walterw

Yes, this is very true, and well-said. What are your thoughts on the new Linux phones coming out such as the Librem5?

I was running unbound in conjunction with DNSSEC to basically ensure that responses aren't tampered with (because it is plaintext, if there is a malicious party in between me and the DNS server, it could modify the response without me knowing). Now, if I run unbound by itself in this manner, basically, my DNS queries are sent out in the open, plaintext and then unbound will do all of that magic for me, ensuring that the IP address for google.com is indeed what it should be. Now, not all zones to my knowledge are signed. Now, if I'm worried about someone seeing what my DNS traffic is, then they're going to be able to see my IP traffic too, so I don't see how much benefit there is to hide my DNS traffic. Yes, the IP address might be used by many domains, but they might all be fairly closely related. Now, if I were using forwarding DNS queries to another provider, I am basically delegating that responsibility to them and may or may not be able to validate the result. Is that an accurate assessment? And, since they may not provide DNSSEC, if the DNS provider isn't offering DoH or DNSCrypt, then I have no guarantee that the IP address returned is accurate?

Hi, Is 1.1.1.1 just no logging or does it also filter out ads / spam as well - I think it supports DoH so at least if you don't have DNSSEC, then you can be sure your DNS isn't tampered with. My concerns would be: 1. is this DNS record valid, how can I be sure 2. is this DNS record for ads / malware / spam / etc. - use a blacklist / blocklist (uBlock)

I do have liberation-fonts installed. I built terminator for python 3.6, I see it is looking for python 2.7. Also, on a possibly related note, I was attempting to watch videos in VLC and on my new image, the video doesn't play very well at all. I suspect there may be an issue with my opengl setup? Perhaps it is related? It does report file not found for libGldispatch.so.0 and lib64/charset.alias.

Agreed, so what you need me to do is to switch back to the default and then I think I have a utility installed that lists all the open files (strace?) during execution and see which ones are reported as file does not exist? Then, that should be very clear which font is missing? I would be happy to do that, just need a teeny, tiny bit of guidance (if the above approach sounds reasonable) :).

Okay, I think you're right. So, I think I thought I must have selected a monospaced font, but did not. When I selected the Deja Vu Sans Book Mono, it looks good, but when I select just a Deja Vu Sans (non-mono), I have the problem. Okay, that explains it.

I installed xfce4-terminal and st and both display just fine. I am leaning toward migrating to xfce4-terminal since it is fairly lightweight, written in c versus python (I've had some annoyances in the past where terminator would hangup when I was doing a fair amount of I/O in the terminal), and still has tabs. I use a tiling WM, so terminator doesn't provide anything I cannot do with my WM with better performance. I am curious as to what happened that is causing this issue, but in the end, I am planning to migrate back toward xfce4-terminal. Walter

Thanks - I don't have an .Xresources and I did try playing with those font settings. Also, my old system does not have a .Xresources either. On a random note, I noticed that between 1.3 and 1.4, the path to libraries has changed, I think the 64 was dropped and it is just /lib or something. I wonder if that might be related ... Also, I'm not sure if it helps or not, but the fonts all look perfectly fine when previewing them in terminator's configuration, but once I choose them, that is when the appear squished like above. Walter

I recently rebuilt my system to use the new 1.4 release and am still working out a few kinks which may be self-induced. I kept many of the previous use flags I had before, so maybe I should start anew? In any case, I compared the list of packages from my old image to the current one and don't see anything around fonts. The fonts also work well everywhere else, chromium, libreoffice, geany, etc. The only place where they're "messed up" is in terminator. Even if I go to an old console (from bootup), the fonts are easy to read and not squished together. The characters are over top of one another horizontally making it very difficult to read. I tried playing with the font settings, but that didn't get me anywhere.

Yes, those are both great applications for communicating securely. I think the "problem" I'm trying to address is general web surfing where: 1. The source may not be reputable and information legitimate. It can plant an idea in your head. 2. The tracking, either through general surfing, use of "apps", OS-level monitoring, hardware monitoring (microphone / camera). 3. malicious apps / insecure apps / websites which harvest private information or are used to exchange private information, but may not be secure and could be intercepted by an adversary. Having said that, if I were to run SSL Bump via Squid on myself, I could leverage ClamAV to screen the content before it gets to a browser which may help prevent malicious content from opening an exploit. Perhaps I could also leverage some additional peer proxy that would "monitor" the data being exchanged and either block just the data in question or terminate the request altogether. Ie. if I were unexpectedly transmitting my phone number (or some PII), I could potentially be notified in real-time then either terminate the request or allow it, etc. However, there are ways around that. At the end of the day, I think it comes down to trust. If the site I'm visiting is trustworthy, the likelihood they would do nefarious things is small ... This is what I'm looking for for mobile devices: http://newport.eecs.uci.edu/~ashuba/publication/2015_antmonitor_s3/ I would imagine the same thing can be done more easily on an actual computer.

