Replying now to Luke ([email protected]): Thank you, that's interesting! I appreciate that you're contributing a meaningful answer to my questions, and I also appreciate that you're nice to me. :) Also [email protected] seems to be nice to me, unless I misinterpreted what they said (I'm not sure, sorry).
~ | ~ | ~ | ~ | ~ | ~ On Thursday, March 28, 2024, Jan Stary <[email protected]> wrote: > On Mar 28 21:16:45, [email protected] wrote: > > You didn't "Reply All", so I didn't get your reply in my inbox. > > Apparently, you did. No, I did not. You're assuming I reply to your message in my inbox; that's a wrong (and fallacious) assumption. I checked marc.info for replies when not logged into my email (as this is more convenient than logging in repeatedly). When I saw your reply in marc.info, I logged into my email to reply to you but couldn't find your message in my inbox, and didn't know why. Fortunately, I am smart, so I created a new message with the same subject line (including the "Re:" part at the start) and CCed the mailing list so marc.info would detect it as if it's in the same thread, and apparently I succeeded. I also copied your sentences from marc.info and pasted them into my reply, along with prepending > signs. > > > (The person > > you're replying to should be in the To field, and the mailing list in the > > Cc field.) > > I replied to the list. > If you are not subscribed to the list, > you don't get the list replies. I did not know that. I really am not subscribed. I don't want to subscribe to the entire mailing list, I just think it's useful to get replies to my thread only; perhaps there's a way to accomplish that? > > > >Even on windows; this has nothing to do with intercepting ctrl-alt-del. > > False. Ctrl-Alt-Delete cannot be intercepted on Windows without first > > compromising the integrity of the operating system. The Windows kernel is > > hardcoded to forward Ctrl-Alt-Delete to Winlogon, and Winlogon runs in a > > separate Secure Desktop mode that takes over the entire screen and no > other > > programs can intercept keystrokes from or send keystrokes to. > > https://security.stackexchange.com/a/34975 > > https://learn.microsoft.com/windows/win32/winstation/desktops > > Repeat after me: I can display what looks like a login screen; > I don't to have anything to do with ctrl-alt-del to display that. I do not need to repeat mantras. I did not deny that programs can do that, quite the opposite: I explicitly acknowledged that programs can do that, and asked what mechanism OpenBSD provides to ensure, at the user's request, that the operating system temporarily takes over with a real login prompt that cannot be interfered with or snooped on. Windows can already do that with Ctrl-Alt-Delete, but I couldn't find anything on the web to suggest that OpenBSD can do that. > > And it has nothing to do with OpenBSD. Ditto. > > > >I don't believe that's true. > > >"Dear X11, what is $user typing into his firefox textarea"? > > I'm not an X11 expert, and I'm not sure if the example provided in the > > following link is because the program and the desktop it's running under > > have different UIDs (rather than locking the desktop, logging into a > > different user with a new desktop session using a SAK like > Ctrl-Alt-Delete, > > and running it there), but I found this old blog post, by whom I believe > is > > the founder of Qubes OS, being cited somewhere: > > https://theinvisiblethings.blogspot.com/2011/04/linux- > security-circus-on-gui-isolation.html > > It is common knowledge that X11 is insecure by design, not (only) by the > > ancient code, so even if the blog post isn't relevant anymore, it > wouldn't > > surprise me if such attacks could still be done. > > Ah, so that's what you have "learned": a 13y old blogpost. Which is supposed to be relevant. Age isn't directly related to relevancy, especially when talking about much older tech (X11, which is 39 years old according to Wikipedia) that's still used today (2024, which is 0 years ago). Furthermore, I was linked to that article from madaidans-insecurities.github.io (a blog of one of the developers of Whonix). > Fine, show me how you read another user's keystrokes under X. Showing a proof of concept is not a necessity to convey or prove a point in an online discussion, and I don't follow orders from you. So I have no obligation whatsoever (including for the sake of argument, which is the most important here) to do that. > > > >>I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when > > installed from the OpenBSD package manager/ports) are sandboxed with > > pledge(2) and unveil(2). > > >find /usr/ports/ -name pledge\* > > Already done: > > https://openports.pl/search?file=unveil > > This only lists third-party