@volpeon weird thought but, I think Matrix is actually a good way to fix this, because you can easily set up bridges to other platforms, allowing you to pull discord, telegram, etc together, and connect them, so that when people have to jump from one to another place, nothing truly changes, and it also invites people when they see things happening in other places in the same channels they usually communicate. I've been thinking of building an integrated community for a while.. maybe I should.
anthropy@mastodon.derg.nz
Posts
-
What people should do isn't to take communities living exclusively on Discord and move them exclusively to another platform.
-
shelled water puppies
RE: https://mastodon.social/@joyousjoyness/115856065753191855
-
So, besides switching to Fedora Workstation, I went ahead and installed Timeshift (windows system restore) and ClamTK (antivirus) as well, dotting the i's.
@verymetalsite meh, I met Lennart at FOSDEM 2025, a nice enough nerd with quite a lot of good ideas. Systemd does a lot of nice things, and is surprisingly light (lighter than sysVinit), and especially as a hoster I completely understand those 'auth backdoors', because now you can just use standard images with some KVM parameters. But as a customer you don't always want that
and as someone who likes to lock everything down and secure it, neither.
there isn't really a perfect solution, but you can always complain

-
So, besides switching to Fedora Workstation, I went ahead and installed Timeshift (windows system restore) and ClamTK (antivirus) as well, dotting the i's.
@verymetalsite there are some caveats to that, though: systemd, in their infinite smart-assery, has been automatically creating SSH sockets since version 256, see this thread: https://social.treehouse.systems/@astraleureka/115844218496725551
not sure exactly how fedora handles this, but it's good to mention
-
So, besides switching to Fedora Workstation, I went ahead and installed Timeshift (windows system restore) and ClamTK (antivirus) as well, dotting the i's.
@verymetalsite yeah, everyone found that one bizarre, but it's also really a linux server thing and not a client one. it was about an ssh backdoor, and most desktops don't have the ssh port in use.
also annoying, by the way, that systemd was so nonchalant about it, because that malware only worked because systemd literally tries to fetch auth keys from everywhere, even the smbios strings, which I'm not a fan of myself. but well, this kind of dialogue is why linux stays secure, windows doesn't fix these kinds of things
-
Ah, the Discord IPO is finally happening
@terrance_shaw @volpeon the main barrier is that people use whatever everyone else uses. In the paraphrased words of the Mastodon creator, 'if everyone used smoke signals for social media, that's what everyone would keep using'.
my current fear is that the alternatives are far between. Signal might be good but is centrally controlled. Matrix I personally like but is too complicated for some (especially if you want video/voice calls) and their E2EE is not perfect either. Tempted to write smthing
-
So, besides switching to Fedora Workstation, I went ahead and installed Timeshift (windows system restore) and ClamTK (antivirus) as well, dotting the i's.
@verymetalsite you indeed shouldn't need clamav on a desktop, but it's always allowed. as far as I know the few linux viruses that exist are aimed at (web)servers, and even there, if you just have SELinux and such turned on and don't host anything sketchy or really outdated, it usually turns out fine.
the only desktop virus-like things I know of was a gnome extension that you have to install yourself with sudo etc
if you don't do that kind of thing you'll be fine. but tweaking is always allowed of course!
-
that's slopslop, you only like it because it's sloppy
-
what if all those evil villains wringing their hands when they get all excited about their plans are actually just stimming 🥺
- signed, someone who totally does not stim by wringing their hands and is also totally not an evil villain out for world domination

-
>systemd v256 automatically runs sshd listening on a vsock interface in the global network namespace
>The official way to disable this behavior requires appending "systemd
@astraleureka @dalias that too, there are so many ways they could mess with your system, hypervisors kinda suck. In that sense having dedicated servers as option is much better (although even there they could inject smbios strings and what not so eh, technically all foreign hardware/software is a liability I guess and selfhosting is the only truly safe option :v)
-
>systemd v256 automatically runs sshd listening on a vsock interface in the global network namespace
>The official way to disable this behavior requires appending "systemd
@dalias @astraleureka personally my main gripe is that systemd scraping all kinds of sources for keys to use for auth makes it much harder to harden your system even outside of hypervisor situations. if something altered your system's smbios strings somehow, or manages to open a socket with systemd over an unauthenticated channel, or other things alike, they could just inject root ssh keys.
I guess for me the main takeaway is that root should be disabled, and systemd neutered for hardening
-
>systemd v256 automatically runs sshd listening on a vsock interface in the global network namespace
>The official way to disable this behavior requires appending "systemd
@dalias @astraleureka I mean, I do agree it feels dirty, but, if you don't trust the hypervisor you're running under that has a whole host (pun intended) of other implications
like they could just:
- extract keys from your RAM (volatility tool, https://github.com/ZarKyo/awesome-volatility/blob/main/README.md )
- reboot your VM and inject malicious boot params into your grub/whatever
- technically even alter instructions on the fly
- etc
while it does make me feel dirtier to run systemd, hypervisors are always kind of a problem tbh.
-
>systemd v256 automatically runs sshd listening on a vsock interface in the global network namespace
>The official way to disable this behavior requires appending "systemd
@dalias @astraleureka this is a valid point, because it seems it actively uses credentials from elsewhere than the filesystem, such as the SMBIOS strings, though that's not specific to this and more a general systemd concept as outlined here: https://systemd.io/CREDENTIALS/
I'm... undecided on what to feel about this though, because if you don't trust the hypervisor you're running under that is a problem of its own. but it does make me feel somewhat uneasy that systemd accepts creds from everywhere.
-
>systemd v256 automatically runs sshd listening on a vsock interface in the global network namespace
>The official way to disable this behavior requires appending "systemd
@astraleureka that is the recommended way, which also seems weird to me, but just to be complete, you can supposedly also mask the socket(s):
sudo systemctl mask --now sshd-vsock.socket
sudo systemctl mask --now sshd-unix-local.socket
and you can also remove the ssh server.
but it's definitely.. awkward that they implemented it like this, as much as SSH is fairly safe in terms of protocols
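
A read-only check for the masking step in the post above, as an added example that is not part of the original post: it reports whether the two socket units named there are masked. The `SYSTEMCTL` override, the `--audit` flag and the verdict labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the two socket units named in the post.
# SYSTEMCTL is an assumption of this example: a hook so the check can be
# exercised against a stub on machines without systemd.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
SSH_SOCKETS="sshd-vsock.socket sshd-unix-local.socket"

# unit_state UNIT: print the unit-file state (masked, generated, ...).
# `systemctl is-enabled` exits non-zero for masked or missing units, so the
# exit code is ignored and only the printed state is used.
unit_state() {
    state=$("$SYSTEMCTL" is-enabled "$1" 2>/dev/null || true)
    printf '%s\n' "${state:-not-found}"
}

# audit_ssh_sockets: print "unit state verdict" per unit.
# Returns 0 only if every unit is permanently masked or absent.
audit_ssh_sockets() {
    rc=0
    for unit in $SSH_SOCKETS; do
        st=$(unit_state "$unit")
        case "$st" in
            masked|not-found) verdict=ok ;;
            # masked-runtime lives under /run and is gone after a reboot
            masked-runtime)   verdict=UNTIL-REBOOT; rc=1 ;;
            *)                verdict=ACTIVATABLE;  rc=1 ;;
        esac
        printf '%s %s %s\n' "$unit" "$st" "$verdict"
    done
    return "$rc"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_ssh_sockets
fi
```
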
-
no-JS disco engaged (I'm not refreshing, the thing itself insists on refreshing endlessly until you enable JS)
-
When I start losing an argument or don't know what to say I'm just gonna start :3-ing
@konstruct 3:
-
Incredibly smart tech Furries flirting in my timeline, amazing
@konstruct define flirting
-
"The anti-aging chemicals used in rubber compounds are more effective when the tire is "exercised" on a frequent basis.
@SwiftOnSecurity conclusion: the wheels on the bus *must* go round and round
