Skip Navigation
InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)CH
Posts 26
Comments 237
Found in the wild: The world’s first unkillable UEFI bootkit for Linux
  • They are stored behind luks and I think they are readable only by root. But bootkit can probably only infect UEFI from Linux that is running on that machine. And to interact to UEFI you probably have to be root, right?

    I'll look into more options, either store keys on a seperate luks usb key or on a hardware securety key like Nitrokey. For sbctl there is already a roadmap feature for hardware security keys, I hope this comes soon :)

  • Found in the wild: The world’s first unkillable UEFI bootkit for Linux
  • Well... if you have your own keys (like I do) you have to store them somewhere. That somewhere is probably somewhere on a computer where they are used so you can update the kernel. If you have private keys, you can probably bypass secure boot.

    Is there a way to have private keys stored on a nitrokey that has to be plugged in for every kernel update?

  • Process of Degoogleing
  • Nice stuff, I use a lot of them. And for things that are missing:

    Phone: Fossify Phone

    Contacts: Fossify Contacts

    VPN:

    • Self-hosted: Great for public wifi and access to homelab
    • Free: Proton
    • Paid: Mullvad

    Office: Collabora Office

    PDF viewer (when full office app is jut too much): PDF Viewer from GrapheneOS Apps Store

    PDF scanner: OSS document scanner

    Camera: Stick with preinstalled, it always works the best.

    YT Music: Harmony Music

    Maps: Organic Maps

    Keyboard: FlorisBoard

  • Pixel 7a battery issue

    I have a batterry problem for around a week now. Battery seems better. Its draining a little slower than normaly. But between 30 and 70% (each time its different) in a few seconds it goes to 20 and 3 and 0 and shutdown... I found only 1 post about this and there are no good answers and its on Reddit: https://r.darrennathanael.com/r/pixel_phones/comments/1f3qdh8/pixel_7a_battery_issue/#

    Im running GrapheneOS so warranty is probably voided.

    2

    XHTML 1.0 Transitional parser?

    So I'm trying to parse school's website for some info. I'm trying to get some values using xpath. So I found a html 5 parser and it can't properly parse the first line. Then I figure you it's actually XHTML and not HTML. After quick Google search I found out XHTML can be properly parsed using any XML parser and so I found one and... It can't parse the first line. So I ask LLama3.1 (like a real programmer) why I can't parse the first line with any parser. It explained so nicely that I did not destroy my keyboard when I was told that this document is "XHTML 1.0 Transitional" and it's a mix of HTML 4 and XHTML and can't be parsed with HTML nor XML parser. I hate the guy that invented that so much...

    So I can't find a crate to parse XHTML 1.0 transitional? Or a crate to convert xhtml to something else? Any advice?

    7

    What watches can run Rust?

    Maybe a little weird question but do you maybe know a smart watch that can run rust? I got running Egui on my Galaxy Watch 4 with WearOS and I'm thinking if any other watch (other than Galaxy and Pixel) can do that?

    5

    My Privacy Setup

    Hi! 2 and 4 months ago @Hellfire103 and @Charger8232 made a post about their privacy setup. So I though I would also share mine.

    Remember these rules:

    • Be respectful! Some people are early on in their privacy journey, or have a lax threat model. Just because it doesn’t align with yours, or uses some anti-privacy software, doesn’t mean you can downvote them! Help them improve by giving suggestions on alternatives.

    • Don’t promote proprietary software! Proprietary software, no matter how good it may seem, is against the community rules, and generally frowned upon. If you aren’t sure, you can always ask! This is a place to learn. Don’t downvote people just because they don’t know!

    -** Don’t focus solely on me!** I want to mention that this thread is not designed to pick apart only my setup. The point is to contribute your own and help others. That doesn’t mean you can’t still give suggestions for mine, but don’t prioritize mine over another.

    • Be polite! This falls under “Be respectful”, but be kind to everyone! Say please, thank you, and sorry. Lemmy is really good about this, but there will always be someone.

    Here is my setup:

    Web browsing

    • I use Librewolf for almost everything.
    • For 3D stuff (games, 3d modelling) I use Brave.
    • On mobile I use Vanadium.
    • My preferred search engine is Kagi.
    • Most if the time I have MullvadVPN enabled.

    Desktop and laptop

    • I have self-build Ryzen + Radeon PC and Ideapad with Ryzen CPU.
    • I use Arch Linux BTW!
    • I have disk encryption and Nitrokey as a decryption key (or a long password of course).
    • I have secure boot with locked BIOS.
    • I'm running self-compiled linux-hardened kernel.
    • I'm using Gnome (Wayland).
    • I have only open-source apps installed.

