Islamic Audiobooks Central
Audiobook publisher and distributor. Find our books on Google Play (DRM-free), Apple Books, Spotify and Audible as well as in public libraries, our website and our YouTube and Odysee channels. We love and use #Linux and #OpenSource / #FreeSoftware for professional audio production! Looking in from the Fediverse? You're seeing a #Nostr profile via a bridge. Full profile at: https://primal.net/p/npub12yqn2f5z3wkx5x8q0w22pd8nc0fn0jtqf76u677fk06yftaujmsscfkjum XMR: 87T3MhEThNNDmGxRrPPUvW76upi4RzeAq2nVYErCgeJKdssoWiQWttegvCkzFvxCZBCXFzAjfrCBXF88rebjfFqP2F1pYty

The NSA made SELinux.. can you trust it?

You might be using this right now without even realizing it? Is that ok?

There’s this fancy word called “Mandatory Access Control” or MAC. Don’t be fooled by how big a word it is, it’s simple. It just decides what a file or program can access on the system with clearly defined rules and labels.

Think of the analogy of a nightclub. The bouncer at the front is like the firewall rules or you deciding to download it. But then once it’s inside the club, where can it go? Can it go into VIP? That badge you’d wear for VIP is like MAC, it’s labels that define what stuff can do or access.

There’s two main MACs, SELinux and AppArmor. SELinux is stronger security, but it’s made by the NSA. AppArmor is less strong, but easier to use.

What has SELinux by default?

All Android phones

Fedora

ParrotOS

What has AppArmor?

Whonix

Tails

Ok so the NSA made SELinux, and it scores higher on security audits and has more fine-grained control. But can you trust it? I’ll present some pros & cons, but keep in mind that this article is heavily biased against authority and not neutral.

Pro: It’s open source and been reviewed by many

Con: Most vocal anti-government groups aren’t well-funded. I question how many independent non-American influenced audits it’s had. You’d need massive expertise and money to do this. Do Russian hackers trust it? Doubt it.

The NSA backdoored into OpenSSL, which had MANY people review it. [3] This proves both that it’s possible to deceive rigorous inspection in the real world, and the NSA has a history of doing so.

It’s also been proven in academic study that malicious code can be inserted even into inspected open source. The contest nicknamed “The Underhanded C Contest” from Binghamton University had contestants purposefully create malicious code to pass open source inspection. Some entries were able to not only pass even strict scrutiny and win, but did so with very low amounts of characters maliciously used. [4] And these are academic students, so if they can do it, then so can the NSA.

Pro: I question the skill of the researchers doing the Underhanded C audits compared to SELinux or the Kernel. In fact, it’s in the Linux kernel already. So you can’t hide anyway

Con: Support for it is not the same as actively using it with it enabled. That’s like saying owning a gun is the same as shooting your balls off

_______________________________________

Pro: The only guy I trust, Edward Snowden, promotes GrapheneOS all the time, and that’s SELinux. You’d think he’d mention if he knew the NSA had a backdoor into ALL Android phones, and SELinux was made before his leaks.

Con: Security expert Bruce Schneier has pointed out the NSA has put backdoors in encryption standards in the past [1], and when he posted about the NSA making SELinux on his own website, he didn’t comment [2]. Which I interpret in my personal subjective analysis that he doesn’t trust it, suspects a backdoor, but can’t prove it.

_______________________________________

Pro: AppArmor starts up slower than SELinux. So Fedora by default is faster than Ubuntu/Debian.

Con: True, that’s valid. But keep in mind SELinux is complex, so you’re wasting hours/days learning something to save a second?

_______________________________________

Pro: SELinux restricts access by default, which is far more secure than AppArmor’s default permissiveness. Furthermore, SELinux gives much more fine-grained control, by allowing you to label files, which is based on their true purpose. Whereas AppArmor bases it on the file path, which is a weaker way to do it.

Con: True. But SELinux is more complex and requires newer users to debug errors. So it’s only more secure if you actually know what you’re doing. Otherwise, you may be allowing malicious software higher access than it needs, just to get rid of confusing errors.

Pro: That’s a good point, but AppArmor doesn’t even have the ability to do complex setups for large organizations with critical needs.

Con: If SELinux is so complex, how can we trust these open source audits?

_______________________________________

Conclusion

In conclusion, many academic and corporate researchers praise SELinux over AppArmor for security, and it’s easy to see why large organizations use it. However, for a lone wolf individual with an extreme distrust of the NSA, it’s easy to see why they wouldn’t, even if it’s open source. And if you are bugging out bro, consider subscribing on Session messenger with the Session ID: Simple.

Sources: https://simplifiedprivacy.com/selinux/
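
A toy model of the label-versus-path distinction the post above describes, added here as an illustration; it is not from the original article and is not SELinux or AppArmor code. Every domain, label, profile and path name in it is made up, and the "no profile means unconfined" branch models the post's claim about default permissiveness.

```python
from dataclasses import dataclass

@dataclass
class Inode:
    label: str  # security label stored with the file object itself

# Constructed sample data: two names can point at the same file object.
secret = Inode("app_secret_t")
FILES = {
    "/srv/www/index.html": Inode("web_content_t"),
    "/etc/app/secret.key": secret,
    "/srv/www/secret.key": secret,  # second name for the same object
}

# Label-style policy: (process domain, file label) -> permissions.
LABEL_RULES = {("webserver_t", "web_content_t"): {"read"}}
# Path-style policy: profile name -> {path prefix: permissions}.
PATH_RULES = {"webserver": {"/srv/www/": {"read"}}}

def label_allows(domain, path, perm):
    """Decide on the object's label; anything without a rule is denied."""
    return perm in LABEL_RULES.get((domain, FILES[path].label), set())

def path_allows(profile, path, perm):
    """Decide on the name used to reach the object."""
    rules = PATH_RULES.get(profile)
    if rules is None:
        return True  # no profile loaded: the program runs unconfined
    return any(path.startswith(p) and perm in perms
               for p, perms in rules.items())

def compare(path):
    """Return (label decision, path decision) for the web server reading path."""
    return (label_allows("webserver_t", path, "read"),
            path_allows("webserver", path, "read"))

if __name__ == "__main__":
    for name in FILES:
        print(name, compare(name))
```

The label decision is the same for both names of the secret file because the label sits on the object, while the path decision changes with the name used to reach it.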

Thanks. Question: Are #SELinux and #AppArmor for native and system packages only and don't restrict universal packaging formats like #flatpak, #snap and #appimage?

Why is Google bad for your business?

Does your company mandate Google docs, email, or meet? Well, everyone knows Google docs are free, and so any random clown can access them. Because of the complete lack of any type of exclusivity or advanced knowledge, we present compelling arguments that to use them in a corporate setting, not only gives the appearance of poverty and laziness, but encourages decreased revenue and team building.

With online companies, their e-commerce websites are not their only “store front”, but also the websites their customers interact with. We can think of this with the analogy of a brand’s “hotel lobby”. When you send a client a Google doc, you’re turning what could be a beautiful luxury hotel lobby into a homeless bus shelter. When you have a client paying for your expertise, you want to create the impression that they need you. You don’t want them to think “I can do Google docs on my own, maybe I can do all of this work on my own.” Even if you pay for Google Suite, now your employees or customers don’t respect you for paying for free docs.

Numerous business experts have studied these issues and reached similar conclusions regarding Gmail. YFS Magazine in their article “3 Reasons Why @Gmail.com For Business Is A Bad Idea” discusses how using Gmail makes your company look unprofessional and lack branding. [1] A different magazine TechnologyHQ repeats similar messages that using Gmail not only makes your brand unprofessional, but you also lose credibility. [2]

Not only does Google docs make your firm lose branding and look poor, but because Google sells all data on their platforms, it encourages employees to share as little as possible with each other. In our previous work, we discussed how Google doesn’t just sell ad space, but manipulatively sells user data directly through the use of a cookie. [3] We cited research from Dr Johnny Ryan, Chief Policy & Industry Relations Officer at Brave [4b], as well as documentation from Bhagyashree of PacktPub discussing Google violation of the European Union’s GDPR [4c]. Even usually “pro-marketing” publications such as AdExchanger, admit to Google’s corruption and rot of basic EU privacy law through cookies. [4d]

So if Google’s business model is to maliciously broadcast and sell as much data as possible, then basic logic would dictate that employees would be motivated to share as LITTLE as possible about themselves with any co-workers. And this is why using Google’s products pisses away your revenue. Research from TeamStage, demonstrates teams that communicate more, produce more revenue. [5] Their statistics show that twice the revenue can be generated by teams that are fully engaged and communicate about their personal lives. [5] But how can teams build this trust if the medium with which they communicate is malicious and insecure? [3]

Some might argue that most people are not aware of the malicious and illegal data sales of Google. However, this view assumes that you will be hiring only ignorant employees. Only the least technically savvy users, who give your company the most exposure to security vulnerabilities due to lack of internet knowledge, will not mind their data being sold.

And speaking of security, through Google’s corrupt and illegal sale of all data, the use of their products encourages phishing attacks on your employees who have become identified to everyone and their mother. Having your employees’ mobile phone numbers sold by Google is much higher risk, when compared to the use of Element/Matrix, which would instead keep employee encryption credentials locally on employees’ hard-drives. End-to-end encrypted group chats encourage the use of audio confirmation to trust unknown encryption keys, all while incurring minimal expense to your organization.

(knock-out punch)

In conclusion, ignorant business owners will dismiss these claims saying “people don’t care”. This view simply dismisses the statistically proven power of branding or team building’s effects on revenue. It’s definitely true that SOME people don’t care, and so it encourages your firm to only hire less technically savvy users, which can expose your firm to lose money on security vulnerabilities.

So if you want to reduce invasive involuntary tech in your workplace, please consider sharing this.

Relentless. Determined. I fight for you. Sources: http://simplifiedprivacy.com/googledocs

I appreciate the new angle instead of just the privacy approach which unfortunately many people just don't care enough about.

Perhaps it could be spiced up further by mentioning a scary news story about #GoogleDrive users losing access to their account or documents.

#GoogleDocs #freecloud #freecloudstorage

I'd still choose the Android device as it gives more freedom and control over #privacy than Apple devices. In fact, #Pixel devices aren't sold by Google in my country either so I bought an older Pixel online and degoogled it.

As a former iPhone user myself I'm not judging anyone, but it depends on priorities I guess... Mine is, if I paid my hard earned money for it, I should be able to decide what I run on it.

Why are companies hesitant to release their software's source code? The issue of funding/monetisation or lack of it is at the core of it. Almost all of the bad decisions made by foss projects and companies in the previous year including license changes stem from this...

I thought it's a new #firewall. There's nothing different from the version in 22.04 is there?

The apps can still be sold even if the code is public but hardly any #foss projects do that... is it because the developers think they have to provide the compiled binaries for free?

Completely understandable. However, the developers are okay with it being in the F-Droid main repo right so we can submit a request to F-Droid for inclusion?

Any plans of releasing a fully #foss version on #fdroid free of proprietary closed source dependencies? Thanks.