Hi everyone :).

Just getting started with Manjaro as daily drive to get some easier arched based distro. Except for the LVM bug with calamares everything is pretty smooth :).

But at first boot, I saw they have added their personal Manjaro logo on boot and I directly though of the bug exploit logoFAIL I heard a few month ago and It made me curious if this is something that could be exploitable by Manjaro.

Probably not, this would harm their image and hard worked system, but I'm still curious... If someone smarter/more knowledgeable than me could chime in and give some valuable information on this topic regarding Manjaro, I would really appreciate it !

Thank you !

Hi everyone !

Right now I can't decide wich one is the most versatile and fit my personal needs, so I'm looking into your personal experience with each one of them, if you mind sharing your experience.

It's mostly for secure shared volumes containing ebooks and media storage/files on my home network. Adding some security into the mix even tough I actually don't need it (mostly for learning process).

More precisely how difficult is the NFS configuration with kerberos? Is it actually useful? Never used kerberos and have no idea how it works, so it's a very much new tech on my side.

I would really apreciate some indepth personal experience and why you would considere one over another !

Thank you !

Hi everyone :)

For those interested, I share my just finished personal Firefox user.js. It's based on the latest arkenfox and has the same privacy features, with some personal tweaks to fit my workflow. And also easier to read 😅.

https://github.com/KalyaSc/fictional-sniffle/blob/main/user.js

KEEP IN MIND

Except for the privacy focused entries, some are personal choices for an easy drop-in Firefox preferences backup. This is what I consider a good privacy model and some entries could break YOUR workflow, especially if you don't have self-hosted alternatives (Vaultwarden, Linkding, Wallabag).

I'm not an expert, but most of those entries are the same as Arkenfox's user.js. I really encourage you to read their file for better understanding on what each entrie does. While my file is easier to read, one downside is the lack of documentation for each entries.

Also, this is not just a COPY/PAST. It took a lot of effort, time, reading, testing and understanding. I kept a similar naming scheme for cross referencing.

I learned a few things and hope that you also will enjoy, edit, read and learn new interesting things.

Happy hardening !

Features

• Automatic dark mode theme (Keep in mind you still need Dark Reader or similar plugin for web pages in dark mode.)
• Deep clean history on every Firefox quit. Only cookies as exception are kept. I need them for my self hosted services.
• Disable password/auto-fill/breache. Vaultwarden takes care of everything.
• All telemetry disabled by default except for the crash reports. To also disable the crash reports, comment the begining of the following lines with //:

user_pref("breakpad.reportURL", "");
user_pref("browser.tabs.crashReporting.sendReport", false);
user_pref("browser.crashReports.unsubmittedCheck.enabled", false);
user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);

• DoH disabled (got my personal VPN with DoH enabled)

user_pref("network.trr.mode", 5);

• Disable WebRTC. If you need it for video calling, meetings, video chats:

Comment the following line:

user_pref("media.peerconnection.enabled", false);

Uncomment the following (arkenfox default, it will force WebRTC inside your configured proxy)

//user_pref("media.peerconnection.ice.default_address_only", true);
//user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);

• FIxed Width and Height (1600x900) (Finger print resistant) arkenfox's default
• Resist Fingerprinting (RFP) which overrides finger print protection (FPP)
• Alot of other tweaks you can discover while reading through the file.

How to use/test this file ?

Open firefox, type about:profiles and create a test profile. Open the corresponding root folder, put in the user.js and launch profile in a new browser.

After testing and happy with the result, BACKUP your main Firefox profile somewhere safe and put the user.js in your main profile to see if it fits your workflow.

Room for improvement / TODO.

Alot of the settings in the 5000 range form arkenfox's user.js need further testing and investigation, because they could breake and cause performance/stability issues.

• JS exploits:

- javascript.options.baselinejit
- javascript.options.ion
- javascript.options.wasm
- javascript.options.asmjs

• Disable webAssembly
• ...

