sloppy_diffuser @ sloppy_diffuser @sh.itjust.works

Posts

0

Comments

392

Joined

2 yr. ago

No programming knowledge required.

Graphene only supports Pixels due to the titan chip. The versions with "a" are cheaper. Check when they go end of life to find the cheapest if you care about updates. So probably the 6a or 7a if you want at least 2 years of updates.

1. Not sure on this one.
2. The auditor is to make sure you are installing an authentic version of graphene. That it is not a modified version that has been tampered with (e.g., backdoors).
3. Automatically enables MAC randomization. This can help with being tracked on public networks. Fingerprinting techniques have gotten better though with deep packet inspection and even measuring radio characteristics. I've seen demos of two brand new and identical models of iPhones being distinctly picked out due to variances in the radios during manufacturing.

Doesn't help with advertisers tracking behavior based on IP. VPNs help with "blending-in" by putting multiple users behind the same IP. Provider matters here. Needs to be a VPN provider that won't just sell your data or cave to law enforcement. Mullvad is my preference. Paid with crypto. RAM only logs. That said, use Tor or I2P for anything you don't want subpoenaed.

For additional tips:

• Can't remember if its on by default, but auto-reboot to put data at rest (encrypted and not in RAM). This is for a state-actor threat level, and less about advertisers.
• I prefer pin codes to unlock my device and don't use biometrics. Graphene has a feature to randomize the pin pad every time to protect against a recording of the pin be entered. Specifically where the numbers aren't picked up on the video but the pattern your hand makes can be seen. Again, more of a state-actor threat level.

Thought I was seeing a post from AI Generated Porn for a second.

Brian Govern?

Less public / archived spaces as well. Videogame lobbies were rampant with Trump / MAGA messaging in 2019. Not sure what its like now as I quit all online gaming. Anyone 14-17 during that period who are now of voting age has likely gotten a massive dose of right wing propaganda.

No. Its all text file config. You wouldn't use live CD mode. You define your own how you want it to work.

Its a steep learning curve so if looking for off the shelf solutions, don't use nix. If you need something custom but through a single config paradigm, nix is awesome.

Soap boxing here but I feel these kinds of use cases is what NixOS is built for.

Declarative config to setup the system, users, and apps.

Declarative and customizable impermanence exactly how you want it.

I use Tails as well but NixOS is my daily driver. Anything not marked explicitly to persist is dropped each reboot. I'm the only user so I keep the last 30 days of non persisted data for like a power outage but that's something I had to go out of my to setup for my use case.

1000% this. I'm now rediscovering my rather fluid gender identity and attraction to both genders that started in my late 30s. Looking back, all the signs were there, I just kept things private as it wasn't socially acceptable. Had some outlet with the teen goth scene, which was nonexistent in college. Grew up in a heavily catholic influenced region.

Have an awesome wife who is supportive and revealed she is (now was) also closet bi from the same generation.

We moved away from there, but when I visit family all the churches are run down and closed. I smile every time knowing their grip is loosening. All the LGBT hate today just tastes like desperation.

There is anonymity and pseudonymity.

Do you need your opsec to be resistant to state-level actors (oppressive regime, censorship, illegal activities)? Well then you need to make sure you don't introduce anything that will deanonomize you.

Are you trying to be resistant to mass data collection efforts used for profit? Being on the pseudonymity spectrum is a good step.

Dealing with the latter is like dealing with a bully. Make it not worth their time. They just want to put you in bucket X so they can estimate the most likely way to influence you for reason Y. Pseudonymity is about having multiple aliases that get put into different buckets so their privacy invasive efforts are less effective.

I'm both experienced and know jack shit because there is just too much to learn. I just started using it (1998ish) to make cool looking UIs. Its been my daily driver for 15 years now.

You will never learn it all. Over time you may become more familiar with the terminal or you may not. Doesn't matter. You do you.

