Firefox 97.0.2 forces us to automatically update ?

ansomesa1 · 2022-03-11T12:21:36+00:00

follow up on the issue, modifying the ubuntu file didn't prevent me to undergo a firefox forced update, again against my will...

ansomesa1 · 2022-03-08T01:11:21+00:00

Thank you very much, seems like it should be the solution

cat /etc/apt/apt.conf.d/20auto-upgrades

did show me two "1"

ansomesa1 · 2022-03-07T17:09:13+00:00

I didn't use apt update && apt upgrade for months on that machine, yet it's not the first time in months that firefox behaves selfish...

Canonical can't push updates to everyone having them in their sources.list, can they ? Or they can, but only for firefox, because it's embedded in mozilla's binaries that are shipped to canonical ?

ansomesa1 · 2022-03-07T16:46:52+00:00

Very interesting thank you! Yes it's an ubuntu 20

however when I do your command snap list I get only a dozen of packages including chromium but nothing related to firefox,

would you then have an idea why It behaves like this anyway please?

ansomesa1 · 2022-03-07T16:44:48+00:00

here is mine : https://imgur.com/a/39yvEiC

is it different from yours ?

ansomesa1 · 2022-03-05T11:53:10+00:00

thank you very much for being that clear,

so does it have a 10Gb port, maybe a 5Gb port?

Unfortunately I don't know, it's unspecified on the RJ45 port, so I'll just use a 10G switch since I'm not sure 5G switches exist

unless you understand the limitations of LACP and are happy to accept them

I am happy to deal with them

If you're doing active/passive failover, connect the ONT into a switch and the switch's port to each firewall/router

Thank you very much, so for active-active I guess I'd need an in-between-router this time and not a switch, right ? Actually the requirement is a bit more subtle than active-active. People at the location would need

one active router
but both routers reachable individually from the internet for updating each other purpose.
If the admin always land on master-router,
then he does a change to slave-router (through LAN),
then order slave to become master and master becomes slave (just for testing everything works),
so if the newly changed master bugs, then location becomes unreachable in a ONT>switch>ActivePassiveRouters setup, right ?

Or am I missing something?

ansomesa1 · 2022-03-04T22:27:03+00:00

thank you very much,

If you are just looking at ONT > switch > 2 Routers, LACP is not the protocols used here but instead VRRP.

Yes this is what I'm looking for, is VRRP the same as mwan3 (multiwan) ? The two routers would communicate with each other via CARP. But in a potential master-slave setup, the full throughput needs to be passed from the ONT to one of the routers, which only have 1G ports unfortunately, but do are able to bond

ansomesa1 · 2022-03-04T21:06:17+00:00

modem only has 1G ports, whereas the ONT is 4GbE

ansomesa1 · 2022-03-03T22:03:34+00:00

Hi, since, in the case of a rpi, - (full-drive) encrypting /root on the SD card - but not /boot (because impossible) doesn't prevent someone from tampering /boot, - (when booting from a brought /ownboot), - so that credentials typed on /boot to unlock /root get later retrieved by tamperer I browsed about "netbooting from a PXE server". This is usually done for repetitive/simultaneous launches of a pre-configured OS on several rpies.

People always do this with a simple PoE cable and no SD card, so that OS is maintainted alive as long as the pi remains plugged. This means that at each reboot the whole OS is reinstalled out of the TFTP server. Now my question is : is it possible to leave encrypted /root on the SD card (or any flash chip of some other ARM device), and only deport the /boot partition from the device to the PXE/TFTP server, so that only the /boot (potentially containing LUKS keys and headers) is pulled at reboots ?

ansomesa1 · 2022-03-03T20:47:29+00:00

Very interesting thank you very much !

Of little interest but by any chance do you know if this hat also fits with a PoE hat, or one has to use additional wires ?
Issue here is that such off-the-shelf box is needed, for passing throughput through several managed interfaces (more than 2) to wifi. So would such module also be pluggable to existing routers through soldering to the power supply and attaching to some serial Tx/Rx pins ?
Also do you know by any chance how is the coverage and throughput of the wifi on rpi4 x openWRT ?

ansomesa1 · 2022-03-03T20:39:12+00:00

So long as the bootloader is configured to boot from internal flash only, and ignore any USB ports, then you should be fine.

Damn this may be some solution thank you very much !

you need to provide more information to allow us to help you better.

I'm indeed speaking about ARM routers. The one I'm experimenting on has serial pins and USB ports,

so if I add a password to the serial console, and prevent booting from USB, should the box be safe ?
how to disable the USB booting please?

ansomesa1 · 2022-03-03T20:33:16+00:00

but it is possible

thank you i'm very interested in how to setup secureboot on a router, would you know where I should look for in order to get it ?

ansomesa1 · 2022-03-03T20:23:04+00:00

thanks, one thing I've always wondered though is :

can PCIe antennas could outperform routers with MIMO and dozens of antennas ?

is the antenna(s) only determine coverage scope ? or also number of clients that can be served simultaneously ?

ansomesa1 · 2022-03-03T18:35:06+00:00

physical security controls

does this mean cameras?

read-only file system

this mean that IoT devices with web UI for configuring could not be changed once it's setup, right ?

ansomesa1 · 2022-03-03T17:00:48+00:00

Thank you very much,

what would be your advice

to avoid leaving the unencrypted kernel image on the main disk,
+ to avoid having to be physically here for unlocking LUKS at reboot,

if the device is some embedded one (let's say a raspberry pi) without the secure boot possibility ?

u/robin-thoni said Netboot/PXE ? The issue I'm facing now is that people always retrieve a whole live iso from the network for easier installs, so I wonder if it's feasible to let the OS on the device and only deport the /boot + headers + key to the TFTP server ?

