Sometimes I wonder if Vanguard is actually a government pet project for practice blocking and executing malicious pci devices.
You take one of those pci dma cheat cards, put a modem in them, and you've broken secure boot. And nation states have done such a thing to compromise laptops or other devices after getting physical access to them for a bit.
They do it though. People all of a sudden are motivated and able to enable bitlocker and secure boot and update their bios when they need it to play le funni video game.
https://www.riotgames.com/en/news/vanguard-security-update-motherboard
I am so deeply annoyed that
Vanguard demands this level of control over user systems
Vanguard seems to be the only entity handling a threat vector most people simply ignore. I suspect not even crowdstrike and the like could handle malicious pci devices. Well, vanguard can't either, it's just a cat and mouse game. But they are definitely trying in an area where most seem to have given up, but it's absurd that it's a fucking game anticheat that's doing this.
Debian repos are basically guaranteed safe: https://programming.dev/comment/22863237
Flathub is much, much safer than say, the google play store, but it ultimately does follow a model of app developers submitting packages which get reviewed and approved. In theory, someone could sneak malware past that, although there haven't been any incidents (perhaps flathub's review is very effective?). But the snap store, which follows a similar model has had malware. But canonical hasn't been the best steward of that one.
In addition to this, not all stuff on flathub is open source, which is definitely concerning.
Thankfully, flatpak has a built in sandboxing system, which lets you limit what the appps have access to. KDE has a UI for it, and there is also the GUI app flatseal.
malicious code does occasionally sneak into Debian distributed apps
Do you have an example of this? The xz utils backdoor did not make it into debian stable, only unstable.
Debian stable essentially forks every package, maintaining a custom codebase. They then cherry pick security updates only (ignoring feature updates or minor bugfixes), and applying those. This makes it extraordinarily resilient to any form of supply chain attack.
Flatpak's show up in discover, and aren't by the distro. Usually it's flathub.
Journalists communicating with sources in censored regions
Whistleblowers sharing information securely
You and your peer agree on an encryption key (any string).
This is unacceptably unsecure for the usecases you mention. There is a reason why the most secure messaging apps don't use symetric encryption, don't use passphrases, and they also possess forward secrecy.
It's pointless to push this as a censhorship circumvention method when many other methods exist that already do so 10x better, in a secure way, over decentralized, hidden and unblockable infrastructure. (Tor's meek-azure bridges use microsoft's infrastructure, which nobody is able to block because everybody depends on it, even China).
I appreciate the project, and I am always happy to see people learning, progressing, and publishing their results, but you need to be honest about the weaknesses of your software compared to established solutions. It's not impossible for you to one day produce a secure messaging app, but today is not the day. Right now, using this is just a fast way to get killed.
It looks like they are using prepared statements, which prevent sql injection:
Also try wireguard over port 53. Often (udp) traffic to port 53 is unblocked because it's needed for DNS.
What is special about this setup is that it can sometimes get around captive portal wifi.
If you use kde, you can search for "profile manager", and it will show up, and can be launched from the app menu.
At least works for me. Before this was added, the KDE search/app menu also lets you run commands directly, so I would just run firefox -p in there. No need for a terminal.
Sample with fibonacci:
I don't hate on any language's syntax tbh, but the tooling for nix is absolutely miserable compared to similar.
People hate on yaml a lot, but I can start typing and then press tab and it completes a whole template for whatever k8s objecy I am trying to make. Having to copy from my other project's shell.nix/whatever into the new one feels miserable in comparison.