I remember times when supposedly low Opensource software quality was a constant complaint. On the other hand I think taking Linux as an example, I always found it to be significantly more stable than Windows.
That said, it's a funny choice for Manjaro to go for opt-out telemetry. As a simplified Arch it seems to be popular among privacy conscious users. (But I don't know the project goals, maybe that's just coincidental)
Opensource contains many things, but IMO limiting to core/ packages on arch and never installing anything from AUR will get great quality software, with far better security and privacy than similar proprietary software.
If one is very interested in security and privacy however, using VMs for isolation of different apps or services is important, so having an OS that helps that is useful.
Bare arch _can_ do this, but requires quite a lot of script development.
Qubes seems to be the answer many grab for, though much is still written in C, which comes with all of the vulnerabilities mentioned constantly. So, something like https://diosix.org/ (a Rust-based hypervisor for Risc-V) is a great option to make a start towards decently secure system. Of course if your threat model includes state actors or something, you're SOL (change your perspective or what you're doing) since they always have an easy backdoor into any hardware, but sometimes things like diosix can protect against the constant script kiddies and other individual hackers.
> There's no security model for desktops that works well.
> Like another commenter said iOS has no legacy cruft and could deliver the security model that made sense.
Yeah I just was wondering about this. In the presentation also Seatbelt is mentioned, I thought this was considered deprecated legacy since years. IIRC the last time I checked for sandboxing I basically couldn't find anything recent for the Application level
Yeah but I imagine the ice is getting thin. Sure, use of key pinning on the web failed - but for instance banking apps commonly use it. Once monitoring Certificate transparency logs gets more traction, things like that could get noticed.
1. AFAIK no government, even authoritarian ones, coerced a CA to misissue a certificate. There have, however, been plenty of other ways governments are able to get certificates, like seizing the domains/servers.
2. Even if they did, chrome has enforced certificate transparency, so a gag order on the CA/CT provider would simply result in the certificate being rejected.
Sure, but then it isn't related to the CA system anymore and any action from them wouldn't be under the radar anymore.
Also this problem would apply to any key like gpg. Well, as long as it's not in a Hardware security module. Of course they could also seize that but at some point it becomes logistically impractical, at least for mass surveillance.
Scrum can be stressful but as the graph rightly shows peak stress for Waterfall is way higher. I've been working more than a decade with Scrum. Every time I don't it shows, lower productivity, even higher stress, bogus tasks. If people want to do Waterfall fine, but then please also have proper project management with Gantt charts. Otherwise it's just Cowboy development
Yeah the question is always if the cure is better than the disease. I'm quite ambivalent on this. On the one hand I tend to agree with the "Anti AV camp" that a sufficiently maintained machine can do well when following best practices. Of course that includes SIEM which can also be run on-premise and doesn't necessarily have to decrypt traffic if it just consumes properly formatted logs.
On the other hand there was e.g. WannaCry in 2017 where 200,000 systems across 150 countries running Windows XP and other unsupported Windows Server versions had crypto miners installed. It shows that companies world-wide had trouble properly maintaining the life cycle of their systems. I think it's too easy to only accuse security vendors of quality problems.
Coming from Physics the first time I heard detailed information about Mathematica (in contrast to Maple) and the Physics related work from a Professor it was also accompanied with a huge disclaimer. Reflecting further on this, a lot of this is very niche and seems to be not explored fully in the spirit of peer review
True, while in the 90s/00s I used carefully built computers eventually I turned to laptops. Running a (powerful) 400+ Watts box that isn't mobile is very nice to have but won't really work for me anymore.
I must admit I therefore was only vaguely aware of the site. (During "my time" Tom's Hardware was quite a thing but probably they cater mostly to overclockers and gamers)
Would be nice to see a renaissance of DIY computing though. MacBooks do become a little bit boring :) On the other hand I do run a small homelab by now
That said, it's a funny choice for Manjaro to go for opt-out telemetry. As a simplified Arch it seems to be popular among privacy conscious users. (But I don't know the project goals, maybe that's just coincidental)
reply