Re: [gentoo-user] Firefox and VPN, plus security in general
On Sun, Jun 12, 2016 at 8:57 AM, Dale wrote:
> Howdy,
>
> I ran up on a video website that had some info on it. I found it interesting and was curious about what it said and another question I've been wondering about. It mentioned using a VPN so that the NSA, my ISP and others couldn't "see" what was going on. So, my first question, does that work and does it require the site on the other end to have it set up as well? Bonus question, is it easy to use on any site if it doesn't require the other end to use it? I'm thinking of using this for my banking/financial sites as well if it is a good idea.

Firstly I suggest you don't consider the NSA your adversary, because:

1. They're probably not interested in you.
2. If they are interested in you, just adding a VPN is not going to make much difference.

So let's just consider an employee at your ISP.

There's typically no need to use a VPN when accessing an HTTPS website, as the SSL/TLS already provides most of the privacy that a VPN would supply. The extra that the VPN gives you in this case is to hide which websites you're visiting. So the data is protected in both instances, but the VPN also hides the connection metadata. So if you use just SSL/TLS then your ISP can deduce which bank you have an account with. If you use the VPN as well, then they can't even tell that.

There are issues with SSL/TLS that could allow someone in the path between you and the bank to decrypt your traffic, and if they can do that they would be able to log into your account if the bank uses simple password/passphrase style auth. The two main SSL/TLS issues are:

1. Improperly issued certificates
2. Older/weaker crypto

The trust system around certificates can be summarised as "you trust any certificate as much as you trust the least trustworthy certificate authority in your trusted certificate store". Your browser ships with many CA certificates in its trusted certificate store. Any of these CAs can issue cryptographically valid certificates for any domain. So, if I manage to fool a CA that I am bigbank.com then I can buy a certificate to bigbank.com. Or, I can just find a staff member of a CA in a very poor country and offer them a big bag of sweet cash to have them issue the certificate for me. Certificate pinning reduces this exposure significantly, so use a browser that supports it like Chrome or Firefox.

Weak crypto? Turn off all SSL, TLS 1.0 and 1.1 in the browser, and disable RC4 crypto. That might block you out of some sites with weak crypto that you may still want to use. Assuming your bank has good crypto, use Chrome or Firefox with the weak crypto disabled for your banking, and another browser for everything else.

> This is something I've been wondering about and I've seen a few posts here that bump around the edges of this question. As most here know, I use Gentoo. It's an older install but I keep it up to date. I sit behind a DSL modem, an older Westell one, and a Linksys router, the old blue nosed one. Neither modem nor router has wireless stuff included. Is that hardware and my Gentoo install pretty secure for most hackers?

If one of those devices is PATing your IP, then that effectively blocks all inbound sessions, so it will prevent anyone on the internet scanning your system, and attempting inbound connections. This makes you much more secure. If there's no PAT, then you need to turn off all unneeded network services (use netstat to show what ports are open), and harden any services you leave on. For example, you could run sshd with only the stricter crypto enabled (this stops most bots as they haven't implemented those functions), and run fail2ban to lock out any IPs that are running password guessing attacks.

> In other words, since I don't keep the formula to run car/truck engines on water here, would this stop most since there is nothing worth stealing here? I'm not interested in a NSA based hardened install here, just reasonably secure.

Ok - ignore previous comment on NSA :)

> Basically, I'm just wanting to make sure I'm reasonably secure here.

With regular patching and the above, you should be in pretty good shape. Next step after that would probably be to look at gcc's stack protector. In gcc 4.9.0+ -fstack-protector-strong is enabled by default. And in the kernel .config set CONFIG_CC_STACKPROTECTOR_STRONG=y. Then after that take a look at hardened sources and PaX (still on my todo list).
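Two of the points in the reply above lend themselves to a small worked check: the "turn off SSL, TLS 1.0/1.1 and RC4" advice for the banking browser, and the "use netstat to show what ports are open" step for a machine that is not behind PAT. The script below is an added example written for this thread, not code from anyone on the list. It uses only the Python standard library: the first half builds a client-side TLS policy with the same restrictions the poster recommends for a browser (TLS 1.2 as the floor, no RC4 or MD5 suites) and reports what would still be offered; the second half parses `netstat -tlnp` style output and separates services bound to every interface from those bound only to loopback. The netstat text is a constructed sample, not taken from any real host, and the helper names are my own.

```python
import ssl

# ---- Part 1: TLS client policy matching the advice for the banking browser ----

def strict_tls_context() -> ssl.SSLContext:
    """Client context that only speaks TLS 1.2+ and never offers RC4 or MD5 suites."""
    ctx = ssl.create_default_context()            # verifies certificates and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSLv3, TLS 1.0 and TLS 1.1
    # OpenSSL cipher string: strong suites only, no anonymous DH, no RC4, no MD5 MACs
    ctx.set_ciphers("HIGH:!aNULL:!RC4:!MD5")
    return ctx


def offered_cipher_names(ctx: ssl.SSLContext) -> list:
    """Suite names this context would offer in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def policy_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the floor is TLS 1.2 and no RC4/MD5 suite survives the cipher string."""
    names = offered_cipher_names(ctx)
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and len(names) > 0
            and not any("RC4" in n or "MD5" in n for n in names))


# ---- Part 2: listening-socket audit over netstat -tlnp output ----

# Constructed sample of `netstat -tlnp` output (hypothetical host, made up for this example).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      954/cupsd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      600/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1023/master
"""

WILDCARD_ADDRS = {"0.0.0.0", "::"}   # bound on every interface, so reachable from the network


def parse_listeners(text: str) -> list:
    """Return (proto, bind_addr, port, program) for each LISTEN row in netstat output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue                                   # header line or non-listening socket
        addr, port = fields[3].rsplit(":", 1)          # IPv6 looks like ':::22', so split on the last colon
        pid_prog = fields[6]
        program = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog
        rows.append((fields[0], addr, int(port), program))
    return rows


def exposed_services(text: str) -> set:
    """(port, program) pairs listening on all interfaces: only PAT or a firewall keeps these private."""
    return {(port, prog) for _, addr, port, prog in parse_listeners(text) if addr in WILDCARD_ADDRS}


def loopback_only_services(text: str) -> set:
    """(port, program) pairs bound to a specific (here loopback) address only."""
    return {(port, prog) for _, addr, port, prog in parse_listeners(text) if addr not in WILDCARD_ADDRS}


if __name__ == "__main__":
    ctx = strict_tls_context()
    print("TLS floor:", ctx.minimum_version.name, "| strict:", policy_is_strict(ctx))
    print("Suites still offered:", len(offered_cipher_names(ctx)))
    print("Exposed to the network:", sorted(exposed_services(SAMPLE_NETSTAT)))
    print("Loopback only:         ", sorted(loopback_only_services(SAMPLE_NETSTAT)))
```

On a real system, feed `parse_listeners` the output of `netstat -tlnp` (or `ss -tlnp`, whose column layout differs and would need its own parser); anything in the exposed set that you do not intend to serve to the internet is a candidate for stopping, binding to 127.0.0.1, or filtering, and the rest is what the reply means by "harden any services you leave on".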
[gentoo-user] Re: Recommend a simple video editor?
On 2016-06-14, Deven Lahoti wrote:
> kdenlive is apparently usable, though I haven't tried it

I was sort of hoping that Shotcut would work, since it was specifically recommended by the MLT developer as the best way to use melt. That was going to be my last resort, since I didn't really want to install KDE stuff. Openshot and Shotcut both required Qt, but not KDE. Flowblade would probably be next on my list to try, since it's Gtk based and wouldn't pull in the 30-40 packages that a Qt app does (or Dog-only-knows how many for a KDE app).

--
Grant Edwards               grant.b.edwards at gmail.com
Yow! In 1962, you could buy a pair of SHARKSKIN SLACKS, with a "Continental Belt," for $10.99!!
Re: [gentoo-user] Re: Recommend a simple video editor?
kdenlive is apparently usable, though I haven't tried it
[gentoo-user] Re: Recommend a simple video editor?
On 2016-06-14, Grant Edwards wrote:
> The git version of MLT installed fine, but shotcut failed to compile:
>
>   cd src/ && ( test -e Makefile || /usr/lib64/qt5/bin/qmake /var/tmp/portage/media-video/shotcut-/work/shotcut-/src/src.pro 'PREFIX={D}/usr/' -o Makefile ) && make -f Makefile
>   Project ERROR: Unknown module(s) in QT: websockets
>   Makefile:95: recipe for target 'sub-src-make_first' failed
>
> I could probably figure out what's wrong and fix it, but...

The shotcut ebuild above is missing dependencies on qtwebsockets and jack-audio-connection-kit. Once I added those, it built cleanly. It doesn't _work_, but it builds. When I run it it just displays a small black rectangle in the middle of the display and then locks up.

I must say I'm pretty unimpressed with the state of GUI video editors on Linux (or at least on Gentoo). There are probably three or four more I could try, but I think I'll stick with the command-line rather than waste any more time on trying to build and use half-finished apps.

--
Grant Edwards               grant.b.edwards at gmail.com
Yow! I'm using my X-RAY VISION to obtain a rare glimpse of the INNER WORKINGS of this POTATO!!
[gentoo-user] Re: Recommend a simple video editor?
On 2016-06-11, Grant Edwards wrote:
> I've got a handful of mp4 video clips (a minute or two each). All I want to do is
>
> 1) Concatenate them with fade-in at beginning of each clip and fade-out at the end of each clip.
>
> 2) Superimpose a title at the beginning for a few seconds.
>
> Can anybody recommend a simple video editor?
>
> So far I've tried Openshot and Cinelerra and neither is usable even for my trivial task.

[...]

> I may try Cinelerra 2014, but I'm not optimistic -- Cinelerra is known for its slow rate of change.

I tried the 2014 (~amd64) version of Cinelerra, and it still doesn't recognize the AAC audio in the MP4 files my Moto G phone produces.

I also tried the downloaded binary of Shotcut, but it requires old versions of libraries and wouldn't run. So, I tried building it using the shotcut- ebuild and the mlt- ebuild from

  https://gpo.zugaina.org/media-video/shotcut
  https://gpo.zugaina.org/media-libs/mlt

The git version of MLT installed fine, but shotcut failed to compile:

  cd src/ && ( test -e Makefile || /usr/lib64/qt5/bin/qmake /var/tmp/portage/media-video/shotcut-/work/shotcut-/src/src.pro 'PREFIX={D}/usr/' -o Makefile ) && make -f Makefile
  Project ERROR: Unknown module(s) in QT: websockets
  Makefile:95: recipe for target 'sub-src-make_first' failed

I could probably figure out what's wrong and fix it, but...

Meanwhile, I was experimenting with the "melt" command-line video editor that's included in the MLT library.

  https://mltframework.org/twiki/bin/view/MLT/MltMelt
  https://www.youtube.com/playlist?list=PLcUid3OP_4OWC-GJ6KfHK7dIK_yRKKn0e

It's pretty cool, if somewhat cryptic. The documentation is a little scarce, and what exists is somewhat hidden from Google by the use of a common English word as the program name. But, the developer was kind enough to offer a couple hints on the mailing list, and it did a great job.

Using the x264 codec it produced an output file that was 1/3 the size of that produced by Openshot and the improvement in video quality over Openshot was Yuge(tm)! I cranked up the x264 bitrate some (filesize is now a little over half of that produced by Openshot), and the video quality is great -- it's indiscernible from the input files which are almost twice as large.

The interesting thing is that Openshot and melt both use the same MLT backend, so Openshot _should_ be able to generate the exact same output -- assuming it exposes all the required codec selections and settings.

--
Grant Edwards               grant.b.edwards at gmail.com
Yow! I have a TINY BOWL in my HEAD
[gentoo-user] Re: Change from udev to eudev?
J. Roeleveld antarean.org> writes:

> On Monday, June 13, 2016 02:10:27 PM James wrote:
>> wabe gmail.com> writes:
>> Still, if you manage 1000 linux workstations, then systemd does have its merits.
>
> Serious question: What makes systemd more suitable to manage 1000 linux workstations when compared to, for instance, OpenRC?
>
> Joost

Seriously? (note:: awkward position for me to defend systemd)

Because RHEL says so? Why else would they promote systemd?

Because it's what bloggers say that make systemd the Kool_aid of choice these days?

Because really, I was just being polite and trying very hard to say something nice about systemd?

Because Jim Morrison told me systemd is the way to nirvana, in a 60s laden pipe dream?

Because, if you are not promoting systemd, you are just not Quool?

Because, resistance, defined as the counterflow to Systemd flux, is futile? Reflectance is defined as the summation of your futile resistance area, under the curve. The endpoint being when you finally adopted (integrated) systemd into your hopes and dreams?

Because cross-dressing the linux systems you manage, with different, custom scripts, is so 2010. We all need to wear the emperor's new clothes, to be hip, just like lennertd?

Because the NSA is funding systemd, and those that do not cooperate, will be barred from all GSA and large corporate contracts?

Because Big, Corporate management believes that systemd will enable them to replace seasoned linux admins with mindless drones from the labor pool? (Note::Management is always the first to 'drink the Kool_aide' from other large, corporate vendors)? You do not want to know what else they do, after guzzling the kool_aide.

Because, I think we all know that I'm no whiz at systemd, actually far from it; in fact I'll be a very late adopter (perhaps post mortem as they inject me with embedded linux micro-nomes on my way to an oceanic burial)?

So, one of the common arguments you hear is that Systemd can standardize management across different linux distros. In fact many promote systemd based on a standardization track, as a really good idea. So in a large installation, it provides the inter-intra-system discipline thereby reducing the tendency of admins to create fiefdoms (via unique scripts) within the different machines that different admins manage (vs traditional divide and conquer strategies).

Perhaps a workshop or conference is a good idea, should you want the latest, expert advice on systemd [1]; just pay attention to the "no smoking signs" posted near the kool_aid punch-bowl.

(liar liar, hair on fiar) -- da doors, resurrection tour.

[1] http://0pointer.net/blog/

it's been great fun defending systemd!

James
Re: [gentoo-user] How to try custom-optimization in firefox
On Tue, 14 Jun 2016 18:39:54 +1000 Adam Carter wrote:
>> You missed another flag: USE="custom-cflags". You should really read USE flag descriptions (/usr/portage/use.{,local.}desc):
>>
>>   custom-cflags - Build with user-specified CFLAGS (unsupported)
>>   www-client/firefox:custom-optimization - Fine-tune custom compiler optimizations (-Os, -O0, -O1, -O2, -O3)
>>
>> So custom-optimization will only get -O[0123s] option from your CFLAGS,
>
> That's all I want. However, the -O2 was still filtered even though I have custom-optimization on.

Yes, -O* are removed from CFLAGS, because firefox uses special .mozconfig option for -O* flags:

  mozconfig_annotate "Gentoo's default optimization" --enable-optimize=-O2

emerge --info is not accurate here, as it can't handle non-trivial stuff like mozconfig. Actually -O2 is default and if you want only this option, you may do nothing, since it is enabled by default.

If you have any further doubts, please provide a full build.log (compress it or place somewhere outside of the list and provide a link). Though you should see -O2 yourself there:

  == Building firefox-47.0 with the following configuration
  --enable-application=browser    mozilla.org default
  --enable-optimize=-O2           Gentoo's default optimization

as well as in gcc commands below.

Best regards,
Andrew Savchenko
Re: [gentoo-user] How to try custom-optimization in firefox
> You missed another flag: USE="custom-cflags". You should really read USE flag descriptions (/usr/portage/use.{,local.}desc):
>
>   custom-cflags - Build with user-specified CFLAGS (unsupported)
>   www-client/firefox:custom-optimization - Fine-tune custom compiler optimizations (-Os, -O0, -O1, -O2, -O3)
>
> So custom-optimization will only get -O[0123s] option from your CFLAGS,

That's all I want. However, the -O2 was still filtered even though I have custom-optimization on.

emerge --info output:

  = Package Settings =
  www-client/firefox-47.0::gentoo was built with the following:
  USE="*custom-optimization* dbus gmp-autoupdate gtk2 hwaccel jemalloc3 jit pulseaudio -bindist -custom-cflags -debug -hardened (-neon) (-pgo) (-selinux) -startup-notification (-system-cairo) -system-harfbuzz -system-icu -system-jpeg -system-libevent -system-libvpx -system-sqlite -test -wifi"
  ABI_X86="64"
  LINGUAS="-ach -af -an -ar -as -ast -az -be -bg -bn_BD -bn_IN -br -bs -ca -cs -cy -da -de -el -en_GB -en_ZA -eo -es_AR -es_CL -es_ES -es_MX -et -eu -fa -fi -fr -fy_NL -ga_IE -gd -gl -gu_IN -he -hi_IN -hr -hsb -hu -hy_AM -id -is -it -ja -kk -km -kn -ko -lt -lv -mai -mk -ml -mr -ms -nb_NO -nl -nn_NO -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv_SE -ta -te -th -tr -uk -uz -vi -xh -zh_CN -zh_TW"
  CFLAGS=*"-march=amdfam10 -pipe"*
  CXXFLAGS="-march=amdfam10 -pipe"
  LDFLAGS="-Wl,-O1 -Wl,--as-needed -march=amdfam10 -pipe -Wl,-rpath=/usr/lib64/firefox"