enrique's view

[enrique]

Please do not read pass the 1rst 3 lines.
It is a waist of your time.
You been warned.

This is a thread to clarify enriques's view of the world. This is totally personal info. This forum do not agree with the view of enrique.

I constantly use the subjects: THEM and THEY it is same thing. So who is THEM?
Quick answer is: NOT YOU
See in the world population. There is YOU and the rest is THEM.

THEM I guess it depends on the topic. Can be 1 person, a group, a goverment or goverments. Yes is an easy way to finger point, but without naming who.

Simple example is Android.
You go and pay $1000's on the best phone, YOU claim is yours and only yours. Now that is because you did not read the fine prints. If you do then you can read: that YOU are not the owner. You are license to use it under the legal terms(Rules). You can used it provided you used it as the Rules said. Time: Until the Rules said. The Rules always reserve the right to change the Rules as the may fit better. So the Rules reads that your device will received constant upgrades to meet new Rules. And the Rules always reserve the right to eliminate current privileges.

Now if YOU are honest with your self and with at least 2 fingers of forehead, at this time you have figure out that you own nothing. You are not the true owner of that phone. You are the User and only been allow to use it.

Now who is THEM.
Well in this sample as I said before: NOT YOU.
Now in this case we can quickly know it is not neither your neighbors, the homeless on the street, any of your family members nor the Judge or Mayor of your Town. We can in fact eliminate most of your patriot country men.

In this sample I could bet we could include: Your Phone Provider, Your Phone Manufacture. But always the CPU manufacturer reserve its own right, so we need to include him. In android there is always Google. And depending on the Color that you see the word you may include Government Agency in particular those related to Surveillance and Intelligence. I know there are people that see the wold in lovely Pink. So if you are one of them ignore last sentence.


Regards Google.
Googles is every where. But if you did have those 2 fingers I mention, you had realize that Googles is in any situation it can gather/collect Data(Info) from users. Google knows where you are at all the time. Yes we are stupid enough to never forget our phones. Googles always listen. Funny, yes it listen to all near wifi signal and map all routers to your current location. So even with no GPS it knows where you are by inspecting what routers you are closed to. Googles have all your data. Yes you gave google consent to upload all your personal data, you enable sync on all devices you have. And you even intentionally store your DATA in their clouds. Little by little all email providers has been force to closed since 911. The ones that resist where bought by Google. 99% of all of you used anyway gmail. Let me stop here as I can go on and on.

Point is, an organization who's only purpose is to do surveillance is ___________? You can use the best world you can have. I call it what they are, an none affiliated & unnamed US Intelligence agency. Just go to wiki and search for surveillance, mass surveillance, espionage, etc.


Cloudflare
Where do you think Google has invest....
So servers where been install out of US reach. What a problem?
Not anymore... Their best service was anti-DDOS attack. So THEY attack that server day and night. Yes THEY in this case is hackers. And our Hero Cloudflare came to the rescue, providing 100% FREE service for FREE DDOS attack. Now ALL, Legal, None Legal and in between hide behind Cloudflare protection. Again if you have 2 fingers you know that now Intelligence agency do not have to go to a 3rd word hidden server. As all the illegal data pass thru their servers. No it is not Illegal as all this servers volunteer in to signing for that service.

For those of you that did not follow my advice not to read any further that the 3rd line. Just go and watch a movie and try to forget what I did wrote. Sorry for disturbing you.

To moderators. I answer here apart so that you can dispose of this tread as you please. But constantly I am ask who are them or they. If you allow this thread I will not have to answer on those main important topics. Look at this as a Joke, as I bet you have laughs a little.

[enrique]

VPN - Virtual private network

https://en.wikipedia.org/wiki/Virtual_private_network

extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

And this is what was intended to be used. Notice that the server is PRIVATE and was usually your your job or company. The secrete keys used to encrypt are in the server. You security is as good as those keys been private.

