Despite all the warnings not to install kali linux, I decided to install kali linux and I am now encountering an issue I would not face had I chosen to use a linux distro designed with normal desktop use in mind. Can anyone help me?

Actually, modern kali is a lot more usable than the older kali. Kali used to only have a root user, so chromium and electron apps wouldn’t start since they don’t run as root.

Despite this, nowadays I generally recommend new people away from kali, because I believe the process of installing the tools that kali provides on other distros is a valuable learning experience.

Kali is great for the professional, but but learners I prefer they get to experience the package manager or other aspects of system management.

UWP 💀

UWP is Microsoft’s “new” app format, it’s what the windows store and the xbox use.

It also isn’t compatable with wine, and my pet theory is that this was the entire point of it. Combined with Windows S mode, which doesn’t let you install apps other than from the windows store, the goal was to lock down the windows ecosystem by having apps that can’t be made to run on linux.

I remember seeing a compatability layer for UWP apps a while ago, and I am pleased to see that it has come this far. Great work!

Edit: wait this uses a windows VM. Still good though and lets people escape the windows ecosystem.

As simpler and easier to use alternatives, check out voidauth and kanidm.

Both have products with varying degrees of quality. Don’t follow companies around, follow specific named model lines instead.

I don’t really understand why this is a concern with docker. Are there any particular features you want from version 29 that version 26 doesn’t offer?

The entire point of docker is that it doesn’t really matter what version of docker you have, the containers can still run.

Debian’s version of docker receives security updates in a timely manner, which should be enough.

I recommend libvirt + virt-manager as an alternative to hyper v.

The cool thing about virt manager is you can do it over ssh.

You are adding a new repo, but you should know that the debian repos already contain docker (via docker.io) and docker-compose.

https://music.youtube.com/playlist?list=PLXW0UFGge4IU4SZE1rsCkKlVbmYgATN96

My curated playlist of entirely “nerdcore”, which is music inspired by (but not directly from), anime and video games.

I use authentik, which emables single sign on (the same account) between services.

Authentik is a bit complex and irritating at times, so I would recommend voidauth or kanidm as alternatives for most self hosters.

Except debian testing doesn’t receive security updates in a timely manner.

It’s designed exclusively for testing, not really for people to actually use it.

Would you use the cli?

One of the cool things I liked about calibre is that extensions worked via the cli interface as well, which made it easy to do batch workflows of operations on ebooks.

No, they added a beta vpn feature.

Does it require docker installed and being in the docker group, with the docker daemon running?

Just an FYI, having the ability to create containers and do other docker is equivalent to root: https://docs.docker.com/engine/security/#docker-daemon-attack-surface

It’s not really accurate to say that your playbooks don’t require root to run when they basically do.

I just installed Ciliium (another Kubernets CNI), and it also comes with a host based firewall, and an observability tool.

I didn’t have Hubble (observability tool enabled), but I previously didn’t have a firewall, and I finally decided to enable it, which caused my ceph deployment to fail. This will help me figure out where it is failing and what rules are needed to remediate it.

https://shulker.jeremylvln.fr/

Which uses: https://agones.dev/site/#td-block-1

But your question is somewhat vague.

Share your lsblk output. It’s likely that your system still leaves the bootloader unencrypted on the disk, even if the kernels and bootloader config are being encrypted (they aren’t encrypted by default on most installs).

It is theoretically possible to have only one partition that is luks encrypted, but this requires you to store the bootloader in the UEFI, and not all motherboards support this, so distros usually just install it to an unencrypted partition. The UEFI needs to be able to read an unencrypted bootloader from somewhere. That’s why it’s somewhat absurd to claim that the ESP can be encrypted, because it simply can’t.

From your link:

One difference is that the kernel and the initrd will be placed in the unencrypted ESP,

Project Zero

Project zero was entirely humans though, no GenAI. Project big sleep has been reliable so far, but there is no real reason for ffmpeg developers to value project big sleeps 6.0 CVE’s over potentially real more critical CVEs. The problem is that Google’s security team would still be breathing down the necks of these developers and demanding fixes for the vulns they submitted, which is kinda BS when they aren’t chipping in at all.

Anyway there’s a big difference between submitting concrete input data that causes an observable crash, and sending a pile of useless spew from a static analyzer and saying “here, have fun”

Nah, the actually fake bug reports also often have fake “test cases”. That’s what makes the LLM generated bug reports so difficult to deal with.

With a concrete bug report like “using codec xyz and input file f3 10 4d 26 f5 0a a1 7e cd 3a 41 6c 36 66 21 d8… ffmpeg crashes with an oob memory error”, it’s pretty simple to confirm that such a crash happens

Google’s big sleep was pretty good, it gave a python program that generated an invalid file. It looked plausible, and it was a real issue. The problem is that literally every other generative AI bug report also looks equally as plausible. As I mentioned before, curl is having a similar issue.

And here’s what the lead maintainer of curl has to say:

Stenberg said the amount of time it takes project maintainers to triage each AI-assisted vulnerability report made via HackerOne, only for them to be deemed invalid, is tantamount to a DDoS attack on the project.

So you can claim testing may be simple, but it looks like that isn’t the case. I would say one of the problems is that all these people are volunteers, so they probably have a very, very limited set of time to spend on these projects.