    Mobile

    • I have Google Pixel 7a with GrapheneOS.
    • I have different 5 profiles: main, google, school, finance, anonymous.
    • I have PIN on every profile and also fingerprint for main and school profiles.
    • I always use VPN, either Mullvad or self-hosted Wireguard.
    • I don’t use a privacy screen protector (for now).

    Messenger

    • Signal for my family.
    • Viber for my schoolmates.
    • MS Teams for school.
    • Matrix for help with some open-source projects.
    • Discord for voice chat and local scouts group. I have Aliucord on mobile and Armcord on desktop.

    Online accounts

    • Passwords are safe in self-hosted Bitwarden (Vaultwarden).
    • I use 2FA if I can. Either hardware 2FA - Nitrokey, or TOTP with Aegis.
    • I use SimpleLogin for email aliases and randomly generated usernames and passwords.

    Video streaming

    • I watch only Youtube. Newpipe on mobile and Invidious on desktop.

    AI

    • I do not use AI a lot, but if I do I use locally running LLama3 8B or Duckduckgo's LLama3 70B

    Social Media

    • I had Instagram, Snapchat and Viber accounts, but I've deleted them.
    • I use only Lemmy on clearweb and Dread on darkweb.
    • I have Mastodon account, but I don't use it.

    Email

    • I use ProtonMail.
    • One of the best privacy things you can do is use SimpleLogin (or other email alias service).

    Shopping/Finance

    • IRL I use cash most of the time.
    • Online I use Monero if I can, otherwise just my credit card.
    • Cashew app for helping managing my purchases.

    Music streaming

    • I use only RiMusic on my phone, that's it.

    TV shows

    • I use a VPN, that's all I'm gonna say...

    Gaming

    • Minecraft, Veloren, SuperTuxKart, and some Steam games.

    Programming

    • I forgot how to code in Python, because Rust is so much better.
    • VS Codium.

    Productivity

    • LibreOffice for simple stuff.
    • Typst for proper documents.

    Paid services

    • ProtonMail - 4$ per month
    • SimpleLogin - 30$ per year
    • MullvadVPN - 5$ per month
    • Kagi - 10$ per month. For 5$ you get 300 searches, I use ~350 searches so I will try to lower my searches.
    • Domain - 13$ per year

    Self-hosted

    • Everything runs on Raspberry Pi 4 with encrypted micro SD card.
    • Pi-Hole for blocking ads on network level.
    • Bitwarden (Vaultwarden) for storing all my passwords.
    • Wireguard server (with pihole as DNS) for connecting back home from anywhere.
    • Ntfy for self-hosted push notifications.
    • MollySocket for Signal push notifications.
    • FindMyDevice if I lost my phone.
    • Cloudflare DDNS, because I don't have static IP.
    • Nginx Proxy Manager.
    • Watchtower automatically updates docker containers.
    • My website.

    Misc

    • I have Samsung Galaxy Watch 4 classic. I'm trying to do something about it...
    • I'm using Syncthing to sync documents and pictures between my devices.
    • I don't have a car (because I can't - I'm 17) and I won't have one for quite some time. I have a bicycle and my parents have 2 (smart/spy) cars.
    • I'm into crypto (mostly XMR) and I'm trading a little (making a trading bot) on MEXC. I also have Ledger Nano S Plus.
    • I have a 3d printer and it's fun and usefull :)

    TODO

    • self-host Git repos for my projects.
    • Buy a privacy screen protector when I break my current one.
    • Buy a faraday bag, just in case.
    • Do something about my spywatch (maybe sell).
    • Make backups... Yep, I don't have any yet.
    • Monitor and harden all my devices.
    • Memorize cryptowallet's private key in case it gets lost.

    Thanks for reading!

    45

    Use Galaxy Watch without Google?

    I have Galaxy Watch 4 and Pixel with GrapheneOS. Currently I have second profile with galaxy wearable and google play services for connecting to the watch. Before I've installed graphene I was using my watch as any other person, for notifications, sports, etc. Now I use it only for checking what time is it and developing apps. I can see my sports activity only for a week back, because samsung health only works on main profile.

    Is there a way for me to use my watch on main profile without google and samsung apps? Maybe with some alternative app? Or should I sold my watch and buy a new one? I've heard good things about garmin and polaris? I would love option to develop my own apps on them.

    4

    I found a worm on my USB

    This is probably not the right community but I haven't found a better one.

    So I watched a video from Seytonic where he mentiond that some malware creates a windows link with the name of the usb on a usb. So I checked my usb because I remembered that I had to click 2 times on my usb to opened it. I found a link that contained cmd.exe and a name of a file next to it. Upload to the virustotal showed Raspberry Roblin worm.

