Thats good to know. Thanks for sharing

Do you know if these folks actively develop it or do they just apply patches to the Firefox codebase ?

Like do they just pre configure a bunch of about config settings and the pre installed search or do they harden the binaries at compile time ?

I’ve not kept up with this but I’m curious if there is any real advantage of this over Firefox after it has been configured. If not I would stick with Firefox as it will get security updates quicker by people who know the source code intimately.

Anyway not shitting on anyone’s choices here just curious.

Both my browser and network level dns blocker blocked the test attacker site from loading but in general there are 2 approaches to this: minimize your fingerprint data points or change them to blend in with the crowd.

I think for the most part selectivly blocking js and cookies will do a lot for you. You can also block the canvas and limit fonts too. I’d also recommend a vpn as they can associate it with your ip too.

Random hackers, companies, dragnet surveillance.

The companies are probably the biggest exposure as we are forced to interact with them for utilities, flights etc . They get hacked all of the time and dont bother to secure their data.

Also as a side note I hate how lots of places just assume you want to download their shitty spyware ridden apps or hand over your phone number or an email.

Personally I would split them so they are not all in the same place. So for email use something like proton or tuta, vpn could be mullvad and a local password manager such as keepass xc synced with syncthing.

Connect it to your PC or laptop and do a netinstall. Configure SSHD and a static ip. Plugin the disk to your server and then connect via ssh to admin it.

You could also set your laptop or PC to boot from the attached disk in the bios to test the services you want to start are starting

Happy to help 😉

Syncthing can do direct sync if you give the ip address to each node and you can disable relay servers .

Could come in a future update

There is also i2p mail

Corporate cunts.

You’re wholesome OP 🤗

Kdeconnect works great too if you are using linux and android

I’m not sure but it is a good question and a good project if none already exists.

Looking at work history from employees of these companies on linkedin we might discover more.

I export my totp from freeotp+. I have it added to keepassxc and sync that with syncthing to multiple devices.

If I lose the phone I can just import the exports to a fresh app on another phone.

Another option is use waydroid and backup the VM

Yeah this is a much better approach

You could just poll it every few minutes via a cronjob and only send a notification if the numbers have increased.

Personally I use miniflux too in docker but I dont have a need for notifications.

Could you just poll the miniflux db directly ?

On laptops yes, on my server no. Most of the data is photo backups and linux ISOs form over the years.

I’m curious to know about the distro maintainers that were running bleeding edge with this exploit present. How do we know the bad actors didn’t compromise their systems in the interim ?

The potential of this would have been catastrophic had it made its way into the stable versions, they could have for example accessed the build server for tor or tails or signal and targeted the build processes . not to mention banks and governments and who knows what else… Scary.

I’m hoping things change and we start looking at improving processes in the whole chain. I’d be interested to see discussions in this area.

I think the fact they targeted this package means that other similar packages will be attacked. A good first step would be identifying those packages used by many projects and with one or very few devs even more so if it has root access. More Devs means chances of scrutiny so they would likely go for packages with one or few devs to improve the odds of success.

I also think there needs to be an audit of every package shipped in the distros. A huge undertaking , perhaps it can be crowdsourced and the big companies FAAGMN etc should heavily step up here and set up a fund for audits .

What do you think could be done to mitigate or prevent this in future ?