This was the first search hit about ffmpeg cve’s, from June 2024 so not about the current incident. It lists four CVE’s, three of them memory errors (buffer overflow, use-after-free), and one off-by-one error. The class of errors in the first three is supposedly completely eliminated by Rust.

FFMpeg is not just C code, but also large portions of handwritten, ultra optimized assembly code (per architecture, too…). You are free to rewrite it in rust if you so desire, but I stated it above and will state it again: ffmpeg made the tradeoff of performance for security. Rust currently isn’t as performant as optimized C code, and I highly doubt that even unsafe rust can beat hand optimized assembly — C can’t, anyways.

(Google and many big tech companies like ultra performant projects because performance equals power savings equals costs savings at scale. But this means weaker security when it comes to projects like ffmpeg…)

This is so sad, because rust is kinda the perfect example of a game where moderators or deputization could handle cheaters. Instead of a matchmaking system, you just join a server and play there. Why not ensure those servers have active moderators to ban cheaters?

I stopped gaming (for now?), but I’m still really fond of what happened with SCP secret labaratory, which had 20-40 player lobbies. There would almost always be a mod online, and I could get cheaters kicked instantly when by reporting them in the menu, then a mod would spectate them, and then they would get banned.

Rust seems to have more players per server (a quick search says some of the extra mega ultra large servers go up to 900 people), but it does have a distinct server model, with admins and mods.

EDIT: the other fun stuff of having active and actually good mods was when they ran fun events. Like I remember they set up a sharks and minnows type game mode instead of the regular stuff. Fun times.

AI tools were apparently used for locating the bugs but the reports were real and legit.

Yes, but the FFMPEG developers do not know this until after they triage all the bug reports they are getting swamped with. If Google really wants a fix for their 6.0 CVE immediately (because again, part of the problem here was google’s security team was breathing down the necks of the maintainers), then google can submit a fix. Until then, fffmpeg devs have to work on figuring out if any more criticial looking issues they receive, are actually critical.

It’s nuts to suggest continuing to ship something with known vulnerabilities without, at minimum,

Again, the problem is false positive vulnerabilities. “9.0 CVE’s” (that are potentially real) must be triaged before Google’s 6.0 CVE.

It would be great if Google could fix it, but ffmpeg is very hard to work in, not just because of the code organization but because of the very specialized knowledge needed to mess around inside a codec. It would be simpler and probably better for Google to contribute development funding since they depend on the software so heavily.

Except google does fix these issues and contribute funding. Summer of code, bug bounties, and other programs piloted by Google contribute both funding and fixes to these programs. We are mad because Google has paid for more critical issues in the past, but all of a sudden they are demanding free labor for medium severity security issues from swamped volunteers.

Being able to find bugs (say by fuzzing

Fuzzing is great! But Google’s Big Sleep project is GenAI based. Fuzzing is in the process, but the inputs and outputs are not significantly distinct from the other GenAI reports that ffmpeg receives.

Those approaches would be ridiculous bloat, the idea is just supply some kind of wrapper that runs the codec in a chrooted separate process communicating through pipes under ptrace control or however that’s done these days.

Chroot only works on Linux/Unix and requires root to use, making it not work in rootless environments. Every single sandboxing software comes with some form of tradeoff, and it’s not ffmpeg’s responsibilities to make those decisions for you or your organization.

Anyway, sandboxing on Linux is basically broken when it comes to high value targets like google. I don’t want to go into detail, but but I would recommend reading maidaden’s insecurities (I mentioned gvisor earlier because gvisor is google’s own solution to flaws in existing linux sandboxing solutions). Another problem is that ffmpeg people care about performance a lot more than security, probably. They made the tradeoff, and if you want to undo the tradeoff, it’s not really their job to make that decision for you. It’s not such a binary, but more like a sliding scale, and “secure enough for google” is not the same as “secure enough for average desktop user”.

I saw earlier you mentioned google keeping vulnerabilities secret, and using them against people or something like that, but it just doesn’t work that way lmao. Google is such a large and high value organization, that they essentially have to treat every employee as a potential threat, so “keeping vulns internal” doesn’t really work. Trying to keep a vulnerability internal will 100% result in it getting leaked and then used against them.It would be great if Google could fix it, but ffmpeg is very hard to work in, not just because of the code organization but because of the very specialized knowledge needed to mess around inside a codec. It would be simpler and probably better for Google to contribute development funding since they depend on the software so heavily.

It’s nuts to suggest continuing to ship something with known vulnerabilities without, at minimum, removing it from the default build and labelling it as having known issues. If you don’t have the resources to fix the bug that’s understandable, but own up to it and tell people to be careful with that module.

You have no fucking clue how modern software development and deployment works. Getting rid of all CVE’s is actually insanely hard, something that only orgs like Google can reasonably do, and even Google regularly falls short. The vast majority of organizations and institutions have given up on elimination of CVE’s from the products they use. “Don’t ship software with vulnerabilities” sounds good in a vacuum, but the reality is that most people simply settle for something secure enough for their risk level. I bet you if you go through any piece of software on your system right now you can find CVE’s in it.

You don’t need to outrun a hungry bear, you just need to outrun the person next to you Cybersecurity is about risk management, not risk elimination. You can’t afford risk elimination.