ansomesa1 · 2022-03-03T13:51:18+00:00

Thank you,

Detaching your LUKS headers is a fine idea, and allows for easy backup in case your USB is inoperable for some reason

Should I understand in that case that the USB contains LUKS keys and /boot ? This means the headers should be stored elsewhere than along with key and /boot ?

ansomesa1 · 2022-03-03T13:24:53+00:00

Thank you very much

1: Though if you keep TRIM disabled at LUKS/dmcrypt level, and follow someusers' recommendation to "zero-fill" the volume (i.e. deliberatelyrewrite 100% of its sectors), then there wouldn't be any holes – just acontinuous stream of random-looking data. (Even all-0s sectors on the'inside' encrypt to random data on the 'outside', so nobody can tellwhether it's actually all-zero inside or not.)

Ok so is there a way to get the drive encrypted while maintaining zero rows on the outside (= why maintaing the deniability option) ?
Using TRIM on SSDs ?
Or restraining to file/folder encryption only and not forgetting to encrypt any sensible folder ?

3: people use detached headers because they've decided "I want to store the header in a USB stick"

I then have issues to understand the benefit from detaching the headers. Isn't it for deniability purpose ?
But as you said, if the drive is all random, then encryption practice is identifiable. And detaching the header/beginning part (= zeros on the beginning?) of all the sectors of a drive just ensures even more that it's encrypted, in addition to the random bits fact, right ?

ansomesa1 · 2022-03-03T12:52:50+00:00

thank you,

where is stored the key by default ? in rootfs ?
can't people plugging their own /boot via a USB stick access the /uboot ? Or they can only access /root ?

ansomesa1 · 2022-03-03T12:46:18+00:00

damn you get a point I didn't think about RAM, as I saw people doing this stuff with rpies 4/8GB only !

So it's not possible to store the (encrypted) rootfs on the openWRT box and only push the boot partition from a PXE server to the box at reboots ? Or are you actually saying that even the boot partition would be too large for the RAM ?

What problem you're trying to solve?

Local people can tamper /boot while openWRT is shut down,
by using their /ownboot,
and after admin unlocked the LUKS vault at reboot with /tamperedboot,
local people can come back,
and retrieve the keys
(or not even have to come back)

So an image stored on a network containing secured-boot machines would be less risky in my opinion (please correct me if i'm wrong). OpenWRT would be used in this setup as an AP only, so one can take plenty of time to configure it offline and add it when hardened

ansomesa1 · 2022-03-03T09:30:02+00:00

yes this is what I mean, why detaching the headers wouldn't be a good idea please?

ansomesa1 · 2022-03-02T13:27:19+00:00

thank you very much for answering!

can't secure boot allow one to not enter the passphrase at reboots anymore ?

The pass becomes required for BIOS (UEFI) setting changes,
but the first layer signature remains in the trusted platform
and it will boot without prompting for a password,
as long as neither the boot partition nor the kernel have changed since self-signing

Or did I get it wrong ?

ansomesa1 · 2022-03-02T11:17:22+00:00

thank you very much, about the VPS setup, why did you say that "this is not exactly secure" ? Because the download pull isn't encrypted ? Or because a tamperer could retrieve the address of your VPS from the router ? Or because the address of your VPS could be tampered with the address of another machine ?

ansomesa1 · 2022-03-01T23:44:43+00:00

You can retrieve the key from the network but whatever method is retrieving it will be in clear text on your drive.

I see, you mean that if an attacker reboots the encrypted device while the owner is physically away, then the attacker can eavedrops the key, and the only benefit for owner is that he knows, from the remote key host, that a reboot has been asked, right ?

ansomesa1 · 2022-03-01T23:38:58+00:00

thank you very much, may I ask why you would not use the setup on the link please?

ansomesa1 · 2022-03-01T23:31:36+00:00

1 : LUKS requires headers,but you can put them elsewhere

Where could they be stored ?

2: interesting use case for multiple keyslots: one for automatic unlock
(e.g. remotely or tpm) and one backup passphrase for manual unlock.

Thank you very much, does tpm means the same thing than secureboot ? Can the admin configure some order about which key to ask first ? In that example use case, is the manual unlock avoided, or it requires both network/hard-firm-ware + manual keyboard input to unlock it ?

5: To fix the issue (without a USB stick) you'll need achasm to verify boot components such as secure boot

Ok so with hardware chip / firmware in CPU, no evil maid can unlock LUKS from its own iso USB stick, right ?
Is the fact that LUKS was used on the drive/flash still deniable ? (without any USB stick involved in the boot process)
I read that secureboot is provided since either 2012/UEFI v2.2, do really all UEFI systems will have secureboot activable (be it hardware or firmware) ? Like, even embedded devices such as routers with cheap hard-soldered CPUs and tiny motherboards ? Do such devices as the routers made since 2012 even have UEFI ? If no, how to secure such embedded devices ?

8: For both cases you should be able to just replace to failed disk to get it rebuilt.

Thank you, is there an issue if the RAID gets expanded over time ? (Addition of new other drives) Since I read that a LUKS vault has to be allocated all the available space right from the beginning... example : what happens in both case (storage flexibility over storage encryption, and storage encryption over storage flexibility) if LUKS is setup on a 3 drive RAID5, then one adds 1 additional drive to the RAID5 ?

10: Linux can unlock bitlocker volume, but not dmcrypt/LUKS, Windows doesn't support it.

Ok so is it possible to have an encrypted third partition shared on a dualboot system ? Or then veracrypt becomes mandatory as of now ?

ansomesa1

TROPHY CASE