*** PLEASE notice there is no Public Server between the users/clients and the Network where the clients intent to connect.
It does not have to be work place, you can build you own at home.

Proxy_server
https://en.wikipedia.org/wiki/Proxy_server

In computer networking, a proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources.[1] A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.

***Here we can see a Public Server(Proxy-server). Notice that what THEM offers to you is in reality a Proxy. It is NOT a VPN,


About Security of VPN
Simple answer: Do you see your Bank or financial institution using VPN?
VPN the way you intent it to use offer NO Security. There is still a MAN In The Middle. It is the Servers itself.

Now, VPN are good to STOP secondaries man in the middle. Yes you can use a Public Hotspot and more or less feel a little better secure. But you will never have to forget that at the server there are people that can see your data in the clear. And this include all connection from the server forward to internet. All connection pass of the server is in the clear.

The proposed WireGuard VPN kernel module will NOT improve security while connected to a Public server. Instead WireGuard will become a Risk itself, as data can be Tunneled tru some one else server without the knowledge of the user!! And do not forget that security keys are in the server. So all data collected at the server is in the clear.

*All picture here are from wiki, in fact the knowledge comes from wiki.

[enrique]

I am opposed of adding to the kernel anything that do not belong there, more if it can be manipulated and become a Risk. In this case a so called VPN module. It just happens that it been said that such a module with a name of WireGuard will show soon in our kernels.

I am not opposed on any true FREE service on any kind. I welcome all. Wao this include Claudflare and Google services. No doubt about.

"If you want to bash Cloudflare", No It is not my real intention. Now it happens that what I say seem that. If anyone see a comment that I say that is not true I am happy to delete and amend it. I metaphoric called then wolf. As in waiting for an easy pray to capture. Again this is what all are doing with this new thing(service). Waiting for new clients to fill their wallets.

"Wiregard ... Only 1% of the code needed (compared to OpenVPN), and uses best and newest crypto schemes"

Lets take it by parts.

I know there are many commercial Performance test out there. Ones are just advertisement that only purpose if for you to press in the Download Link (Connect Link). Yes the Wolf thing. Then there are the Bloggers that only repeats what they read.

I doubt that an new and more complex code has the foot print of 1% of the previous. But I will take that word. But what this means? 10MB, 100MB. Security is not about 100MB of code. What importance have that?

"best and newest crypto schemes" This new thing can have Code from the Future or from "Shield / Avangers" as in the Movies. So what. Their million bit unbreakable crypto means nothing. The keys are originating from a PUBLIC server making the security as good as any less complex man in the middle scheme. They have the keys they have the data in the clear. They = Free PUBLIC Server/Service.

If latest crypto is needed. We can take any Open source project and add any crypto we like. Or delete all the not needed stuff to make it smaller. That is why sources are Open. But to my knowledge except for Governments, no single hacker or group can crack AES scheme. Yes practically unbreakable.

I give you an example of what is correct. See this post written by tommy from Italy.

Softether VPN client compiled for 32bit Puppies

I do not promote Softether, this is as good as any other OpenSource project. But tommy does like. Now the importance here is that tommy is creating a REAL VPN. NO PUBLIC Server is used. He owns and control the server and its Security Keys. tommy does have a Virtual Private Network.

[enrique]

Any one can post here. Hopefully we can show our point without a fight.

The porpoise of this thread is to allow moderators to delete 1 single thread instead of cleaning 10 or 100 of thread.

I am not opposed or against the goodness of any so called Open Source project, or true free services, this include Googles services or wireguard. All are welcome by me.

I am against a force inclusion of a VPN module in the Kernel. A risk that the module can be use to re-route or tunnel data without the knowledge of the user.

Data transmission security

About CRIME and BEAST attack
I am no expert on security, so I can be REALLY WRONG. But to my knowledge all this chit chat where trigger by the so called CRIME and BEAST attack. People in a REAL VPN setup, there is no CRIME and BEAST attack. The vpn clients connect for the most part only to the Private server.

