your program to choose what folders it can access. Look out for global accesses and selectively pick folders to add using &ldquo;Other files&rdquo; in Flatseal.</li>
<li><code>device=all:</code> Don&rsquo;t want an app accessing PCI and USB devices, like your webcam? Limit this, but it is needed if you use security keys, webcams, microphones, etc.</li>
<li><code>Fallback to X11</code>: As X11 is a legacy technology, we should avoid it like the plague. Older applications like Chromium/Electron-based applications, Krita, and Minetest still need it, but applications like OBS, LibreOffice, KeePassXC don&rsquo;t because they support Wayland natively; just experiment with what works.</li>
<li><code>talk-name=org.freedesktop.secrets</code>: D‑Bus access to secrets stored on your keychain, like say, your GNOME Keyring or KDE Wallet data. This is needed for Chromium/Electron-based apps.</li>
</ul>
<h1 id="takeaway">Takeaway</h1>
<p>But what&rsquo;s the point of this discussion? Why are you even covering this? Because you need to use Flatpak because secure solutions need to be easy otherwise people aren&rsquo;t going to use them. Flatpak truly makes it easy and brings the Linux desktop one step forward to being that much greater.</p>
<p>I&rsquo;m going to go out on a limb here and strongly recommend you install as many of your applications as Flatpaks. In fact, go uninstall your applications that have Flatpak versions, move your config folders to the Flatpak sandbox, and embrace the future as we wait for the next best thing.</p>
<h1 id="more-resources">More Resources:</h1>
<ul>
<li><a href="https://flatpak.org/setup/">Setting up Flathub on various distros</a></li>
<li><a href="https://flatkill.org/">Flatkill (2019-2020)</a> discusses how the default permissions set by Flatpak need to be more strict.</li>
<li><a href="https://theevilskeleton.gitlab.io/2021/02/11/response-to-flatkill-org.html">Response to flatkill.org</a>, TheEvilSkeleton&rsquo;s rebuttal for Flathub not addressing security advisories.</li>
<li><a href="https://madaidans-insecurities.github.io/linux.html#flatpak">Flatpak gives complete access to /proc and /sys</a> by madaidan</li>
<li><a href="https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak-override">Flatpak Command-Line Overrides, by the official documentation</a></li>
<li><a href="https://github.com/rusty-snake/kyst/tree/main/flatpak">rusty-snake&rsquo;s Flatpak overrides</a></li>
<li><a href="https://github.com/tommytran732/Flatpak-Overrides">tommytran732&rsquo;s flatpak overrides</a></li>
<li><a href="https://github.com/flatpak/flatpak/issues/4031#issuecomment-748891490">How does Flatpak handle security?</a></li>
</ul>
]]></content:encoded>
    </item>
  </channel>
</rss>
