The new uname -a linux output on AMD processor

Not long ago I posted the output of a CLI command to see how it looks on an Intel architecture: The new uname -a linux output. Now I had a chance to run exactly the same command on an AMD Ryzen architecture. This is running on a custom kernel, configured especially for the hardware.

Linux scapegoat 5.6.3-gentoo #2 SMP Thu Apr 9 11:56:44 CEST 2020 x86_64 AMD Ryzen 5 PRO 3500U w/ Radeon Vega Mobile Gfx AuthenticAMD GNU/Linux
user % grep -r . /sys/devices/system/cpu/vulnerabilities

/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected

Here is the output of the stock kernel shipped by the Linux distribution, for cross-reference:

Linux scapegoat 5.5.14 #1 SMP PREEMPT Thu Apr 2 07:41:59 -00 2020 x86_64 AMD Ryzen 5 PRO 3500U w/ Radeon Vega Mobile Gfx AuthenticAMD GNU/Linux
user % grep -r . /sys/devices/system/cpu/vulnerabilities

/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
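
As an added example (not part of the original post), a small POSIX shell check that reads the same sysfs directory and classifies every entry, flagging anything the kernel reports as "Vulnerable" or that it cannot classify. It also singles out the spec_store_bypass status shown above, since "disabled via prctl and seccomp" means the mitigation is only applied per process on request, not system-wide. The directory argument and the --live flag are conventions of this script, not anything the kernel provides.

```shell
#!/bin/sh
# Added example, not part of the original post: summarize the kernel's
# speculative-execution mitigation status from sysfs and flag every entry
# the kernel reports as "Vulnerable" (or that it cannot classify). The
# directory argument lets a test feed a constructed copy of the sysfs files.
vuln_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    flagged=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*)
                tag=ok ;;
            "Mitigation: Speculative Store Bypass disabled via prctl"*)
                # per-process opt-in (prctl/seccomp) only; not applied system-wide
                tag=opt-in ;;
            Mitigation:*)
                tag=mitigated ;;
            Vulnerable*)
                tag=VULNERABLE; flagged=$((flagged + 1)) ;;
            *)
                tag=UNKNOWN; flagged=$((flagged + 1)) ;;
        esac
        printf '%-20s %-10s %s\n' "$name" "$tag" "$status"
    done
    # exit status 0 only when nothing was flagged
    [ "$flagged" -eq 0 ]
}

# Stand-alone usage: `sh cpu_vulns.sh --live [dir]`; the function's exit
# status is 1 when anything was flagged, so it can gate a config audit.
if [ "${1:-}" = "--live" ]; then
    shift
    vuln_report "$@"
fi
```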

GPG host migration issues

While using the password store software called pass and going through some default testing scenarios, like writing, storing, erasing, changing, and migrating to another host, I came upon an interesting issue after migrating the store from one host to another. Decrypting the pass store worked fine. However, adding new passwords on the new host spat out the following error:

user % pass edit testo/steron

gpg: RSP1SUP2LC3: There is no assurance this key belongs to the named user
gpg: /dev/shm/pass.Aizith6PheeTi/paeN9-testo-steron.txt: encryption failed: Unusable public key
GPG encryption failed. Would you like to try again? [y/N] y
gpg: RSP1SUP2LC3: There is no assurance this key belongs to the named user
gpg: /dev/shm/pass.Aizith6PheeTi/paeN9-testo-steron.txt: encryption failed: Unusable public key
GPG encryption failed. Would you like to try again? [y/N] n

This happened after migrating the key pair from one node to another. The solution is simple: set the trust level of the key on the new node:

user % gpg --edit-key RSP1SUP2LC3

Do you really want to set this key to ultimate trust? (y/N) y

Quit the GPG application by pressing the q key, or simply type quit:

user % q

After setting the trust on the key, adding a new password to pass should now succeed:

user % pass edit testo/steron

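The failure above is the key's computed validity, not the private key or the store itself. As an added example (not from the original post or from pass), here is a POSIX shell check that reads the machine-readable listing from gpg --list-keys --with-colons and reports every key whose validity is below full, i.e. exactly the keys gpg refuses to encrypt to after a migration. The sample input in the test is constructed; the --live flag is a convention of this script.

```shell
#!/bin/sh
# Added example, not part of the original post: find keys in the keyring that
# gpg would refuse to encrypt to ("Unusable public key") because their
# computed validity is below full. Input is the machine-readable listing
# produced by `gpg --list-keys --with-colons`; in a "pub" record field 2 is
# the validity and field 9 the ownertrust you set with `gpg --edit-key`.
trust_check() {
    awk -F: '
        $1 == "pub" { keyid = $5; validity = $2; ownertrust = $9; next }
        # the first uid record after a pub record carries the key holder name
        $1 == "uid" && keyid != "" {
            # f = full, u = ultimate: gpg encrypts without complaint;
            # anything else (-, q, m, n, e, r ...) takes the
            # "There is no assurance this key belongs to the named user" path
            verdict = (validity == "f" || validity == "u") ? "usable" : "UNUSABLE"
            if (verdict == "UNUSABLE") flagged++
            printf "%-8s %s validity=%s ownertrust=%s %s\n", verdict, keyid, validity, ownertrust, $10
            keyid = ""
        }
        END { exit (flagged > 0) }
    '
}

# Stand-alone usage: `sh trust_check.sh --live` inspects the local keyring;
# the exit status is 1 when at least one key is flagged.
if [ "${1:-}" = "--live" ]; then
    gpg --list-keys --with-colons | trust_check
fi
```

A flagged key is the one to review with gpg --edit-key as shown above; the script only reports, it never changes trust.
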
An obvious remark at the end of this blog post, for those people who only read this and copy/paste without re-thinking their decision:

📕 Warning
Only YOU can decide if a GPG key is trusted or not. So think thrice before doing it; in case of doubt, the best decision is not to trust a GPG key at all.

Firefox browser turned into truckload of crap

Send telemetry by default

Firefox sends telemetry data by default; it behaves like the most famous Windows operating system in its default setting. Mozilla can control the browser remotely via the telemetry channel, which recently came into action when Mozilla switched TLS 1.0 and 1.1 back on remotely because a group of users possibly could not view corona information sites correctly. Mozilla did not shout about the Normandy feature from the rooftops, possibly so as not to upset its user base. Gentoo's Bugzilla – Bug 713782.

To disable this technology, set app.normandy.enabled to false in the global Firefox configuration (about:config).

To find out more about Normandy and its features, check the Godzilla Wiki - Firefox/Shield.

Block .onion by default

Tor support is disabled by default: in its default setting, users cannot access .onion sites with Firefox. This is also described here: Protonmail's support site for Firefox.

To enable access to .onion sites, set network.dns.blockDotOnion to false in the global Firefox configuration (about:config).

Disable IRC support channel

After a long evaluation period, Mozilla has switched from IRC to Matrix as its preferred open discussion platform. Mozilla sees Matrix as an improvement in usability, accessibility and safety for the Mozilla community, and has therefore shut down its IRC servers for good.

Matrix describes itself as an open, lightweight protocol for decentralized, real-time communications.

Challenge: try to find even one RFC describing the Matrix protocol. Here is a URL to an RFC search engine that makes the search a no-brainer. If you find something, please let me know. Let me guess, everything works over HTTPS?

Remove the obsolete and unsafe FTP protocol

FTP is unsafe by design, but there is also FTPS. It works the same way as BGP and TCP-MD5 hashing. Wait, did someone not yell recently that BGP is unsafe, and complex on top of it? Yes, it is unsafe by design. Honestly, it does not make a big difference whether FTP is supported or not. One security flaw less to care about.

Proceed with Caution

"Changing advanced configuration preferences can impact Firefox performance or security." A highly suggestive notification before changing any internals of Firefox.

Postmortem

The Mozilla Foundation turned into the Godzilla Foundation, while its famous browser Firefox mutated into an unusable piece of shit, a zombie crap load. A reason to stop using ZombieVixen. ZombieVixen itself is a data black hole in its default setting.

There are numerous other arguments not to use the new Godzilla Foundation's ZombieVixen browser. Find your own. Frankly, disabling predefined defaults in an application feels like going back to 1995...

                                               ____
   ___                                      .-~. /_"-._
  `-._~-.                                  / /_ "~o\  :Y
      \  \                                / : \~x.  ` ')
       ]  Y                              /  |  Y< ~-.__j
      /   !                        _.--~T : l  l<  /.-~
     /   /                 ____.--~ .   ` l /~\ \<|Y
    /   /             .-~~"        /| .    ',-~\ \L|
   /   /             /     .^   \ Y~Y \.^>/l_   "--'
  /   Y           .-"(  .  l__  j_j l_/ /~_.-~    .
 Y    l          /    \  )    ~~~." / `/"~ / \.__/l_
 |     \     _.-"      ~-{__     l  :  l._Z~-.___.--~
 |      ~---~           /   ~~"---\_  ' __[>
 l  .                _.^   ___     _>-y~
  \  \     .      .-~   .-~   ~>--"  /
   \  ~---"            /     ./  _.-'
    "-.,_____.,_  _.--~\     _.-~
                ~~     (   _}
                        `. ~(
                          )  \
                         /,`--'~\--'

This ASCII picture can be found at asciiart.website

Zsh file logging function

Why logging is a useful practice:

  • It is a good idea to log network session output into a text file, from a troubleshooting and technical point of view
  • In case of troubleshooting, it is a reliable source for reviewing the sequence of commands and their outcome
  • Task documentation at its source

A Z-shell (zsh) function to start a logging session instantly by calling the function logfile with one mandatory parameter, the session name:

function logfile(){
        # Mandatory session name; abort with a usage hint when it is missing
        local sessionname=${1:?" Syntax: logfile sessionname"}
        # Timestamp prefix so that log file names sort chronologically
        local datum=$(date '+%Y%m%d-%H%M%S')
        # All session logs live in one directory; stop if it is not there
        cd ~/netlog/ || return 1
        echo "logging to $datum-$sessionname.log file. Type exit to end the netlog session!"
        # Record the whole terminal session (input and output) with script(1)
        script -c '/bin/sh --login' "$datum-$sessionname.log"
}
user % logfile change-4711

logging to 20200427-222535-change-4711.log file. Type exit to end the netlog session!
Script started, file is 20200427-222535-change-4711.log
sh-4.4 $ ssh R1
...

The end of the logging session is announced as well. End it with the exit command:

user $ exit

Script done, file is 20200427-222535-change-4711.log
...

Log files will look like the example below. This is also useful when grepping for a valuable piece of information:

user ~/netlog % ls -lah

total 293K
drwxr-xr-x   2 user user 4.0K Apr 27 22:25 .
drwxr-xr-x 162 user user  16K Apr 27 22:29 ..
-rw-r--r--   1 user user 33.8K Apr 26 17:02 20200426-170201-change-6500.log
-rw-r--r--   1 user user 21.9K Apr 26 17:07 20200426-170739-ticket-123401.log
-rw-r--r--   1 user user 27.6K Apr 26 17:08 20200426-170848-ticket-130813.log
-rw-r--r--   1 user user 42.2K Apr 26 17:11 20200426-171108-ticket-130931.log
-rw-r--r--   1 user user 88.8K Apr 26 17:13 20200426-171214-change-5520.log
-rw-r--r--   1 user user 77.9K Apr 27 22:27 20200427-222535-change-4711.log

user % logfile

logfile:2: 1: Syntax: logfile sessionname

📄 File ~/.profile

TERM=vt100
PS1='\t ~> '

user % logfile change-4711

logging to 20200428-162231-change-4712.log file. Type exit to end the netlog session!
Script started, file is 20200428-162231-change-4712.log
16:22:31 ~> ssh R0
...

The same result can be accomplished differently, e.g. by using the tee command, or by logging with screen and its logging parameter. Find your own solution.