No if we use a public proxy server to connect to the WWW that is another story, Yes that one, your advertise VPN service.

About Security.
Sorry but the outside community seem to believe ALL Puppy derivatives are insecure for default. Understandably, we download an OS build by unknown, downloaded from some servers that may do not have a security protocol in place. And we add packages with same quality assurance problems. That is a reality for that Outside Community. This have been discus here in the forum many times. Not necessary as crude as I have written.

Now I do recognize those comments, but a 100% Puppy user I personally think that the constant never ending update system use on those so called Secured OS as as bad as having no updates. Who is tracking this unlimited updates? In minutes a malicious update can install, do its crime, and then clean it self with the next update just in hours if not minutes.

OOOHHH, hold the horses. The Static OS (frugal install + the Optional puppy save mechanism) provides me the security level I can not find in a constant update security model. Not to mention that I can recover my FULL OS+DATA in minutes not days or 10ths of hours.

Conclusion:
What,s make Data transmission security more important than Puppy security it self.

I did a quick search and if needed I can find upgrades in openvpn server. See https://github.com/angristan

He propose an install server method for wireguard

Code: Select all

https://github.com/angristan/wireguard-install

But he also propose on for openvpn with all your AES GCM new encryption.

Code: Select all

https://github.com/angristan/openvpn-install

Interesting openvpn forks and starts are 10 times more than wireguard.

So here you guys have it, a server VPN installation of wireguard. To improve you security to the level you expect, now you can install your own and used it the correct way. NO Public Server.

Clearly this will not satisfy many as they in fact are not looking for a VPN, but a Free Public Proxy Server to hide their real location. This same people will refuse to admit that all the security chi chat make no sense as they are introducing a man in the middle them self, that have all the keys and the data transmission in the clear.

Final thoughts, I do use this Public Proxy Servers, yes they may be useful, in our attempt to TRY to hide who we are. This may partially works as our fingerprints in HTTPS in fact exposed who we really are.

[enrique]

I am back at my corner, where I can be confident that I will not be high-jacking any thread. But Feel free to post you thought as this is the Idea, to exchange thew way we all think different.

This time I am back here because I am concern. I see Puppy been used as the foundation of a company needs. That is ok. But then I read:

...the company will update all our laptops, within the end of the year, to Windows 10 with no legacy MBR.
Only UEFI...

Quick response: Be ware, this is trouble in the making.

Let me go back. There are a bunch of GOOD people in this forum. Many of then are already giving their best advise to you. I am happy for you. This are the type of Positive people that always see the Glass Half Full. Now there are a few ones like me that do not see this world to this Pink Glass that make everything looks beautiful. As result we see stuff others do not see, On the bad side same people judge us as we then see the Glass Half Empty.


You can not base the future of a Company on Puppy if the company intent to purchase "Windows 10 with no legacy MBR". Which for me means "secure boot ONLY"

You only need a Real or Fake crisis for Mcrosoft to Enforce Full Secure Boot. Just one Hacker to develop a hack that put Security of Win10 on the balance for a Day or a few Days. Giving Microsoft the excuse to Fully implements Secure Boot as it is intended. At that point ONLY Microsoft Certified Developers will be the only approved to Boot on MS/WIN10 Certified Devices. I can assure that NO One in the Puppy Development arena will be granted a MS Certification for a valid UEFI Key. This mean if I am correct that Puppy will not be able to continue use Ubuntu/Fedora ( or where ever people got their keys files) keys to boot on those devices. Or more simple Puppy will not boot.

I hope you see my point as I seem to be alone on my point. Time will tell. Good luck my friend.

Edit:
I am not telling you to for get about Puppy. Puppy is your Best choice.

What is wrong is base all this on "Windows 10 with no legacy MBR" devices.

[greengeek]

You only need a Real or Fake crisis for Mcrosoft to Enforce Full Secure Boot. .... Giving Microsoft the excuse to Fully implements Secure Boot as it is intended. At that point ONLY Microsoft Certified Developers will be the only approved to Boot on MS/WIN10 Certified Devices. I can assure that NO One in the Puppy Development arena will be granted a MS Certification for a valid UEFI Key.

