Re: [DNG] The audacity of it all...
On Tue, 24 Aug 2021 22:44:39 -0400 tempforever wrote:

> Neat. Thanks for the info. I was actually wondering about just that
> very thing (how to block a program's network access) when the audacity
> topic restarted.

Hi,
with these methods it will be a never-ending cat and mouse game and you
give legitimation to audacity's new policy. The only solution is to fork
and remove from the repos because we have seen in the past what
"we won't be evil" promises are worth.

Ciao,
Tito

> Mason Loring Bliss wrote:
> > On Tue, Aug 24, 2021 at 06:41:59PM -0400, Mason Loring Bliss wrote:
> >
> >> So, whether you set it persistently or not, you start with:
> >>
> >>     sudo sysctl -w kernel.unprivileged_userns_clone=1
> >>
> >> ...and then you can run something that has no configured network:
> >>
> >>     $ unshare -n ping 4.2.2.1
> >>     unshare: unshare failed: Operation not permitted
> > Didn't follow up here. One also needs to be mapped to root inside the
> > namespace:
> >
> >     $ unshare -r -n ping 4.2.2.1
> >     connect: Network is unreachable
> >
> > Without that, it doesn't do much. =cough=

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] The audacity of it all...
Neat. Thanks for the info. I was actually wondering about just that
very thing (how to block a program's network access) when the audacity
topic restarted.

Mason Loring Bliss wrote:
> On Tue, Aug 24, 2021 at 06:41:59PM -0400, Mason Loring Bliss wrote:
>
>> So, whether you set it persistently or not, you start with:
>>
>>     sudo sysctl -w kernel.unprivileged_userns_clone=1
>>
>> ...and then you can run something that has no configured network:
>>
>>     $ unshare -n ping 4.2.2.1
>>     unshare: unshare failed: Operation not permitted
> Didn't follow up here. One also needs to be mapped to root inside the
> namespace:
>
>     $ unshare -r -n ping 4.2.2.1
>     connect: Network is unreachable
>
> Without that, it doesn't do much. =cough=
Re: [DNG] The audacity of it all...
On Tue, Aug 24, 2021 at 06:41:59PM -0400, Mason Loring Bliss wrote:

> So, whether you set it persistently or not, you start with:
>
>     sudo sysctl -w kernel.unprivileged_userns_clone=1
>
> ...and then you can run something that has no configured network:
>
>     $ unshare -n ping 4.2.2.1
>     unshare: unshare failed: Operation not permitted

Didn't follow up here. One also needs to be mapped to root inside the
namespace:

    $ unshare -r -n ping 4.2.2.1
    connect: Network is unreachable

Without that, it doesn't do much. =cough=

-- 
Mason Loring Bliss  ((  If I have not seen as far as others, it is because
 ma...@blisses.org   ))  giants were standing on my shoulders. - Hal Abelson
[DNG] The audacity of it all...
When I first heard about Audacity's plans to start shooting data back to the
mother ship, I was dismayed. But then I thought, "boy, we have some technical
tools to address this" and I started digging.

The obvious answer, since AppArmor made it into Devuan Beowulf, was to use
that to block Audacity from using the network. After all, it can do
absolutely everything I want without network access.

Sadly, I soon ran into this, in apparmor.d(5):

    Some features are not supported on Debian yet:

        Network Rules
        DBus rules
        Unix socket rules

I thought I'd check Debian Bullseye since it's out now, but it has the same
limitation, which means Chimaera will have the same limitation.

However, in digging, I noted that the same thing can be accomplished with the
unshare(1) command. I tried "unshare -n" but it didn't work:

    $ unshare -n ping 4.2.2.1
    unshare: unshare failed: Operation not permitted

Turns out, there's a sysctl that defaults to "0" in Buster/Beowulf, but "1"
in Bullseye/Chimaera, that lets regular users do this. However, in addition
to turning that on, as an additional step you have to say "map me to root in
a new/cloned namespace so I can then have the privilege to drop the existing
namespace".

So, whether you set it persistently or not, you start with:

    sudo sysctl -w kernel.unprivileged_userns_clone=1

...and then you can run something that has no configured network:

    $ unshare -n ping 4.2.2.1
    unshare: unshare failed: Operation not permitted

It's conceivable that a process running in this new space could note that it
had no configured network and construct something, and as such this might not
be as complete as the AppArmor answer would have been, but this has the
advantage of being possible today.

There's also an iptables-centric method:

    https://serverfault.com/questions/550276/how-to-block-internet-access-to-certain-programs-on-linux

Either way, this is a good model for semi-trusted things that ought not to be
allowed to use the network.

-- 
Mason Loring Bliss  ((  If I have not seen as far as others, it is because
 ma...@blisses.org   ))  giants were standing on my shoulders. - Hal Abelson
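
A wrapper for the approach described in the message above, as an added example that is not part of the original post: it checks the sysctl, runs the command under `unshare -r -n`, and refuses to start it if anything besides `lo` shows up in the new namespace's /proc/net/dev. The script name nonet.sh and its function names are made up for this example.

```sh
#!/bin/sh
# nonet.sh - run a command with no usable network (added example).
# Usage: sh nonet.sh CMD [ARGS...]; needs util-linux unshare(1) and Linux /proc.

USERNS_SYSCTL=/proc/sys/kernel/unprivileged_userns_clone

# userns_allowed [FILE]: succeed if unprivileged user namespaces are enabled.
# The knob comes from a Debian kernel patch; where the file is absent the
# kernel has no such switch, so absence is not treated as "disabled".
userns_allowed() {
    f=${1:-$USERNS_SYSCTL}
    [ -e "$f" ] || return 0
    [ "$(cat "$f")" = "1" ]
}

# list_ifaces [FILE]: print interface names from /proc/net/dev-style text.
# The first two lines are column headers; each name is followed by ':'.
list_ifaces() {
    awk 'NR > 2 { sub(/:.*/, "", $1); print $1 }' "${1:-/proc/net/dev}"
}

# only_loopback [FILE]: succeed if no interface other than lo is listed.
only_loopback() {
    [ -z "$(list_ifaces "$@" | grep -v '^lo$')" ]
}

# nonet CMD [ARGS...]: re-run this script inside a new user namespace in which
# we are mapped to root (-r) and a new, empty network namespace (-n).
nonet() {
    if ! userns_allowed; then
        echo "nonet: run: sudo sysctl -w kernel.unprivileged_userns_clone=1" >&2
        return 1
    fi
    unshare -r -n sh "$0" --inside "$@"
}

case "${1:-}" in
    "") ;;                      # no arguments: only define the functions
    --inside)                   # now inside the namespaces: verify, then run
        shift
        only_loopback || { echo "nonet: interfaces besides lo present" >&2; exit 1; }
        exec "$@" ;;
    *)  nonet "$@" ;;
esac
```

The interface check reads /proc/net/dev rather than /sys/class/net because /proc/net follows the calling process's network namespace, while an already-mounted sysfs still shows the namespace it was mounted in.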
Re: [DNG] ..tenacity replaces Audacity like Devuan replaces Debian? Tenacity ditches spyware.
Dr. Nikolaus Klepp wrote:

> This is a strict no-go. Any software even with the "option" to get you
> prosecuted by any country's laws will get you in trouble. Any sane person
> should stay away from that crap as far as possible.

Unfortunately you’ll struggle to stay away. There is a lot of free/open
software that can get you into trouble - without you doing anything wrong.
DeCSS is still (AIUI) illegal in the USA - but is needed to watch a DVD on
Linux. Many tools (e.g. WiFi scanners, network sniffers) can get you into
trouble because they have a use as “hacking” tools. Basically any tool which
could be considered to have sinister uses, even if that’s only in the eyes of
a technically illiterate law enforcement officer, can get you into trouble.
Heck, even using a web browser can get you into trouble - there have been a
few cases of people, for example, simply editing the URL and being accused of
hacking.

Now, back to the original story.

If any business collects data, then they may be required to hand that data
over to the law enforcement authorities in their country in accordance with
the laws of that country. That is certainly the case with the UK and the
USA - but normally there is a process that must be followed rather than them
simply turning up and telling you to hand it over. In other countries it may
be “accepted practice” for someone to turn up and tell you to hand over data,
with a firearm to provide some incentive to comply.

Furthermore, in some countries there is a legal requirement to collect
certain data - there certainly is in the UK with some service providers.

The best option from a privacy PoV is for anyone to collect the least amount
of data that’s compliant with their laws - that way they minimise what they
could be asked to hand over. If you are interested in finding out how users
actually use your product, e.g. which features are used and need maintenance
vs those that are unused cruft, then you might want to collect some usage
stats. IFF that is done openly and with the user’s permission then I don’t
see that as a big problem - each user can make the decision as to whether
they are happy to help with that.

The biggest problem with Audacity is that they did it without adequately
explaining what they were doing, using a third party with a “dubious” record
on privacy, and generally having a track record of putting self interest
above the interests of its users.

Simon
Re: [DNG] Awkishness [Was: Re: Steam, Mumble, Valheim, Alsa and shared audio
Dear Erik,

dva...@internode.on.net - 24.08.21, 07:25:07 CEST:
> I hope that interests someone. It's not often that an
> opportunity to espouse the original text Swiss army knife presents
> itself.

Thanks! Nice one.

Best,
-- 
Martin