Joe Rogan Experience #1368 - Edward Snowden

https://invidio.us/watch?v=efs3QRr8LWw

Edit: the forum is having trouble embedding the video.

Invidious link: https://invidio.us/watch?v=efs3QRr8LWw

YouTube link: https://www.youtube.com/watch?v=efs3QRr8LWw

2 Likes

“No video with supported format and MIME type found”

Looking at the HTML of the web page, the URL embedded in the page is different from the URL that you have given in your post. Copying both URLs out and trying them in a separate tab confirms that the explicit URL works and the embedded URL gives an error (video unavailable).

I have no idea whether that is something that you have done or something that the forum is doing (wrong).

1 Like

The content of my post was literally

`https://invidio.us/watch?v=efs3QRr8LWw`

https://invidio.us/watch?v=efs3QRr8LWw

Edit: I edited the original post to contain links rather than an embed.

1 Like

Snowden talked about an app that watches all connections which each app makes, and then gives the possibility to block that connection or app from talking.
I would love to see this on the Librem.

It’s around the 2:37 mark

2 Likes

Yep, 100%. I don’t know how hard / possible it is, but this would be a huge benefit to the privacy and security community, and this project as a whole :slight_smile:

Quis custodiet ipsos custodes?

2 Likes

Had to look up that phrase. I like it!
Was thinking of a system app, built into PurismOS and FOSS.
Then it’s about trusting one app vs trusting 20.

Well, besides the security concerns of such an app, supposedly nullified if it is FOSS based, I’d just be worried about the overhead of such an app. Something running on top of everything, needing to poll all the time. I just think it would be much better to just be aware of the software you are using, and the connections it needs.

That being said, I would look into using an app like this if it existed. I just think it is a band-aid for the real problem.

1 Like

Why? `netstat -tunp` gives all connections and associated processes; it suffices to add a simple GUI to convert a netstat entry to an iptables entry, by either src/dst or pid.
I was thinking once of making such an app, but always resorted to manual processing as I don’t do it frequently.

5 Likes

You totally should, and then submit it for inclusion as part of default PureOS :heart: :wink:

2 Likes

I second that. Even though it’s less of an issue on the PC, it would be really nice to have a GUI on the phone.

1 Like

nice one but too important to conceal in such a way …

2 Likes

Isn’t the most natural way to implement restrictions on a *nix system by limiting user permissions? To that end, requiring applications to run as a system user & group named for the application, plus a generic application group as a generic way to apply default permissions. That should make it easier to have a generic UI for managing access restrictions; I think most of that is already done. Network restrictions would need to be added, but you can restrict network access via iptables by user, which is far easier to implement than by pid when factoring in system reboots. This has the added benefit of limiting filesystem access by default too. It also makes monitoring a bit easier to automate.

This would pose the problem of implementing and enforcing a standard across the OSS community and getting all the package maintainers on-board. But, it would likely be easier on system resources than say going with some kind of a container system.
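As an added example (not code from either poster), here is a sketch of the netstat-to-iptables conversion proposed earlier, emitting a rule keyed on the destination and a rule keyed on the owning application’s uid as suggested in the post above. The connection lines and the pid-to-uid map are constructed so it runs offline; it assumes IPv4 numeric `netstat -tunp` output.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns `netstat -tunp` style lines into
# iptables OUTPUT rules, either keyed on the destination ("by src/dst") or on the
# uid that owns the socket ("restrict by user"); the uid rule survives reboots and
# pid reuse, and the owner match only applies to locally generated (OUTPUT) packets.
# Sample lines and the pid->uid map are constructed so this runs offline; on a real
# host feed it `netstat -tunp` output and look uids up with `stat -c %u /proc/<pid>`.

SAMPLE='tcp        0      0 192.168.1.10:43210      93.184.216.34:443       ESTABLISHED 2312/firefox
tcp        0      0 192.168.1.10:51000      203.0.113.7:80          ESTABLISHED 4100/telemetryd
udp        0      0 192.168.1.10:5353       224.0.0.251:5353        ESTABLISHED 901/avahi-daemon'

# Constructed stand-in for `stat -c %u /proc/$1`: one system user per application.
uid_of_pid() {
    case "$1" in
        2312) echo 1000 ;;   # firefox runs as the interactive user
        4100) echo 1002 ;;   # telemetryd has its own application user
        901)  echo 105 ;;    # avahi-daemon's system user
        *)    return 1 ;;    # unknown pid: caller skips the rule
    esac
}

# Rule that blocks everyone on this host from the line's remote host:port.
# Field 5 is the foreign address; the port follows the last colon.
rule_by_dst() {
    printf '%s\n' "$1" | awk '{
        n = split($5, a, ":"); port = a[n];
        host = substr($5, 1, length($5) - length(port) - 1);
        printf "iptables -A OUTPUT -p %s -d %s --dport %s -j DROP\n", $1, host, port
    }'
}

# Rule that blocks the owning application (by uid) from all outbound traffic.
# The last field is PID/Program; only the pid part is needed.
rule_by_owner() {
    pid=$(printf '%s\n' "$1" | awk '{ split($NF, p, "/"); print p[1] }')
    uid=$(uid_of_pid "$pid") || return 1
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j DROP"
}

# Walk every connection line and print both kinds of rule.
generate_rules() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        rule_by_dst "$line"
        rule_by_owner "$line" || true
    done
}

generate_rules
```

The printed rules are only generated, not applied; review them before loading them into a firewall, since a uid rule blocks every connection of that application, not just the one observed.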

Edward Snowden: "I had a 24 inch waist when I joined the army … broke both my legs … " from the interview

I got the book … should make for a good read in the cold season

Debian apps, I presume, are kind of trusted (system) and Flatpaks will have their own cgroup, so instead of user, rules could be bound to the cgroup.

1 Like

I assumed that most people who use the internet are capable of looking it up for themselves. :slight_smile:

So I was making two points.

  1. The more obvious point: If you have a “watching app” then the watching app itself needs watching, and it can’t watch itself. As @2disbetter says, not as much of an issue in an open source environment, but it does still need to be watched, particularly if it becomes a single point of failure / attack.

  2. The more subtle point: We may think that our problems are new problems, but they are not. They were having the same problems thousands of years ago. Only the implementation details have changed.

Not necessarily. If the right hooks are there, there should be no need to poll.

That would be a natural way to do it on *nix but is that the actual way that things are going to work on the Librem 5?

I don’t know that that would necessarily cover all scenarios, however; e.g. things that occur within a web browsing environment might require changes to the browser itself in order to make the above even approximately achievable.

2 Likes

Here’s an existing app that might help: it’s a GNU/Linux implementation (not port) of Little Snitch, the “reverse firewall” kind of app on macOS that interrupts you any time a piece of software wants to connect to a network resource and asks you to allow or deny it, temporarily or not, etc.

Never tried it in Linux however…

2 Likes

The Librem 5 is to run PureOS, which is based on Debian, which is Linux and thus falls under the generalisation of *nix. As such, it has the same user-based authentication system as any other distro.

A web browser is an application as far as the OS is concerned and should be treated as such. There are already ad blockers and such which allow restriction of the sort of other connections a web page you’re visiting can open. Along those same lines, having a browser extension that would work in conjunction with an application to provide a single interface of control would do the trick. The alternative of course would be rolling your own browser. I have dabbled in this a little and it seems like an interesting pet project.

Without user level granularity, the application would essentially be a port sniffer with a configurable list of connections to allow/block. I think this would be tricky to write a simple UI for.
With user level granularity it would be easier to restrict individual applications. With the addition of a browser extension, you could allow a further fine grained control over what websites do from your computer.

I’ll post this here since it’s an afterimage of the interview with a 2019 unboxing of the L15

Yes! In The Dark Years (when I was between OS/2 and Linux), I used WinNTx. The only thing that kept me sane vis-à-vis security was Sygate Firewall. I believe it was free (as in free beer, not freedom) but not open source: an application firewall for both inbound and outbound traffic that was totally user configurable. Sygate was bought by Symantec, who integrated some of the functionality into Symantec Endpoint Protection, but of course Sygate was abandoned and eventually it died.

Snitch was a MacOS Sygate analog that looked interesting… but MacOS only. Now we have OpenSnitch for GNU/Linux, so I need to check it out.