Comment by justsid
8 days ago
This is such a naive view on computer security. It’s not just about spyware, which is also not exclusive to commercial vendors.
8 days ago
This is such a naive view on computer security. It’s not just about spyware, which is also not exclusive to commercial vendors.
It's not, though. There simply wasn't enough malware to worry about. Why would I run a firewall when I was unlikely to ever encounter a malicious program?
I mean, supply chain attacks are a thing that could have happened even in the earlier days. Linux almost got backdoored in 2003.
Also with the number of remote code execution exploits that have occurred in Web browsers over the years it's hard to know for sure if what you installed hasn't been hijacked unless you spent all your time on gnu.org
Yes, but the probability of the average user getting pwned was so small that it wasn't worth the constant firewall babysitting.
What else is this about? Debian repositories still contain no malware and if you install software exclusively from them, you'll be safe.
Run OpenSnitch for a while and you'll quickly realize how much of your system does phone home. Off the top of my head:
- GNOME Shell (extension updates without a way to disable this, weather),
- GNOME Calculator (currency exchange rates),
- NetworkManager (periodic hotspot portal checks in most configurations),
- GDB (debuginfod enabled by default),
- Firefox (extension updates, push notifications, feature flags, telemetry, ..., some parts cannot be disabled),
- VSCodium (Open VSX callbacks even when installing extensions from disk with updates disabled, JSON schema auto-downloads, extensions making their own unsolicited requests, ...),
- Electron (dictionary updates from Google servers, no way of disabling; includes any application running on top of upstream Electron, such as Signal, Discord, etc.),
- GoldenDict (audio samples fetched from the Internet on word look-up, no way to disable)
Of course, this is nothing compared to Windows [0] and macOS [1], but the malpractice of making Internet connections without asking, by default, has unfortunately been finding its way everywhere since modems stopped making audible sounds.
Having read about PRISM and seen the leaked dashboards of Paragon Graphite (said to be used by ICE), and with LLMs bridging the gap between mass and targeted surveillance, I don't want any of this.
[0] https://github.com/microsoft/calculator/blob/ffd0519676019a0...
[1] https://sneak.berlin/20201112/your-computer-isnt-yours/
> GNOME Calculator (currency exchange rates),
Which would crash (technically hang) if you blocked it. [0]
[0] https://forums.debian.net/viewtopic.php?p=818264
Approximately 10-15 years ago I used an early Android app that synced contacts across multiple (local) accounts and deduplicated and merged them. It had Internet permission for some reason; on asking the developer why a dedicated contact management app would need to go online (in a time where I was using XPrivacy to prevent other apps from seeing my contacts), they said there was no real reason for it, and it was removed in an update two days later. This is the only time I've ever seen an app remove the ability to access the internet, and I really wish it was more common.
Of course, about 5-6(?) years ago Google removed it from both the play store and my devices (I allowed it because silly me assumed I could still get it again) because it requested a sensitive permission and didn't support runtime permissions.
Are these malware ?
3 replies →
People still care about these things on Debian. But as is said 20 years ago there was no need, because the default was to be sane.
Problem with updates is that without automatic ones, users could stay on outdated systems and possibly get hacked through some vulnerability(of which there are many). While on the other hand, having explicit confirmations for each network request would be crazy annoying.
Maybe some middleground of having the tool OP sent built-in would be a good option.
1 reply →
you could always run kwin_wayland and prevent all that phoning home...
Does it contain Firefox? How about Chrome?
Quote from LittleSnitch:
> Little Snitch for Linux is built for privacy, not security
What's your definion of malware in this context?
It contains Firefox and Chromium. You are right that they may call home, but at least it's very limited and easily configurable. Could be too much for you but fine with me. Also Debian does change their config by default to minimize privacy issues: https://news.ycombinator.com/item?id=32582260
3 replies →
Ads, trackers, general boost to privacy. Not every protection tool is just about malware.
Yeah I will also be safe if I never turn on the PC, but some of us use computers to do actual work.