packages that have an OpenBSD > ports-originated > > addition of pledge/unveil configuration files; packages that use > > pledge/unveil without configuration files, or whose pledge/unveil > > configuration files originate from the upstream distribution, are not > > listed. > > And what would those be, given that pledge/unveil is OpenBSD specific? You know that apps can have OS-specific programming, right? pledge(2) and unveil(2) are usable by all apps by all developers, not just by OpenBSD developers that write software for the base OS or modify third-party software to be confined on OpenBSD. As an example: I've looked at the source code and issue tracker of upstream Firefox in the past and it has upstream support for pledge(2) and unveil(2). (Sidenote: I think I was wrong that the website I linked (openports.pl) only searches in ports-originated files, I think it actually searches the contents of packages for filenames, so that includes upstream-originated files.) > > > Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser > > are sandboxed, which is excellent because Web browsing is one of the most > > popular desktop activity and browsers are meant to use networking and > > execute untrusted JavaScript/WebAssembly code, and parse untrusted data > > like media, CSS, etc. Contrary to servers, that if they're hacked then > some > > business might be ruined, personal computers are used to do banking and > > shopping online, chat with distant friends/family > > members/doctors/lawyers/coworkers/etc., and hold our personal thoughts > and > > memories, so I believe that they shouldn't get compromised just because > the > > user entered the wrong website on a bad day, or opened the wrong video, > or > > the wrong file, etc. OpenBSD already has the excellent system calls > > pledge(2) and unveil(2), and already uses them extensively in the base > > system and for the aforementioned browsers, but what about other > programs? > > That's a very general question. > Look at the program you care about (if there is one) > and grep the source/port for pledge. Duh. > > It's indeed a general question. What's the use of you mentioning the generality of my question? Are general questions not allowed on this mailing list?? Your "if there is one [program I care about]", "duh", and other things you've said so far to me and I haven't pointed out in this paragraph show that you're very disrespectful towards me. So I very not kindly will now tell you to shut the fuck up. ~ | ~ | ~ | ~ | ~ | ~ Replying now to Peter N. M. Hansteen ([email protected]): >On Thu, Mar 28, 2024 at 09:16:45PM +0000, Dan wrote: >> You didn't "Reply All", so I didn't get your reply in my inbox. (The person >> you're replying to should be in the To field, and the mailing list in the >> Cc field.) > >OH PUH-LEEZE. > >No. > >You send to a mailing list, people are supposed to reply to the mailing list. > >A select few may have their mail clients configured so the author of the message >will receive a courtesy copy (aka Cc:). > >If I seem unresponsive to any followups to this thread, a likely reason will be that >I will not see messages with your From: without putting in some extra effort. > >- Peter > >-- >Peter N. M. Hansteen, member of the first RFC 1149 implementation team >https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/ I saw that I got replied to using marc.info, and proceeded to log into my email to reply, but then I didn't see that reply in my inbox. So I looked at an old thread I had a few years ago on this mailing list that I knew that worked well, and looked at the To and Cc fields in the exchange of messages, and I assumed this is how it's always meant to be. So I assumed that [email protected] made an minor accident when replying to me, so I tried being helpful by telling them what they should be seeing so I could see their next replies. As stated before, this isn't my first time using a mailing list, but I'm pretty sure it's my second time, and I'm fairly new to how mailing lists work. I deserve none of your disrespectful attitude and your wrong assumption of ill intentions from me; furthermore, you completely ignored the substance of the discussion in this thread, and did not contribute anything useful to the discussion. Your entire reply was meant to purposely be rude to me and attack me ad hominem. Take an example from Luke ([email protected]), they actually contributed something meaningful to the discussion and didn't act like an asshole to me. I recognize your name, I know you publish lots of material about OpenBSD, for example the links in your signature, and you're also part of the editorial team of undeadly.org, which I frequently visit. It's a shame you're such an asshole, though. Disgusting.