    I use Linux but my familly uses windows so I will have to go through all familly computers and remove the worm. Where can I find info how to remove this specific worm - Raspberry Roblin? On google I found a description about how the worm works but not specific files it creates and how to remove it.

    The first page that shows up is microsoft.com and it says that windows defender detects the worm, but clearly it doesnt.

    Edit: The worm was on one computer and it did not have windows defender installed. Seems like malware removed it and also disabled automatic updates. I installed MalwareBytes and sucessfully removed the worm :)

    77

    What to do with old phones?

    I found a few old phones from my family. II cleaned them, installed LineageOS and rooted most of them. On one I installed postmarketOS, one is still stock Android and one is lets say bricked (after installing lineagesos it stay on boot logo for ever, before that I installed lineageos and nethunter on it). One one disk encryption doesnt work for some reason.

    Phones (all samsung galaxy):

    • S4
    • A5
    • A5 (bricked)
    • A5 (postmarketOS)
    • J3
    • J4+ (no encryption)
    • A31 (stock)

    What can I do with them? Something like Monero node or Tor relay, but I'm already running that on old pc. For something that needs speed I have rpis (like a website). Camera security system? Tracking device?

    Is it possible to run (and autorun) cli apps and/or services that can access interent, bluetooth, gps, sensors, camera, files, etc. just like on linux? I'm a programmer and I don't like making normal android apps for a simple project.

    24

    PQC key establishment and authentication

    Hi, I'm working on a PQC key establishment and authentication protocol. Currently it works like this:

    1. Client and server each generate ECDSA and Dilithium identity keys and share them between each other, with usb for example.
    2. Client sends to the server single-use ECDH public key, single-use Kyber public key, timestamp, ECDSA and Dilithium signature of everything before it.
    3. Server verifies the message using clients identity keys, generates 2 secrets, one from ECDH and one from Kyber and then it uses blake3 kdf to derive a key from both secrets. Then it sends response with single-use ECDH public key, Kyber ciphertext, timestamp, ECDSA and Dilithium signature of everything before it.
    4. Client verifies the message using servers identity keys, and generates 2 secrets, one from ECDH and one from Kyber ciphertext and then it uses blake3 kdf to derive a key from both secrets.

    Kyber: kyber1024 ECDH: secp256k1 ECDSA: secp256k1

    I will use the key for XChaCha20-blake3 aead. I don't know yet how will I generate and keep track of used/unused nonces.

    Building this was interesting and fun, but I want more. How can I improve this key exchange, make it more secure, faster, and smaller? Both messages are huge (6268 bytes), because of Kyber and Dilithium.

    Any ideas for what application could be this used?

    1

    Hardening Arch Linux

    Hi, I'm in a process of making fast, (extrenely) secure, and modern laptop. Currently I have Arch Linux with encrypted root partition (unlocked with Nitrokey or long password), secure boot, linux-hardened, firewalld, etc.

    I'm running linux-hardened with custom config. I enabled AMD SME, kernel lockdown, added some xanmod patch for more specific cpus, and disabled some unnedded drivers (only those that I'm 100% sure I don't need - Intel, NVidia, Microsoft, Google, Amazon, Virtio). Currently it takes ~50 minutes to recompile the kernel. Are there any tutorials what drivers to disable to speed up this process? After doing that I will try to compile it with -O3 and LTO. Do you know any patches for performance?

    I'm planning to enable encrypted swap, install ClaimAV and install flatpak versions for every non open-source app I have.

    I also want to have SELinux. Does anyone know where can I learn it? I had it on Fedora and it was not fun using it.

    What are other ways I can make my laptop more secure?

    23

    PC constantly crashes, won't even boot.

    I have Arch Linux on Ryzen 7 3700X, 32gb of ram, and some Gigabyte motherboard with updated bios.

    Few weeks ago my computer would startet crashing (screen would freeze) soon after login or even at boot about 50% of the time. I was lazy so when it crashed I just forced rebooted it (the power button). Then crashes became more common untill my system wouldn't even boot.

    So I reinstalled and I had some trouble generating dracut bundles, because some zstd copression was corrupted. After booting freshly installed os it would crash again right before the login should show up. Switching kernel (from hardened to zen) fixed the problem. Then I installed basic apps (browsers, office, crypto stuff, steam, etc.) I rebooted and when I typed the password for my encrypted root it was wrong (Im sure I typed it correctly).

    I have no idea wtf went wrong with my system. I have almost the same everthing on my laptop (hardened, btrfs, luks encrytped drives, systemd boot, etc.) and it works great. And I never experienced any crashes on live usb on my pc.

