One is a profile that I exclusively run in a Linux network namespace, where all traffic is routed over a wireguard VPN. A shellscript sets up the namespace, connects to a randomly selected VPN server, sets up routing and launches the Firefox profile in that namespace. That shell script is launched through a custom key shortcut.

The "normal profile" does not have many anti-tracking measures and privacy extensions enabled. I use this one for online banking or other personal activities which I don't want to route over a VPN. It's also synced with my phone.

A third profile is restricted to certain websites. It's pretty much a default Firefox, except for ublock. ublock filters ensure that only selected websites can be browsed in this profile. This profile does not clear cookies on exit etc. I use mainly it for web apps that require login.

Comments URL: https://news.ycombinator.com/item?id=37239753

Points: 1

# Comments: 0

One might also achieve comparable effects by drinking baking soda.

>"We think the cholinergic (acetylcholine) signals that we know mediate this anti-inflammatory response aren't coming directly from the vagal nerve innervating the spleen, but from the mesothelial cells that form these connections to the spleen," O'Connor says.

>While there is no known direct connection between the vagal nerve and the spleen -- and O'Connor and his team looked again for one -- the treatment also attenuates inflammation and disease severity in rheumatoid arthritis, researchers at the Feinstein Institute for Medical Research reported in 2016 in the journal Proceedings of the National Academy of Sciences.

O'Connor hopes drinking baking soda can one day produce similar results for people with autoimmune disease.

https://www.sciencedaily.com/releases/2018/04/180425093745.h...

Comments URL: https://news.ycombinator.com/item?id=37061642

Points: 4

# Comments: 1

Comments URL: https://news.ycombinator.com/item?id=35399793

Points: 2

# Comments: 0

I gave Ubuntu Touch a chance, particularly as I was longing for something comparable to Maemo on the Nokia N900. At first it was great. OpenSSH, bash, etc. I had some fun hacking on it. However, I quickly realized they threw a beta product at the people.

I missed phone calls because of race conditions. I couldn't connect to my wifi because my password was too long.... It overall really seemed the team at Canonical didn't have enough man power.

Eventually, these things got fixed, but too late for me. In some ways it's cool that the community hasn't given up on Ubuntu touch, unlike Canonical. I don't know how much has changed under the hood, but one can only hope the software stack is more reliable now.

Comments URL: https://news.ycombinator.com/item?id=34532373

Points: 130

# Comments: 80

Comments URL: https://news.ycombinator.com/item?id=33966527

Points: 3

# Comments: 1

https://pubmed.ncbi.nlm.nih.gov/24799686/ https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9071023/

https://www.youtube.com/watch?v=OpTG02x6w5o https://www.youtube.com/watch?v=EWHRumILOOk

In short, the breathing increases epinephrine (adrenaline), which causes a spike in anti-inflammatory cytokines, and decreases inflammatory cytokines such as TNF-a.

It should be added that on the web I found several reports about increased tinnitus symptoms, which usually subside after the breathing is stopped, but for some it was permanent. This is why I am not doing it regularly, as I also get some ringing, but thankfully it was not permanent.

Nevertheless, I find this very method very exciting. I am glad Radboud took a look into it. However, I would love to see clinical trials on the method at last.

>.. So how do we get it that simple on Linux? I believe the answer is to find someone with enough free time to figure out how to use SECCOMP BPF to implement pledge.

> There's been a few devs in the past who've tried this. I'm not going to name names, because most of these projects were never completed.

I guess I am also one of those. I am giving it a shot with my WIP sandboxing library, which aims at making sandboxing easier for applications in general: https://github.com/quitesimpleorg/exile.h. It also aims to fix the "file system blind spot" mentioned in the article, by using Landlock and Namespaces/chroot.

Though I am calling my attempt "vows" instead of "pledge" to avoid misunderstandings. At the the end of the day, pledge() cannot be pledge() on Linux, due to limitations which the article also mentions.

Nevertheless, as has already been mentioned in this thread, as all attempts, mine also suffers from the fact that one has to keep up constantly with kernel releases and all software must recompiled from time to time against new library releases. This is a suboptimal situation. Secondly, there systems calls with currently cannot be filtered with seccomp BPF, such as openat2() and clone3() and so on.

Therefore, at this time you cannot have pledge() on Linux properly. So I am putting it on hold until deep argument inspection lands.

Overall, my experience led me to believe in order to have true, partical pledge() on Linux, it must be implemented in the kernel ultimately.

Comments URL: https://news.ycombinator.com/item?id=31642999

Points: 2

# Comments: 0

eBPF is used in systemd's firewall code though, which allows filtering the IP addresses a service can contact. If this feature is not needed, eBPF can probably be disabled without impacting the other sandboxing features of systemd.

Powered by a wiki I wrote in C++ (long story), not much going there right now besides links to my projects. I added feeds recently as I plan to start blogging at some point.

>...

>seccomp / landlock security things

Landlock does not use *BPF.

Seccomp can only use BPF at this point, not eBPF (though there has been some work on it).

- qssb.h: A header library to make sandboxing applications on Linux more easier. Currently at an early stage though: https://github.com/quitesimpleorg/qssb.h The original aim was to make utilizing namespaces and seccomp easier without dealing with nuances. Currently working to get landlock in, then perhaps a CLI utility and test cases.

- raou: I found sudo too complex for the simple taks of switching users on a system. Given sudo also had some vulnerabilities in the past, I decided to write an alternative in Rust: https://gitea.quitesimple.org/crtxcr/raou

- qsni: https://github.com/quitesimpleorg/qsni At times I simply wanted to cut off a few applications from the network or to assign some specific firewall rules: https://github.com/quitesimpleorg/qsni