Given that the UUID changed, you almost certainly made a new LUKS container, overwriting the old one. That’s bad, because the LUKS header is the only source of the actual encryption key that was used, and making a new one will overwrite both the main header as well as its backup copy immediately. Your password/keyfile/whatever is merely used to decrypt the part of the header that has the actual encryption key, and that’s gone in that case.

Unless you have access to a header backup from before that, there’s a fairly strong chance it’s irrecoverable. I’d suggest going through any archives you might have to see if you have such a backup - most of the instructions on the Gentoo wiki encourage making one, so you might have made one through the power of copying & pasting instructions. Should be a file of around 16MB.

This is a shot in the dark, but since the permissions look fine to me, the only other thing that comes to mind is that the SELinux contexts might not have been copied. Fedora is one of the few distros that enables SELinux in enforcing mode right out of the box. That can be very complex to understand if it breaks.

There is a Fedora documentation page about SELinux. The /var/log/audit/audit.log log file should be full of errors relating to your /home if it broke. I believe that stat /home and stat /new_home should display the SELinux context if SELinux is active, and they should be identical.

Also possible I’m totally off the mark, though, it’s just a possibility.

For the port thing, you can set the net.ipv4.ip_unprivileged_port_start sysctl to a lower value like 80 (may need to go lower if you also do email). It also applies to IPv6.

The default of 1024 is for security, but the actual security granted by it is not really that relevant nowadays. It stems from a time where ports < 1024 were used by machines to trust other machines using stuff like rsh & telnet, and before we considered man-in-the-middle attacks to be practical and relevant. Around the start of this millennium, we learned better. Nowadays we use SSH and everything is encrypted & authenticated.

The only particularly relevant risk is that if you lower it enough to also include SSH’s default port 22, some rogue process at startup might make a fake SSH server. That would come along with the scary version of the “host key changed” banner so the risk is not that high. Not very relevant if you’re following proper SSH security practices.

Within 15 days of making the account, to add. If you missed it or decided you’d rather not give them the password to your previous email account (the alt objective for the Gmail-specific thing) you don’t get a second chance.

I get that it’s free but I trust them much less because of the way they handle that.

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental

Do note that despite not being enabled by default, it is enabled in the official binary packages.

There’s a funny amount of layers to this thing but as far as I’m concerned, if it’s a feature you ship in the default binary packages on your site, that is definitively enough for a CVE even if it’s disabled by default.

Technically always has, ROCm comes with a “backported” amdgpu module and that’s the one they supposedly test/officially validate with. It mostly exists for the ancient kernels shipped with old long-time support distros.

Of course, ROCM being ROCM, nobody is running an officially supported configuration anyway and the thing is never going to work to an suitably acceptable level. This won’t change that, since it’s still built on top of it.

Even worse than that, they need to be able to make an arbitrary container from an arbitrary attacker-provided Dockerfile, or make fairly arbitrary calls to the Docker daemon (in which case you’ve already lost).

They’re rather uninteresting for anyone self-hosting containers as the runc vuln doesn’t offer a way to escape from within an already running container, while the BuildKit vulns all have fairly odd preconditions or require passing untrusted input. Quite the annoyance if you’re running some kind of public cloud or public CI/CD service, though.

DMA-BUF being marked as “unstable” for a decade was a fucking joke. It’s a protocol that’s required to get any kind of meaningful hardware accel going, which nearly every app does nowadays. Within Wayland circles, it’s been understood it’s not going to change for years, as doing so would break nearly every single existing app, yet all kinds of bikeshedding prevented it from being moved to stable.

Hopefully this marks a turning point for many other similarly important protocols stuck in unstable/staging hell too, like pointer constraints and text input. If devs can’t rely on basic functionality to be present and it takes more than say three years to commit to it, it’s time to admit that either the process or the protocol is broken.

There are community backports (like Sury’s Debian builds) for PHP, including a branch of PHP 5.6 originally released in 2014. Most other notable languages and major packages have something likewise as well, right down to major packages like Drupal 6. It’s not always easy, but it’s doable and the work is usually either already done or can be paid for.

Weird things that are truly too difficult to support are also often excluded. Eg Spectre/Meltdown fixes were non-trivial and had to be backported to a fairly wide range of things but that only went so far back. Some old systems just never got those fixes and instead have to be ran with a workaround (“don’t run untrusted code”). I don’t know how things are with the new offering but large complicated packages with lots of moving parts like OpenStack used to be excluded from the full extended support cycle before as well.

