Brasil

This is an automated archive made by the Lemmit Bot.

The original was posted on /r/diwhy by /u/vince_aphelion on 2024-11-27 08:02:00+00:00.

After being released by the Giants, Jones will head to a club in the NFC North.

^^^^

For Thanksgiving! Since I didn't want to make pie this year. It's nice and creamy, without the sometimes grainy feel pumpkin pie can have. I'll have to try and get some graham crackers to sprinkle on top.

https://en.wikipedia.org/wiki/Dutch_(1991_film)

Source: Sheddit

From Owl Rescue Centre

This sneaky little lady has been living inside a Shoprite store in Thokoza for the last few weeks. She was a difficult customer, had all her hiding spots well mapped out, just in case some owl rescuers came knocking. That's Jacob in the photo, he's their security gent who offered a great deal of help in rescuing her. We don't often tag company rescues anymore, but we know Shoprite South Africa loves owls

Summary

Donald Trump’s appointment of far-right commentator Sebastian Gorka as deputy assistant to the president and senior director for counter-terrorism has sparked backlash.

Critics, including former Trump officials John Bolton and HR McMaster, have labeled Gorka unqualified and controversial, pointing to his brief tenure in Trump’s first term and his promotion of extreme policies.

Gorka has a history of inflammatory rhetoric, ties to far-right groups, and legal troubles, yet remains a polarizing figure in conservative circles.

The appointment has intensified concerns about Trump’s administration favoring ideological loyalty over expertise in key national security roles.

It does it randomly so I think it is trying to tell me something.

Lets try to keep this topic around a basic-intermediate level when you try to explain things.

What I mean in the most simple words is a way for me to know if my laptop or any of the accessories such as charger, mouse, keyboard, camera, mic, etc, have been tampered with while I left them in my hotel room while I went out on some tourist attractions.

Adversary could be a local gang with hackers hired as hotel maid, or the adversary could be a corrupt/over reaching authority/intel who thinks citizens and tourists shouldn't have privacy and if they put a lot of effort into privacy then that means they are extremists and must mean they have something to hide.

I know of 3 ways to check for tampering:

1. AEM or Trenchboot or Heads.
2. Glitter nail polish.
3. A device which monitors your room for intrusion.

If there is proof of tampering then the solution is to destroy the hardware and throw in the trash because it's practically impossible with 100% certainty remove any tampering that was done. Better to buy new hardware.

Now to elaborate on each of the 3 ways...

1, Trenchboot is better than AEM or at least it will become better when it supports TPM 2. The plan is for it to replace AEM completely. So to make this simpler we can keep this discussion about trenchboot vs Heads and leave out AEM.

TPM 2 is good and something we should want depending on how important this method of tamper proof is. Because TPM 1.2 is old and weak encryption.

But I've read so many arguments about Trenchboot vs Heads, it's very difficult to understand everything and requires very deep and advanced knowledge and I just don't know, maybe I just have to keep on reading and learning until I eventually begin to understand more of it.

Glitter nail polish is supposed to make it practically impossible to open up the laptop (removing screws) to access the ROM chip and any other hardware. That makes this method of tamper proof perfect and simple and works on all laptops. But there are vulnerabilities:

USB is not protected by glitter nail polish. And if any malware compromises your system it could flash the ROM.

I don't think the malware is much of a threat if we are using QubesOS because it's too unlikely for the malware to escape the Qube, it would mean a 0-day vulnerability in Xen hypervisor.

But an adversary could easily use a bad usb when they have physical access to the computer and glitter nail polish doesn't detect that. I guess that this is why nail polish isn't sufficient on its own and why we need also either trenchboor or Heads.

One downside of Heads is that it's Static Root of Trust for Measurement (SRTM) which means it only checks for tampering when you boot the computer. But I think if the only threat is a bad usb attack because glitter nail polish protects against everything else that can tamper with the hardware, then this Heads downside of being SRTM doesn't matter.

This could be an app on the smart phone which uses the sensors to check for sound, movement and light changes, vibrations. Or it could be a more professional device as a surveillance camera or motion detector.

This way of tamper proof solves all problems if you assume that someone entering the room means that the hardware has been tampered with. But unfortunately this is not a good assumption to make if you are traveling or sharing accommodation. There are plenty of dumb people who would enter your room even if you told them not to even if they have no malicious intentions and are not an adversary. That means this method would give a lot of false alarms.

But if you are using video surveillance the you would know exactly what they did while in your room and you can clearly see if they even touched your hardware. So, with video surveillance you maybe don't need trenchboot or Heads and glitter nail polish.

Another reason to have this tamper method is in case they put any camera in your room to watch what you're doing or watch your enter passwords. If you have for example a motion detector giving an alarm, you can spend some time looking for hidden cameras. There are cameras that are good for this, I think they are called infrared cameras, they can find the heat which a hidden camera would give.

