You're right. That was my dyslexia interfering, and trying to do different things at the same time. That caused me to miss the encrypted part.
You're right. That was my dyslexia interfering, and trying to do different things at the same time. That caused me to miss the encrypted part.
Let me say two things: “open source” and “peer review”.
Much of this stuff related to security is a matter of trust. E.g.
freebsd-update IDS: who checks the keys visually to prevent a man-in-the-middle attack? Who uses a verified checking tool from authorized media (else the keys can look ok but the tool is compromized)? I can only trust that the relevant parts of the source code are beeing conscientiously peer-reviewed and do what they're documented to do. And then, still there will be bugs. Remember the OpenSSL fiasko of Debian & derived distros.
AD/HD doesn't make things better either.
I've got ideas for that one.
#General
kern.randompid=1
security.bsd.see_other_uids=0 #Unprivileged processes may not see subjects/objects with different real uid
security.bsd.see_other_gids=0 #Unprivileged processes may not see subjects/objects with different real gid
security.bsd.see_jail_proc=0 #Unprivileged processes may not see subjects/objects with different jail ids
security.bsd.unprivileged_read_msgbuf=0 #Unprivileged processes may not read the kernel message buffer
security.bsd.unprivileged_proc_debug=0 #Unprivileged processes may use process debugging facilities
security.bsd.hardlink_check_gid=1 #Unprivileged processes cannot create hard links to files owned by other groups
security.bsd.hardlink_check_uid=1 #Unprivileged processes cannot create hard links to files owned by other users
security.jail.sysvipc_allowed=0
security.bsd.stack_guard_page=1 #1
#Ip
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1
net.inet.sctp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.icmp.drop_redirect=1
net.inet.tcp.icmp_may_rst=0
net.inet.ip.maxfragpackets=0
net.inet.ip.maxfragsperpacket=0
net.inet.ip.check_interface=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.tcp.cc.algorithm=cubic
net.inet.tcp.icmp_may_rst=0
#Adres map randomization
kern.elf32.aslr.pie_enable=1
kern.elf32.aslr.enable=1
kern.elf64.aslr.pie_enable=1
kern.elf64.aslr.enable=1
#Firefox bug
kern.elf64.aslr.stack_gap=0
kern.elf32.aslr.stack_gap=0I'm actually a teenager that loves unix and is more than average with computer exploits. I plan to read the FreeBSD handbook soon but right now i'm trying to improve my spagetti coding
. I was giving a example of what I will have to run into perhaps if I were to deal with the wrong person. My goal is to make a operating system based on FreeBSD (Plan on mixing other kernels together) for a private device that will give strong anonymity, a retarded ammount of security that could break the system. But alot of the reasons I don't want to use pkg when doing things is that I wan't to write all the programs myself for satisfaction and the way it connects to the internet is going to be weird. I have already started programming it. It will have a custom computer based on a raspberry pi zero (Maybe with AMD64 instead) with a hardware firewall that will go into the computer using a microcontroller. And other stuff. I'm creating new ideas as I go and I am crazy about privacy, security and more. Also like elazar said "Governement Backdoors", as far as I am aware because I watched a conference about alot of Snowden document and have a 2gb copy of the files. I have studied all of that stuff. And I know that nothing is hack proof, but the goal is to make it hard to traverse and if they disable things like a firewall they can't because the system will detect any file changes and shutdown quickly and also the hardware firewall can't listen to the pc. Only send data to the pc. Sorry for making this long I try to make my text small and remove things I don't need..If you have my laptop, which I secured up to the max, you can simply pull out the battery & CMOS battery, wait an hour or night, and then reset the BIOS, e.g. search the internet for how to disable many parts of the ME & break a stolen machine. S/t such procedure is even neccessary when you bought a refurbished system. Older laptops have a hole to stick in a small nail to reset the BIOS. But that wouldn't be it: just take out the HDD/SSD... I'm not aware of how to make some machine specific token part of the key, so that the non-volatile storage does only work w/ a specific machine.
I am decent with understand networking. But I could have sworn there was a way to use a proxy in the url like 127.0.0.1:8080/google.com or something. But I couldn't find anything like it. If I can do that then I can probably add proxifying to the system rn. As the custom programs all run under the same process for the most part. And it will use os command injection to take some commands away from the machine.
By putting it on it's own filesystem. Like /tmp in fstab(5):
none /tmp tmpfs rw,size=8G,nosuid,noexec,mode=1777,gid=0,uid=0 0 0That won't work, my program is designed to detect if there's a intrusion by monitoring change dates of files, their contents and size in bytes. So that if they are edited (it will check when the tui starts/boots, it will quickly say what it found and shut down. Then I can reset it.Or maybe create a read-only environment?
There are some hints on this here:
#options COMPAT_FREEBSD4 # Compatible with FreeBSD4
#options COMPAT_FREEBSD5 # Compatible with FreeBSD5
#options COMPAT_FREEBSD6 # Compatible with FreeBSD6
#options COMPAT_FREEBSD7 # Compatible with FreeBSD7
#options COMPAT_FREEBSD9 # Compatible with FreeBSD9The real question is what the OPs goals are.
You would be best to buy a beaglebone black, grab minix for arm and hack away.I'm actually a teenager that loves unix and is more than average with computer exploits. I plan to read the FreeBSD handbook soon but right now i'm trying to improve my spagetti coding
The /var file system should always be separate from the root file system (/), except maybe for very small (embedded) machines like NanoBSD. Making the root file system read-only is not really much of a problem, you only have to keep in mind that you won’t be able to make changes to files in /etc (you’ll have to enter single-user mode for that).
That would surprise me. Note that the
COMPAT_FREEBSD* options just implement systemcalls compatible with older versions of FreeBSD. That does not mean this is ancient code. When a problem with a systemcall is discovered – no matter if it’s a compatibility systemcall or a regular one – the problem is fixed promptly, of course.Well, as I mentioned above, those options enable legacy systemcalls used by older binaries. Note that you will also need to install the appropriate
compat*x port/package that provides libraries and other files needed by such older binaries. One doesn’t work without the other (except maybe statically compiled binaries that don’t require libraries).COMPAT_FREEBSD* kernel options nor the accompanying compat*x package.COMPAT_FREEBSD* option in your kernel is also very valuable when upgrading to a new major version of FreeBSD. That way your installed ports / packages continue to work, and you can upgrade (reinstall) them without pressure. Also, when something goes wrong during the update and your machine ends up with a new kernel but with old userland binaries, you might be in trouble if you don’t have the compatibility option in your kernel.This does not mean there's ancient source code, but only the old interface to system calls. E.g. the order & type of parameters, name of variables & functions, etc.
Yes, in particular, a lot of systemcalls have grown larger arguments, for example device numbers where changed from 16bit to 32bit, block counts (of files) where changed from 32bit to 64bit, and so on. That’s why the stat(2) systemcall has gone through several versions during FreeBSD’s evolution. The old compatibility syscalls of stat(2) basically just copy the
struct stat and change the width of its elements as appropriate, the call the “real” (current) implementation of stat(2).