I guess the day must come where it is not possible to buy hardware that runs Linux.

I have been thinking about buying 100 Raspberry Pi computers (or similar...) and keeping them in a cupboard in case one day the only hardware we can buy must run Microsoft, Apple, or Google.

That day could happen any time.

[Moose On The Loose]

[...]
I have been thinking about buying 100 Raspberry Pi computers (or similar...) and keeping them in a cupboard in case one day the only hardware we can buy must run Microsoft, Apple, or Google.

That day could happen any time.

On the other hand, ARM and RISC-V processors are getting more and more powerful. Already today one of those can do most of what people need done.

I think a bigger danger is that somehow a move will happen (in the name of security) that disallows any machine not running a certified OS from getting on the internet. We already have many ISPs blocking SMTP actions by user machines forcing everyone to have a web based "email system" instead of a real email system.

For those with skill in doing things with electronics, making your own processor board is within reach. It is the general public that is at the greatest risk.

The internet becoming like cable TV is sort of to be expected. When newpapers started lots of people printed them. Over time the ownership concentrated into the hands of the few. The same happened to radio and TV. The US may have the worst situation with this for the internet. There are only a few major ISP providers and they are now free to favor their packets over someone else's. The power to favor one is really the power to block the other. At some point they can make it so that no new streaming service competitor can start up in the US.

Because at this point all the radio spectrum from 8KHz to 60GHz has been allocated to someone, a new communications method using RF is unlikely. Nobody is going to let you start stringing wires across the nation and the cost of that is too high. In the US, the postal service appears to be going away. This leaves meeting in the public square as the way people can talk to each other. Oooops there's a bunch of morons with guns rioting there.

[enrique]

I hope not to confuse all, as I always do. I did not say Dooms or Judgment Day has come. I know we all can still buy this semi hackable Win10 Certified PC. And yes Puppy still survive.

What I try to say is that with every day that pass MS/WIN10 had manage to force the PC industry to accept their new Secure Boot design. And If is I am correct MS/WIN10 will only need a bad day where Win10 gets compromised for them to Unilaterally imposed a FULL Lock Bootloader by activating full enforcement of secure boot.

In conclusion we all need to be cautious of what this new PC hardware changes could do. Pretending to show that you had master UEFI and have it hack today is a false expectation. Without your very own MS/Verison UEFI CA authorized developer signing kit you are just wearing Pampers full of s..... As your false safe hack will not prevent you from any future fully implemented CMOS Lock bootloader situation if it arrives.

Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.The OEM can use instructions from the firmware manufacturer to create Secure boot keys and to store them in the PC firmware.

Code: Select all

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process

Here another interesting testimony. Seems old but give you the Idea of what MS will do not to allow you to have your own keys.

Code: Select all

https://blog.hansenpartnership.com/adventures-in-microsoft-uefi-signing/

Regards pi, arm RISC-V.
RISC-V that I know RISC-V is just a goal, not a real alternative.

Clearly for servers all this Pineapple, Raspberry are options.
Now I been keeping an eye on Chrome development in this forum as PC hardware alternatives.

[greengeek]

There are only a few major ISP providers and they are now free to favor their packets over someone else's. The power to favor one is really the power to block the other.

During the lockdowns I have been watching with interest as people flocked to "Zoom" for their communication - and it stunned me how perfectly well the technology synched multiple audio and video streams with no apparent delay.

I came to the conclusion that the big software players like Google and Microsoft etc must have priority over the internet. How else can their software overcome the normal internet delays and variable packet delivery times that all other software encounters?

Betcha Puppy PSIP phone doesn't run as seamlessly as Zoom...

[ras]

I think a bigger danger is that somehow a move will happen (in the name of security) that disallows any machine not running a certified OS from getting on the internet.