Summary: You probably want all 3 methods because they complement each others weaknesses. Question remains regarding trenchboot vs Heads in the scenario I've explained here I suspect Heads is a better choice but I am mostly guessing. Maybe I'm not as lost in this rabbit hole as I feel like I am. I hope the more advanced and experienced people can give some comments and help.

Another point I almost forgot to make: This whole scenario is meant to be practical, a realistic lifestyle. For example, it's not realistic for most people to be able to bring all their hardware with them everywhere they go such as work. It also makes you a big target to be robbed if they get a hint of how much valuable equipment you have in your backpack. So this means we are leaving the hardware at home which could be a hotel room or a shared accommodation.

Also last point which I forgot to make as well: The accessories need to be tamper proof as well. I don't know if trenchboot or heads is capable of doing that, such as if they replace the charger or something. Maybe the only way to protect against this is one of two ways:

1. Bring the accessories with you but leave the computer at "home". This isn't great though because you might not be able to keep your eyes on your backpack at all time.
2. Have a box filled with lentils which you put the accessories inside when you leave your room. Then you can take before and after picture and compare them to see if the lentils have moved around or not. This would mean we actually have to use 4 methods to keep all hardware tamper proof. It's not so fun to have to pack all accessories into a lentils box every time you leave your room, and check pics of both glitter nail polish and lentils. It's a lot of work but maybe that's the only way?

I'm proud to share a major development status update of XPipe, a new connection hub that allows you to access your entire server infrastructure from your local desktop. It works on top of your installed command-line programs and does not require any setup on your remote systems. XPipe integrates with your tools such as your favourite text/code editors, terminals, shells, command-line tools and more.

Here is how it looks like if you haven't seen it before:

VMs

• There is now support for KVM/QEMU virtual machines that can be accessed via the libvirt CLI tools virsh. This includes support for other driver URLs as well aside from KVM and QEMU. This integration is available starting from the homelab plan and can be used for free for two weeks after this release using the new release preview
• You can now override a VM IP if you're using an advanced networking setup where the default IP detection is not suitable. For example, if you are using a firewall like opnsense on your hypervisor
• Fix remote VM SSH connections not being able to use the keys and identities from the local system
• There is now a new restart button for containers and VMs

File browser

• There is now a new option in the context menu of a tab to pin it, allowing for having a split view with two different file systems
• There is now the option to dock terminals in the file browser (this is only available on Windows for now). You can disable this in the settings if you don't like it
• The previous system history tab is now always shown
• You can now change the default download location for the move to downloads button

Other

• The application style has been reworked
• Improve license requirement handling for systems. You can now add all systems without a license and also search for available subconnections. Only establishing the actual connection in a terminal or in the file browser will show any license requirement notice. This allows you to check whether all systems and installed tools are correctly recognized before considering purchasing a license.
• Rework Windows msi installer to support both per-user and system-wide installations. The installer will also now respect the properties ALLUSERS. This makes it possible to install XPipe with tools such as intune
• Add download context menu action in file browser as an alternative to dragging files to the download box
• Fix proxmox detection not working when not using the PVE distro and not logging in as root
• The settings menu now shows a restart button when a setting has been changed that requires a restart to apply
• There is now an intro to scripts to provide some more information before using scripts
• Add ability to enable agent forwarding when using the SSH-Agent for identities
• Closing a terminal tab/window while the session is loading will now cancel the loading process in XPipe as well
• A newly opened terminal will now regain focus after any password prompt was entered in xpipe
• Add warning message when the incompatible coreutils homebrew package is in the PATH on macOS
• The .rpm releases are now signed

Shell sessions

Many improvements have been implemented for the reusability of shell sessions running in the background. Whenever you access a system or a parent system, XPipe will connect to it just as before but keep this session open in the background for some time. It does so under the assumption that you will typically perform multiple actions shortly afterward. This will improve the speed of many actions and also results in less authentication prompts when you are using something like 2FA.

Security updates

There's now a new mechanism in place for checking for security updates separately from the normal update check. This is important going forward, to be able to act quickly when any security patch is published. The goal is that all users have the possibility to get notified even if they don't follow announcements on the GitHub repo or on Discord. You can also disable this functionality in the settings if you want.

Fixes

• Fix Proxmox detection not working when not logging in as root
• Fix tunnels not closing properly when having to be closed forcefully
• Fix vmware integration failing when files other than .vmx were in the VM directories
• Fix Tabby not launching properly on Windows
• Fix SSH and docker issues with home assistant systems
• Fix git readme not showing connections in nested children categories
• Fix Windows Terminal Preview and Canary not being recognized

A note on the open-source model

Since it has come up a few times, in addition to the note in the git repository, I would like to clarify that XPipe is not fully FOSS software. The core that you can find on GitHub is Apache 2.0 licensed, but the distribution you download ships with closed-source extensions. There's also a licensing system in place as I am trying to make a living out of this. I understand that this is a deal-breaker for some, so I wanted to give a heads-up.

Outlook

If this project sounds interesting to you, you can check it out on GitHub or visit the Website for more information.

Enjoy!