TODO

• Disable non-modern cipher suites
• Control TLS versions
• Disable SSL session IDs [FF36+]

Also those settings are another beast that needs further testing/investigation on how they work.

The user.js file

https://github.com/KalyaSc/fictional-sniffle/blob/main/user.js

WARNING

Arkenfox advise agianst addons who scramble and randomize your fingerprint characteristics (like chameleon).

WHY? Because resist fingerprint takes care of most things. See 4500: RFP (resistFingerprinting) in arkenfox user.js.

[WARNING] DO NOT USE extensions to alter RFP protected metrics

    418986 - limit window.screen & CSS media queries (FF41)
   1281949 - spoof screen orientation (FF50)
   1330890 - spoof timezone as UTC0 (FF55)
   1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
 FF56
   1333651 - spoof User Agent & Navigator API
      version: android version spoofed as ESR (FF119 or lower)
      OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android
   1369319 - disable device sensor API
   1369357 - disable site specific zoom
   1337161 - hide gamepads from content
....

Very long list !

Final words

I'm open for any constructive criticism or any constructive comment that could help me out to improve or understand something new or something I misunderstood. Sure that's not 100% my work, but as I said it took a lot of time, testing, searching, reading... Please don't be a crazy Panda...

Credits

https://github.com/arkenfox/user.js

https://github.com/pyllyukko/user.js/

https://wiki.archlinux.org/title/Firefox/Privacy

After the discussion in the following post I dug a bit deeper the rabbit hole.

While I mostly relied on Exodus to see if an app has trackers in it... I was baffle to see all the sketchy requests it made while dumping the DNS requests with PCAPdroid...

Over 200 shady requests in a few seconds after login... here's a preview:

While I don't use AdguardVPN, I have Adguard Home as my DNS server in my homelab... I think It's time to switch to pi-hole !

Edit: VPN pcapdroid

Solved

After interesting/insightful inputs from different users, here are the takeaways:

• It doesn't have some critical or dangerous impact or implications when extracted
• It contains the tared parent folder (see below for some neat tricks)
• It only overwrites the owner/permission if ./ itself is included in the tar file as a directory.
• Tarbombs are specially crafted tar archives with absolute paths / (by default (GNU) tar strips absolute paths and will throw a warning except if used with a special option –absolute-names or -P)
• Interesting read: Path-traversal vulnerability (../)

Some neat trick I learned from the post

Temporarily created subshell with its own environment:

Let’s say you’re in the home directory that’s called /home/joe. You could go something like:

> (cd bin && pwd) && pwd
/home/joe/bin
/home/joe

source

Exclude parent folder and ./ ./file from tar

There are probably a lot of different ways to achieve that expected goal:

(cd mydir/ && tar -czvf mydir.tgz *)

find mydir/ -printf "%P\n" | tar -czf mytar.tgz --no-recursion -C mydir/ -T - source

~~The absolute path could overwrite my directory structure (tarbomb) source Will overwrite permission/owner to the current directory if extracted. source~~

I'm sorry if my question wasn't clear enough, I'm really doing my best to be as comprehensible as possible :/

Hi everyone !

I'm playing a bit around with tar to understand how it works under the hood. While poking around and searching through the web I couldn't find an actual answer, on what are the implication of ./ and ./file structure in the tar archive.

Output 1

sudo find ./testar -maxdepth 1 -type d,f -printf "%P\n" | sudo tar -czvf ./xtractar/tar1/testbackup1.tgz -C ./testar -T -

#output
> tar tf tar1/testbackup1.tgz 

text.tz
test
my
file.txt
.testzero
test01/
test01/never.xml
test01/file.exe
test01/file.tar
test01/files
test01/.testfiles
My test folder.txt

Output 2

sudo find ./testar -maxdepth 1 -type d,f  | sudo tar -czvf ./xtractar/tar2/testbackup2.tgz -C ./testar -T -