Hi, Thanks for your thoughts. Yes, that is something I think about, and you're right the 2 are inversely proportionally related. Yes, clearing cookies / browser cache is one step. From the desktop / end computer standpoint, I feel securing the system is much easier than a mobile device as the knobs are much easier to get at. Google / Apple give developers more control over security / privacy than the end user. Back to your philosophical view, so my concerns are: 1. I would like to minimize the blatant advertising that I am exposed to (here, privoxy works fairly well, but only for HTTP unless you're running an SSL Bump proxy). DNS / IP blocks work okay at this. 2. The more subtle advertising such as studies showing how blue light keeps you up at night and why you need these blue-light filtering glasses are also a nuisance (this is just a recent pertinent example). This is a more difficult problem to solve because often times the sources for these advertisements are reputable and will not be in a blocklist. This type of stuff is pervasive and gets into your mind without necessarily appearing as advertising directly. 3. From the mobile "app" perspective, when installing an "app" you're handing over much of your private information just to use the "app". The only choice you have here is to not use it. I think Android is getting better at selecting what permissions you give apps, but this is still the wild west. If you want to "secure" this information or data from "leaking" it is very difficult to do at the gateway level even with SSL Bump. Another option is to run the app inside of a sandbox such as VirtualBox where you have that app running in isolation. Sometimes you can do this, other times, the app needs to be on the device to be useful.

Thanks, I think I'm back in business now.

Thanks, I am trying that now.

I am unable to install xorg-server, I am having a problem with gl? This looks oddly familiar to this: However, I have already done the same... Furthermore, to disable glamor, I removed support for ATI video cards since everything I run is Intel: /etc/make.conf VIDEO_CARDS="intel nouveau" /etc/portage/package.use/xorg x11-base/xorg-server -glamor -glvnd udev checking for GL... no configure: error: Package requirements (glproto >= 1.4.17 gl >= 9.2.0) were not met: Package dependency requirement 'gl >= 9.2.0' could not be satisfied. Package 'gl' has version '1.2', required version is '>= 9.2.0' Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix. Alternatively, you may set the environment variables GL_CFLAGS and GL_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details. !!! Please attach the following file when seeking support: !!! /var/tmp/portage/x11-base/xorg-server-1.20.5/work/xorg-server-1.20.5_build/config.log * ERROR: x11-base/xorg-server-1.20.5::xorg-kit failed (configure phase): * econf failed * * Call stack: * ebuild.sh, line 93: Called src_configure * environment, line 3608: Called xorg-2_src_configure * environment, line 4661: Called autotools-utils_src_configure * environment, line 995: Called econf '--docdir=/usr/share/doc/xorg-server-1.20.5' '--enable-shared' '--disable-static' '--disable-selective-werror' '--enable-ipv6' '--disable-debug' '--disable-dmx' '--enable-glamor' '--disable-kdrive' '--disable-libunwind' '--disable-xwayland' '--enable-record' '--enable-xfree86-utils' '--enable-dri' '--enable-dri2' '--enable-glx' '--disable-xcsecurity' '--disable-xephyr' '--disable-xnest' '--enable-xorg' '--enable-xvfb' '--enable-config-udev' '--without-doxygen' '--without-xmlto' '--without-systemd-daemon' '--disable-systemd-logind' '--disable-suid-wrapper' '--enable-install-setuid' '--enable-libdrm' '--sysconfdir=/etc/X11' '--localstatedir=/var' '--with-fontrootdir=/usr/share/fonts' '--with-xkb-output=/var/lib/xkb' '--disable-config-hal' '--disable-linux-acpi' '--without-dtrace' '--without-fop' '--with-os-vendor=Gentoo' '--with-sha1=libcrypto' * phase-helpers.sh, line 718: Called __helpers_die 'econf failed' * isolated-functions.sh, line 119: Called die * The specific snippet of code: * die "$@" * * If you need support, post the output of `emerge --info '=x11-base/xorg-server-1.20.5::xorg-kit'`, * the complete build log and the output of `emerge -pqv '=x11-base/xorg-server-1.20.5::xorg-kit'`. * The complete build log is located at '/var/tmp/portage/x11-base/xorg-server-1.20.5/temp/build.log'. * The ebuild environment file is located at '/var/tmp/portage/x11-base/xorg-server-1.20.5/temp/environment'. * Working directory: '/var/tmp/portage/x11-base/xorg-server-1.20.5/work/xorg-server-1.20.5_build' * S: '/var/tmp/portage/x11-base/xorg-server-1.20.5/work/xorg-server-1.20.5' >>> Failed to emerge x11-base/xorg-server-1.20.5, Log file: >>> '/var/tmp/portage/x11-base/xorg-server-1.20.5/temp/build.log'

Given the complexity of the systems today and the vast number of interconnected devices, it is challenging to both secure the devices and ensure privacy. Setting up a firewall used to be sufficient; however, that is just one small piece. What components do you use and at which level? ie. firewall, SIEM, proxy server, DNS filter, IP blocks, etc.