OS level hardening, in light of Vault 7 revelations

OS level hardening, in light of Vault 7 revelations.

Obviously one of the biggest pieces of info to come out of this were the system level exploits to negate encryption schemes.

So where do we stand on this?
I mean, "Install gentoo" isn't even a solution anymore.

So, system hardening general?

There's no solution, right now it boiled down to "use what you like".
The whole movement was destroyed and reduced to nothing. Every OS is compromised, Hardware is compromised, Software is compromised.

Unless there's an effort to create an architecture from zero and uncompromised (also uncompromised hardware), there's no meaning to any of it.

You may as well use Win10, Chrome, Intel, make a Steam account and play games such as Watch Dogs 2.

there's nothing you can do but this
- don't post personal shit online
- don't become a target

...

Is there a list of (((approved))) hardware?

That's where you're wrong, kiddo.

That's kinda why I started the thread.
There needs to be a reassessment and accounting of who's who in the zoo.
We need to be able to make an informed decision on the least bad options in front of us.

I tried to write a business plan once for a startup to do secure comms boxes. Like the Telex machines that used to be in offices.

Tech side was fine. Didn't trust Win/Mac/Linux so was going to build on Project Oberon 2013. Could have ported Dan Bernstein's TweetNaCl & CurveCP to implement a VPN for the built-in Oberon network programs like email. Maybe reimplement the VM from a MOO server like ColdCore for real-time chat.

Problem was making money. Companies don't realise they need this stuff. They just go out of business thinking they've been out-competed by US firms, when what really happened is that those US firms have had every bit of confidential data handed to them by the NSA. I believe > 80/90% of the SIGINT workload is industrial espionage, the terrorism/CP headlines are just a PR job for Congress appropriations.

Sup CIA? Trying to damage control this hard?

OP, quit being a fucking tard who doesn't know anything about technology. I mean sure you fit in with the rest of Holla Forums that way but you do look retarded. Just because the CIA used software vulnerabilities doesn't mean every distro or the Linux kernel has them. Try actually reading the wikileaks papers instead of being a faggot who listens to boiled down blog posts and image board posts about them.

And check my digits

So instead of pay for play, we have play for play.

Sweet blueberry fuck, that's disgusting

...

kek'd


elaborate


What distros are you claiming are uncompromising? Ignoring the hardware complication

We won't need the internet anymore when we create our own.

What revelations? That viruses and exploits exist? That shadowy government agencies use viruses and exploits and even have an in house version of Metasploit? I have yet to hear anything new with this leak in relation to home computers when compared to what Snowden already leaked.

Just follow the normal rule of presenting an attack surface inversely proportional to your level of paranoia. When did this board get so full of children?

Where are all those PDFs featuring the high tech NSA mobile units like massive Satellite dishes and WiFi dongles in a van?
Would love to refresh my memory on those.

Checked

The userbase is at this point a bunch of holdovers from GG. The vast majority of 8ch is just the intersection of Holla Forums and Holla Forums. 8ch has never made anything good in its entire existence. It's mostly stale memes copied from 4chan at this point. 4ch /g/ is even better than this place these days. Sometimes on Holla Forums, when it's not getting raided by /freech/ or Holla Forums, this place averages maybe one post every three hours. This place is fucking done, I rode it out to the end. I'm fucking calling it: Holla Forums is dead. Another failed attempt at Chanology. I never went on Reddit except by way of a web search and I'd say that Reddit is superior to 8ch in terms of thoughtful discussion. That's right, this shithole has less redeeming value than that SJW-infested shithole.

I have never seen any anons on 8ch do anything of value. The best they have ever done is serve as a boogeyman for the leftist media. But as far as actually making an impact, it's a pathetic waste of man-hours. I spend more time watching technology tutorials on YouTube and learn a hell of a lot more about technology than I get from this site. Even 4chan has more smug anime girl faces, better smug anime faces. It's fucking over for 8ch, nothing personal kiddo.

No, that's fucking retarded. Win10 is actively spying on you 24/7 by default. That is far more harmful than using an OS that could potentially get targeted and exploited by the CIA.

Then leave you cancerous namefag

They had to develop a lot of malware for various OS, in order to break into people's systems (exception: Windows 10, because it is the malware). So if you want to make it hard on them, use an OS that's hardened to the max and doesn't have a lot of bullshit installed like binary blobs and desktop environments or other things that do shit behind your back for "convenience".
Simpler programs = less code = less bugs = less exploits
BTW, the big browsers like Chrome, Firefox, etc. are not simple at all. Unfortunately a lot of the modern mainstream web is unusable without them. So now you get to decide what's important: playing browser games and visiting social media sites, or defending your property.

You just can't help being a sloppy turd sandwich, can you? This is the end, it's no different than 7ch at this point, just an IRC cabal that keeps the front-end going with bot posts. It's worse than worthless, and you have the temerity to call me cancerous? Wew lad, smh tbh fam.

So Parabola Linux won't even boot on my laptop because it nags about firmware blobs

Am I fucked?

He's right. You are cancer. You run around with your name and unwarranted self importance while complaining about IRC cabals? You are the cancer killing this place. The very concept of the imageboard is dead anyways so you're not accomplishing much if killing this place with no survivors was part of your master plan anyways.

You can fuck off anytime now

HELP
BUMPING FOR THIS

My importance is beyond contestation. I have done more and will continue to do more than you could ever dream.


It's a bad habit to keep coming here.

Wait a sec, I remember hearing that wikileaks was compromised a while ago, between being unable to provide a timestamped image of anyone there and a key mismatch, has it been resolved?

Assange is dead and WikiLeaks is being run by various intel agencies. It's a ruse cruise. Has anyone done jail time based on these so-called leaks since they started? No. What more do you need to know about it?

Disregard what I just said, I suck cocks.

No, I'm Spartacus!

Anyone have a good list of Linux Kernel configuration options for security hardening?

Actually, the exploits on Linux were about having the malware already in the system. But how they plant it, it didn't discuss. If you don't install untrusted software and only use the official repos and not plug in untrusted usb drives, you should be fine.

The namefaggot is actually right. If half the people here didn't migrate to Holla Forums within the last week they would have seen threads on both Holla Forums and Holla Forums where the hashes failed. Hell you can see this on fucking reddit if you search for it.

These leaks are simply Snowden 2: chilling free speech electric boogaloo.

Install Gentoo is still, and has always been, a solution. Hardened Gentoo with musl, perhaps only amd64 (for purity, not security) is more than safe enough.

Luckily for me I have an x200 with Libreboot. Waiting on Librecore.

Also, make sure you have

USE="hardened deblob -bindist -systemd -pulseaudio -poettering"
ACCEPT_LICENSE="-* @FREE"

in your make.conf

Install Gentoo is still a solution or you could go for a hardened *BSD variant. It's still possible to browse without compromising your OPsec. If you're truly worried airgap the computer with your ultra rare pepes from everything else on your network.

Everything is compromised at the hardware level and the old stuff has known exploits but if you can deny access you're still fine. Not much has changed just more information is out in the open about things we already knew is all.

Yea sounds about right, all of you should be ashamed for taking this bait. The only thing you've been correct about so far is Assange being dead. Why don't you drop the ego and contribute good posts if you're so concerned about the board quality?

why do you bully Poettering

It doesn't help the CIA any if they paint themselves in a bad light. If they were really in control of wikileaks, none of this would have surfaced.

Lennart has no heart.
systemd don't fit with me.
Poetteringware? I don't care.
Bloat don't float.
PulseAudio? Got to go.
Not GNU? Bad for you.
Red Hat? Fuck that.
etc.

Why aren't you using the best OS with industry standard compatibility and stability?

...

OP, ignore the all hope is lost shills. Look at Qubes and their recommended hardware. Disable ME if possible or use a third party NIC if not.

Elinks and w3m work pretty good with most things.

I wish I was good enough at Linux to install Gentoo. I tried once, but it took hours, eventually I just gave up.

1478962773/10, you have underflowed the rating.

You've just got to be patient and let that shit compile. It can take days if you are doing it on a toaster. Gentoo isn't really that hard these days. The nerve wracking part is already done for you. Just follow the book and let it crunch away at the code

It's called a limited hangout operation.

And on the topic, I would recommend everyone to use openbsd and use the highest operational security in day to day tasks as possible.

It's not so "limited" if all their tools and docs are getting dumped. So far wikileaks only released like 1% of what he got.

Are all desktop environments that run on HAL compromised?

So... how would you go about determining whether or not you are running on compromised hardware?

Fascinating, pls tell more.

Does electricity go through it?
It's botnet

=[

As far as I know, our hardware options are basically
Intel up to 945 or AMD up to Piledriver. coreboot/libreboot/librecore hardware is best, but I would guess a pre-EFI BIOS would generally not be malicious. A ThinkPad T60/X60 is probably about the newest you want to go for truly secure laptops.
AFAIK, the best options are pretty much dual core 1GHz Allwinner A20 chips. Newer Allwinner hardware has spotty mainline support. H3 might be okay with another year or so of mainline development. I'm not very familiar with non-Allwinner SBCs. There might be some good ones I don't know about.
There are no known privacy issues on POWER/PowerPC. The cheapest options are old Macs, but PPC32 support has disappeared from almost every distro except Gentoo, NetBSD and OpenBSD. OpenBSD's PPC ports don't have working heavyweight web browsers anymore. NetBSD actually never had PPC64 support, only PPC32. The 64-bit G5 towers are basically slightly cut down POWER4 workstations. Some of the fastest water cooled G5s (>=2.5 GHz, I think) are known to have O-rings in the water cooling systems that go bad, spilling corrosive coolant all over the motherboard and PSU. If the leak is detected quickly enough, the O-ring can be replaced before any damage is done. The slower models are air cooled, and are generally reliable. Used POWER7 and POWER8 hardware costs five or ten times more than new x86 hardware for similar performance.
We could go full RMS and get Yeelongs. Slow, expensive, rare. I can't think of any other practical MIPS hardware.
They're still out there. I don't know much about them, but I hear that they're good in the privacy and security department. OpenBSD likes them because subtle bugs in new code tend to show up on SPARC first.
Not available yet, but it sounds like it might be a good arch in a few years, if it ever catches on.
You could put that old 386 or 68030 machine in the closet to use. It will also give you an excuse to open that box of 2DD floppies that somebody bought in 1993 and never used. It won't do anything more than word processing and spreadsheets, but it's a good air gap system. If it has 4 MB of RAM and a 40 MB hard drive, NetBSD probably runs on it. That would give you modern crypto to encrypt those floppies with.

Software options
The Gentoo you know and love, just one profile selection and "emerge hardened-sources && emerge -e system && emerge -e world" away. Security approach is basically a hardened compiler and toolchain, and a Linux kernel with the grsec patches on top of it to help prevent exploits. Runs on almost everything you can think of. Don't forget to do this too.
Lightweight distro with libressl by default and linux-grsec kernels available. Uses busybox, musl, and OpenRC instead of GNU and systemd like most distros. Works on x86 and ARM.
Comes with libressl by default, but no kernel hardening. Still probably better than most distros. Uses the runit init system, and optionally musl instead of glibc. Works on x86 and ARM.
Avoids most exploits by writing software correctly to begin with. I personally think this is the best approach. OpenBSD has also repeatedly pioneered security features that find their way into Linux years later, if at all. The tradeoff to their correct code policy is that development takes longer, and OpenBSD doesn't support newer hardware as quickly as Linux does. Radeon 7700+ support still doesn't exist five years later, for example, but it will work great on your old ThinkPad and the FX-8150+6870 gaming rig you built a few years ago. Works best on x86, but supports lots of other architectures.
Honorable mention for older or offline computers. It is a very lightweight OS that will run on

How much do you want to trade usability for security? You'll have to make that choice for yourself.

Blobs
Most wifi chips require blobs, which would be most easily exploitable considering they sit between the OS and the network card itself. Atheros cards are good, available in both internal PCI/PCIe and USB flavors. The AR9280 is a good 300 Mbps 802.11n card for a laptop, but you should check to see if your machine has a whitelist that will try to stop you. Often, the whitelist can be bypassed somehow. Also worth considering that a DMA attack might be possible over PCI, but not over USB, so keep that in mind.
Nvidia has bad drivers, but they don't require blobs except for video decode and on very new hardware. Intel GPUs have good drivers, but are usually slow, except on new hardware. Most hardware doesn't require blobs, but Skylake changes this. AMD GPUs have the best support in Linux, but require a blob to make the open source drivers work. With a proper kernel design, these blobs shouldn't be exploitable, but I don't know how this matches up with reality.

Hardware security
Any compromised machine can turn a microphone on to spy on you or to exfiltrate data at frequencies higher than your hearing range. You may wish to disconnect it from a laptop if this bothers you. They can even use the microphone to guess your keystrokes.
Many chipsets can run speaker circuits in reverse to turn the speakers into a microphone. Better disconnect these, too. Use headphones instead if you need sound at all, and don't plug them into a combination headphone/mic jack.
If you have one, disconnect it. Use a USB one if you need to so that you can unplug it.
Don't enable FireWire, PCMCIA, or ExpressCard support, and block off any other externally accessible PCI lanes. On a ThinkPad with a dock, you can lock the dock to the machine to make it harder to get to the dock port. They can pick the lock of course, but it's a deterrent. External video outputs are also suspect, as they may provide DMA to the video card through a bug in EDID parsing, and thus allow somebody to exploit the GPU driver.
You can make an effective version of secure boot using a laptop with coreboot and a GRUB payload. Basically, install a GRUB config in your coreboot payload to load a kernel off of an encrypted partition. Then, the only thing they can do is open the hardware to reflash the machine. To detect this, you can get some glitter paint and paint all the screws on the bottom of the machine. Then, take a high resolution picture of the glitter on the screws, and compare each time you leave the hardware unattended. This way, somebody who uses a screwdriver will have to repaint the screws, and the glitter will be in different places on the screws, which you can detect by comparing to the pictures you took.
For 100% paranoia, stick to your laptop's onboard keyboard, and fill your USB ports in with hot glue. For a desktop, just glue everything into the back of your computer, and never connect or disconnect anything.
Consider wifi encryption to be broken already. Local traffic should take place over Ethernet (it's faster anyway). Traffic going to the internet will be intercepted by your ISP, so it's less of an issue there. Assume any wifi card that requires a blob connects your kernel directly to the CIA.
If running less than DDR3, you'll need to be aware that they can take out your RAM and dump the contents. It may be a good idea on a desktop to rig something up to immediately poweroff when the case is opened to buy a few more seconds for the memory contents to fade. You could use this with an electromagnet or thermite to nuke your hard drives as well. For laptops, never use suspend on an unattended laptop. Always turn it off.
SSDs don't reliably erase data. Don't use them. Use a hard drive with full disk encryption. I would also recommend sticking to ext2 on Linux or FFS on BSD so that you can securely erase your data. It's not as reliable to secure erase data on newer file systems like ext3/4, XFS, ZFS, etc.

2/3

Software security
Disable anything you don't need, as it is probably vulnerable to something.
Put browsers and other heavy programs into their own user accounts, and access them through an SSH connection to [email protected], or press Ctrl-Alt-F2, and log in to the account directly. chroots are reasonably secure on a hardened system, and can be used to lock down daemons.
Block all incoming connections. If extra paranoid, firewall all non-essential outgoing connections as well.
Every package you install is possibly vulnerable to something. Trim it down to the bare essentials. Don't even install X11 unless you absolutely have to, as it is a steaming pile of vulnerabilities by itself.
Grsec security policy mechanism. It's like umatrix for your OS. Not easy to live with for a regular desktop user.

3/3

Thanks, user.

That headline screengrab is hilarious! It's like normies asking for the chans (well established synonym for autist gathering place) to come and help them, when they never wanted to fuckin' listen in the first place.

The sad thing is, that no one can save these idiots. It's about HOW you use the tech, not about patching security bugs. They would have to stop being idiots and lazy assholes, and that's about as hard for a normie to do as it is for an autist to be a normie.

"Connect it to the internet and someone's gonna own it."

Very easy:
- air gapped whatever hardware/OS for personal shit
- Cloud Internet NOW! Powered WINDOWNS*/IOSX*/GNU* for everything else

Run a hypervisor, get a switch capable of PVLANs. Run anything which needs to connect to the internet in its own VM on an isolated PVLAN. It's what I do. Even if it gets hacked, it can't access anything else on the network. You'll never prevent compromises, but you can greatly limit the amount of damage they cause.

Is generic chinese ARM hobby shit backdoored?

If you were running BSD on a Rasuberu Piru Chinese Knockoff you'd probably be safe.

What, why do you think OpenBSD works best on x86?

Did you look at the Vault 7 material?
They've been breaking air gaps by e.g. hiding the data in chan images you save wikileaks.org/ciav7p1/cms/page_13763247.html

That's only useful as a data carrier if the air-gapped machine is already compromised. Otherwise any data they hide this way is just useless noise.

Assuming you meant to reply to me.

There's a few other codenames mentioned with respect to air gap, but let's talk about this one.
I don't run an air gapped system, so I am not that knowledgeable about it - help me understand.
By air-gapping, you cut the network so you can operate under the assumption of no incidental data transfer.
Doesn't this violate that assumption?
The rebuttal of "it's only data being transferred" - wouldn't that train of thought allow you to just plug an ethernet cable into your machine? Networking is only data.

I hope you understand I'm not saying an air gap is useless - I think it's excellent depth.
I still think there's more to talk about than "just air gap".

I've tried it on PowerPC and ARM. My experience on PowerPC is that although the OS works, some of the drivers such as fan control on my particular box are incomplete. I've also had a long history of buggy SMP, but that bug seems to have been recently fixed. ARM support isn't even really there. It's almost nothing but Ethernet and USB support on three or four boards. The heavier web browsers, while technically not a part of OpenBSD itself, won't build on non-x86 architectures. I don't have any experience with VAX, MIPS, HPPA, loongson, or SPARC, and can't really speak to their hardware support, but the web browser issue would still apply, hence my comment.

Works great on PowerPC for me, whereas Debian barely worked at all.
The web browser issue is the same no matter what OS you are using, it is not an OpenBSD problem.

Right, air-gap means you disconnect all network cables, wifi devices, etc. Ideally you even remove the antenna of wifi devices, and ideally just take out the cards entirely (assuming they're not part of the motherboard). Probably you also get rid of or unplug stuff like bluetooth, infrared, webcam, microphone, and whatever else could be used for some form of primitive networking (PC speaker + microphone = comms via audio carrier).
Now you have a computer that's about as networked as an 80's micro without modem. Except that it unfortunately has USB ports instead of real serial/parallel ports and floppy/cassette drives. Unfortunate because USB is much more complicated than those, and it already has been used as an attack vector ("badusb").
So now, some image files that you downloaded from Internet happen to have data embedded inside them. You copy them to your offline system somehow, and then they sit there forever or until you delete them. And that's it... There's no 2-way communications possible, and the data embedded inside the images is effectively just noise. It probably makes the images more bloated, or adds subtle artifacts to the picture. It's a waste of bytes, but it doesn't accomplish anything interesting on its own.
To actually do anything useful, the data would have to be formed in such a way that it exploits a bug in your image viewer, a bug serious enough that it can be used to execute arbitrary code. The problem with that is: your offline machine can be literally any OS and architecture, and nobody will know exactly what it is except you. So any attack will be going in blind, and hoping for the best (that you're running some really common combination of hardware and OS). So this is where you become a deviant, and refuse to run anything remotely "normal" on your offline machine.
You can even go so far as to write your own image viewer entirely from scratch, using no common libraries (no imlib, libpng, etc.) You start from scratch, and with an eye on correctness and simplicity. Maybe you even convert all your images to one simple format on your Internet-connected machine, before transferring the images to your offline system. Simpler code = easier to audit, so less bugs. This image format could even be a custom one you created yourself!

No it isn't. Gecko browsers just work on Gentoo. Firefox ESR even gets stable keywords. I don't know if there's anything special that needs to be done to get it to compile on OpenBSD, but other Linux distros with an official PPC port don't have an excuse for Firefox and Seamonkey to be broken.
Debian has always frustrated me. There's always something that doesn't work right, regardless of the architecture. Back when I was distro hopping, my Debian experience on several machines would end when dpkg took a dump and corrupted the database of installed packages. I got tired of constantly fixing things and moved on. Ironically, I found that Gentoo needs the least amount of cleanup for what I need out of an OS.


If anybody actually has this much time on their hands, they should write some software for farbfeld. It's a very simple lossless image format. If compressed with bz2, file sizes are sometimes smaller than png.

tools.suckless.org/farbfeld/
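
Added example, not part of the thread and not suckless code: a strict decoder for the farbfeld format linked above, of the kind the from-scratch image viewer posts describe. The FF_MAX_DIM cap and every name here are assumptions of this example, and the embedded sample image is constructed.

```c
/* Strict farbfeld decoder: "farbfeld" magic, big-endian 32-bit width and
 * height, then width*height pixels of four big-endian 16-bit samples (RGBA). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FF_HEADER_LEN 16u     /* 8-byte magic + 32-bit width + 32-bit height */
#define FF_MAX_DIM    16384u  /* assumed policy cap; the format allows 2^32-1 */

enum ff_status { FF_OK, FF_SHORT, FF_BAD_MAGIC, FF_BAD_DIM, FF_BAD_SIZE, FF_NOMEM };

struct ff_image {
    uint32_t width, height;
    uint16_t *rgba;           /* width * height * 4 samples, host byte order */
};

/* Constructed sample: a 2x1 image (opaque red, then an arbitrary pixel). */
static const uint8_t FF_SAMPLE[] = {
    'f','a','r','b','f','e','l','d',
    0x00,0x00,0x00,0x02,  0x00,0x00,0x00,0x01,
    0xFF,0xFF, 0x00,0x00, 0x00,0x00, 0xFF,0xFF,
    0x12,0x34, 0x56,0x78, 0x9A,0xBC, 0xFF,0xFF,
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

enum ff_status ff_decode(const uint8_t *buf, size_t len, struct ff_image *out)
{
    out->width = out->height = 0;
    out->rgba = NULL;

    if (len < FF_HEADER_LEN)
        return FF_SHORT;
    if (memcmp(buf, "farbfeld", 8) != 0)
        return FF_BAD_MAGIC;

    uint32_t w = be32(buf + 8), h = be32(buf + 12);
    if (w == 0 || h == 0 || w > FF_MAX_DIM || h > FF_MAX_DIM)
        return FF_BAD_DIM;

    /* With both dimensions capped, w*h*8 <= 2^31, so this cannot wrap. */
    uint64_t need = (uint64_t)w * h * 8u;
    /* Exact match: rejects truncated files and bytes appended after the pixels. */
    if ((uint64_t)(len - FF_HEADER_LEN) != need)
        return FF_BAD_SIZE;

    uint16_t *px = malloc((size_t)need);
    if (px == NULL)
        return FF_NOMEM;

    const uint8_t *p = buf + FF_HEADER_LEN;
    size_t samples = (size_t)(need / 2);
    for (size_t i = 0; i < samples; i++, p += 2)
        px[i] = (uint16_t)((p[0] << 8) | p[1]);   /* big-endian 16-bit sample */

    out->width = w;
    out->height = h;
    out->rgba = px;
    return FF_OK;
}

void ff_free(struct ff_image *img)
{
    free(img->rgba);
    img->rgba = NULL;
}

int main(void)
{
    struct ff_image img;
    enum ff_status st = ff_decode(FF_SAMPLE, sizeof FF_SAMPLE, &img);
    printf("full file: status=%d, %ux%u\n", (int)st,
           (unsigned)img.width, (unsigned)img.height);
    ff_free(&img);

    st = ff_decode(FF_SAMPLE, sizeof FF_SAMPLE - 3, &img);
    printf("truncated: status=%d\n", (int)st);
    return 0;
}
```

The exact-length check only catches data appended after the pixel array; anything encoded in the pixel values themselves still decodes as ordinary image data.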

reminder assange is probably dead

Not sure why Firefox works on Linux but not OpenBSD.
marc.info/?l=openbsd-ports&m=144533213823472
marc.info/?l=openbsd-ports-cvs&m=144312613721859

On PowerPC Gentoo worked a lot better than Debian for me.
How long did it take you to compile Firefox?

It takes about 3-3.5 hours to compile on this system. I'm using =sys-devel/gcc-4.9.4, CFLAGS="-O2 -pipe -mcpu=970 -mtune=970 -mabi=altivec -maltivec -fomit-frame-pointer" and MAKEOPTS="-j3" on a dual 1.8 GHz G5 with 2 GB of RAM.

Thanks for the links. I'm not a C++ programmer, but I'll look at it and see if I can figure it out.

SOMEONE EXPLAIN THIS

youtube.com/watch?v=ohmajJTcpNk

Real time face mapping. It's exactly what it sounds like.

cia nigger, i use templeOS!

WHAT

this can't

In Assange's Reddit AMA in January, he would not provide anything signed with his PGP key despite there being a legitimate concern over his identity. This is good proof that PGP works, and that the CIA can't break it.


reddit.com/r/IAmA/comments/5n58sm/i_am_julian_assange_founder_of_wikileaks_ask_me/

Assange is either dead or locked in a CIA torture dungeon.

well then

does this imply that wikileaks is compromised?

WEW LAD

It would. What is interesting is that if Wikileaks is CIA-controlled, one would think that they wouldn't paint themselves in such a bad light with the contents of the Vault 7 release. I haven't figured that part out yet.

Here's the beginning of the story for those of you that missed it. Skip straight to the eight item list.

conservativedailypost.com/breaking-assange-missing-for-days-announced-dead-embassy-stormed-after-airport-lockdown/

perhaps it was done to instill paranoia and cause in-fighting? or to be like "oh no there go our totally secret secrets, guess they found it ALL out, yep theres nothing more to discover, thats totally all our secrets"

any of you guys know how to get Kali running in qubes os, I made a standalone vm with dom0 console and I emulate the iso inside of it and the installation works fine but afterwards it just boots into dead gray pixels

oh please

huh, i never implied pol knew anything or even mentioned them, and that demeaning language you're using sure seems like you're trying to talk down to me to make my thoughts seem ridiculous.

suuuuure seems like a cia nigger is trying to make me look bad so no one considers my theories

...

SHILL DETECTED

In order for the Phoenix to rise anew, it must first become engulfed in its own flames and fall to the Earth.

...

Pour all the bad press on the old carcass, slay it, and build a new one from scratch which basically does the same thing.

Actual solution: Enclose a room in a Faraday cage, and use a computer with no speakers/microphones (due to imperceptible audio-based hacking techniques), and use full-disk encryption. No connections to the internet whatsoever; if you want to connect to the outside world, use a different computer and manually bring files over to the other computer.

Is it impractical? Yup.
Will it make you seem like a freak? Yup.

But that's where we are at right now.

Theories mean nothing without credible evidence. I can claim my theory that Trump eats newborn babies for breakfast but it means nothing without credible evidence.

Billions of people have this much time on their hands. It's just that they spend that time on TV, video games, booze, drugs, etc.
In the 80's, it wasn't uncommon to just make shit up from scratch, especially since there was very little awareness of what other people were doing. Even commercial developers often made their own tools and file formats. You even had custom languages, for example:
anotherworld.fr/anotherworld_uk/page_realisation.htm
en.wikipedia.org/wiki/Z-machine
Nowadays people will look at you funny if you do your own thing from scratch, instead of using common libraries or tools. They have become brainwashed into always using 3rd party stuff. Maybe some environments like Lisp and Forth still encourage the old way to some degree. TempleOS falls under that category as well. In one of his videos, Terry even mentions that in the old days, you "brought your own tools with you" (he means the tools you wrote yourself, on your 8-bit micro). You can learn a hell of a lot this way, and it's more fun.

It's called productivity. You can get more functions done by reusing the functions that other people have designed and matured before you did. The software functions of the 80's were simple enough that it was feasible for everyone to reinvent the wheel. As people demand to get more functions out of their software, the amount of work required to deliver that demand also increases. This is why libraries and frameworks exist.

But it's mostly a lot of bullshit. All those huge web frameworks that get more complicated every year are effectively random bug and security hole generators. I could only see some merit if they were made for simplicity, clarity, and well-audited. But instead they're all about endless features. Plus they make the client interface more complicated as well. Now you have all these bloated browsers with megabytes of JS needed to just display some text on the screen. Huge waste!
Anyway you won't learn much from using them.

As far as hardware goes, to my knowledge there is no evidence to suggest AMD CPUs are compromised. Intel and Qualcomm have built-in back doors. I'm not saying AMD definitely don't, but that is not in any of the info so far released, and it would be strange to not mention it if they did.

The only reasonable solution is to get a thinkpad X60 install libreboot remove the hard drive and only use the internet with TAILS on public wifi.

I'm thinking of going full stallman.

The only way out is to kill yourself.

Zen and the APUs have PSP built in, which is probably a backdoor. The FX-series is still okay and you can get about i5 level performance for i3 price nowadays, I think a couple of the later Opterons also have libreboot compatible motherboards

Don't use any AMD CPU's only use intel CPU's but only before the core 2 series and before.

AMD has plenty of non-compromised CPU's. What are you, a paid intel shill?

They probably have some But their modern ones are compromised.

Most of the FX series is still safe to use, as another user mentioned above. I do think some of the most recent ones are compromised, iirc. I dunno, I'm still using the FX-8150. She still treats me right and compiles like a fucking champ.

I'm using the Intel core 2 quad.

this seems like a very plausible tactic to me... there was already a higher organisation that had made them obsolete.... and this is them using CIA as a scapegoat

just because there's huge wasteful web frameworks doesn't mean GTK or QT aren't invaluable when you want a cross platform GUI application.

wew
there's already a simple image file format available with no nontrivial compression (RLE): bmp. If you really want a trivial image format, use that instead of coming up with some trivial, but useless abomination and hoping compression will fix it. You should check out the png spec, png is actually a really nice and sane format. Yes, png compression isn't trivial, but neither is bzip2 or whatever you have to use with farbfeld because the unconditional 64-bit per pixel will blow up file size ridiculously. pic related, 4 MB with farbfeld

No way cia-san!

Probably other agencies too
Others probably knew shit was fucked

speaking from total ignorance here but how safe would windows xp be on a decade old computer?

Alright so it's time for plan B. We need to create a secret chan society where our identities are directly hidden via masks and we use a system of well trained carrier pigeons which are distributed among a larger network of privately owned pigeon providers (POPPs). I'm sure no two of us live far enough apart for a pigeon not to fly. As long as someone here lives in iceland I think we should be good.

if memory serves right windows has had a backdoor since nt4, so no you're fucked unless you install a FOSS os. on the bright side your computer is probably fine

Those are pretty nasty, and have gotten bloated over the years. Now Gtk even wants systemd, for some reason.
Anyway I'm not a GUI fan at all, and one of the reasons I went straight from DOS to Linux (thus bypassing Win95), was because I prefer text interface. Links+ is ok though.

I am a dedicated Gentoo GNU/Linux-Libre user, and I can assure you there's never been a confirmed backdoor in windows

I'm not going to pretend to be an expert at image file formats, farbfeld included, but the idea behind farbfeld isn't best compression, it's ease of implementation. Their approach is that the farbfeld format is just a magic value, XY size, and a list of pixel values, with no need for compression in the file system itself. They don't want to reinvent the wheel when the OS already does compression for them. This makes it very easy to parse without having to implement all the garbage that goes with most image formats. It's sort of like how HTML is often compressed with deflate or gzip over HTTP to save bandwidth without switching to a binary format.

bz2 is already on every system and has its own command line tools and libraries. bzip's decompressed tarball is 2.3M, ff's is 40K. The lel image viewer is another 30K tarball. libpng by itself is 5.7M, more than twice the size of the entire ff implementation. In the context of a hardened system, a person theoretically using exclusively ff would not have nearly as much code to audit and maintain.

It sounds like you'll love blind, the suckless video format. Only 30 MB per 720p frame. tools.suckless.org/blind/

Your pic came out to 3.6M raw, but as a .ff.bz2 was only 67K.

Again, not claiming it's a better or worse format than what's out there, just trying to explain why it exists and why it would work on a hardened system.
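The layout described in the post above (magic value, dimensions, then raw pixels), written out as an added example that is not part of the original thread and is not suckless code: a strict farbfeld parser in C. It assumes the published layout of an 8-byte `farbfeld` magic, two 32-bit big-endian dimensions and 16-bit big-endian RGBA channels; `ff_parse`, `ff_pixel` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ff_image {
    uint32_t width, height;
    const uint8_t *pixels;  /* width*height pixels, 4 x 16-bit big-endian RGBA */
};

/* Constructed sample: a 2x1 image (opaque red, half-transparent blue). */
const uint8_t ff_sample[32] = { 'f','a','r','b','f','e','l','d', 0,0,0,2, 0,0,0,1,
    0xff,0xff,0,0,0,0,0xff,0xff,  0,0,0,0,0xff,0xff,0x80,0x00 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate a farbfeld buffer; returns 0 on success, -1 on malformed input. */
int ff_parse(const uint8_t *buf, size_t len, struct ff_image *out)
{
    if (len < 16 || memcmp(buf, "farbfeld", 8) != 0)
        return -1;
    uint64_t w = be32(buf + 8), h = be32(buf + 12);
    uint64_t npix = w * h;  /* cannot wrap: both factors are below 2^32 */
    /* npix * 8 can wrap, so bound it first; exact-length match is this example's policy. */
    if (npix > UINT64_MAX / 8 || npix * 8 != (uint64_t)(len - 16))
        return -1;
    out->width = (uint32_t)w;
    out->height = (uint32_t)h;
    out->pixels = buf + 16;
    return 0;
}

/* Fetch one pixel as R, G, B, A; returns -1 if (x, y) is outside the image. */
int ff_pixel(const struct ff_image *img, uint32_t x, uint32_t y, uint16_t rgba[4])
{
    if (x >= img->width || y >= img->height)
        return -1;
    const uint8_t *p = img->pixels + ((size_t)y * img->width + x) * 8;
    for (int i = 0; i < 4; i++)
        rgba[i] = (uint16_t)((p[2 * i] << 8) | p[2 * i + 1]);
    return 0;
}

int main(void)
{
    struct ff_image img;
    if (ff_parse(ff_sample, sizeof ff_sample, &img) != 0)
        return 1;
    printf("%ux%u farbfeld image\n", (unsigned)img.width, (unsigned)img.height);
    return 0;
}
```

The only arithmetic an auditor has to check is the size computation: a header claiming 2^31 by 2^31 pixels makes the byte count wrap to zero in 64 bits, which would match an empty payload if the bound were missing.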


NSAKEY comes immediately to mind. Not a smoking gun, but still suspicious. t. Gentoo user

That website is fucking cancer.

Found very amusing the whole #TrumpWillFreeAssange at the end. Complete propaganda.

This people's channel.
youtube.com/watch?v=La3AiTmIWwY

No known exploits for RK3188. Hardware's real cheap. Runs gentoo hardened real nice.

Just sayin'

not an argument

Frameworks exist because most computing problems are easily served in terms of the framework. Features go into the framework because people take the time to put them in. These frameworks are normally open source so anybody is free to fix bugs when they find them. Once again productivity is important. NIH syndrome is a waste of time.

Bzip sounds kinda bloated. CP/M had some small & simple compression tools like this:
gopher://gopher.floodgap.com/1/archive/walnut-creek-cd-simtel/UTILS/SQUEEZE
Amiga and such also had small ones.
TempleOS has its own thing going on with .Z files, and probably a custom image format as well.

Nobody fixes that shit until it gets pwned, but already it's been exploited for all it's worth by then. You can see how well your model works when a highly-critical library like OpenSSL has bugs for years, and nobody finds or fixes them. Then finally OpenBSD project says fuck it and tears the whole thing apart, because it got so bloated that it's unmaintainable. Well that's basically all your big libraries and frameworks right there, except there's even less people spending effort to find bugs in them, because they're not nearly as critical.
Almost everything open-source is bloated shit. Fuck this, I'm gonna do things my way.

but they DO
like i said, bmp is a trivial image format. Yes there's some historic cruft etc, but there's no need to support that. i.e. make a new image format that's a subset of bmp. Why? Because everyone can automatically read your "custom file format". And often they will be able to write it too, although you might have to supply an option or two.
It matters because even if you do write your own tools to view and process images, if nobody else can view your images they're useless. The article tries to solve this by suggesting to just convert it, but if you have to convert every incoming+outgoing image, aren't you dependent on libpng anyway? Also have you considered going the other way around? Instead of building up your own tools, strip down libpng to a bare minimum. libpng binaries are ~120kb currently, see how far you can go if you throw out optional features etc. The source code supports a lot of architectures and has a lot of comments, which increases file size without increasing code complexity.

Source on the first image: rpm.pbone.net/index.php3/stat/3/srodzaj/2/search/libpng-1.6.2

And your code somehow won't have bugs? It's literally impossible to write nontrivial bug free code.

That's why people keep bringing up clarity, simplicity, and lack of bloat/features as key points to focus on.

Open source doesn't guarantee perfect code. The only thing open source means is that bugs get fixed whenever people want to do it.

What's even the point of using the Internet if you're not going to agitate tptb?

Compression doesn't do this shit.
Fuck, assange is dead.

Kys, CIA. Why do you keep trying to draw him out in the open? Can't get a clear shot?

USE THE FUCKING STICKIES

The stickies are for personal topics. "How do I do this homework assignment" and "why doesn't my computer boot" are useful for the people who post them but not for anybody else, except by accident. That's why those things aren't allowed as threads.

This is a general question. It's intentionally useful to many people. It's not personal, and it isn't going to get a definitive answer and then rot in the catalog for two weeks.

This actually makes more sense if you put on a Holla Forums hat and look at it from a social, not technical, perspective. A few days ago, Trump increased the CIA's legal cover to do blackops unaccountable drone strikes. This makes no goddamned sense if you think the Deep State including the CIA is still arrayed against him, so we have some clues as to what's going on. Here's my hypothetical sequence of events.

The shills say it's just "morph cuts" but that's bullshit, you don't do those in the middle of fucking sentences, you use them for smooth transitions between takes. Dunno if he's dead or not but that video of him is fake as fuck, he's either in deep hiding or they've got him.


This x1000. There have been other videos lately that were faked in a similar manner, including one of Hillary.

A secure system extends far beyond the OS/kernel.

How tinfoil am I on a scale of 1-10?

I never even saw this shit. They could have been more subtle about the deplorable trash thing. Literally parroting a Hillary talking point probably isn't something someone who knew a good chunk of her secrets would do. This is alarmingly suspicious and is most likely not actually assange.


This just adds to it honestly. I wonder what is secretly broken that no one is currently privy to.

Those are morph artifacts from seamless edits.
youtu.be/J6wPUtKg-Ac

kek

No NO NOOOO I NEED ILLUMIINATI TO BE REAL TO JUSTIFFY MY BROKED MARRIAGE

You're as bad as the people who think shape shifting lizards control the world

Alpine is probably the plain Linux distro created. Doesn't use or require GNU at all. I wonder why it isn't used all that much these days, but it's probably for the better.

Because Alpine tries to be minimal to the point of not being usable as a daily driver. It's used a LOT for containers on the other hand for the same reason.

I never used Alpine, but I can't see how being minimal would prevent one from using it as a daily driver. Sure, you pretty much can't use any proprietary shit on it, which you can consider a feature. And then there's the fact that a lot of software needs patches to compile against musl. That said, I would imagine that it would work quite well for your everyday shitposting needs. Hell, I think it has wine available in the repos. I wonder how well it would work for old school vidya.

It's been a long time since I tried Alpine. But one thing that really annoyed me was separating manpages into separate packages. Yes, that makes perfect sense for a container or a small device OS where you really need to save space at autistic levels, but not for a daily driver. I read manpages all the fucking time and it's a pain to have to figure out every time which package I have to install to get some stupid manpage on my system. I know there are other things that really bothered me as well, but I can't remember at the moment. In any case it wasn't a problem with proprietary shit as I have no use for it anyway.

thanks. what about simply using something like qubes and all domains being subgraph with a router that uses OPNsense? is this good security? also having all traffic routed through a vpn in the netherlands that claims not to keep logs and questionable browsing being done also through that vpn but connected through whonix

I currently use Manjaro, but I'd be okay with something much leaner and simpler. I tend to choose the simpler option whenever I have the choice (sysvinit+openrc,dwm+dmenu,st,etc). And when it comes to stuff I don't trust, I use firejail to restrict what it can do. I mean, even if you don't use fully free software on fully free hardware, it's still worth minimizing your attack surface where possible, right? Basically, apart from emulators and wine for some proprietary retro vidya action and a way to sandbox said vidya, my needs are very basic. Is "install gentoo" truly the ultimate answer, or are there other viable alternatives?

Good votes you get, Awesome Cat.

I'd like to interject on that. http(((S))) is just snake oil, aka PLACEBO
The certificates for every site are ((((handled)))) by shady authorities
Sure, they do it for free, so we can download everything, for free...

Wait a minute and consider all the shit that's added with https.
Every time you go to httpS://freeporn.co.il you literally beacon
your MILF Keyword Search to third parties as CA Authorities.

They totally are linked with the omnioresent (((amazoncdn))) or JEWgleCDN.
They hotlink your ping to israeli porn sites to the NSA. Again, http(((S))))
is a scam. UK/USA based groups jusge which cyphers are good and which
are bad... Look at an alleged bad - not used - cypher as GOST.

GOST is russian, so UK/USA didn't like it [THEY HAVE NO BACKDOOR]
but their own cyphers are good to go. Yeah, and I'm cinderella.

Also, routers. I'm ready to try openwrt. ok, fine, let's look at some devices
that do fucking work then: Some good ASUS do work fine. Good!
But, alas, they are all routers, there's no modem/router werkin' :/


So, either run a modem linked to a router with openwrt
or use a modem/router with old linux kernel

UEFI is NSA. Trusted Platform by (((INTEL))) is MOSSAD.

Firefox is fucked from version 3.6.28 onward. Now it checks (((current version)))
at startup. Check the entry

datareporting.sessions.current.activeTicks is 0 only if you deactivate and get rid
of any URL in about:config

ITT antisemite

NO, the IMG is proof of collaboration between nazis and jewish settlers.
------------------------------------------------------------------------------------------------------

install gentoo

Yeah, good luck hardening proprietary botnet microcode embedded into your hardware. Did you even think about your router?

Yeah, need to add them to the checklist, CIA?

Ingenic SoCs
Router SoCs

Feels good.

All the more reason to make it harder for cia niggers to hack into your computer, because once they're in it's game over.

or you isolate your browsers, so you can use them without them being a threat to the rest of your computer
see qubes/chroot

I don't think you grasp just how bad things are. Just running random web JS is enough to be harmful, even in a sandbox or VM. Better to avoid all that and other bloated shit altogether.

lotta loyalty for a hired gun

WEAPONIZED
AUTISM

Just noticed he has a huge cavity.

What about unbound and dnscrypt? How important would you say they are?

And what about checking your router for any planted bugs? It's been reported that the government can intercept routers you order online mid-delivery and modify them.

And what about messages sent through electrical cables? I've heard it can be determined what movie you are watching, and in what room of your house, just by monitoring your electrical system.

checked but not witnessed.

0/10: dubs harder

...

you still need GCC to compile Linux

wikipedia.org/wiki/List_of_compilers#C_compilers

No, Linux only compiles on GCC. There is a project that tries to make Linux compile with clang, but I haven't heard about it in a long time.

namefag CIA_JOE here "user"

Since your doings are so very important to the security of our nation, we have taken a special interest in you user

All want privacy

Mentally ill paranoiacs or pedos?

Why are you disabling bindist? bindist removes patented features.

bindist also sends you prebuilt (i.e. risky) packages

who released the Nazgul?

Exactly. You can't defend from the matrix if you're plugged into it. The archons own your ass quite literally.

Fat smelly pieces of shit can fuck off anytime.
I'm also a girl btw :^)

I hate to kind of drag this thread back on topic, but what *nix distro can I used to replace my Win7 htpc? Kodibuntu, even with systemd? There's no point trying to 'harden' a Microsoft OS after what shadow cianiggers just released.

what about this list
prism-break.org/

just gonna leave this here..

https://cryptome.org/0003/clsid-list-09.htm