To make machine certification truly effective, the implementation would also have to include a personal authenticator (possibly RFID?) to prevent someone from using a different machine.

[enrique]

ras
Is or not true UEFI requires an extra partition and space. It is or not true that Microsoft do have extra partitions too. So would you expect that the extra CA - Certification Authority information/Update could be place as a backup on those partitions. Please notice that true Authorized Developers are just a handful?

I have no Idea what is schedule to happen. Or how it will be implemented. All we know is the SAME C&P ALL bloggers do of the same old information that was posted back for Windows 8 about 7 years ago. The rest have been kept secret by MS Windows.

In any case we have Android as example. For the most part all new devices have bootloaders block. They do their thing and you do not notice it.


greengeek
Internet Throttling was approved by USA over a year ago. Europe follow.

Now that I know zoom is a Chinese Development. In fact up to March or April ALL communications where routed tru China. All until It was inquired. This is the reason why USA Department of State submitted an advice.

[Computer semi-expert]

I am back at my corner, where I can be confident that I will not be high-jacking any thread. But Feel free to post you thought as this is the Idea, to exchange thew way we all think different.

This time I am back here because I am concern. I see Puppy been used as the foundation of a company needs. That is ok. But then I read:

...the company will update all our laptops, within the end of the year, to Windows 10 with no legacy MBR.
Only UEFI...

Quick response: Be ware, this is trouble in the making.

Let me go back. There are a bunch of GOOD people in this forum. Many of then are already giving their best advise to you. I am happy for you. This are the type of Positive people that always see the Glass Half Full. Now there are a few ones like me that do not see this world to this Pink Glass that make everything looks beautiful. As result we see stuff others do not see, On the bad side same people judge us as we then see the Glass Half Empty.


You can not base the future of a Company on Puppy if the company intent to purchase "Windows 10 with no legacy MBR". Which for me means "secure boot ONLY"

You only need a Real or Fake crisis for Mcrosoft to Enforce Full Secure Boot. Just one Hacker to develop a hack that put Security of Win10 on the balance for a Day or a few Days. Giving Microsoft the excuse to Fully implements Secure Boot as it is intended. At that point ONLY Microsoft Certified Developers will be the only approved to Boot on MS/WIN10 Certified Devices. I can assure that NO One in the Puppy Development arena will be granted a MS Certification for a valid UEFI Key. This mean if I am correct that Puppy will not be able to continue use Ubuntu/Fedora ( or where ever people got their keys files) keys to boot on those devices. Or more simple Puppy will not boot.

I hope you see my point as I seem to be alone on my point. Time will tell. Good luck my friend.

Edit:
I am not telling you to for get about Puppy. Puppy is your Best choice.

What is wrong is base all this on "Windows 10 with no legacy MBR" devices.

BUT! Lenovo has announced that they will partner with Fedora to make Linux-friendly Thinkpads. (see https://fedoramagazine.org/coming-soon- ... o-laptops/) Presumably, if Fedora runs well on these laptops, other distros will run well on the laptops as well.

[enrique]

Yes you are correct. All can not be darkness.

When God shuts a door, He always opens a window

I am hopping that when times arrives, we will have some Official Linux escape hatches. Sadly Puppy on mainstream is considered insecure. So can easily be seen Puppy will have hard time with probability close to ~= 0% to be granted it own signing keys. And you can easily see that the current false Security Key system that allow Puppy users now to use Other UEFI signed files will not be available in the future. You can always argue that Puppy is in fact Ubuntu or Debian etc. So we should be allow to use their signed files. Time will tell.

We already have seen smart ideas. There is some info on microcode and coreboot. And there are like Open Source alternatives to UEFI popping up: LinuxBoot, tianocore, libreboot, etc.

[Mike Walsh]

Christ, you guys really are some "doom & gloom" merchants. Why do you always have to look on the BLACK side of everything, all the time...? Hm?

Ah, don't mind me. Whatever 'floats your boat', I guess.....


Mike.

