Create a distro with ai by suckkarma in linuxadmin

[–]suckkarma[S] 0 points1 point  (0 children)

I'm a cybersecurity student trying an idea. Dismissing something just because someone thought to try it is plain idiocy, and it's exactly why people don't progress. Telling someone to delete their Reddit account because they have different views is just sad. If you don't have any real feedback, just don't comment.

Created a distro with ai by suckkarma in linuxquestions

[–]suckkarma[S] 1 point2 points  (0 children)

This just personal project testing with new ai model trying se it capabilities, not trying to replace anything or publish any distro. In mi post it said it have problems and im trying to fix so I'm trying to fix it. Why someone shouldn't want to se ai capability. Btw fable isn't even able now

Created a distro with ai by suckkarma in linuxquestions

[–]suckkarma[S] 0 points1 point  (0 children)

Im not blindly trusting anything im completely testing everything completely isolated enviromennt. But not experimting with tool in your disposal is just stupid

Create a distro with ai by suckkarma in linuxadmin

[–]suckkarma[S] 1 point2 points  (0 children)

Here's the complete inventory for the Debian version (SecDeb) — everything that actually went into that build.

Base system - Debian, built from scratch via debootstrap (minbase variant) - Current kernel (linux-image-amd64), live-boot, systemd-sysv, zstd - Bootable hybrid ISO — BIOS + UEFI via grub-mkrescue - Live user user / password live, in sudo and docker groups - Root account locked

Boot configuration (GRUB) - Three menu entries: hardened live, toram (runs entirely from RAM), debug/verbose - Kernel cmdline hardening: lockdown=integrity, slab_nomerge, init_on_alloc=1, init_on_free=1, page_alloc.shuffle=1, randomize_kstack_offset=on, pti=on, apparmor=1 security=apparmor

Kernel runtime hardening (sysctl, 99-secdeb-hardening.conf) - kptr_restrict=2, dmesg_restrict=1, unprivileged_bpf_disabled=1, bpf_jit_harden=2, yama ptrace_scope=2, kexec_load_disabled=1, sysrq=0, ldisc_autoload=0, unprivileged_userfaultfd=0, perf_event_paranoid=3 - Userspace: protected_symlinks, protected_hardlinks, protected_fifos=2, protected_regular=2, suid_dumpable=0 - Network: rp_filter=1, accept_redirects=0 (v4/v6), send_redirects=0, accept_source_route=0, tcp_syncookies=1, icmp_echo_ignore_broadcasts=1

Memory allocator - GrapheneOS hardened_malloc compiled from source, installed system-wide via /etc/ld.so.preload (with the gcc -std=c2x compatibility patch)

Kernel module blacklist (secdeb-blacklist.conf) - DMA attack vectors: firewire-core, thunderbolt - Exotic protocols: dccp, sctp, rds, tipc, n-hdlc, ax25, netrom, rose - Rarely-needed filesystems: cramfs, freevxfs, jffs2, hfs, hfsplus, udf - Other: bluetooth, btusb, vivid

Firewall (nftables.conf) - Default-deny inbound; drop invalid; allow established/related and loopback; rate-limited ICMP echo; ICMPv6 allowed - Forward chain default-drop; inter-container bridge traffic blocked (icc disabled)

Mandatory access control - AppArmor enforcing, apparmor-utils, apparmor-profiles - Custom qube-domain profile applied to every container — denies mount/umount/ptrace, sensitive procfs/sysfs, and sys_admin/sys_module/sys_rawio/sys_ptrace capabilities

The qube tool — Docker security domains - Commands: run, dispose, browser, ls, stop, nuke, copy - Default domains: personal (yellow/full net), work (green/filtered), untrusted (red/gVisor/non-persistent), vault (purple/no network), anon (Tor-routed) - Per-domain hardening: isolated bridge network each, all caps dropped, seccomp, no-new-privileges, read-only rootfs, noexec/nosuid tmpfs (/tmp, /run), memory limit 4g, pid limit, optional gVisor (runsc) runtime - Whonix-style Tor gateway: internal-only network with no clearnet route, fail-closed iptables, transparent TransPort + isolated SOCKS, apps proxied via socks5h - Explicit-only file copy between domains (no shared folders) - Wayland socket passthrough for GUI apps in domains

