
I stopped getting scared of `if` and `of` about a decade ago when I started explicitly saying (in my head) "input file" and "output file" rather than "if" and "of." You still can mess up the order, but imo no more easily than you can swap `cat in > out` for `cat out > in`.

> Friends don't let friends use `dd` where `cat` can do the same job.

Technically yes... but I like being able to explicitly set block sizes and force sync writes.


I think you both are arguing about how to fight a bear with your bare hands. To win in that, you simply need to not fight with a bear.

Let's say someone made an expansion board with a cool feature: there are 5 documented I/O addresses, but accessing any other address fries the stored firmware. What would you do? No, not leaving a lot of comments in code in CAPS LOCK. No, not printing the correct hexadecimal values in red to put the message on the wall. You make a driver that only allows access to the correct addresses, and configure the rest of the system to make sure that it can only work through that driver.

Let's say there's a loading bay at the chemical plant with multiple flanges. If strong acid from the tanker is pumped into the main acid tank, everything is fine. If it is pumped into any other tank, the whole plant may explode and burn. What should be done? No, not promising that drivers will be fired, then shot by the firing squad if they make a mistake. Each connection is independently locked, and the driver only gets a single matching key.

You have wonderful programmable devices that allow you to solve non-standard problems with non-standard tools. What should be done is making a wrapper for dd that just does not allow you to do anything you don't want to happen. Even the most basic script with checks and confirmation is enough.
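One way to build the wrapper this comment calls for, as an added example that is not from the thread: a hypothetical `safe_dd` POSIX sh script (assumes GNU dd and a Linux-style `/proc/mounts`) that refuses mounted or non-block targets and makes the user type the target path back before anything is written.

```shell
#!/bin/sh
# safe_dd: a guard around GNU dd. Refuses to write to anything that is not a
# block device, or that is mounted (directly or via one of its partitions),
# and asks the user to type the target name back before writing.
# Hypothetical wrapper written for this thread, not from any project.

# Mount table to consult; overridable so the checks can run against a
# constructed copy instead of the live system.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# target_is_mounted DEV MOUNTS -> 0 if DEV or a partition of it appears in MOUNTS
target_is_mounted() {
    # A partition name starts with the whole-disk name (/dev/sdb -> /dev/sdb1,
    # /dev/nvme0n1 -> /dev/nvme0n1p2), so a prefix match on field 1 covers both.
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# check_target DEV MOUNTS -> 0 if DEV is an acceptable dd output, 1 with a reason
check_target() {
    case "$1" in
        /dev/*) ;;
        *) echo "refusing: $1 is not under /dev" >&2; return 1 ;;
    esac
    if target_is_mounted "$1" "$2"; then
        echo "refusing: $1 or one of its partitions is mounted" >&2; return 1
    fi
    # Caveat: LVM/dm-crypt mount /dev/mapper/* names, which do not reveal the
    # underlying disk; pair this with lsblk if you use those.
    return 0
}

# safe_dd IF OF [BS] -> runs dd only after the checks pass and the user confirms
safe_dd() {
    src=$1; dst=$2; bs=${3:-4M}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -b "$dst" ] || { echo "refusing: $dst is not a block device" >&2; return 1; }
    check_target "$dst" "$MOUNTS_FILE" || return 1
    printf 'About to overwrite %s with %s (bs=%s). Type the target path to confirm: ' \
        "$dst" "$src" "$bs"
    read -r answer
    [ "$answer" = "$dst" ] || { echo "aborted" >&2; return 1; }
    # conv=fsync forces the data to disk before dd reports success (GNU dd).
    dd if="$src" of="$dst" bs="$bs" conv=fsync status=progress
}

# Run as a script: safe_dd.sh image.img /dev/sdX [bs]
if [ "$#" -ge 2 ]; then safe_dd "$@"; fi
```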


The linked post currently has demonstrated that 6 years in some reasonable-ish condition is perfectly fine.

> they might not last one year.

> Definitely not a medium to passively store anything long term without power!

Do you have any evidence to back up this claim? I'm much more interested in data than fear mongering.


He stored them on a shelf, which is probably 25C max, and that has an order of magnitude longer life than at 40C. [1]

[1] https://www.ni.com/en/support/documentation/supplemental/12/...


You can however set the block size to something quite large, which means you write the same random pattern spread out over multiple blocks repeatedly. If you pick an "odd" block size (like say, your native block size multiplied by 47), it's highly unlikely your disk under test will be swapping around "groups of 47 blocks." (I usually just do a nice multiple, like 4K*16, but if you're super paranoid a weird multiple should be pretty much good enough). You won't get reporting of which exact blocks on the drive are failing, but these days, that isn't really useful information - if any blocks are failing, warranty or ditch the drive.

Yes, that’s right, don’t buy any new car, any phone, any television. Hell, don’t buy any x86 laptop or desktop computer, since you can’t disable or replace Intel ME/etc.


How is that better?


You can focus all of your energy into strengthening and testing a single point of the system instead of having to do it for many.


You're grasping for straws a bit here. This is already done for ssh as the de facto remote access mechanism for a very long time.


How does SSH become an arbitrary user without effective root?


SSH should not become a different user; it should call something like `/bin/login` which uses PAM for authentication and is capable of starting user sessions.


How on god’s green earth is `sudo apt install telnet` sufficiently challenging to be a driving factor to creating your own distro??


Because I go long periods of time without internet access, and I don't want to have to "sudo apt install" a fucking thing, ever. Especially not a tiny utility that is all of 172k in size, that I might need for something. Understand?

I want EVERYTHING that I might use installed AT ALL TIMES, FROM DAY ONE, so that I can IMMEDIATELY USE IT when required.

This is only one of many reasons why I abandoned the giant dumpster fire that is mainstream Linux. I do not agree with their idiotic philosophy, on practically every level.

You've now discovered that there are sections of God's Green Earth that you never knew existed! One of many benefits of stepping outside the Matrix for a moment.


I would never ever install your distro for this reason alone.

Someone has already pointed out that old/deprecated/obsolete software like a telnet client represent tech debt.

Removing the telnet client was, in part, a recognition that its complementary server was deprecated and unsafe. If everyone was transitioned to ssh and nc, [and custom MUD clients], why keep telnet around?

Any software like this represents tech debt and a support burden for the upstreams and distros which carry them. You have unnecessarily assumed a burden in this way.

Furthermore, ask the maintainers of OpenBSD or any hardened OS about attack surfaces. The more software that you cram into the default distribution, the more bundled features an OS or system has, you are multiplying your potential vulnerabilities, your zero-days, and your future CVE/patch updates.

Especially in the face of growing supply-chain attacks and LLM-automated vulnerability disclosure. Your focus should be on limiting attack surface in every regard.

It is good practice for everyone to uninstall unnecessary apps and software. Whether you use Android, iOS, Mac, Linux, BeOS or Plan9 or Inferno. Do not install and maintain software that you do not use or need. It will come back to bite you.


> Furthermore, ask the maintainers of OpenBSD or any hardened OS about attack surfaces.

OpenBSD still ships with telnet.

Their developers don't entertain nonsense virtue signaling about things that are "unsafe" and they know their users are not idiots that need to be coddled.

Hammers and matches are unsafe if you use them wrong.


> I would never ever install your distro for this reason alone.

And you are? Completely mystified as to why you'd think I would care. I built this distro for me and my people, not you. That's the whole point. We're getting off this ride.

> Someone has already pointed out that old/deprecated/obsolete software like a telnet client represent tech debt.

Not a subscriber to this religion. There is nothing about new software that inherently makes it safe, and nothing about old software that inherently makes it vulnerable.

New flaws are introduced all the time, and old bugs do get found and fixed.

I can patch old code. I can't guarantee that new code doesn't contain bugs.

The ONLY way to ensure code is flawless is through validation--mathematical proof. When you have devised a proof framework that I can use across my distro, get back to me. At this time you're nowhere near that level, and are therefore unqualified to lecture anyone about security.

> Removing the telnet client was, in part, a recognition that its complementary server was deprecated and unsafe.

Unsafe? On my personal LAN? I think not.

You don't get to just 'deprecate' things that I might need, or want to use for perfectly valid reasons.

That's the entire point of my distro: computing the way I WANT IT, not the way Ubuntu wants it.

> If everyone was transitioned to ssh and nc, [and custom MUD clients], why keep telnet around?

Because it's 172 kilobytes. Contrast with the giant bloated carcass of everything else they shove in there that's oh-so-needed by the herd.

> Any software like this represents tech debt and a support burden for the upstreams and distros which carry them. You have unnecessarily assumed a burden in this way.

I'm a distro maintainer. Hello? Telnet represents ZERO maintenance burden for me. There are no operators standing by on hotlines to "support" any of this. It's a 172 kilobyte utility.

> Furthermore, ask the maintainers of OpenBSD or any hardened OS about attack surfaces. The more software that you cram into the default distribution, the more bundled features an OS or system has, you are multiplying your potential vulnerabilities, your zero-days, and your future CVE/patch updates.

Nobody can magically teleport themselves inside my computer and compromise my telnet client. Nobody is injecting packets into my LAN.

> Especially in the face of growing supply-chain attacks and LLM-automated vulnerability disclosure. Your focus should be on limiting attack surface in every regard.

You're concerned about supply chain attacks, so your mitigation is...doubling down on getting the Latest Updates to everything? Because new code is inherently good.

Telnet has to go--way too risky to keep that around--but KDE/Gnome/systemd/dbus/etc stays?

'traceroute' is useless and dangerous, but let's keep the giant QT framework with its vendored copy of Chromium? (That's QT5 and QT6, each with a vendored Chromium, mind you.)

Chromium, by the way, itself represents tens of gigabytes of code/data now inside its repository, with 'third party' directories vendored three or even four levels deep. But a 72k traceroute utility is likely to be packed with security flaws and should be avoided.

> It is good practice for everyone to uninstall unnecessary apps and software. Whether you use Android, iOS, Mac, Linux, BeOS or Plan9 or Inferno. Do not install and maintain software that you do not use or need. It will come back to bite you.

Completely wrong and misleading theory of security you are proposing here.

I devised this new distro exactly because I was tired of my computing experience being shaped and controlled by clueless kids with intellectually bankrupt arguments and/or wolves in sheep's clothing.


Well this is weird.

You talk about me, my, mine, my network, my computer. But you're promoting a "distro". That means you're distributing software. It's not yours anymore.

Attackers on a network will use techniques to "pivot". Once a "foothold" is established then they scan for other places to attack. They will indeed get inside "your" computer, or router, and then compromise your telnetd.

It comes back to the liberty of swinging your arms vs. the proximity to my nose. If your distro is connected to a network, then you're responsible and accountable for security issues that result. There are thousands of distro kiddies sending out their favorite flavor of Linux, but how many audited it like Theo de Raadt?

You don't seem to understand the CVE under discussion. It doesn't even affect telnet(1). Practically nobody runs telnetd(8) anymore since the introduction of encryption, ssh, and the like. MUD players use MUD clients. Network admins use nc(1). The reason "telnet" was deprecated is: it's just not really useful anymore without its complementary service. telnet(1) isn't inherently dangerous, it's just superfluous, and distros pretty much evaluated that it wasn't worth hanging on to.

As for "traceroute", I'm not sure it's "useless or dangerous", but it can be misleading and definitely superfluous. It is widely misinterpreted by novices trying to prove something about their WAN connectivity. It misrepresents network topology and doesn't work real good with modern equipment or protocols. It was a judicious decision to bundle it with network debugging tools, because not everyone needs to debug networks. Especially the ones who believe that they can.

I would say that any network debugging tool available is also useful to your attackers with a foothold. A "living off the land" attack will leverage your telnet client, will run traceroutes on your network, and they will use all the software cruft that you didn't uninstall! I am pretty sure there are distros that simply don't come with development environments, C compilers, or various interpreters anymore, and it is for this reason: they are not inherently insecure or vulnerable, but "living off the land" will weaponize them every time.

However, I must concede that your temperament and tone are well-suited to being a distro administrator. You remind me of Linus Torvalds vs. Andrew Tanenbaum, or Theo de Raadt vs. FreeBSD. Perhaps Scott Adams vs. the world. Carry on, good sir.


The easiest way to make your own “distro” is apt-get install stuffiwant…


> I have a 21 yo car and a 12 yo car and will eventually have to get something 'modern' (worse) that forces spyware/subscriptions on me just to get from point a to point b

I daily a 30 year old car. There exists a sweet spot of reliability, safety, and comfort (probably the early-mid 2000s) that in theory, you should never have to buy a vehicle outside of, newer or older. There will always be clean old cars in good shape you can buy, you don't need a new vehicle.

Unless you can't buy gasoline anymore. But that's still quite a long ways away imo.


Luckily I don't drive much. The one car is just falling apart and is ridiculously expensive to maintain (don't buy a used Mercedes, ever). The other is just not fun to be in but at least it gets reasonable gas mileage. I really want an electric vehicle, especially the way things are going right now, but buying anything built in the last 10 years is just depressing at best and electric vehicle life is much lower on average than ICE lifespan due to battery life. Ah well. Maybe this will push me to an electric scooter for all the in-town travel and I will only need a 'real car' once a month or so.


> He finally found a safe spot and successfully pitted the car to a stop.

No such thing as a safe spot to PIT someone, ever, let alone while they're asleep at the wheel. This is a great example of why people hate all cops, anyone with two brain cells to rub together would get in front of the car and gradually slow to a stop.


It's a bit grim, but equally what else are you supposed to do? This car will definitely crash into something pretty soon.


I agree with the recommendation that you yourself replied to: move in front of the vehicle, and gradually slow to a stop, with lights and sirens optional but recommended.

I am thrown by the question of "What else should have been done" though, after grandparent made an explicit recommendation.


Oof, imagine an airbag going off while slumped over the wheel!


Damn, is this the first time ever the east coast is doing better than Colorado? We’ve had record snowfalls all over Quebec, I spent all day last Friday skiing in a foot of fresh powder. Unheard of on the ice coast*.

*not literally. But still, crazy amount of snow this year so far


Neighboring ski areas in Maine have just so-so snow. NOAA Northeast snowpack map. One of my favorites.

https://www.weather.gov/images/nerfc/ops/nohrsc_full_sd.png

I usually use this one but the previous includes Quebec.

https://www.weather.gov/images/nerfc/ops/NOHRSC_SD_highcontr...