[Computer semi-expert]

Christ, you guys really are some "doom & gloom" merchants. Why do you always have to look on the BLACK side of everything, all the time...? Hm?

Is the news about Lenovo and Fedora "doom and gloom"?

[wiak]

Even if all new machines had their bootloadrers locked, most current billions of machines do not, so that won't be a problem. Technically TCP/IP protocols could be altered or even just DNS such that ISPs could block requests from any comma not providing some special authentication or other. But Linux users are a relatively small community so seems hardly worth the cost of implementing such measures, which per usual could no doubt be hacked anyway. But never say never, there could become commercial reasons such as pay per packet... However, why bother with conjecture - that may never happen. Enjoy what we have since we have it.

wiak

[enrique]

I did started just as an attempt to informed UncleScrooge that planing his Puppy project upgrade for his Company, base on "no legacy MBR. Only UEFI... " laptops, was a BAD Idea on my viewpoint. That was my original mesage.


6 moth ago NOT a single soul in planet earth could imagine the lockdown of whole countries, even less the lockdown of the whole planet. Here we are.

Had you seen or seen any post regards Laptops on Black Screen or with just a blink cursor? I bet you seen it. I had even one of my PC burned its CPU on this. Yes Burned as in dead.

There are links on the net that suggest that some CMOS base on UEFI are rejecting the certifications of the drivers it contain. We are talking about UEFI firmware drivers, UEFI BLOBS or even microcode. Do not confuse it with the kernel drivers. As result the device that uses such rejected driver gets disable in that PC.

So yes doomsday is far away. But we can start smelling it. BOOOOoooooo.....

[enrique]

One more time back at my corner. Why? So that we do not contaminate other important threads. And a easy way for a moderator to delete all at once, just in case we break any rules.

This time I have to rise my concern on Intel Microcode and the kernel capability to update it.

Lets start with my concern. Intel Microcode is in fact a black box. One thing is the blablabla that they claim it does. Another one may be what it really doing. The people at wikipedia had not been able to agree on what to write about it. But my main concern is that It should never be allow to be part of the kernel and as result to be allow to be update on the fly. This is dangerous, they had given the tool to a hacker to be able to damage hardware. In fact just as a contradiction Intel reason is to correct a possible hack to destroy the CPU. But then they are opening the door for more hacks on the fly!!! I just do not understand this.

Now computer science "Microcode" have a few different meanings. Than can go as to disagree on the first computer. I personally adopted "Microcode=firmware". But be aware that what you know today as Firmware is not what it used to be. Today Linux Firmware is used as the part of the code that can be updated.

Now Intel gave a different meaning to "Microcode". This comes after their embarrass of Pentium. Yes the only CPU that can give different results to same computation.

As result Intel change the concept of CPU. Before a CPU was ALL or ONLY HARDWARE. But an Intel CPU today have hardware + "Microcode". Is the "Microcode" the one in charge of translating a Number ( OP Code ) in to a series of hardware sections. This sometime is called mapping.

Point is that changing "Microcode" can result in changing what the opcode does. I give you a fake example to help you understand. A very bad hacker can take the ADD instruction and change its function to SUBTRACT. Or as it had been insinuated to short circuit until CPU Burns!!!

Now In the past you where required to use a SPECIAL software to load the FIRMWARE of the PC. And this BIOS FIRMWARE in turns did update Intel "Microcode". See hackers had no access to insert their corrupted "Microcode" in the CPU. The hackers had to be physically in front of the PC and posses access to your PC to do the complicated procedure.

Not anymore. Thanks to the Kernel guys now we have this risk of an atack to the CPU as soon as the kernel start. Yes in real time Linux fashion.....

Now Intel are posting updates every 15 to 30 days like if your life depends on it. When in the past almost NO ONE had to update the Bios Firmware of the PC.

And we have people here that are building Kernels with the "Microcode" enabled like if this is the last coke in the desert. In my opinion this should not be enable. But that is me with my paranoid mind.