Lmst

#BashCore is secure because it's based on #Debian, but don’t expect a fortress like #Kicksecure, #Whonix or #Tails...
It’s a Swiss knife: light, flexible, powerful.

For those who like to play hard: #Lynis is included, so you can test your setup and fix what you break. Have fun! 🤪

#Linux #CyberSecurity #Pentesting #InfoSec #Hardening #MinimalLinux

#Debian splash!

Fig 1. Neofetch can’t get past hypervisor to profile hardware in #Qubes

Fig 2. But even with permission hardener and and hide hw info from security misc in #Kicksecure,
admin can still get to #baremetal

How to block self-consciousness?
There are known unknowns, the unknown unknowns,
and the not to know in order to know unknowns . . .

Tips for latest Qubes: security-misc applied to #Whonix GW and WS, firejail dvm captive portal, onionize Dom0 sources and Whonix, remove xscreensaver

Fig 3. TB thinks https is a onionsite down ; )

Defenses for Sensitive .state (R/W)

#Rust memory safety
https://doc.rust-lang.org/book/ch04-01-what-is-ownership.html
https://yewtu.be/watch?v=VFIOSWy93H0

#Kicksecure & #Whonix – compare live to SUID controls
Permission Hardener
https://kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/wiki/Security-misc#SUID_Disabler_and_Permission_Hardener
User-SysMaint-Split
https://kicksecure.com/wiki/Dev/user-sysmaint-split
https://github.com/adrelanos #PatrickSchleizer

Flaws in #Cloud / #Virtualization (https://lemmy.world/post/24009127)
Ultravisor – can’t trust hyper anymore… (24:45) “protected memory areas”
https://media.ccc.de/v/36c3-107-the-challenges-of-protected-virtualization
https://www.kernel.org/doc/html/v5.9/virt/kvm/s390-pv.html
RPC and IRQ - #IBM
https://forum.osdev.org/viewtopic.php?t=23159
good/bad memory
https://en.wikipedia.org/wiki/Page_%28computer_memory%29

#Oracle Sovereign Cloud AI “Sentinel” – #LarryEllison tech profile and #technototalitarianism
https://www.youtube.com/watch?v=YHGztqtmlug
https://www.youtube.com/watch?v=5Hj-HtW-zRo
https://jbs.org/audio/analysis/the-collusion-against-your-freedom/ #ElonMusk
https://www.whiterabbitneo.com/
https://www.whonix.org/wiki/KVM#Why_Use_KVM_Over_VirtualBox?
VS. https://igniterefereeing.com.au/ 7GB for netinst!?

Mateusz Chrobok – #3mdeb #fightingforfreedom, State Considered Harmful, #OpenAI
https://3mdeb.com/why-fight-for-freedom/
https://www.youtube.com/watch?v=gke8WF6_UE4
https://blog.invisiblethings.org/papers/2015/state_harmful.pdf

#Libreboot (https://lemmy.world/post/17204445)
SpiSpy
https://trmm.net/Spispy/
https://cfp.3mdeb.com/qubes-os-summit-2024/talk/FCENX9/

Confidential Computing
https://www.kicksecure.com/wiki/Dev/confidential_computing
https://www.kicksecure.com/wiki/Verified_Boot
#kicksecure

On Mobile Phone Security
https://www.kicksecure.com/wiki/Mobile_Phone_Security
#SS7 and #baseband #vulnerabilities

What about #mobian hardening on a #MechaComet with a cellular hat? Then there's only carrier protocol weaknesses...

If ISPs use microwave relays (the hated 'air' - remember Max Headroom) and NSA access points, is domestic broadband really secure either? But the cable or fiber doesn't have 'carrier' vulns.
https://www.kicksecure.com/wiki/Router_and_Local_Area_Network_Security

#kicksecure #whonix #docs #security-misc

#ElSalvador #crypto #BTC #ETH #XMR
https://www.reuters.com/markets/currencies/el-salvadors-bitcoin-wallet-be-sold-or-discontinued-after-deal-with-imf-official-2024-12-19/

Developing secure crypto systems
https://www.kicksecure.com/wiki/Live_Mode
#Debian #Kicksecure #Whonix #Monero
https://forums.kicksecure.com/t/live-kicksecure-host-live-whonix-vm/779

Opt out of being robbed of sense to pay for your own oppression. No need to be complicit in the subjugation of yourself and others. Privacy and security for the people, transparency for the tyrrants! We need a confidential layer to enforce our Rights.

Encryption enforces Rights, the government violates them.

https://www.cryptopolitan.com/free-roger-ver-gains-momentum-charles-hoskinson-adds-support-as-open-letter-reaches-2744-signatures/

Tor subtleties:
stable Entry Guards makes it harder to detect using #TAILS

...but then taking additional steps like removing oniongrater from Whonix GW or adding Vanguards usually decreases the range of function for applications but also hardens and protects guards from deanonymization.

https://gitlab.tails.boum.org/tails/blueprints/-/wikis/persistent_Tor_state/

https://www.whonix.org/wiki/Tor_Entry_Guards

https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters/

https://www.whonix.org/wiki/Dev/onion-grater

#TorProject #Whonix #Kicksecure #Debian #tor

@DukeDuke I use #QubesOS every day. Right now I am also trying #Kicksecure as a hardened template for QubesOS. You can run #whonix on top of QubesOS too.
You can read about the basic ideas here https://www.qubes-os.org/doc/how-to-organize-your-qubes/.

Make sure that you use disposables whenever possible. But know limitations too. While QubesOS provides strongest isolation right now probably, the damage from compromising even one compartment can be significant sometimes (e.g., messaging apps).

@SoLSec i noticed the debian hashtag in your profile - have you checked out #kicksecure tho?

https://kicksecure.com

has anybody tried applying kicksecure's security-misc to proxmox?

https://github.com/Kicksecure/security-misc

#proxmox #kicksecure #security #homelab

i shouldnt have any problems setting up ivpn on a kicksecure-based qube on qubes os, right?

@ivpn

#IVPN #qubes #qubesOS #kicksecure

#PAM (Password Authentication Module) has a big problem, at least in Debian derived OSes. #bugbounty

Must be PAM because there is no way people can read minds and change your log10=23+ passphrases to a different one unknown to you, right? I've seen this happen multiple times now. Not easy to do.

W^X (#Kicksecure) and "stateless" computing solutions to controlling R/W are necessary unless you want to start over everytime someone wants to F a persist / LUKS remotely.

Maybe clues toward a solution here here:
https://blog.verbum.org/2020/08/22/immutable-%E2%86%92-reprovisionable-anti-hysteresis/

But I think #Spectrum is approaching a point where matter is just a matter of energy, so really, how can you control information and memory from being altered with just the right energy?

#TheIllusionOfReadOnly

if i go with proxmox, i'm gonna see if i can apply #kicksecure 's hardening to it (or at least as much as possible)

if xcp-ng, i'll probably just leave it mostly as-is tho i'd like to see if i could use a more recent base distro for dom0