#output
>tar tf tar2/testbackup2.tgz

./testar/
./testar/text.tz
./testar/test
./testar/my
./testar/file.txt
./testar/.testzero
./testar/test01/
./testar/test01/never.xml
./testar/test01/file.exe
./testar/test01/file.tar
./testar/test01/files
./testar/test01/.testfiles
./testar/My test folder.txt
./testar/text.tz
./testar/test
./testar/my
./testar/file.txt
./testar/.testzero
./testar/test01/
./testar/test01/never.xml
./testar/test01/file.exe
./testar/test01/file.tar
./testar/test01/files
./testar/test01/.testfiles
./testar/My test folder.txt

The outputs are clearly different and if I extract them both the only difference I see is that the second outputs the parent folder. But reading here and here this is not a good solution? But nobody actually says why?

Has anyone a good explanation why the second way is bad practice? Or not recommended?

Thank you :)

Hello everyone !

I have no idea if I’m in the right community, because it’s a mix of hardware and some light code/command to extract the power consumption out of my old laptop. I need some assistance and if someone way more intelligent than me could check the code and give feedback :)

Important infos

• 12 year old ASUS N76 laptop
• Bare bone server running Debian 12
• No battery (died long time ago)

Because I have no battery connected to my laptop It's impossible to use tools like lm-sensors, powerstat, powertop to output the wattage. But from the following ressource I can estimate the power based on the Energy.

time=1
declare T0=($(sudo cat /sys/class/powercap/*/energy_uj)); sleep $time; declare T1=($(sudo cat /sys/class/powercap/*/energy_uj))
for i in "${!T0[@]}"; do echo - | awk "{printf \"%.1f W\", $((${T1[i]}-${T0[i]})) / $time / 1e6 }" ; done

While It effectively outputs something, I'm not sure if I can rely on that to estimate the power consumption and if the code is actually correct? :/

Thanks :).

Edit:

My goal is to calculate the power drawn from my laptop without any electric appliance (maybe a worded my question/title wrong?). While It could be easily done with the top package or lm-sensors, this only work by measuring the battery discharge, which in my case is impossible because my laptop is directly connected to the outlet with his power cord (battery died years ago).

I dug a bit further through the web and found someone who asked the same question on superuser.com. While this gives a different reference point, nobody actually could answer the question.

This seems a bit harder than I though and is actually related to the /sys/class/powercap/*/energy_uj files and though someone could give me a bit more details on how this works and what the output actually shows.

This is also related to the power capping framework in the linux kernel? And as per the documentation this is representing the CPU packages current energy counter in micro joules.

So I came a bit closer in understanding how it works and what it does, even tough I’m still not sure what am I actually looking at :\ .

First of all, thank you to all the amazing things you do for the self-hoster, FOSS comunity ! We won't be able to have those shiny things without you ! I'm not a dev and have just played arround with python (and I know how most of you feel about it 🤫) so I have very limited knowledge regarding programming languages.

I know whats a low level language (C, C#, rust?), general scripting tools and even heard about assembly. And it always baffles me how all those coding lines rule and make our microchips communicate and understand each other, but that's another story ! This is about golang !

As a self-hoster enthousiast, when I'm looking at a github repository, I always check the programing language used, even though I have no idea if those integrate well with each other or if it's the best programming language for that kind of application.

And everytime I see golang, It makes me smile and have a feeling it's going to be a good application. I know it also depends on the programmer skills and creativity, but all my self-hosted Go apps works like a charm.

Traefik is the best example, I never had any issue or strange behavior, except for wrong configuration files on my side,

Or navidrome a music server compatible with subsonic, also written in go, is working great and fast AF !

Or Vikunja, the todo app... and many more !

I'm probably biased because I have no idea of how the programing realm works, but I have the feeling that Golang is a certificate for good working and fast applications. Just to bad it's backed/supported by google (uuhhg)

Feel free to debate and give me your personal opinion of the Go language, if my feelings are right or Am I just beeing silly :).

Thanks for reading through 👋