Its pretty easy to test drive. Grab a distros "Live CD" version, put in on a thumb drive, reboot and play around. This wont be persistent. When you're ready, install it on an external SSD. Play around some more now that your edits will be persistent. You'll mess up. Take notes. Start again once you've hosed your system.

GrapheneOS provides an auto-reboot feature which reboots locked devices after a set period of time to put data at rest. A countdown timer is started each time the device is locked, and the device will reboot if a successful unlock doesn't occur before the timer reaches zero.

https://grapheneos.org/features#auto-reboot

Essentially it drops the decryption key derived from your unlock pattern / code. Attacks to access files while the decryption key is loaded, even if the phone is locked, are mitigated. The only things that works after a reboot are phone calls, SMS, and the alarm clock. I have mine set to reboot every 4 hours of inactivity.

I believe this feature is to not only to mitigate your average attacker but also law enforcement threat levels who purchase exploit kits. Can't do much without the decryption key so they are left with slow brute force attacks.

There are libraries that do just this like https://effect.website/docs/guides/schema/introduction.

Appreciate the write up though! All too easy to rely on libraries without understanding what's under the hood.

Thanks for sharing, it was a good read.

This is why we trust but verify. Thanks mom for teaching me that cruel lesson of unplugging the phone cord to get me to bed (dial up days). It lasted about a week before I caught on you always came up from the basement before bed.

I'm so glad you never noticed I swapped my line with the guest bedroom. Also glad that ancient block in the basement could be hand wired.

The original used XI where it was 9 or 11 depending on the side.

edit: Nope I was wrong. That post links this one, lol.

https://infosec.pub/post/19153879

For our lower environments we use rsync like the author but skip the pipeline altogether. The servers have a watch script to restart when files are rsynced. We then have a local watch script that rsyncs on file changes.

Relatively instant deploy (2-5s) whenever a file is saved.

Sounds like one of my 10 alarms, all with different tones, to make sure I wake up. This one is Krypton on Android.

Good call on a simulated failure. When I first set it up, it was LVM/BTRFS or ZFS as my top choices. It was a coin toss at the time because I hadn't built this sort of setup before.

I use immutable nixos installs. Everything to redeploy my OS is tracked in git including most app configurations. The one exception are some GUI apps I'd have to do manually on reinstall.

I have a persistence volume for things like:

• Rollbacks
• Personal files
• Git repos
• Logs
• Caches / Games

I have 30 days (or last 5 minimum) of system rollbacks using BTRFS volumes.

The personal files are backed up hourly to a local server which then backs up nightly to B2 Backblaze using rclone in an encrypted volume using my private keys. The local server has a mishmash of drives in a mirrored LVM setup. While it works well for having mixed drives, I'll warn I haven't had a drive failure yet so I'm not sure the difficulty of replacing a drive.

My phone uses the same flow with RoundSync (rclone + GUI).

Git repos are backed up in git.

Logs aren't backed up. I just persist them for debugging and don't want them lost after every reboot.

Caches/Games are persisted but not backed up. Nixos uses symlinks and BTRFS to be immutable. That paradigm doesn't work well for this case. The one exception is a couple game folders are part of my personal files. WoW plugin folder, EvE online layouts, etc.

I used to use Dropbox (with rclone to encrypt). It was $20/mo for 2Tb. It is cheaper on paper. I don't backup nearly that much. Backblaze started at $1/mo for what I use. I'm now up to $2/mo. It will be a few years before I need to clean up my backups for cost reasons.

The local server is a PC in a case with 8 drive bays plus some NVME drives for fast storage. It has a couple older drives and for the last couple years I typically buy a pair of drives on sale (black Friday, prime day, etc). I have a little over 30TB mirrored, so slightly over 60TB in total. NVME is not counted in that. One NVME is for the system, the others are a caching layer (monero node) or temp storage (transcoding as it also my media server).

I like the case, but if I were to do it again, I'd probably get a rack mountable case.

Peter tingle.

Take the red pill Neo and wake up.

Wakes up to all the injustices in the world.

Noooo Neo, not like that!!!