    I ran some random test (its passmark memtest86 v9.3 pro) on my medicat usb. Right now its 92% finished with 1070 errors. This just can't be good :(

    Now I will play with some bios settings (like disable xmp), reflash other version, maybe switch a ssd... I will also try other distro, but I can't daily drive them. Arch gives me a ton of flexibility and I don't want to lose it. Maybe NixOS or Gentoo, but gentoo doesnt have systemd (I want to use Mullvad as my vpn and their app reqires it).

    Do you maybe know what could be wrong and how to fix it. Thank you for reading this post and thank you very much for answering.

    I don't know if this is arch bug or its something wrong with my system. If this is not right community to ask this, plese direct me to the right one (just please not reddit).

    Edit: I ran memtest again without one ramstick and it gave me no errors! Thank you for all help and suggestions :)

    Edit: I also tried only the faulty ram stick and the PC wouldn't even boot.

    Edit: Booting PC with only the faulty ram stick corrupted my bios... I guess I will have to reflash bios anyway.

    19

    Need help with understanding how XMR (sub)addresses work

    Hi, I've just paid for Mullvad VPN (personally recommend) with XMR. That looked like this:

    1. I copied the address (one time subaddress) and the amount, checked if everything matched (and it did) and pressed send.
    2. On my Ledger I checked the fee, accepted, checked the amount, accepted, checked the address... REJECTED, because the address was different.
    3. Repeated the step above probably 2 times, installed ClaimAV and started full scan of my machine for malware.
    4. Because the Monero Wallet GUI was freshly installed from official Arch Linux repo and it showed the right address I decided to still accept the transaction. Worst case I lose 10 €.
    5. While the transaction was pending I tried to prove payment using LocalMonero's block explorer and I got an error. So I basically got hacked and lost 10 € ...
    6. Checked Mullvad VPN app and... it was paid???

    Can someone explain me what just happened? My ledger showed a different address than what I copied, but the transaction still went to the right person. I started using Ledger only a month ago and I haven't been paying with it much. If this is all good and right, how can I tell if I'm being scammed on my Ledger?

    4

    What do you think about OXEM?

    OXEN is a fork of Monero that uses proof of stake instead of proof of work and supports instant transactions. Lokinet (onion router, like tor) and Session (messanger) are build on top of it. I just discovered it a week ago and I'm suprised that I hadn't heard of it before. In my opinion It's a better Monero (except that Monero has higher and more stable price)? What do you think about OXEM? Is it better or not, and why?

    12

    NFC payments on GrapheneOS

    Hi, I want to pay with online prepaid visa in person. I could add it to Google Pay, but Google Pay doesn't support NFC payments on GrapheneOS. Do you know any other app that lrts you do that?

    15

    Trade with API no KYC

    Hi, I made trading bot using binance api. Is there any platform that has api, but doesnt require kyc?

    0

    Simple but modern website

    I want to make my own website, like a blog where I talk about tech and tutorials and such. Something like https://kerkour.com and https://lukesmith.xyz. Any ideas for simple but modern design?

    43

    Block AI bots from your website

    Hi, I'm building a personal website and I don't want it to be used to train AI. In my robots.txt file I blocked:

    • ChatGPT-User
    • GPTBot
    • Google-Extended
    • FacebookBot

    What bots should I also add? Are there any other ways to block AI bots?

    IMPORTANT: I don't want to block search engine crawlers, only bots that are used to train AI.

    17

    Where to buy domain for your personal website?

    Hi, I'm thinking of building a personal website about tech, privacy, open source, etc. Any recommendations about where can I buy domain? .com is taken, but everything else is not. Shuld I take .tech (few dolars more expensive) or something more basic?

    31

    Pi-Hole vs AdGuard vs NextDNS

    I use Pi-Hole and works great. I've heard about AdGuard and seems the same thing as PiHole, but you have to install an app/extension. Everyone in this community recommend NextDNS. Whats the difference between them?

    41

    Distro for experienced Linux user

    Hi, I'm looking for a distro for my laptop. My first distro was Pop!_OS, then I switched to Fedora, then Arch for a year and 2 months ago I switched to Fedora Silverblue, because I wanted to try immutable distro that relies on containers and flatpaks to be usefull. Silverblue is great but not so much for me, its not flexible enough.

    I'm thinking of switching to Arch but maybe it's time for something else. Maybe NixOS or Void, Gentoo probably not, I don't have time for compiling everything. What do you recommend?

    It must support full disk encryption, secure boot with signing with YOUR OWN KEYS, systemd (because of MullvadVPN), everything else I think can work on any distro (Gnome, podman, kvm, etc.).

    60

    How to sell Pi?

    Hi, where can I spend/sell/trade Pi cryptocurrency?

    3