This is a good answer.
To add, for Linux kernels, the maintainer use a shim EFI package with the distro’s keys (e.g., Canonical’s keys for Ubuntu) which loads the maintainer-signed kernel. And Microsoft signs the shim to keep the chain intact.
I don’t deal with hardware much anymore, but I’d take Aruba over Cisco any day. But for everything else, yeah fuck HP.
I’m Ron Burgundy?
Yep that’s how I have Syncthing set up. All global and local discovery disabled, no firewall ports open on the clients, no broadcasting, no relay servers. Just syncing through a central server which maintains versioning and where the backups run. Works like a charm.
As another poster mentioned, QubesOS with anti evil maid will work, but that’s the defense against state actors too and is overkill for this threat model.
BitLocker or any FDE using SecureBoot and PCR 7 will be sufficient for this (with Linux you also need PCRs 8+9 to protect against grub and initramfs attacks). Even if they can replace something in the boot chain with something trusted, it’ll change PCR 7 and you’d be prompted to unlock with a recovery key (don’t blindly enter it without verifying the boot chain and knowing why you’re being prompted).
With Secure Boot alone, the malicious bootloader would still need to be trusted (something like BlackLotus).
Also make sure you have a strong BIOS password and disable boot from USB, PXE, and anything else that isn’t the specific EFI bootloader used by your OS(es).
And what about taking a nice drive down Jean Baptiste Pointe du Sable Lake Shore Drive?
Not that it’s my first recommendation for security reasons, and I would never do this in prod, but you can just add the self-signed cert to the local trusted root CA store and it should work fine. No reg changes needed.
If you do this, put it in the store of the user running the client, not LocalMachine. Then you just need to make sure you connect as something in the cert’s SAN list. An IP might work (don’t know since I never try to put IPs in the SAN list), but just use a hosts entry if you can’t modify local DNS.
Edit: after reading the full OP post (sorry), I don’t think it’s necessarily the self-signed cert. If the browser is connecting with https:// and presenting a basic auth prompt, then https is working. It almost sounds like there is a 301/302 redirect back to http after login. Check the Network tab of the browser’s dev pane (F12) to see what is going on.
Microsoft uses TPM PCRs 7+11 for BitLocker which is more secure than the Linux implementations mentioned in the article.
PCR 7 is the Secure Boot measurement which means it can’t be unlocked unless every signed boot component has not been tampered with up to the point of unlock by the EFI bootloader. PCR 11 is simply flipped from a 0 to a 1 by the bootloader to protect the keys from being extracted in user land from an already booted system.
The article is correct that most Linux implementations blindly following these kinds of “guides” are not secure. Without additional PCRs, specifically 8 and 9 measuring the grub commands (no single-user bypass) and initrd (which is usually on an unencrypted partition), it is trivial to bypass. But the downside of using these additional PCRs is that you need to manually unlock with a LUKS2 password and reseal the keys in TPM whenever the kernel and or initrd updates.
Of course to be really secure, you want to require a PIN in addition to TPM to unlock the disk under any OS. But Microsoft’s TPM-only implementation is fairly secure with only a few advanced vulnerabilities such as LogoFAIL and cold boot attacks.
most of those drinks are specifically designed with the ice in mind
Citation Needed
I use it for providing a text summary of YouTube videos that I can parse quickly. Because everything has to be a gorram video these days.
Linux on enterprise user endpoints is an insane proposition for most organizations.
You clearly have no experience managing thousands of endpoints securely.
An SSO-like payment system with tracking and revocation is a great idea and would be amazing for us consumers. I’m just not holding my breath waiting for the corpos to implement it.
While nowhere near perfect (far from it, really), as long as the sites you are shopping on are PCI-compliant (most should be), you don’t have to worry too much about a compromised site leaking your payment details for use elsewhere.
Basically just use a password manager and don’t worry about saving credit card (NOT debit card) details in the site as long as they aren’t extra-sketchy.
Same here. Sometimes the same/next day shipping can help in an emergency, but otherwise it’s local if possible, or direct from the vendor if not.
Amazon’s shipping has declined and everyone else’s has caught up to the point it’s not much of a difference anymore.
Looks like they found someone.
I agree with the first part but vehemently disagree with the third paragraph.
I suspect it varies wildly based on where you live, but in Chicago there absolutely ARE places with waitstaff worth getting a burger from.
I’d be careful about completely trusting any AV to give you any certainty that you aren’t infected.
As I mentioned in another comment, Pegasus is comprised of many different exploits. So just because Bitdefender can detect some older Pegasus variants, doesn’t mean it can detect all of them.
In fact it’s quite unlikely they can detect the latest variants.
I don’t know the full answer, but Pegasus isn’t one single piece of spyware, but rather a toolkit of many, many zero-day exploits.
A lot of them (the majority maybe?) are non-persistent meaning that they don’t survive a reboot.
That said, aside from keeping your phone up to date with security patches and rebooting frequently, I’m not sure there’s much the average person can do if you’re actively being targeted.
Holy shit, I remember being excited for 2.4 because of iptables. That was over twenty years ago.
I was one of those people. I still maintain hope, but the fear of what the algorithms will do outweighs that hope some days.
The thinking was that people’s core opinions are formed while they are young. They are mostly inherited from your family and society around you, so that information bubbles are formed early that are hard to break out of.
I thought that if people were exposed to multiple cultures and ideas from a young age through the Internet, they would understand them better – not just as foreign concepts told to them through a thick lens of bias from their parents and teachers.
However, I failed to predict the opposite powers. First were the echo chambers that formed, strengthening the deepest dark sides of humanity that, before, were kept locked away in basements lacking anyone with whom to discuss and provide validity. Then the corpos and MBAs figured out they could psychology game us all with algorithms. They didn’t necessarily know at first that the negative content would be the best for driving engagement; but they didn’t care either.
So right now I think the bad is outweighing the good. But I don’t think it has to stay this way forever.
I heavily use both and this is objectively untrue.