> There also seems to be a small group of devout followers who travel from the Palemoon forums to other parts of reddit, HN and github to spruik the project and derail criticism. I've observed (without naming names) it's the same names doing it over and over again.
They always use the same phrases too: "nazi", "fake news", "false narrative" etc. They tend to refer to themselves as "power users" with a clear tone of superiority in their comments.
> The terrible user experience of slack and discord is why I started using IRC even more. emoji, images, link previews, and the like all lead to annoying/awful spam. Instead of a conversation you get a stream of memes and image macros along with link and twitter spam.
I have experienced that to a certain extent on Matrix, but only in certain rooms that permit it. They are not usually #some_project but rather general channels like #linux
What I have found good is code sharing (nothing a pastebin can't solve, except that if it's a publicly logged channel the link may not work in the future). I only tend to hang out in technical related rooms.
> I find it derails the conversation and clutters the screen. Nothing less fun than trying to have a conversation and some idiot is posting "related" image macros flooding the chat with garbage.
> The bottom line is I want to talk to someone using text. IRC does exactly that.
I find the same with mailing lists vs bulletin boards. I think the barrier to a certain extent means people that have something worth adding will be bothered. A bit like this place. Imagine how HN would be if it was like 90% of Reddit these days shivers.
I did a similar thing in order to implement network segregation via VLANs and VPN routing.
Personally I think Alpine Linux is one of the better distributions to use for routers because it uses musl which is ultra small. https://www.etalabs.net/compare_libcs.html
I have separate VLANs:
• VLAN 1: Management (no tag, null route)
• VLAN 2: Untrusted (routes direct to ISP via ppp0)
• VLAN 3: Trusted (routes direct to ISP via ppp0)
• VLAN 4: Trusted (routes via tun0 - VPN connection for private browsing etc)
• VLAN 5: Null route for devices that do not require internet access of any kind, desk phones printers etc.
(Doesn't have to be a Raspberry Pi, you can use anything that Alpine Linux runs on, which is x86_64, x86, ppc64le, s390x, armhf, aarch64 (ARM8 like Raspberry Pi 3), armv7 (Raspberry Pi 2, and friends)).[1]
> Can you explain a bit more on your VPN setup? Did you create it on the same machine as the router itself?
Yes.
Essentially it operates as a multi-homed router.
Traffic on VLAN2 goes directly out to the ISP. This is useful for low latency needs such as online gaming. It is useful when you need your real IP address and do not want to trip security systems such as an online banking site might have.
VLAN 3 is used for everything else, downloading packages (apt, pacman etc, and all my web browsing). The router will send all traffic through the VPN ie tun0.
In addition I can be on VLAN3, and have "exceptions" such as to my mailserver even when on VLAN3 (my VPN VLAN).
I used CONNMARK for this. In these circumstances the connections from VLAN3 are normally marked with a connection mark[0].
I am at the moment finishing up the configs as Jinja templates, so that one may just input their configuration into the JSON configuration files and it will populate all the configs with envtpl https://github.com/andreasjansson/envtpl. It would be trivial for one to extend this into an implementation orchestrated by something like Ansible.
I use that in combination with Yadm https://yadm.io and store it in my dotfiles.
I know my ISP logs my metadata (by law), whereas I trust that my VPN provider does not.
Essentially, all VLAN2 traffic is routed direct to my ISP, and all VLAN3 traffic is routed to the VPN. My machine normally sits in VLAN3. I make sure not to log into anything social media related or tied to my real identity.
If I need to do banking, Facebook or something like that I'll use a device in VLAN2 (a separate computer).
All phones and devices like that are broadcasting information anyway so those are in VLAN2 as well, unless they are devices with LineageOS and no Google Apps.
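The CONNMARK setup described above, as an added example and not the author's Jinja/envtpl templates: it emits the iptables and iproute2 commands that send the VPN VLAN through tun0, keeps listed exceptions (the mail server) on the direct ppp0 path, fails closed if tun0 is down, and models the resulting decision so the rule set can be checked offline. Interface names, mark and table numbers and the addresses are assumptions, not values from the comment.

```python
"""Policy routing for a direct VLAN plus a VPN VLAN with exceptions."""
import ipaddress

# Constructed stand-in for the JSON configuration files (assumed values).
CONFIG = {
    "vpn_vlan": {"iface": "eth0.3", "mark": 3, "table": 103, "via": "tun0"},
    "direct_iface": "ppp0",
    "exceptions": ["203.0.113.25/32"],  # mail server, always via ppp0
}


def firewall_rules(cfg):
    """Mangle-table rules, evaluated only for packets arriving from the
    VPN VLAN: restore the connection mark, let unmarked exception
    destinations through, mark everything else, and save the mark so
    later packets of the same connection get the same treatment.
    Replies coming back in from tun0 stay unmarked and use the main
    table, which holds the LAN routes."""
    v = cfg["vpn_vlan"]
    pre = f"iptables -t mangle -A PREROUTING -i {v['iface']}"
    rules = [f"{pre} -j CONNMARK --restore-mark"]
    for dst in cfg["exceptions"]:
        rules.append(f"{pre} -d {dst} -m mark --mark 0 -j ACCEPT")
    rules.append(f"{pre} -m mark --mark 0 -j MARK --set-mark {v['mark']}")
    rules.append(f"{pre} -j CONNMARK --save-mark")
    # Source NAT for traffic leaving through the tunnel.
    rules.append(f"iptables -t nat -A POSTROUTING -o {v['via']} -j MASQUERADE")
    return rules


def ip_commands(cfg):
    """ip(8) commands: marked traffic is looked up in the VPN table; the
    second rule makes the lookup fail closed instead of falling through
    to the main table (and out ppp0) when tun0 is down."""
    v = cfg["vpn_vlan"]
    return [
        f"ip route replace default dev {v['via']} table {v['table']}",
        f"ip rule add fwmark {v['mark']} lookup {v['table']} priority 100",
        f"ip rule add fwmark {v['mark']} unreachable priority 101",
        # Loose reverse-path filtering, since marked flows are asymmetric.
        f"sysctl -w net.ipv4.conf.{v['via']}.rp_filter=2",
    ]


def egress_for(cfg, src_iface, dst_ip, vpn_up=True):
    """Model of what the rules above do for one new connection:
    returns the interface the first packet leaves on, or 'unreachable'."""
    v = cfg["vpn_vlan"]
    dst = ipaddress.ip_address(dst_ip)
    if src_iface != v["iface"]:
        return cfg["direct_iface"]
    if any(dst in ipaddress.ip_network(e) for e in cfg["exceptions"]):
        return cfg["direct_iface"]
    return v["via"] if vpn_up else "unreachable"


if __name__ == "__main__":
    print("\n".join(firewall_rules(CONFIG) + ip_commands(CONFIG)))
```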
> A vpn is not a cure-all. It is only as private as you're willing to make it. If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time. What you do is absolutely a part of your advertising/tracking profile.
See in this scenario I would have a system in VLAN3 that I use for my downloading, and another computer in VLAN2 that is used for the facebooking. I use a hardened browser with https://github.com/ghacksuserjs/ghacks-user.js that hardens the browser and helps against fingerprinting.
I also use a number of addons, for various purposes
I use CookieAutodelete on my mobile because unfortunately the container API isn't available on the Android version of Firefox.
The reason I don't use it on my desktop is because there are certain types of things that cannot be cleared.
> APIs do not exist to allow clearing IndexedDB, Service Workers cache, appCache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy.
Honestly I wouldn't go anywhere near Palemoon. Not unless you feel like using an antiquated browser such as Firefox 28 which is where it forked.
I expect their shills will be deployed to this thread shortly.
It's certainly not more secure when you've got all your extensions running at the highest privilege level (not WebExtensions), the sandboxing code "removed" because mattatobin, a Palemoon developer, says that it "doesn't work", without giving any specific use case, and their non-compliance with the HSTS spec RFC6797 [0]. There's probably countless other things wrong with it, but that's what I spotted after a cursory look.
Many of your sentiments there are demonstrated in that very thread. One of the developers (mattatobin) repeatedly avoids answering my questions and just says "fake news" and goes all trumpian on me.
Don't bother trying to ask on their forums about this they will just delete your posts and go on about "the untrue narrative" without addressing your questions.
If you contact them on twitter they will block you. It seemed like their whole mode of operation was very "alt-right" if that makes sense. They live in a small "social bubble" it would seem.
I also found it rather lol that a so called "privacy browser" has to resort to using google advertising on their main page.
I'm sorry for your bad experiences with the Palemoon guys. You are obviously not who this software is meant for.
I don't need or want sandboxing for my extensions -- I can take care of my own sandboxing external to the browser profile instance. And I don't want it either, because it makes them less flexible and powerful. XUL based extensions turn my browser into a power tool, Chrome is a toy.
I don't know why you are upset, because the vast majority of the Internet agrees with you. Most people are happy to have Google control their web browsing experience. Why do you engage with them if they make you so upset?
Why are you threatened by a small group of users who want a browser their own way?
As for the HSTS thing, I'm sorry nobody explained that, I'd be happy to elaborate a bit more for you. My computer belongs to me, and I get to decide what runs on it. I can choose to use Palemoon how I want to. Not implementing HSTS according to the RFC is harming nobody except potentially myself. The way HSTS is written is self serving for the powers that be. It reinforces the SSL certificate infrastructure, and takes away user choice in the name of "security". For practical reasons, being able to disable HSTS is important for development. And even without Palemoon, there are still plenty of ways to bypass HSTS. All Palemoon is doing is saving users time.
Besides, Google, Apple, Facebook and Microsoft happily trample on the RFCs when it's convenient for them. Chrome itself was infamous for this when it first came out. I remember seeing Chrome users clobbering webservers and violating protocol to get slightly more speed. Of course, Chrome now sets the standards.
I have to disagree with your characterization of Palemoon users as fascists.
If you don't like Palemoon, then you are more than welcome to not use it and leave the community alone. The Palemoon community represents a dying breed. Soon enough, most hardware will be forced to use their browser, and will only be permitted to go to websites that they approve of. And mandatory DRM. Mozilla also loves DRM.
Anyway, if you have any more questions I'd be happy to answer.
> I'm sorry for your bad experiences with the Palemoon guys. You are obviously not who this software is meant for.
Who is it meant for if it's not meant for users? Are they intentionally trying to turn away certain people?
> I don't need or want sandboxing for my extensions
I think you'll find with all security, it's best to have the "principle of least privilege" https://en.wikipedia.org/wiki/Principle_of_least_privilege at all levels of software. The reason for this is because if something happens to exploit one area of your setup, the hope is that it will be stopped somewhere else.
> I can take care of my own sandboxing external to the browser profile instance.
As do I. I use multiple VLANs (network segregation), Virtual Machines, and other things in addition to browser profiles. Most people however do not. Software should be designed for "most people".
> And I don't want it either, because it makes them less flexible and powerful. XUL based extensions turn my browser into a power tool,
There's plenty of frameworks out there. Perhaps what you're trying to do shouldn't be a browser extension.
> Chrome is a toy.
Okay if you mean high performance web browser with a lot of market share that Mozilla must compete against in order to stay relevant?
> I don't know why you are upset, because the vast majority of the Internet agrees with you.
They do because I am right. I rarely say this as I do often like a good debate, however in this situation I will.
> Most people are happy to have Google control their web browsing experience. Why do you engage with them if they make you so upset? Why are you threatened by a small group of users who want a browser their own way?
I didn't engage with them. They came to our bug tracker and started to push their software on us. I contribute to the privacytools.io website. I was explaining why that particular piece of software did not belong there.
> As for the HSTS thing, I'm sorry nobody explained that, I'd be happy to elaborate a bit more for you. My computer belongs to me, and I get to decide what runs on it. I can choose to use Palemoon how I want to. Not implementing HSTS according to the RFC is harming nobody except potentially myself. The way HSTS is written is self serving for the powers that be. It reinforces the SSL certificate infrastructure, and takes away user choice in the name of "security". For practical reasons, being able to disable HSTS is important for development. And even without Palemoon, there are still plenty of ways to bypass HSTS. All Palemoon is doing is saving users time.
For software that is distributed to the public certain 'sane' defaults are expected for the software to be labeled as secure. These are usually according to spec as I pointed out in https://github.com/privacytoolsIO/privacytools.io/issues/375... there are a number of reasons why software developers should make certain choices for users.
There are a couple of reasons for this:
> 1. Users could be socially engineered into bypassing the warning
> 2. The warning gets "ignored" because lazy users just want to "visit that website", without thinking of or understanding the consequences.
> 4. Website owners will fix errors as it will mean their customers, visitors will not be granted access.
The fact is, if Mozilla designed software for "a small group of users who think they know everything" nobody would use their software as the majority would have a poor user experience.
What I mean by that is allowing users to override certain security (they may not understand and may put them at risk) is not a solution to lazy site owners who have TLS errors. It is very good that those site owners must now fix their problems, or the sites simply won't work.
> Besides, Google, Apple, Facebook and Microsoft happily trample on the RFCs when it's convenient for them. Chrome itself was infamous for this when it first came out. I remember seeing Chrome users clobbering webservers and violating protocol to get slightly more speed. Of course, Chrome now sets the standards.
Maybe so, and those are separate issues. Those issues should be constructively criticized when they come.
> I have to disagree with your characterization of Palemoon users as fascists.
I didn't say their users were. I said that certain developers certainly give off that vibe. I also said that they do engage in censorship, on their forums and on Twitter https://news.ycombinator.com/item?id=13395682. I've read about that here on HN and Reddit, ie 'forums' that they do not control. I witnessed it in that thread when one of them attempted to brigade the GitHub issue I was conversing in.
> If you don't like Palemoon, then you are more than welcome to not use it and leave the community alone.
[Insert Leave Britney Alone meme] The point is I only made an argument as to why it would not be added to privacytools.io the "defenders of Palemoon" came there and accused me of spreading "fake news", and spreading "false narrative". They didn't however refute what I said in a technical sense, which is what is expected in technical communities.
If you want to say someone is wrong, then provide proof/examples, or you'll be laughed at.
> The Palemoon community represents a dying breed.
Progress will do that.
> Soon enough, most hardware will be forced to use their browser, and will only be permitted to go to websites that they approve of.
I don't believe that for a minute. The big tech companies have been very active in standards forums like the IETF.
> And mandatory DRM.
That only happens when you want to use content like Netflix, and then it's a part of the user license agreement that Netflix MUST agree to in order to satisfy content creators/rights owners etc.
Mozilla never says that a site must use DRM, but does provide the option should they need to.
> Mozilla also loves DRM.
You mean they implement it so their browser can use things like Netflix? Sure, because if they didn't everyone would just use Chrome.
> Anyway, if you have any more questions I'd be happy to answer.
This is the point, though, isn't it. The "Palemoon defenders" never refute what I say with actual evidence.
I never got to read your reply. Look I'm sorry for any negativity. I think there is a place for you and what you are doing. But I'd like to make my own software my own way.
I don't agree with your paradigm for how people should use computers, but that's ok. I know I can very vocally disagree with the direction software is going, but I'd very much like for us to coexist peacefully.
Pale Moon's JavaScript support was atrocious last time I checked, indicating that it's not actually keeping pace with Mozilla. I was developing a user script at the time and had to ask a user to stop using what amounts to a copy of Firefox that's several years past its expiry.
Who knows what kind of issues are lingering around? Given that Pale Moon users advertise themselves as power users they might make quite a valuable target.
> Anti-cheat software seems like a great platform to launch targeted malware in-order to achieve a beachhead on a computer network: highly targeted, and effectively undetectable.
> I would expect most software developers don't sandbox their gaming machines from their work-from-home environments.
I have been worried about this for some time. In my country we have a lot of issues with metadata retention so I set something up like this[0].
I have separate VLANs:
• VLAN 1: Management (no tag, null route)
• VLAN 2: Untrusted (routes direct to ISP via ppp0)
• VLAN 3: Trusted (routes direct to ISP via ppp0)
• VLAN 4: Trusted (routes via tun0 - VPN connection for private browsing etc)
• VLAN 5: Null route for devices that do not require internet access of any kind, desk phones printers etc.
(Doesn't have to be a Raspberry Pi, you can use anything that Alpine Linux runs on, which is x86_64, x86, ppc64le, s390x, armhf, aarch64 (ARM8 like Raspberry Pi 3), armv7 (Raspberry Pi 2, and friends)).[1]
Upgrading to managed switches, I had thought about making a bunch of VLANs in a similar manner. But I ended up settling on something much simpler.
There are essentially just two segments / types of switch ports (I may have stuck with the many-vlans thing if switch ports had RGB LEDs showing what zone they were in...). First, the "trusted" network, which does switch management, servers, reasonably-behaved hosts, etc.
Then, a second "access" segment. Ports in this segment are set up to not be able to talk to one another through the switching fabric at all - the only thing they can talk to is the router. Ports on the same switch are prohibited from talking by the switch's config, and different switches are given different associated VLANs. This is good for visitors, Android, Internet of Trash, etc.
For routing, the horizon seen by each device is controlled directly by its own macaddr on the router itself. Two hosts on the same segment can see drastically different routing tables and Internet connections. This isn't perfect, as it can be easily spoofed unless I start pushing the switchport-mac mapping out to the switches. But it works for now.
But I believe "sandboxing" in the original comment was talking about the machine itself, not network access. So PC gaming means being disciplined about getting another machine, or at least a second GPU for PCIE passthrough in a VM. In general I think we're in a time of decommodification. The easiest way to sandbox between security boundaries is separate machines, of which there is an inexpensive surplus. No need to have banking and games on the same tablet, when a second hand nexus7 (flo) is $40 on fleabay.
Carefully constructing a household network topology and being disciplined with separate physical machines appears to be a strong mitigation.
But will your colleagues who play competitive online games be willing to buy a separate machine used only for remote employment, and be willing (and able) to construct such a network topology correctly?
> Then, a second "access" segment. Ports in this segment are set up to not be able to talk to one another through the switching fabric at all - the only thing they can talk to is the router. Ports on the same switch are prohibited from talking by the switch's config, and different switches are given different associated VLANs. This is good for visitors, Android, Internet of Trash, etc.
Yes, essentially that's what VLAN 3 and 4 are (trusted). They are able to talk to each other but VLAN 2 (untrusted) cannot. VLAN 2 cannot access my server on the LAN or any other network resources, except in certain situations where I open a single HTTP port to a specific directory that is read-only. This is where guests would be. I use this to copy 'certain' files to my untrusted hosts. The exploitation surface area is extremely low. Switch configuration can only occur when on VLAN 1 (management). I also can control which VLAN people access via WiFi via my Unifi Controller. One SSID is a trusted network, the other is untrusted. I only use EAP so I can control exactly which users have access to which VLANs via FreeRadius. All of this is documented [0][1]
> For routing, the horizon seen by each device is controlled directly by its own macaddr on the router itself.
Remember MAC Addresses can be spoofed which means you can get things like VLAN hopping if you're not careful. My Windows machine where my gaming happens is "untrusted" and is in port 2 on the switch, my trusted machines are in port 3 and 4. My other family members also have certain devices they consider 'trusted' and those are in VLAN 3/4 while they have devices that are 'untrusted' in VLAN 2. It took some time to educate everyone, but I drew pictures, and explained it nicely. Unfortunately this is the world we currently live in.
I was concerned that an APT (advanced persistent threat) might have the time to monitor the system for idleness and then attempt such an activity. At least that is what I would do.
> But I believe "sandboxing" in the original comment was talking about the machine itself, not network access.
Well they are sort of the same thing in this situation because it's physical sandboxing.
> So PC gaming means being disciplined about getting another machine, or at least a second GPU for PCIE passthrough in a VM.
> In general I think we're in a time of decommodification. The easiest way to sandbox between security boundaries is separate machines, of which there is an inexpensive surplus of.
Exactly.
> No need to have banking and games on the same tablet, when a second hand nexus7 (flo) is $40 on fleabay.
This is exactly my point. In regard to my mobile phone I use a Redmi Note 5, with LineageOS, without Google Apps. If I tablet gamed I would have a 7" tablet specifically for that. I would tether it to my phone via WiFi AP and the CPU/GPU would probably be more powerful than you'd get in a phone anyway.
I only install things through F-Droid. I have made a significant attempt to de-google my life and have been successful.
To put it in terms of your network, I didn't want to deal with having to differentiate between VLAN3/VLAN4 switch ports (and wanted to leave room to grow multiple outgoing VPNs).
Also I don't see the need for hosts on VLAN2 to be able to talk to one another. Which enables me to default to putting decently trustable things in my access zone as well (like say an RPi running Raspbian/Kodi).
> Remember MAC Addresses can be spoofed which means you can get things like VLAN hopping if you're not careful
Oh for sure, which is why I alluded to eventually pushing out per-port mac address config to the switches. But my primary concern is browser/pocketsurveillance traffic not going out my ISP's IP, and this suffices for now.
(Thanks for the dump of Free android apps you find useful. Not really on topic for the thread, but I personally appreciate it)
They vaguely have a clickbaity title, and then just say "people click links in email".... they can click links in anything so that's not specific to email.
Then they advertise a product at the end "best antivirus".