Glorified network janitor. Perpetual blueteam botherer. Friendly neighborhood cyberman. Constantly regressing toward the mean. Slowly regarding silent things.

  • 0 Posts
  • 13 Comments
Joined 11 months ago
Cake day: December 27th, 2023


  • I regularly remote into in order to manage, usually logged into KDE Plasma as root. Usually they just have several command line windows and a file manager open (I personally just find it more convenient to use the command line from a remote desktop instead of directly SSH-ing into the system)

    I’m not going to judge you (too much), it’s your system, but that’s an unnecessarily risky setup. You should never need to log on to a root desktop like that, even for convenience reasons.

    I hope this is done over VPN and that you have 2FA configured on the VPN endpoint? Please don’t tell me it’s just a port forward directly to a VNC service running on the servers or something similar, because then you have bigger problems than just a random ‘oops’.

    I do also remember using the browser in my main server to figure out how to set up the PiHole

    To be honest, you’re most probably OK - malicious ad campaigns are normally not running 24/7 globally. Chances of you randomly tumbling into a malicious drive-by exploit are quite small (normally they redirect you to install fake addons/updates etc), but of course it’s hard to tell because you don’t remember what sites you visited. Since most of this has gone through PiHole filters, I’d say there’s an even smaller chance to get insta-pwned.

    But have a look at the browser history on the affected root accounts, the sites along with timestamps should be there. You can also examine your system logs and correlate events to your browser history, look for weird login events or anything that doesn’t look like “normal usage”. You can set up some network monitoring stuff (like SecurityOnion) on your router’s SPAN port, if you’re really paranoid, and try to see if there’s any anomalous connections when you’re not using the system. You could also consider setting up ClamAV and doing a scan.

    You’re probably OK and that’s just paranoia.

    But… having mentioned paranoia… now you’ll always have that nagging lack of trust in your system that won’t go away. I can’t speak to how you deal with that, because it’s all about your own risk appetite and threat model.

    Since these are home systems the potential monetary damage from downtime and re-install isn’t huge, so personally I’d just take the hit and wipe/reinstall. I’d learn from my mistakes and build it all up again with better routines and hygiene. But that’s what I’d do. You might choose to do something else and that might be OK too.
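One way to do the log correlation described in the comment above, as an added example that is not part of the original thread. It assumes auth-log lines in the format OpenSSH sshd writes and a browser history exported as (timestamp, URL) pairs; the log lines, history entries, addresses and the “administration only comes over the VPN” network range are all constructed for the example.

```python
"""Correlate a root account's browser history with auth-log login events.

Added example, not code from the thread. All data below is constructed:
syslog-style lines in the format OpenSSH sshd writes, and a browser history
exported as (ISO-8601 timestamp, URL) pairs.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed browser history for the root desktop session.
BROWSER_HISTORY = [
    ("2024-03-10T20:02:11", "https://docs.pi-hole.net/"),
    ("2024-03-10T20:05:40", "https://forum.example.org/thread/1234"),
    ("2024-03-10T20:06:02", "https://cdn.example-ads.invalid/update.html"),
]

# Constructed auth log: one VPN login before browsing, one login from an
# unexpected address right after browsing, one failed attempt, one normal login.
AUTH_LOG = """\
Mar 10 19:58:01 homeserver sshd[2301]: Accepted publickey for root from 10.8.0.2 port 50122 ssh2: ED25519 SHA256:constructed
Mar 10 20:06:45 homeserver sshd[2419]: Accepted password for root from 198.51.100.23 port 41002 ssh2
Mar 10 22:15:12 homeserver sshd[2610]: Failed password for root from 192.0.2.77 port 33011 ssh2
Mar 11 08:00:17 homeserver sshd[2890]: Accepted publickey for root from 10.8.0.2 port 50300 ssh2: ED25519 SHA256:constructed
"""

# Assumption: administration only ever arrives over the VPN tunnel network.
EXPECTED_ADMIN_NETS = [ipaddress.ip_network("10.8.0.0/24")]
LOG_YEAR = 2024  # assumed: traditional syslog timestamps omit the year

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>.+?) from (?P<src>\S+) port"
)


def parse_syslog_ts(ts, year=LOG_YEAR):
    """'Mar 10 20:06:45' -> datetime; the year is supplied by the caller."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_logins(auth_log):
    """Extract sshd login attempts (accepted and failed) from auth log text."""
    events = []
    for line in auth_log.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append({
                "time": parse_syslog_ts(m.group("ts")),
                "result": m.group("result"),
                "user": m.group("user"),
                "src": ipaddress.ip_address(m.group("src")),
            })
    return events


def correlate(history, auth_log, window=timedelta(minutes=15),
              expected_nets=EXPECTED_ADMIN_NETS):
    """Return (kind, time, source) findings worth a closer look:

    unexpected_source    - successful login from outside the admin networks
    login_after_browsing - successful login within `window` after a page visit
    failed_attempt       - failed login from outside the admin networks
    """
    findings = []
    browse_times = [datetime.fromisoformat(ts) for ts, _url in history]
    for ev in parse_logins(auth_log):
        from_expected = any(ev["src"] in net for net in expected_nets)
        src = str(ev["src"])
        if ev["result"] == "Failed":
            if not from_expected:
                findings.append(("failed_attempt", ev["time"], src))
            continue
        if not from_expected:
            findings.append(("unexpected_source", ev["time"], src))
        if any(timedelta(0) <= ev["time"] - bt <= window for bt in browse_times):
            findings.append(("login_after_browsing", ev["time"], src))
    return findings


if __name__ == "__main__":
    for kind, when, src in correlate(BROWSER_HISTORY, AUTH_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:22} {src}")
```

On a real system the inputs would be `/var/log/auth.log` (or `journalctl -u ssh`) and the history export of the browser profile under `/root`; the point of the `window` check is that a login landing minutes after the root account visited an untrusted page is exactly the kind of event the comment says to look for, and a login from outside the expected admin network is suspicious regardless of timing.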



  • 0xtero@beehaw.org to Linux@lemmy.ml · *Permanently Deleted* · +6 / −1 · edited · 11 months ago

    Just waiting for systemd-kernel to replace the “old archaic” Linux kernel. j/k j/k j/k don’t block me yet!

    I used to be very much against systemd and I still don’t like the interdependencies to everything (as highlighted in the OP), but at the same time - this is a decade old discussion and everything that was worth saying was already said back then and nothing has really changed much.

    Most popular distros adopted systemd and that’s that and we’ve since then kept piling in more eggs to that same basket. There are options (distros) available if you don’t like it, but most of the “Linux community” chose systemd and that’s where we’ve been for a decade.

    I don’t really have strong opinions these days - systemd boots my computer and most days I don’t need to know about it. I still have to check the manpages for usage because the flags are just archaic as fuck, but that’s more of a “me problem” than problem with the software.

    I am worried about IBM though. The steps RedHat has been taking under their new mothership have been worrying and I have a feeling we “parasites” (as the RH CEO called us) might have just seen the beginning of this new strategy.

    This isn’t a systemd-specific fear, but while “well we just fork it” is a nice thought, I’m not sure whether “we” have the resources and money to continue maintaining it.

    Anyway, that’s just idle speculation on my part. Systemd discussions tend to be as constructive as “vi vs. emacs”. Sides have been picked. Time has passed.

    It is what it is.


  • Thanks for the share.
    Obviously Perens is one of the FOSS OG figures and he makes a lot of good points. Lately the RHEL/IBM situation has shown a mere license text file isn’t going to keep megacorps from finding ways to circumvent the ideology and the purpose behind it. They have simply too many resources both in development and in legal departments and too many ways to work around the legalese of its intended purpose.

    Also there’s been an increasing trend where products (Elastic etc) start off with a FOSS license and as soon as they gain critical mass, they split their product and switch to their own FOSS-light license and gimped “community edition” downloads. Again, all still legally above board, but at the same time completely ignoring the intended purpose of the license in the first place.

    I think what Perens is proposing is too complicated. I understand that “contract” has far more binding legal fire power compared to a “license”, but as he also points out in the article, it complicates things to the point where it’s hard to adopt. The problem is of course far deeper than just licensing and has its roots deep somewhere in late-stage capitalism and deregulation of corporate entities and those are of course not problems that Perens or the free software community can easily solve. Unfortunately.

    It’s clear that something new is needed and I appreciate the work he is doing. I’m not sure it’s the right direction to take, but can’t say I have any rabbits I can pull out of my hat either, so I’ll follow this with interest.


  • Well, that article was a hot mess.

    I appreciate the author’s effort and they are correct about the lack of “what is VPN” articles that are not written by VPN vendors for marketing purposes. But I’m not sure if this was it.

    Writing an article meant to “debunk” misconceptions and getting two core concepts, Security and Privacy mixed up right from the start wasn’t very good.

    A lot of time was spent on explaining HTTPS and how it somehow magically makes you and your data secure on the Internet, and it completely failed to mention who the potential threat actors thwarted by HTTPS are.

    Could have probably used a chapter on how actual threats (both security and privacy) work and how they don’t have much to do with the level of encryption your TCP/IP connection happens to encapsulate.

    The last chapter with the first 3 bullets was pretty good though. That could have just been the whole article and it would have been alright.

    Oh well. Attempt was made.


  • Hmm… ProtonVPN team solved this in a better way. They put the repo configuration stuff into a DEB file, so it’s just a matter of double-clicking it and clicking install.

    I was wondering how they’d solve signature checking and key installation - and looking at their page they seem to recommend skipping checking package signatures which, to be honest, isn’t a super good practice - especially if you’re installing privacy software.

    Please don’t try to check the GPG signature of this release package (dpkg-sig --verify). Our internal release process is split into several parts and the release package is signed with a GPG key, and the repo is signed with another GPG key. So the keys don’t match.

    I get it’s more user-friendly - and they provide checksums, so not a huge deal, especially since these are not official Debian packages, but package signing has been around since 2000, so it’s a pretty well-established procedure at this point.
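Since the comment above settles on “they provide checksums”, here is what actually checking a download against a vendor’s published checksum list looks like, as an added example that is not from the thread or from ProtonVPN. It assumes the list is in the `hexdigest  filename` format that `sha256sum` writes; the package names are placeholders and the files and checksums are constructed in a temporary directory so the example runs offline.

```python
"""Verify downloaded packages against a vendor-published SHA256SUMS file.

Added example, not code from the thread or from ProtonVPN. The files and the
checksum list are constructed in a temporary directory so it runs offline;
the package names are placeholders.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large packages do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'hexdigest  filename' lines as written by sha256sum.

    A leading '*' on the filename (binary-mode marker) is dropped; blank lines
    and '#' comments are ignored; anything else malformed is rejected rather
    than silently skipped.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_downloads(directory, sums_text):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every listed file."""
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        # compare_digest keeps the comparison time independent of where it differs
        ok = hmac.compare_digest(sha256_of_file(path), digest)
        results[name] = "ok" if ok else "mismatch"
    return results


def demo():
    """Constructed scenario: one intact download, one altered, one never fetched."""
    intact = b"constructed repo-setup package contents\n"
    original = b"constructed tool package contents\n"
    altered = original + b"# extra bytes not covered by the published checksum\n"
    sums_text = (
        "# constructed SHA256SUMS\n"
        f"{hashlib.sha256(intact).hexdigest()}  vendor-repo-setup_EXAMPLE_all.deb\n"
        f"{hashlib.sha256(original).hexdigest()}  *vendor-tool_EXAMPLE_amd64.deb\n"
        f"{hashlib.sha256(b'docs').hexdigest()}  vendor-docs_EXAMPLE_all.deb\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "vendor-repo-setup_EXAMPLE_all.deb"), "wb") as f:
            f.write(intact)
        with open(os.path.join(d, "vendor-tool_EXAMPLE_amd64.deb"), "wb") as f:
            f.write(altered)
        return verify_downloads(d, sums_text)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Only an `ok` result should be followed by `dpkg -i`. A checksum served from the same page as the download catches corruption and a tampered mirror, but not a compromised vendor site, since an attacker who can replace the package can replace the published digest too; a signature verified against a key obtained separately is what closes that gap, which is why the comment’s point about skipping signature checks matters.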



  • As others have already pointed out, a lot of Linux software is installed from repositories in a standard way, and once you do that, it updates automatically.

    However, as you’ve already discovered, there’s more than one way to install Linux software. Repositories are still the most common way, but installing single .debs (Debian-based distributions) or .rpms (RedHat packaging format) is still there, and there are more like Snap, Flatpak and AppImage. You can also often just download the source and compile it yourself. It’s a very diverse ecosystem, not like the controlled worlds of Windows and Mac.

    In this case you can download the .deb file, and I’m pretty sure you can even install it through the file manager, just like in Windows (I don’t use Ubuntu, but I think it will just start a GUI installation if you double-click on a .deb file).

    But a lot of things in Linux are still done through the terminal, like changing configurations and, yes, installing things.

    Getting used to it takes a while, especially if you’re not used to modern Windows administration through PowerShell.

    The important part is trying to figure out what each of the commands does and what the output actually means. Software that supports Linux normally has very clear instructions (like in this case), but it does require willingness to change habits, technical curiosity and some trial and error (patience). It’s not quite as polished an experience as the commercial OS’s. There are still a lot of rough edges for the user.

    Good luck on your Linux journey!


  • I do security as my day job (more blue team stuff these days, but used to do pentesting in the past).

    Software development normally comes down to a holy trinity of Speed/Cost/Quality. You can only pick two.

    Commercial software has time/cost constraints so they often pick speed and cost over quality initially. FOSS software doesn’t need to “get to the market”, but also doesn’t have any money, so you often get cost/quality over speed.

    However - in larger enterprises there’s so much more, you get the whole SDL maturity thing going - money is invested into raising the quality of the whole development lifecycle and you get things like code reviews, architects, product planning, external security testing etc. Things that cost time, money and resources.

    FOSS software is generally going to be missing this, unless the project gets popular and picked up by some big megacorp that bankrolls the development (Google, IBM etc). Look at mission-critical projects like OpenSSL that was (until Heartbleed) more or less a one-man project.

    Commercial software also needs to invest in licensing, support, documentation, certifications, training and potentially integration partners. It’s a whole different playing field. FOSS has an easier time, because it’s generally just pointing at the code and saying “well, send a PR”.

    Then you have the whole devops thing, where you might take FOSS software and build a whole commercial service around it.

    And all of this is just generalizing of course, because unless we’re just comparing small programs, there’s really no way to do objective comparisons between “commercial” and “free” without writing a full 50 page thesis.




  • 0xtero@beehaw.org to Linux@lemmy.ml · *Permanently Deleted* · +1 · edited · 11 months ago

    I’ve been using an XPS 13 as my “daily driver” for about 4-ish years now (I think the 9300 model came out in late 2019? Maybe 2020. I can’t remember tbh). It’s been running Debian and I’ve never really had any problems with it. I didn’t order the Developer Model as I wasn’t going to run Ubuntu and I don’t really need Linux preinstalled (and as an added bonus, it comes with a Windows OEM license, which you can use in your QEMU).

    It has a shit battery time, but so does every Linux laptop. I don’t want biometrics on my devices, so I’ve never used the face scanning or fingerprint sensors, no idea if they work, I’d assume they do.

    I’ve connected it to a USB-C hub with dual 1080p screens, webcam, microphone, external USB etc in the office. Works perfectly. I travel quite a lot, it’s light and easy to carry, I bought a small USB-C travel charger. Trackpad palm detection in Linux is bad, so I normally carry a small travel mouse with me and disable the trackpad if I need to do some writing.

    It’s got a microSD card slot, which is very useful, I can store my disk encryption keys on it and take it with me when I need to leave the laptop in hotel rooms etc.

    Never had a problem connecting it to any presentation display at customers. I miss ThinkPad keyboard layout, but it is what it is. Not a dealbreaker.

    Overall, it’s served me well over these years - and there aren’t many signs of wear and tear on it. Solid build quality.