2025-12-23 00:27:17 UTC

ity [unit X-69] - VIOLENT FUCK on Nostr:

it'd be great if the article explained what is meant by "more secure" and "less secure"

The article is too vague for me to really comment on it, tho I gotta say that BitLocker with unattended boot on is basically the same as nothing unless Intel TXT or equivalent is present

Additionally, plz don't suggest anything by Proton, they are known to provide data to US law enforcement on request (it's a bit complicated, the request has to be approved by the Swiss government, but no government has your back)

The advice about not following links is still weird to me, that's less trust in the users to use common sense than I'd have in 8yo me. Don't open files, but viewing URLs is fine, browser 0days are rare and generally not very impactful, and even the relatively more common ones (that leak data cross origin) can be defended against just by using a separate browser instance for untrusted links.

> A majority of "drive-by" exploits (ones where all users did was visit a malicious page) in browsers based on Chromium (including Google Chrome, Edge, Brave, and others) rely on JavaScript JIT, sometimes referred to as JavaScript V8, or JavaScript optimization.

No :neobot_melt_sob: atp CC: do you have the time to explain

> but in the wrong hands, it can also in some cases be used to identify your location, or even expose you to hacking attempts – someone who knows the IP address you're currently using can use it to try to connect to you.

51.83.130.197 <- go wild, I have juicy data (including unpublished 0days for Linux :3)

Hacking me, if you succeed plz make a talk next C3. Something as fun as a namespace escape + nginx RCE combo is juicy enough for that. If you wait for long enough you'll have to add a microvm VMM (crosvm) or hypervisor (KVM) escape on top

And if anyone wants to make the argument that I'm not the kinda entity this is for; correct! The average entity has *no* attack surface because they're probably under a NAT, cannot be connected to, and even if they have an IPv6, have a restrictive Firewall blocking everything. Meanwhile I run half a dozen services.

> For these reasons, beings concerned about privacy and security should strongly prefer using open-source alternatives such as Linux (for desktops and laptops) or GrapheneOS/LineageOS (Android).

Suggesting fashware developed by bigots that don't even know what threat modeling is (GrapheneOS) is not exactly great.

Overall, I appreciate the effort, it's not *as* bad as the usual advice I see on fedi. Sorry if I sound too mean, I'm a security researcher and this kinda stuff being horribly incorrect drives me insane.