UnOrdinary

  • 14 hours ago
  • Joined Jun 10, 2022
  • SudoMason Debian has much worse security than the baseline of an OS that's receiving proper updates and not applying very misguided patches and configuration changes including enabling a bunch of services by default upon installation. Recommend using Fedora or Arch if you want to at least have the baseline security provided by the upstream projects, which is quite poor for a lot of that desktop software stack but you can at least avoid having ancient software with a subset of security patches backported and many new problems introduced.

    • Nextcloud suffers from a bloated PHP codebase and lacks first-class support for end-to-end encryption and 2FA (it has native FIDO2 passwordless though). The thing is, it's the only option for a self-hosted centralized cloud server with decent clients on the main platforms.

      I'm not going to enumerate all the risks associated with self-hosting, but unless you use E2EE, there will always be a risk for your data. Server-side encryption doesn't do much, especially with the default master key mode where the encryption key sits on the drive right next to your "encrypted" data. Disabling it in favor of user key mode makes it a bit better, but the key to decrypt your data is in the server's memory once a client connects to your account.

      All in all, E2EE should be preferred, but as I said, it lacks first-class support despite being advertised as a huge feature on their website. It wasn't usable until recently and there are still many quirks.

    • While I haven't Wiresharked the entire thing, here are some points to consider regarding ChromeOS and privacy:

      • A Google account is mandatory, unless you want to use guest mode forever (which might be ok in certain use cases, actually). However, what the Google account does is largely up to the user. You can just use it as a throwaway login, or you can use it as your full digital identity including for e-mail, social media, backups etc. Keep in mind that most people actually benefit from a built-in password manager, cross-device syncing, Google Drive and reliable backups, but using those is absolutely not mandatory.
      • If you want to compartmentalize your activities, you can use multiple accounts on the same machine, similar to GrapheneOS. One account could be completely minimal and also routed through Orbot or a VPN, for more "private" activities.
      • Telemetry is completely optional, similar to the browser Chrome.
      • Additionally, you are free to use the alternatives of your choice (e.g. DuckDuckGo, e-mail PWA such as Tutanota, messengers like Element or Wire) to decouple your activities from your Google account.
      • If you want to use common Linux apps like LibreOffice, Tor Browser, Thunderbird etc., you can do so using the Linux environment. You can even create separate guest VMs for each of them, completely isolating them from the rest of the system.

      Keep in mind that while this sounds like a tedious "selective privacy" approach, you can really disable practically everything, including Play Store and Google Drive integration, and then just use some PWAs in Chrome and isolated Linux apps you trust. You will still benefit from very timely OS updates, full verified boot, sandboxing and running hardened Linux VMs with dm-verity that you will have difficulties finding elsewhere.