You're right. That was my dyslexia interfering, and trying to do different things at the same time. That caused me to miss the encrypted part.but how would you circumvent the password/key to access encrypted data?
You're right. That was my dyslexia interfering, and trying to do different things at the same time. That caused me to miss the encrypted part.but how would you circumvent the password/key to access encrypted data?
Let me say two things: “open source” and “peer review”.There are 400-500 people with source commit bit (the list is in the Developers handbook). How do you know that none of them was ever approached by a government agency, offering money for a backdoor?
Much of this stuff related to security is a matter of trust. E.g.There are 400-500 people with source commit bit (the list is in the Developers handbook). How do you know that none of them was ever approached by a government agency, offering money for a backdoor?
freebsd-update IDS
: who checks the keys visually to prevent a man-in-the-middle attack? Who uses a verified checking tool from authorized media (else the keys can look ok but the tool is compromized)? I can only trust that the relevant parts of the source code are beeing conscientiously peer-reviewed and do what they're documented to do. And then, still there will be bugs. Remember the OpenSSL fiasko of Debian & derived distros.AD/HD doesn't make things better either.Man, dyslexia, freudian associations to BDSM, what comes next?
I've got ideas for that one.That won't prevent anyone from circumventing them if they have local access to the machine.
#General
kern.randompid=1
security.bsd.see_other_uids=0 #Unprivileged processes may not see subjects/objects with different real uid
security.bsd.see_other_gids=0 #Unprivileged processes may not see subjects/objects with different real gid
security.bsd.see_jail_proc=0 #Unprivileged processes may not see subjects/objects with different jail ids
security.bsd.unprivileged_read_msgbuf=0 #Unprivileged processes may not read the kernel message buffer
security.bsd.unprivileged_proc_debug=0 #Unprivileged processes may use process debugging facilities
security.bsd.hardlink_check_gid=1 #Unprivileged processes cannot create hard links to files owned by other groups
security.bsd.hardlink_check_uid=1 #Unprivileged processes cannot create hard links to files owned by other users
security.jail.sysvipc_allowed=0
security.bsd.stack_guard_page=1 #1
#Ip
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1
net.inet.sctp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.icmp.drop_redirect=1
net.inet.tcp.icmp_may_rst=0
net.inet.ip.maxfragpackets=0
net.inet.ip.maxfragsperpacket=0
net.inet.ip.check_interface=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.tcp.cc.algorithm=cubic
net.inet.tcp.icmp_may_rst=0
#Adres map randomization
kern.elf32.aslr.pie_enable=1
kern.elf32.aslr.enable=1
kern.elf64.aslr.pie_enable=1
kern.elf64.aslr.enable=1
#Firefox bug
kern.elf64.aslr.stack_gap=0
kern.elf32.aslr.stack_gap=0
I'm actually a teenager that loves unix and is more than average with computer exploits. I plan to read the FreeBSD handbook soon but right now i'm trying to improve my spagetti coding . I was giving a example of what I will have to run into perhaps if I were to deal with the wrong person. My goal is to make a operating system based on FreeBSD (Plan on mixing other kernels together) for a private device that will give strong anonymity, a retarded ammount of security that could break the system. But alot of the reasons I don't want to use pkg when doing things is that I wan't to write all the programs myself for satisfaction and the way it connects to the internet is going to be weird. I have already started programming it. It will have a custom computer based on a raspberry pi zero (Maybe with AMD64 instead) with a hardware firewall that will go into the computer using a microcontroller. And other stuff. I'm creating new ideas as I go and I am crazy about privacy, security and more. Also like elazar said "Governement Backdoors", as far as I am aware because I watched a conference about alot of Snowden document and have a 2gb copy of the files. I have studied all of that stuff. And I know that nothing is hack proof, but the goal is to make it hard to traverse and if they disable things like a firewall they can't because the system will detect any file changes and shutdown quickly and also the hardware firewall can't listen to the pc. Only send data to the pc. Sorry for making this long I try to make my text small and remove things I don't need..As long you keep on posting unencryted, that's perfectly ok... Man, dyslexia, freudian associations to BDSM, what comes next?
Much of this stuff related to security is a matter of trust. E.g.freebsd-update IDS
: who checks the keys visually to prevent a man-in-the-middle attack? Who uses a verified checking tool from authorized media (else the keys can look ok but the tool is compromized)? I can only trust that the relevant parts of the source code are beeing conscientiously peer-reviewed and do what they're documented to do. And then, still there will be bugs. Remember the OpenSSL fiasko of Debian & derived distros.
If you have my laptop, which I secured up to the max, you can simply pull out the battery & CMOS battery, wait an hour or night, and then reset the BIOS, e.g. search the internet for how to disable many parts of the ME & break a stolen machine. S/t such procedure is even neccessary when you bought a refurbished system. Older laptops have a hole to stick in a small nail to reset the BIOS. But that wouldn't be it: just take out the HDD/SSD... I'm not aware of how to make some machine specific token part of the key, so that the non-volatile storage does only work w/ a specific machine.I've got ideas for that one.
I am decent with understand networking. But I could have sworn there was a way to use a proxy in the url like 127.0.0.1:8080/google.com or something. But I couldn't find anything like it. If I can do that then I can probably add proxifying to the system rn. As the custom programs all run under the same process for the most part. And it will use os command injection to take some commands away from the machine.For you self written IDS FreeBSD has the filemon(4) kernel module, to enhance your online privacy & anonymity see this thread.