Windows software running in Wine/Proton can bypass the Windows layer and call Linux stuff directly. This is fine; Wine isn’t intended to be a security layer by itself. Some of the Proton bits that Valve made to build a bridge between Windows games & the Linux Steam client does this, as well as pretty much every other bit of Wine internals.

Easy Anti-Cheat detects that it’s running in Wine and if the game dev enabled Wine support, it downloads a binary that knows how to do that. That version of EAC doesn’t run at kernel level, but it does scan your Linux userspace for cheats, or whatever Epic feels like doing today. As with every userland anti-cheat, the company making it can update it more or less anytime you’re playing the game and since it’s running in the context of the game, it has access to everything the game does. Same thing for most anti-cheat software really.

A biggie you miss is the toolchain: the compiler/binutils/linux-headers/libc/libstdc++ combination. The libc and usually libstdc++ are key components of any install. The other parts usually don’t make it to non-dev-desktops, but the distro couldn’t be made without them, so they’re virtually always available as packages.

Only exception is if the entire distro is cross-compiled or it’s made exclusively for containers, but those kinds of special distros break every rule imaginable anyway. Some might not even ship a bootloader or a Linux kernel by themselves.

Don’t bother “securing” directories like that. The meaningful permission bit is the write permission on the directory holding the file. cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc or the like will still work if you have write permissions to /home/username at all. Marking the file immutable with chattr +i as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you’ve only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn’t stop there.

Don’t bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that’s good, though.

Yum, smells like microwaved ‘microwave-safe’ plastic!

I think most people don’t realize how unusual their company structure is. It feels like it’s set up to let them do exactly that. As far as I can tell, once you look past the smoke and mirrors, the board effectively controls both the non-profit and the for-profit.

“Open source” has more or less always meant something very specific as defined by the Open Source Definition. Adding restrictions on top like no commercial use or no lawsuits turns it into “source available”.

Monochrome/grayscale/otherwise extremely desaturated icons. Just… why? They’re so much harder to parse and remember.

OpenSSH’s server login component (the authorized_keys checking) can’t properly respect XDG_CONFIG_HOME because it won’t be set at the time it’s reading the authorized_keys file. The user’s home directory is stored in /etc/passwd but the XDG variables have a million different ways to set them, none of which are truly standardized. Best you could really do is hardcoding .config or the like, which you can do by changing the AuthorizedKeysFile in sshd_config.

If such a process existed, the entity in question would almost certainly end up being shut down by that process, unless they find a funny technical loophole around it, in which case that would be a failure of the law that should not be rejoiced by anyone.

But as it stands, that law and process does not exist; ISPs already can and will shut you down for things like downloading copyrighted content (with or without complaints from the copyright holder), tethering without approval, being a technical nuisance in the form of mass port scanning, hosting insecure services and other such stuff. “Hosting a platform solely dedicated to harassment and stalking and ignoring abuse complaints about it” absolutely deserves to be on that list.

“If we don’t let the oppressors roam freely, they might try to oppress you” is not something I expected to read from the EFF today. But well, here we are.

It has been standard internet behavior that if a platform does not have the proper response to abuse complaints, you move up a layer higher until you find someone that is receptive to it. This has been standard operating procedure for more or less for the entirety of the current millennium, and this article has done absolutely zero work to provide a good reason it should be anything otherwise, other than bringing up generic “free speech” stuff.

You should not get a path out of that process because one layer immediately above the problematic entity is actively choosing to disregard abuse complaints. You simply move up to the next step. And this process simply must keep existing, as doing anything otherwise is to allow people to pull off all kinds of bad things; scams, spam, illegal activity and far more.

And if you abolish the non-legal form of that process? Well, there’s still a legal process - and as soon as someone that wants to censor minorities gets control over the legal process, they will simply change the rules in their favor, as has happened countless times in the past.

I can’t really blame the manufacturers because the USB-IF’s suggested schemes would just confuse people even more. If people see 10Gbps on the box they’re gonna assume it can do 10Gbps, but tons of stuff ends up capped well below the USB link speed (most everything based on SATA<->USB converters internally is 6Gbps max).

It’s choosing between a bad naming scheme or something a lot of consumers would interpret as a straight up lie.