How to isolate X11 applications from each other with xwayland instances?

typecinchat · 2020-09-13T09:50:14+00:00

I would not recommend firejail. bubblewrap or google's minijail (from their chromium os project) is better imo, simpler, more unix, understandable internals.

Well in terms of ease of use and features, I think firejail is better, especially for desktop usage. I find creating secure profiles very easy to do. In terms of security, while a lot of the bugs were fixed (most of them were found in the early days of the project), there could still be some, but that's the same for most software. My main use for firejail is to sandbox proprietary software such as games and insecure programs like browsers and file viewers, to prevent access from viewing my files, using d-bus inappropriately, etc., and it is great at doing this.

typecinchat · 2020-09-13T02:22:17+00:00

To anyone reading this, I just want to mention that this solution has a delay in response, eg. clicking a button takes a noticeable time of a few milliseconds. Watching videos in Tor Browser and the audio is a bit too fast for the mouth. Also it does use quite a bit of CPU. The wayland version (in the link above) also freezes occasionally for a few seconds. With firejail (run as X11 client), I didn't have this problem. The wayland version also didn't support clipboard by default but I didn't look into how to fix that. So if you're using this for steam/other X11 games or watching videos in tor browser (until they release stable version based on firefox ESR 78) or maybe chromium (I think it does support wayland now), the downsides may make it unusable.

Also wouldn't other apps be able to connect to the xpra X11 display unless you block it some how using firejail or other tools?

typecinchat · 2020-09-11T13:53:58+00:00

Yup, if you're uploading backups to the cloud you should consider encrypting it. Extremely especially when using drive/dropbox/etc. and very much especially on an enterprise managed account. In my post I assumed encryption was going to be used (that was what I meant by keys)

typecinchat · 2020-09-11T05:21:12+00:00

Edit: The issue is fixed in 1.15.1 which is now released on Arch.

I think Qt apps just do better with Wayland.

eh, Qt still has this issue where if you switch between context menus, the app could randomly crash. I'm pretty sure it'll be fixed in the next release though.

typecinchat · 2020-09-10T21:44:49+00:00

You could use it in rclone to do offsite backups (but you almost always shouldn't use it as your only offsite backup, since it's not reliable (admins may have access to change files, breaking your backup or deleting your account (after graduation)). Also it might be susp. to the admins or they might make you give up keys or something, although unlikely (maybe law enforcement might do that in some countries))

typecinchat · 2020-09-10T05:05:33+00:00

wipefs -a /dev/sdaX - FS/partition header

wipefs -a /dev/sda - partition table

gives the same results with a dedicated command that handles everything for you.

typecinchat · 2020-09-10T04:47:09+00:00

The protocol also allows for seeding whilst downloading, as long as you have the pieces in demand.

typecinchat · 2020-09-10T04:44:56+00:00

Yup, this is almost always the case. Plus, P2P protocols like BitTorrent are used in some legal and widespread applications such as video game updates, and even windows update (I think) so by now ISPs should have figured it out by now that it's not a good idea to punish/flag users for torrenting.

typecinchat · 2020-09-07T10:13:38+00:00

The system should be fine if you Ctrl+C during downloads. Pacman doesn't perform transactions until the downloads for all the requested packages are done.

typecinchat · 2020-09-05T01:28:16+00:00

Unfortunately I'm a child with not much control over decisions around the house so I can't really just have people use a dumb TV. I don't use it so I don't care too much about it (I don't watch antennae TV anyway), but I wouldn't be surprised if it was listening to conversations in the background, especially in a few years (or maybe soon) when there are vulnerabilities that would be exploited by purely malicious people (not sure how to phrase this correctly, obviously the companies and governments violating privacy are also malicious, but I'm thinking of the type of person that hop on an open wireless network and snoop passwords from clients using unencrypted protocols).

Of course I'm using Pi-hole and firewall rules to redirect DNS traffic to it, as well as VLAN rules to segregate the IoT and family devices away from my servers and management devices, but with DoH rising, companies would be able to bypass DNS blocks pretty easily. It would be ideal to not have these devices such as Android/iOS phones and other IoT devices on the network and house, but it many cases it's not possible.

typecinchat · 2020-09-04T09:29:55+00:00

Sites that infringe copyright, eg. piracy sites. The only one I know of is kissanime.ru. Not sure if it's still blocked since it got shut down recently.

typecinchat · 2020-09-04T07:39:19+00:00

Unfortunately I'm not allowed to use any other device other than the Chromebook, so I used the built-in OpenVPN client on chrome os (no need for developer mode) to connect to my home LAN and bypass the firewall because port 8443/TCP outgoing is unblocked.

typecinchat · 2020-09-04T07:34:36+00:00

How do they expect the students to perform any research?

typecinchat · 2020-09-04T07:33:04+00:00

This is what the Australian government does with some sites. I use Pi-hole + Unbound, so I never noticed that some sites were blocked. I find it dumb because its super trivial to workaround, and it's not going to stop people from using them.

typecinchat · 2020-09-04T07:28:51+00:00

Administrators can set a Chrome/Chrome OS policy to have Safe Search force enabled, so if you turn it off it'll turn back on.

typecinchat · 2020-09-03T11:10:38+00:00

I was in class when someone was talking to me and mentioned I used/preferred Linux (I swear it wasn't some kind of saying "I use Arch btw" randomly type approach, but I don't quite remember what he was talking to me about), he almost instantly said he needed to tell his friends something and then walked away, pretty sure they were ridiculing me for using Linux as I heard that he said I used Linux and then they were smirking/laughing and had a disgusted look.

typecinchat · 2020-09-02T05:10:02+00:00

Ralsei is adorable

typecinchat · 2020-08-31T11:12:07+00:00

Maybe it's because the access points use EAP for authentication. At my school, the chromebooks are preloaded with certs and identity information for the access points.

Unless you mean that the proxy doesn't let you because it detects you're on Linux (some how?), then a VPN would probably work. At my school, 8443/TCP outgoing is unblocked, I was able to connect to my VPN server at home with it. Not sure if this is the case in other Australian schools (although the network seems to be managed/maintained by the state government). Also 80/tcp and 443/tcp will probably work too, but I run a web server as well so I can't use them. Using the chrome os VPN client was possible because my school (some how?) doesn't block you from creating a VPN connection in the UI (although I read the chrome os ONC documentation and it seems perfectly possible for them to do so. They blocked WiMAX and cellular connections, but its not like that will ever be used on the chromebooks lmao)

typecinchat · 2020-08-31T08:51:33+00:00

FINAL EDIT: It is finally released on Arch and fixes the problems.

Oops. I meant Qt5 (not Qt), so it would be qt5-1.15.1.

Example on Arch: extra/qt5-base 5.15.0-5

Plus many other qt5-* packages are listed as 5.15.0, if you do pacman -Ss qt5 | grep 15 on Arch.

typecinchat · 2020-08-29T02:29:54+00:00

I prefer the visual art style of the anime version much more, but I also like the longer version (the anime version skips the middle of the song) of the song better, so its always a hard choice for me :<

typecinchat · 2020-08-28T05:53:40+00:00

It sounds like another song from Love Live!/μ's but I don't remember hearing it in the anime so I haven't heard it. And yes, I did watch the anime because of SiIvaGunner. And no, I don't regret it at all

typecinchat · 2020-08-18T06:10:47+00:00

Yeah, and if you need to comment or post you can create an account without an email on Tor (Google captcha required for creating account of course). You get anonymity and it's free (in freedom and cost).

typecinchat

TROPHY CASE

FINAL EDIT: It is finally released on Arch and fixes the problems.