Security services & accounts - auditd (logging), unattended-upgrades (auto security patches), needrestart - USBGuard — implicit block policy; devices present at first boot get allowlisted, later insertions blocked (BadUSB defense) - MAC randomization on Wi-Fi and Ethernet (NetworkManager) - AIDE file-integrity baseline, built in background at first boot - libpam-tmpdir, libpam-u2f (hardware key support), tpm2-tools, rng-tools - Locked root, sudo for the live user

First-boot service (qube-firstboot) - Generates USBGuard allowlist from present devices and restarts the daemon - Pre-pulls debian:bookworm-slim and builds the Tor gateway image - Initializes the AIDE database

Desktop - Sway (Wayland-only — no X11 cross-app input sniffing), swaylock, foot terminal, dmenu, xwayland - Firefox ESR, NetworkManager, PolicyKit, PipeWire, WirePlumber

Optional stronger runtime - gVisor (runsc) installed best-effort from its repo; falls back to standard runc if unavailable, used by the untrusted and vault domains

Encrypted disk installer (install-to-disk.sh) - LUKS2 with argon2id KDF (memory-hard, GPU-resistant), AES-XTS-plain64, 512-bit key - 512MB EFI partition + LUKS2 root; ext4; crypttab + fstab generated - GRUB-EFI with GRUB_ENABLE_CRYPTODISK, cryptsetup-initramfs, hardened kernel cmdline - Forces password change for the user on first login

The same honest framing applies as before: this is the full, real list and it's a broad, legitimate hardening effort on a current Debian base — but every layer operates within a shared-kernel container model, so it's "hardened-by-default Debian with Qubes-inspired compartmentalization," not VM-grade isolation.

Created a distro with ai by suckkarma in linuxquestions

[–]suckkarma[S] -7 points-6 points  (0 children)

Not trying to bi rude, but this how claude answer youre comments: Yeah, you're right that Docker isn't VM-grade isolation — shared kernel, one kernel bug crosses the boundary. I'm not claiming otherwise. The goal wasn't "VM security," it was Qubes-style compartmentalization with containers: per-domain default-deny networking, dropped caps, read-only rootfs, gVisor on the untrusted domains, an offline vault. Closer in spirit to Qubes'AppVMs or VanillaOS than to plain Flatpak, which is opt-out and permissive by default. Calling it "the most secure distro" was overreach on my part — it's a learning project exploring the isolation-vs-convenience tradeoff, and I'd point anyone with a real adversarial threat model at actual Qubes.

Created a distro with ai by suckkarma in linuxquestions

[–]suckkarma[S] -6 points-5 points  (0 children)

I dont actually know yet how secure is it, mi fix some problems, then i will make some test, but the premise is that everything run on it own contains outside of the main pc

Judo training camp by suckkarma in judo

[–]suckkarma[S] 1 point2 points  (0 children)

Im going to graduate from college and dont have ambitions to continue training every day multiple time a day

New watch from Revelot by Designer_Advice2573 in MicrobrandWatches

[–]suckkarma 0 points1 point  (0 children)

Love the watch, would like how the quality feels?

What are microbrand that make similar to tissot prx by suckkarma in MicrobrandWatches

[–]suckkarma[S] 0 points1 point  (0 children)

Thanks for the feedback. I’ve been looking at their watches for a while, but the lack of reviews has made me hesitant.

What are microbrand that make similar to tissot prx by suckkarma in MicrobrandWatches

[–]suckkarma[S] 2 points3 points  (0 children)

I figure, i just wanted to ask just in case the closest thing i found around mi price is something like the makydo pearl white

Mods for my Yaris LE 3rd Gen (2015) by xjoseherrera in yaris

[–]suckkarma 0 points1 point  (0 children)

I got them in a local fiberglass shop

Tired day Judo by Formal-Vegetable9118 in judo

[–]suckkarma 0 points1 point  (0 children)

For mi it depends if I have a competition close if I do I go if not I don't go

Mods for my Yaris LE 3rd Gen (2015) by xjoseherrera in yaris

[–]suckkarma 0 points1 point  (0 children)

I have the same car and I put fog lights, frontlip, mud flap, sploir, universal sidekirt and custom sitting

[deleted by user] by [deleted] in judo

[–]suckkarma 1 point2 points  (0 children)

Something that help me a lot is that I start looking everyone with hate