By putting it on it's own filesystem. Like /tmp in fstab(5):In fact "/usr/local" could be a read-only mount except at the moments you do "pkg upgrade".
But you can shoot yourself in the foot by complexity. I don't know a good way to do this
I also don't know how you can have "/" a read-only mount but "/var/tmp" a read-write mount.
none /tmp tmpfs rw,size=8G,nosuid,noexec,mode=1777,gid=0,uid=0 0 0
That won't work, my program is designed to detect if there's a intrusion by monitoring change dates of files, their contents and size in bytes. So that if they are edited (it will check when the tui starts/boots, it will quickly say what it found and shut down. Then I can reset it.Or maybe create a read-only environment?
There are some hints on this here:
#options COMPAT_FREEBSD4 # Compatible with FreeBSD4
#options COMPAT_FREEBSD5 # Compatible with FreeBSD5
#options COMPAT_FREEBSD6 # Compatible with FreeBSD6
#options COMPAT_FREEBSD7 # Compatible with FreeBSD7
#options COMPAT_FREEBSD9 # Compatible with FreeBSD9
The real question is what the OPs goals are.An individual would be much better off starting with Plan 9.
You would be best to buy a beaglebone black, grab minix for arm and hack away.I'm actually a teenager that loves unix and is more than average with computer exploits. I plan to read the FreeBSD handbook soon but right now i'm trying to improve my spagetti coding . I was giving a example of what I will have to run into perhaps if I were to deal with the wrong person. My goal is to make a operating system based on FreeBSD (Plan on mixing other kernels together) for a private device that will give strong anonymity, a retarded ammount of security that could break the system. But alot of the reasons I don't want to use pkg when doing things is that I wan't to write all the programs myself for satisfaction and the way it connects to the internet is going to be weird. I have already started programming it. It will have a custom computer based on a raspberry pi zero (Maybe with AMD64 instead) with a hardware firewall that will go into the computer using a microcontroller. And other stuff. I'm creating new ideas as I go and I am crazy about privacy, security and more. Also like elazar said "Governement Backdoors", as far as I am aware because I watched a conference about alot of Snowden document and have a 2gb copy of the files. I have studied all of that stuff. And I know that nothing is hack proof, but the goal is to make it hard to traverse and if they disable things like a firewall they can't because the system will detect any file changes and shutdown quickly and also the hardware firewall can't listen to the pc. Only send data to the pc. Sorry for making this long I try to make my text small and remove things I don't need..
The /var file system should always be separate from the root file system (/), except maybe for very small (embedded) machines like NanoBSD. Making the root file system read-only is not really much of a problem, you only have to keep in mind that you won’t be able to make changes to files in /etc (you’ll have to enter single-user mode for that).In fact "/usr/local" could be a read-only mount except at the moments you do "pkg upgrade".
But you can shoot yourself in the foot by complexity. I don't know a good way to do this
I also don't know how you can have "/" a read-only mount but "/var/tmp" a read-write mount.
That would surprise me. Note that theQuestion on the kernel.
Let's say i remove each of these one by one in my kernel config.
I would not surprise me if compat_freebsd4 has non solved security problems due to it's ancienty.
COMPAT_FREEBSD*
options just implement systemcalls compatible with older versions of FreeBSD. That does not mean this is ancient code. When a problem with a systemcall is discovered – no matter if it’s a compatibility systemcall or a regular one – the problem is fixed promptly, of course.Well, as I mentioned above, those options enable legacy systemcalls used by older binaries. Note that you will also need to install the appropriateHow far can i go before I run into serious problems ? [ I did not found any info ]
compat*x
port/package that provides libraries and other files needed by such older binaries. One doesn’t work without the other (except maybe statically compiled binaries that don’t require libraries).COMPAT_FREEBSD*
kernel options nor the accompanying compat*x
package.COMPAT_FREEBSD*
option in your kernel is also very valuable when upgrading to a new major version of FreeBSD. That way your installed ports / packages continue to work, and you can upgrade (reinstall) them without pressure. Also, when something goes wrong during the update and your machine ends up with a new kernel but with old userland binaries, you might be in trouble if you don’t have the compatibility option in your kernel.This does not mean there's ancient source code, but only the old interface to system calls. E.g. the order & type of parameters, name of variables & functions, etc.Thanks.
Question on the kernel.
Let's say i remove each of these one by one in my kernel config.
I would not surprise me if compat_freebsd4 has non solved security problems due to it's ancienty.
How far can i go before I run into serious problems ? [ I did not found any info ]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options COMPAT_FREEBSD7 # Compatible with FreeBSD7
options COMPAT_FREEBSD9 # Compatible with FreeBSD9
options COMPAT_FREEBSD10 # Compatible with FreeBSD10
options COMPAT_FREEBSD11 # Compatible with FreeBSD11
Yes, in particular, a lot of systemcalls have grown larger arguments, for example device numbers where changed from 16bit to 32bit, block counts (of files) where changed from 32bit to 64bit, and so on. That’s why the stat(2) systemcall has gone through several versions during FreeBSD’s evolution. The old compatibility syscalls of stat(2) basically just copy theThis does not mean there's ancient source code, but only the interface to system calls. E.g. the order of parameters, name of variables & functions, etc.
struct stat
and change the width of its elements as appropriate, the call the “real” (current) implementation of stat(2).