• 0 Posts
  • 22 Comments
Joined 6 months ago
Cake day: December 27th, 2023

  • and the ones finding apes on a planet just short ahead or into the beginning of those 10000 years might think “well let's teach them how to stack stones and let them call us gods for just showing some of our million-year-old and cheaply replicated tech gadgets pewpew, how amusing! but now let's go on, this planet has water but way too much oxygen and also there is axial precession that would change weather over only a few hundred thousand years if not less, not the planet of choice for eternals like us, duh!”


  • Often children that are rescued are taken out immediately and irrevocably for their security; this is done due to sometimes very realistic dangers to their life as well as to protect them from manipulation. Without such external help, a victim would have to do all alone what police in groups with lots of money sometimes struggle to accomplish. keeping kids safe (and that is true even when the police do not have child abusers in their midst) is not always easy.

    They don’t have anywhere else to turn :(

    yes, i think that very often they have nowhere to turn to, and partly this is intentionally deployed by the abusers like cutting contacts with everyone that the child might be willing just to talk to so that some few words could reveal what really happens.

    Also by schools that report kids' bad behaviour to parents (which in general is seen somewhere between unproblematic and good, but to the abused child, the school working hand in hand with the abuser does not help with anything). But the hope to “leave forever once grown up” can help do the (mental) split (possibly there are other solutions like living in fantasy worlds or such or combinations). But leaving for real also has(!) to wait until the abusers are not officially “responsible” for the victim any more, otherwise gov could make sure that the situation gets even worse and this is a very realistic horrifying danger to the victim and regularly happens too. Having to wait means a child of i.e. 5 years may have to decide to wait until it is like 18 years old to actually be able to do the escape it so badly needs to develop its own life; this means it would have to decide to wait another 3 times its current lifetime/age just to securely be able to leave for real and start with developing its own life while the abusers have plenty of time to go on damaging the victim's life, body, mind and soul. Also please be aware that countries exist where government is running (as in organising, financing and protecting from any judicial consequences) projects that involve getting hands on helpless kids, handing over those helpless kids to known previously convicted pedophile sex abusers (explicitly selected because(!) of the criminal record as a pedo sex abuser…), then protecting the abuser as well as the knowledge about the explicit handover “to a selected known child abuser” from the public knowledge while presenting “protecting the child” as the official reason for not making details public or even investigating how suicidal (i.e.) that kid actually is.

    That victims in general should seek help in such official child"care" facilities (which were the ones known to do the handover to the abusers) would not only be a slap in their face but could also pose other serious threats to them. Already knowing a little bit how to handle and prevent worse abuses by that first abuser but being faced with a new unknown “parent” that is abusive too but maybe in other ways, is a huge risk and might get them in additional trouble just because they would have to start trying to protect themselves but again with no knowledge about the new threat they are confronted with.

    “Officially” stopped (as in “a single one” of those child"care" offices has only stopped doing the handovers) projects tend to go on very long (just look how long we still have pirates on the seas despite the British crown and others taking back those “letters of marque” once paid by a gov; a legalized crime will go on for centuries especially if the abusers happen to be protected by gov). From that stopped “handover helpless children to convicted pedophile sex abusers” project (Kentler “experiment”) up until now AFAIK not a single child has been rescued so far (thus the project continues with happy abusers and likely suicidal-thinking victims).

    So in some lesser civilized countries (which usually strive to call themselves the most civilized…) the official childcare much more looks like a real trap to face even more abuse.

    Some abusers build psychological traps for their victims like offering help but turning it into disaster, then making the child (or even adults) responsible for any bad outcome (which might as well be preparedly forged bad outcomes by the abusers. mind control bastards are in fact evil). Such experience could harm the victim's overall acceptance of ‘help’ from anyone, effectively preventing offered true help from being accepted.

    Now say what to choose where an abused child “should” turn to “in general” and how the help has to be organised and offered to those children to actually help.

    Social workers often say that every abusive situation is very special while at the same time the schemes are often very similar.

    No matter what, the solution is never easy unless the abuser dies by a true accident or real health issues and luck lets the child find (luck no. 2) someone really trustworthy - no matter by which way. When thinking of humans and eternal life, the point of abusers never dying is the one point where i would say if abusers could also live forever in case that humanity in general could, then it would be better humanity in general could not live forever.

    But also love IS part of human beings, loving someone else makes us feel better and also heal a bit, people say that sharing comes back twice and i think this is part of it. We humans do need to care for someone else or we get ill-minded (maybe feel the need of becoming richer and richer, more powerful and even more powerful every day, may it be in politics or in controlling other people's lives or minds, effectively abusing them, becoming an abuser or such); that is losing ground in our own minds and losing real control over one's own life then sometimes raises the need to control others instead if that seems more easy or maybe more realistic or maybe even pleasant, i don’t know. Maybe the love given by abused victims to their abusers is just that, keeping themselves sane, even if that sounds insane by itself, but given the circumstances sometimes could seem to be the smallest loss while losing a whole life but just “not yet” every day :( which i see as a whole-life torture.

    That's about the main parts of what i think why, not a single reason but a bunch of maybes one worse than the other.

    this is part 2 of 2


  • the “love” part is - as always - difficult to define. it's a word widely abused by those who abuse in other ways anyway, while in non-abuse circumstances, “love” is kind of a word without clear definition. In some aspects this is very similar to love itself - as love has many ways and facets to it that can vary greatly - okay, but that possibly is only a thought fed by a lack of a more precise language and overall use of way too generic words.

    A young child that is abused might not have experienced love in its short lifetime, yet it might use the word it once heard in a different context out of just trying to get word meanings - that is learning to speak - or trying to figure out what could stop the abuser from abusing it, while their abusers might personally use the word “love” instead of “abuse” because abusing others - for the abuser - might be the one thing which makes them feel something that most closely matches what others say about how love feels. For the kid, love then is a weird word with very contradicting meaning, which in turn would be said to be so by nearly all adults, but mostly for other reasons. Please try to be more precise when talking about serious love questions about abusive contexts =) let me now do a step aside to the literally cold part of the world. One knows snow and ice, but i once read in a documentary that some culture in an icy region has 32 words for different types of ice and snow for their daily use and i assume that this happened due to the need of defining what type of snow to expect ‘over there’, or maybe “tomorrow” or in discussions where to settle or how to reach a site… that is, having only one word that has to fit-them-all yet being so important and prone to be abused (abuse of the word here), it seems to me that the lack of words for defining a bit more precisely if it is loving like a (non-abusive) mother, loving like a real friend, loving sth like an enthusiast … could probably have a slightly bigger role in the overall problem than anticipated in general.

    but yes, the brain is programmable, you do it when learning to ride a bicycle. Social programming may work differently, but is also possible. See how many people are trained like apes to always shout how great their country is, how civilized etc they are, yet if you really look at it, all the lies just stink horribly and that so called civilisation is very far away from being civilised. yet all the programmed apes proudly shout the greatness that does not even exist there, but maybe it exists in their dreams (only)…

    but now to answer the question with what i personally think:

    while the mind is still developing to actually come into existence, consciousness still is a rare visitor as it comes into play and drifts away again without having a way to make it stay; one has only few things randomly chosen that can be directly remembered and huge parts of time in between conscious moments which start with a fast-forward in time while the in-between is like the memory of a bad dream, blurred, not in order etc, but yet is the actual reality consciousness then stepped into. Stepping in of not yet developed consciousness may also have an uncontrollable timing of stepping in and out, making decisions very urgent to do before blur time starts again and consciousness steps out. While not having consciousness at hand all the time, one can - during conscious times - only act or even think so little until unconscious time of “instinct-only” starts again. Again in non-conscious time contra-abuse actions cannot be performed or even thought of. body screams in pain, making the abuser cause more pain to the victim which causes the body to scream more until finally passing out. however thinking how to get out is only available in moments when the currently developing consciousness actually steps in again, which can be quite short and not so easy to predict when that happens or when it ends again.

    In later stages where consciousness - while not fully developed - at least is nearly all the time available -that is until passing out of course- actions can be adjusted to like not(!) crying in pain when waking up from passing out (while still being abused though) so to disrupt this specific downward spiral of screaming-is-punished-by-more-abuse.

    In later stages when being able to observe the little hints of psychological instabilities of the abusers and their “abuse triggers” a “profile” becomes visible -that is when the victim has sort of a years-long running statistics about that broken abuser's “personality”, not because the victim wants to make statistics but because intentionally forgetting things is just not yet available to the under-stress-developing personality / brain functions of the victim, as same as also intentionally remembering things (in general or circumstances related) too is a not yet available brain function. Also some parts of a more developed brain hide horrible experiences from consciousness while other parts try to reach the memories to not only complete development but also to maybe find solutions to get out of the danger by analyzing memories of what happened when and why, when did it stop and maybe what caused the stop so one can start to handle it somehow. So it all forms a rather horrible yet “luckily incomplete” statistics done under stressful fight against oneself then later called maybe just “experience” or trauma etc. while the victim should learn to cope and handle and develop its own body or brain functions or even personality, to prepare for life, it is >500% overload-occupied with learning to cope with the junkyard of the abuser's “personality” to prevent the small quantum fluctuations in the imbalances of the abuser's psychological radioactive mess to avoid at least passing out due to abuse. trying to prevent the abuse is then the only available way of trying to survive, which is also instinct driven and surviving is the no. 1 priority of the child, that is of course unless the child develops suicidal thoughts as a result of abuse. If and only if the victim somehow survives this mentally and becomes capable of doing the splits (mind, not sports) it is then eventually able to try to analyse how it could be possible and plan ahead solving the problem by maybe leaving forever or maybe finding other solutions, being on a constant lookout for what might bring security instead of learning to live or enjoying life let alone building up his life. Children don’t know what possibilities society in general offers or the risks child"care" offices pose to them (neither the other way around). They only rely on that little they know which is only their own experience and the “experience” of all ancestors combined and inherited in “instincts”, which are both unreliable in such circumstances: instincts are sort of predictable by adults and often abused by abusers thus bad to rely on in an abusive context when still a child. The own experience is still very little, likely poisoned by abusers and logic (brain instinct?) also needs all relevant variables to make good decisions while the lack of experience causes a lack of knowing what variables would be relevant or do exist at all, also again likely being poisoned by abusers. Decisions are made out of the visible(!) possibilities which are likely also intentionally reduced overall by abusers for this very reason, maybe by cutting the child's connections to others, telling the child that those neighbours were very evil persons etc.

    Some types of abusers intentionally destroy their victims' belief in themselves. this makes it very hard or impossible for the victim to get out on his own, sometimes the victim's mind may even start to think (what narcissists heavily work on to achieve) that the current abusive situation was the best possible outcome of their life, which then stops the “want” of leaving the abusive context as a result of the psychological trap the abuser intentionally laid.

    Also leaving abusive circumstances always is risky, and one should be thoughtful about risky decisions in general, right? Obviously abusers already are ok with substantially harming the victim's body, mind, life and soul. Also they usually fear to face consequences (not sociopaths or psychopaths, they don’t fear consequences), some would rather completely destroy the life of their victim than face the consequences of their actions. Narcissists would probably make the friends of the victim believe the narcissist was the victim and the victim was the offender, deliberately destroying all friendships. A sociopath would probably cause unimaginable damages of any type to the victim, not preventing even damage to himself, while a psychopath would maybe kill the victim for any reason including removal of evidence. Considering all of this does not make “leaving” abusive situations an easygoing task but a decision that can possibly and realistically end very horribly. Additionally victims might fear to get similar punishments from others when telling the truth so in fear might not even tell the truth when help would really be at the tip of their nose. Then saying weird things could be such an instinct kicking in and maybe not(!) a thoughtful decision. Saying such things (out of trained fear) that protect the abuser or even add insult to the victim itself (as trained by the abuser that the victim always has to insult itself and call itself being responsible for all bad things or face even worse punishing) might also affect the victim to start to believe really untrue things about itself. Most people struggle to get out of a single devil's circle, but what if a second circle was added?

    this is part 1…


  • looking at the official timeline it is not completely a microsoft product, but…

    1. microsoft hated all of linux/open source for ages, even publicly called it a cancer etc.
    2. microsoft suddenly stopped its hate speech after the long-term “ineffectiveness” (as in not destroying) of its actions against the open source world became obvious by time
    3. systemd appeared on stage
    4. everything within systemd is microsoft style, journald is literally microsoft logging, how services are “managed”, started etc is exactly the flawed microsoft service management, how systemd was pushed to distributions is similar to how microsoft pushes things to its victi… eh… “customers”, systemd breaks its promises like microsoft does (i.e. it has never been a drop-in replacement, like microsoft claimed its OS to be secure while making actual use of separation of users from admins i.e. by filesystem permissions first “really” in 2007 with the need of an extra click, where unix already used permissions for such protection in 1973), systemd causes chaos and removes the deterministic behaviour from linux distributions (i.e. before systemd windows was the only operating system that would show different errors at different times during installation on the very same perfectly working hardware, now on systemd distros similar chaos can be observed too). there AFAIK still does not exist a definition of the “binary” protocol of journald, every normal open source project would have done that official definition in the first place, the systemd developers' statement was like “we take care for it, just use our libraries” which is microsoft style saying “use our products”, the superfluous systemd features do harm more than they help (journald’s “protection” from log flooding uses like 50% cpu cycles for huge amounts of wanted and normal logs while a sane logging system would be happily only using 3% cpu for the very same amount of logs/second whilst ‘not’ throwing away single log lines like journald, thus journald exhaustively and pointlessly abuses system resources for features that do more harm where they are said to help with in the first place), making the init process a network reachable service looks to me as bad as when microsoft once put its web rendering engine (iis) into kernelspace to be a bit faster but still being slower than apache while adding insecurity that later was an abused attack vector. systemd adding pointless dependencies all along the way like microsoft does with its official products to put some force on its customers for whatever official reason they like best. systemd being pushed to distributions with a lot of force and damage even to distributions that had this type of freedom of choice to NOT force their users to use a specific init system in its very roots (and the push to place systemd inside of those distros even was pushed further to circumvent the unstable->testing->stable rules like microsoft does with its patches i.e.), this list is very far from complete and still no end is in sight.
    5. “the” systemd developer is finally officially hired by microsoft

    i said that systemd was a microsoft product long before its developer was then hired by microsoft in 2022. And even if he wasn’t hired by them, systemd is still a microsoft-style product in every important way with all that is wrong in how microsoft does things wrong, beginning with design flaws, added insecurities and unneeded attack vectors, added performance issues, false promises, usage bugs (like i’ve never seen an already just logged in user be directly logged off in a linux system, except for when systemd wants to stop-start something in background because of its ‘fk y’ and where one would “just try to login again and don't think about it” like with any other of microsoft's shitware), ending in insecure and unstable systems where one has to “hope” that “the providers” will take care for it without continuing to add even more superfluous features, attack vectors etc. as they always did until now.

    systemd is in every way i care about a microsoft product. And systemd’s attack vectors by “needless dependencies” just have been added to the list of “proven” (not only predicted) to be as bad as any M$ product in this regard.

    I would not go as far to say that this specific attack was done by microsoft itself (how could i?), but i consider it a possibility given the facts that they once publicly named linux/open source a “cancer” and now their “sudden” change to “support the open source world” looks to me like the poison “Gríma” used on “Théoden”, as well as some other observations and interpretations. however i strongly believe that microsoft secretly actually “likes” every single damage any of systemd’s pointlessly added dependencies or other flaws could do to linux/open source very much. and why shouldn’t they like any damage that was done to any of their obvious opponents (as in money-gain and “dictatorship”-power)? it’s a US company, what would one expect?

    And if you want to argue that systemd is not “officially” a product of the microsoft company… well people also say “i googled it” when they mean “i used one of the search engines actually better than google.com”, same with other things like “tempo” or “zewa” where i live. since the systemd developer works for microsoft and it seems he works on systemd as part of this work contract, and given all the microsoft style flaws within from the beginning, i consider systemd a product of microsoft. i think systemd overall also “has components” of apple products, but these are IMHO none of technical nature and thus far from being part of the discussion here and also apple does not produce “even more systemd”; also apple has -as of my experience- very different flaws i did not encounter in systemd (yet?) thus it’s clearly not an apple product.


  • Before pointing to vulnerabilities of open source software in general, please always look into the details, who -and if so - “without any need” thus also maybe “why” introduced the actual attack vector in the first place. The strength of open source in action should not be seen as a deficit, especially not in such a context.

    To me it looks like an evilish company has put lots of efforts over many years to inject its very own overall steady attack-vector-increase by “otherwise” needless increase of introduction of uncounted dependencies into many distros.

    such a ‘needless’ dependency is liblzma for ssh:

    https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de/

    openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.

    … and that was where and how the attack then surprisingly* “happened”

    I consider the attack vector here to have been the superfluous systemd with its excessive dependency cancer. Thus a result of using a Microsoft-alike product. Using M$-alike code, what would one expect to get?

    *) no surprises here, let me predict that we will see more of their attack vectors in action in the future: as an example have a look at the init process, systemd changed it into a ‘network’ reachable service. And look at all the “cute” capabilities it was designed to “need” ;-)

    however distributions free of microsoft(-ish) systemd are available for all who do not want to get the “microsoft experience” in otherwise security driven** distros

    **) like doing privilege separation instead of the exact opposite by “design”


  • smb@lemmy.ml to linuxmemes@lemmy.world, “Russian delete” (19 upvotes, 3 months ago)

     HISTCONTROL=ignorespace
     unset RANDOM
     RANDOM=4
     clear
    ...

    If RANDOM is unset, it loses its special properties, even if it is subsequently reset.

    HISTCONTROL: If the list of values includes ignorespace, lines which begin with a space character are not saved in the history list.

    RTFM can save your server AND your bet ;-)

    it is cheating of course if the predefined rules tell us about such requirements and if these are not met any more when unsetting RANDOM ahead of it.
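    As an added example (not part of the comment or the meme it replies to), the script below reproduces both quoted manual statements in a throwaway bash so they can be checked rather than taken on faith: after `unset RANDOM` the variable is ordinary and returns whatever was assigned, and with `HISTCONTROL=ignorespace` a command line that starts with a space runs but never reaches the history list. It assumes `bash` is on PATH; the command lines fed to it are constructed.

```shell
#!/bin/sh
# Added example, not from the original comment. Assumes bash is installed.

# After `unset RANDOM`, RANDOM is a plain variable: assigning 4 makes every
# later expansion return 4 (which is what rigs the "roulette" in the meme).
random_after_unset() {
    bash --norc -c 'unset RANDOM; RANDOM=4; printf "%s %s %s" "$RANDOM" "$RANDOM" "$RANDOM"'
}

# Control case: assigning to an intact RANDOM only reseeds the generator,
# so the next three reads are still pseudo-random values in 0..32767.
random_reseeded() {
    bash --norc -c 'RANDOM=4; printf "%s %s %s" "$RANDOM" "$RANDOM" "$RANDOM"'
}

# Feed an interactive bash (stdin is a pipe, so no tty is needed) a constructed
# session in which one command starts with a space. HISTFILE is emptied so
# nothing is read from or written to a real history file, and --norc keeps a
# ~/.bashrc from changing HISTCONTROL. The `history` builtin then prints what
# was actually recorded; prompts and job-control warnings go to stderr.
history_listing() {
    printf '%s\n' 'HISTCONTROL=ignorespace' 'echo visible' ' echo hidden' 'history' \
        | HISTFILE= bash --norc -i 2>/dev/null
}

# Returns 0 when the recorded history lists "echo visible" but not the
# space-prefixed "echo hidden". The hidden command still executes (its output
# "hidden" appears), it just leaves no history entry, which is the point a
# defender relying on shell history should keep in mind.
history_hides_spaced_command() {
    listing=$(history_listing)
    case "$listing" in
        *"echo hidden"*) return 1 ;;
    esac
    case "$listing" in
        *"echo visible"*) return 0 ;;
    esac
    return 1
}

main() {
    echo "after unset RANDOM:  $(random_after_unset)"
    echo "reseeded RANDOM:     $(random_reseeded)"
    echo "--- session output and history as seen by bash ---"
    history_listing
    if history_hides_spaced_command; then
        echo "ignorespace kept ' echo hidden' out of the history list"
    fi
}

main
```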


  • smb@lemmy.ml to linuxmemes@lemmy.world, “That's why we need two ssds for dual boot” (2 upvotes, 2 downvotes, edited, 3 months ago)

    i have two other possibilities at hand, that do not involve two SSDs:

    1. don’t use intentionally broken software in the first place ;-)
    2. use another device for bootloader, could be a readonly CD or a usb drive, PXE/bootp could also do it.

    And if your company wants you to use rotten software, they also want you to give them the delays, downtimes and annoyances that naturally come with rotten decisions, just keep that in mind.

    Here is one thing to remember and why i call it rotten software and rotten decisions:

    Microsoft offers a free “blame the ransomware people” to any CTO who just wants to receive money without working at all or not having to “think” during work. That same CTO can get a bonus after “solving” the ransomware issue and then: “look how ‘invaluable’ that CTO is to the company” he “worked” for a month (yelling at engineers he previously told to install rotten software???) and resolved the ransomware issue!! This is the same for those who work. no law has ever given people that many paid breaks from work as “rotten software” vendors did. and if you made a mistake and did not get trained before, you could blame not being trained.

    Look at it from a “fingerpointer” point of view, one could always blame someone else for everything and the only one to blame is too big to fail and also untouchable due to their army of darkness lawyers. thus anything happened? no one could be guilty AND be held responsible. Also if one is slow at work, and so is his OS, obviously easy to blame someone else again.

    so microsoft offers a “solution” to “boss wants you to work more and quicker” but remember, that same boss only “needs” a cover for his own ass to be able to point to someone else and the ones creating the rotten software do deliver that ;-)

    i do not know any better wording for such a situation than “rotten” thus i name it so.


  • i am happy to have a raspberry pi setup connected to a VLAN switch, internet is behind a modem (like bridged mode) connected with ethernet to one switchport while the raspi routes everything through one tagged physical GB switchport. the setup works fine with two raspis and failover without tcp disconnections during an actual failover, only a few seconds delay when that happens, so basically voip calls recover after seconds, streaming is not affected, while in a game a second off might be too much already, however as such hardware failures happen rarely, i am running only one of them anyway.

    for firewall i am using shorewall, while for some special routing i also use unbound dns resolver (one can easily configure static results for any record) and haproxy with sni inspection for specific https routing for the rather specialized setup i have.

    my wifi is done by an openwrt but i only use it for having separate wifis bridged to their own vlans.

    thus this setup allows for multi-zone networks at home like a wifi for visitors with daily changing passwords and another for chromecast or home automation, each with their own rules, hardware redundancy, special tweaking; everything that runs on gnu/linux is possible including pihole, wireguard, ddns solutions, traffic statistics, traffic shaping/QoS, traffic dumps or even SSL interception if you really want to import your own CA into your phone and see what data your phone's apps (those that don’t use certificate pinning) are transferring when calling home, and much more.

    however regarding ddns it sometimes feels safer and more reliable to have a somehow reserved IP that would not change. some providers offer rather cheap tunnels for this purpose. i once had a free (ipv6) tunnel at Hurricane Electric (besides another one for IPv4) but now i use VMs in data centers.

    i do not see any ready product to be that flexible. however to me the best ready router system seems to be openwrt, you are not bound to a hardware vendor, get security updates longer than with any commercial product, can 1:1 copy your config to a new device even if the hardware changes and have the possibility to add packages with special features to it.

    “openwrt” is IMHO the most flexible ready solution for longtime use. same as “pfsense” is also very worth looking at and has some similarities to openwrt while being different.



  • smb@lemmy.ml to Linux@lemmy.ml, “Btw” (17 upvotes, 6 downvotes, 3 months ago)

    a woman would take care of a literal horse instead of going to therapy. i don’t see anything wrong there either.

    just a horse is way more expensive, cannot be put aside for a week on vacations (could a notebook be put aside?) and one cannot make backups of horses or carry them with you when visiting friends. Horses are way more cute, though.


  • sorry if i might repeat someone's answer, i did not read everything.

    it seems you want it for “work”, which assumes that stability and maybe something like LTS is sort of the way to go. This also assumes older but stable packages. maybe better choose a distro that separates new features from bugfixes, this removes most of the hassle that comes with rolling release (like every single bugfix comes with two more new bugs, one removal/incompatible change of a feature that you relied on and at least one feature that cripples stability or performance whilst you cannot deactivate it… yet…)

    likely there is at least some software you most likely want to update outside of the regular package repos, like i did for years with chromium, firefox and thunderbird using some shell script that compared the current version with the latest remote one to download and unpack it if needed.

    however maybe some things NEED a newer system than you currently have, thus if you need such software, maybe consider to run something in VMs maybe using ssh and X11 forwarding (oh my, i still don’t use/need wayland *haha)

    as for me, i like to have some things shared anyway like my emails on an IMAP store accessible from my mobile devices and some files synced across devices using nextcloud. maybe think outside the box from the beginning. no arch-like OS gives you the stability that the already years-long-hung things like debian redhat/centos offer, but be aware that some OSes might suddenly change to rolling release (like centos i believe) or include rolling-release software made by third parties without respecting their own rules about unstable/testing/stable branches and thus might cripple their stability by such decisions. better stay up to date if what you update to really is what you want.

    but for stability (like at work) there is nothing more practical than ancient packages that still get security fixes.

    roughly the last 15 years or more i only reinstalled my workstation or laptop for:

    • hardware problems, mostly aged disk like ssd wearlevel down (while recovery from backup or direct syncing is not reinstalling right?)
    • OS becomes EOL. thats it.

    if you choose to run servers and services like imap and/or nextcloud, there is some gain in quickly switching the workstation without having to clone/copy everything but only place some configs there and you’re done.

    A multi-OS setup is more likely to cover “all” needs while tools like x2vnc exist and can be very handy then, i nearly forgot that i was working on two very different systems, when i had such a setup.

    I would suggest to make recovery easy, maybe put everything on a raid1 and make sure you have an offsite and an offline backup with snapshots, so in case something breaks you just need to replace hardware. that’s the stability i want for the tools i work with at least.

    if you want to use a rolling release OS for something work related i would suggest to make sure no one externally (their repo, package manager etc) could ever prevent you from reinstalling that exact version you had at that exact point in time (snapshots from repos, install media etc). then put everything in something like ansible and try out that reapplying old snapshots is straightforward for you, then (and not earlier) i would suggest that those OSes are ok for something you consider to be as important as “work”. i tried arch linux at a time when they had already stopped supporting the old installer while the “new” installer wasn’t yet ready at all for use, thus i never really got into longterm use of archlinux for something i rely on, because i couldn’t even install the second machine with the then broken install procedure *haha

    i believe one should consider to NOT tinker too much on the workstation. having to fix something you personally broke “before” being able to work on something important is the opposite of awesome. better have a second machine instead, a swappable harddrive or use VMs.

    The exact OS is IMHO not important, i personally use devuan as it is not affected by some instability annoyances that are present in ubuntu and probably some more distros that use that same software. at work we monitor some of those bugs of that software within ubuntu because it creates extra hassle, and we work around those so it’s mostly just a buggy annoying thing visible in monitoring.



  • smb@lemmy.mltoLinux@lemmy.mlWhen do I actually need a firewall?
    5 months ago

    so here are some reasons for having a firewall on a computer that i did not read in the thread (could have missed them). i had already written this but then lost the text again before it was saved :( so here is a compact version:

    • having a second layer of defence, to prevent some of the direct impact of i.e. supply chain attacks like “upgrading” to a maliciously manipulated version.
    • control things tightly and report strange behaviour as an early warning sign ‘if’ something happens, no matter if attacks or bugs.
    • learn how to tighten security and know better what to do in case you need it some day.
    • sleep more comfortably when knowing what you have done or prevented
    • compliance to some laws or customers’ buzzword matching wishes
    • the fun to do it because you can
    • getting in touch with real life side quests that you would never be aware of if you had not actively practiced by hardening your system.

    one side quest example i stumbled upon: imagine an attacker has compromised the vendor of a software you use on your machine. this software connects to some port eventually, but pings the target first before doing so (whatever! you say). from time to time the ping does not go to the correct 11.22.33.44 of the service (weather app maybe) but to 0.11.22.33. looks like a bug, you say, never mind.

    could be something different. pinging an IP that does not exist ensures that the connection tracking of your router keeps the entry until it expires, opening a time window that is much easier to hit even if clocks are a bit out of sync.

    also the attacker knows the IP that gets pinged (but it’s an outbound connection to an unreachable IP, you say, what could go wrong?)

    let’s assume the attacker knows the external IP of your router by other means (i.e. you’ve sent an email to the attacker and your freemail provider hands over your external router address to him inside of an email received header, or the manipulated software updates a dyndns address, or the attacker just guesses your router has an address of your provider’s dial up range, no matter what.)

    so the attacker knows when and from where (or what range) you will ping an unreachable IP address in exactly what timeframe (the software running from cron, or in user space and pinging at exact timeframes to the “buggy” IP address). Then within that timeframe the attacker sends an icmp unreachable packet to your router’s external address, and puts the known buggy IP in the payload as the address that is unreachable. the router matches the payload of the packet, recognizes it is related to the known connection tracking entry and forwards the icmp unreachable to your workstation, which in turn gives your application the information that the IP address of the attacker informs you that the buggy IP 0.11.22.33 cannot be reached by him. as the source IP of that packet is the IP of the attacker, that software can then open a TCP connection to that IP on port 443 and follow the instructions the attacker sends to it. Sure the attacker needs that backdoor already to exist and run on your workstation, and to know or guess your external IP address, but the actual behaviour of the software looks like normal, a bit buggy maybe, but there is exactly no information within the software where the command and control server would be, only that it would respond to the icmp unreachable packet it would eventually receive. all connections are outgoing, but the attacker “connects” to his backdoor on your workstation through your NAT “Firewall” as if it did not exist while hiding the backdoor behind an occasional ping to an address that does not respond, either because the IP does not exist, or because it cannot respond due to a DDoS attack on the 100% sane IP that actually belongs to the service the App legitimately connects to, or due to a maintenance window the provider of the manipulated software officially announces. the attacker just needs the IP to not respond or to respond slooowly to increase the timeframe of connecting to his backdoor on your workstation before your router deletes the connection tracking entry of that unlucky ping.

    if you don’t understand how that example works, that is absolutely normal and i might be bad at explaining too. thinking out of the box around corners that only sometimes are corners to think around and only under very specific circumstances that could happen by chance, or could be directly or indirectly under control of the attacker while only revealing the attacker’s location in the exact moment of connection is not an easy task and can really destroy the feeling of achievable security (aka belief to have some “control”) but this is not a common attack vector, only maybe an advanced one.

    sometimes side quests can be more “informative” than the main course ;-) so i would put that (“learn more”, not the example above) as the main good reason to install a firewall and other security measures on your pc even if you’d think you’re okay without it.
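Added example, not from the comment above: the defensive counterpart to the side quest. A shell function scans netfilter LOG lines for outbound echo requests to addresses that can never answer (0.0.0.0/8, 240.0.0.0/4, limited broadcast), which is the kind of “buggy” ping the story hinges on, plus the iptables rules that log and reject such pings in the first place. The log lines and the “egress:” LOG prefix are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original comment. The LOG lines below are
# constructed to look like the kernel's "IN= OUT=eth0 SRC=... DST=..." format.
# Set IPT="echo iptables" for a dry run that only prints the rules.
IPT="${IPT:-iptables}"

# Echo requests to these destinations can never be answered, so a legitimate
# program has no reason to send them; log and reject them in OUTPUT.
# 0.0.0.0/8 = "this network", 240.0.0.0/4 = reserved, 255.255.255.255 =
# limited broadcast. -I inserts at the top, so REJECT goes in before LOG
# to end up below it.
dead_ping_rules() {
    for net in 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32; do
        $IPT -I OUTPUT -p icmp --icmp-type echo-request -d "$net" -j REJECT
        $IPT -I OUTPUT -p icmp --icmp-type echo-request -d "$net" \
            -j LOG --log-prefix "dead-ping: "
    done
}

# Scan LOG output (stdin) for outbound ICMP echo requests (TYPE=8) whose
# destination falls into one of those ranges; print one DST per hit.
flag_dead_pings() {
    awk '
    {
        dst = ""; proto = ""; type = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "TYPE")  type  = kv[2]
        }
        if (proto != "ICMP" || type != "8" || dst == "") next
        split(dst, o, ".")
        if (o[1] + 0 == 0 || o[1] + 0 >= 240) print dst
    }'
}

# Constructed sample from an (assumed) catch-all "egress:" LOG rule: one sane
# ping to the real service, one ping into 0.0.0.0/8, one unrelated TCP line.
SAMPLE_LOG='kernel: egress: IN= OUT=eth0 SRC=192.168.1.10 DST=11.22.33.44 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=42 SEQ=1
kernel: egress: IN= OUT=eth0 SRC=192.168.1.10 DST=0.11.22.33 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=42 SEQ=2
kernel: egress: IN= OUT=eth0 SRC=192.168.1.10 DST=11.22.33.44 LEN=60 PROTO=TCP SPT=51234 DPT=443'

# Run the scanner over the sample; only the 0.11.22.33 ping is reported.
scan_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_dead_pings
}

# Usage: sh dead-ping.sh --scan   (or: IPT="echo iptables" sh dead-ping.sh --rules)
case "${1:-}" in
    --scan)  scan_sample ;;
    --rules) dead_ping_rules ;;
esac
```

For a live system, feed `journalctl -k` or the ulogd file into flag_dead_pings instead of the sample.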


  • This is most likely a result of my original post being too vague – which is, of course, entirely my fault.

    Never mind, and i got distracted and carried away a bit from your question by the course the messages had taken

    What is your example in response to?

    i thought it could possibly help clarifying something, sort of it did i guess.

    Are you referring to an application layer firewall like, for example, OpenSnitch?

    no, i do not consider a proxy like squid to be an “application level firewall” (but i don’t know opensnitch however), i would just limit outbound connections to some fqdn’s per authenticated client and ensure the connection only goes to where the fqdns actually point to. like an attacker could create a weather applet that “needs” https access to f.oreca.st, but implements a backdoor that silently connects to a static ip using https. with such a proxy, f.oreca.st would be available to the applet, but the other ip not as it is not included in the acl, neither as fqdn nor as an ip. if you like to say this is an application layer firewall ok, but i don’t think so, it’s just a proxy with acls to me that only checks for allowed destination and if the response has some http headers (like 200 ok) but not really more. yet it can make it harder for some attackers to gain the control they are after ;-)


  • But the point that I was trying to make was that that would then also block you from using SSH. If you want to connect to any external service, you need to open a port for it, and if there’s an open port, then there’s a opening for unintended escape.

    now i have the feeling as if there might be a misunderstanding of what “ports” are and what an “open” port actually is. Or i just don’t get what you want. i am not on your server/workstation thus i cannot even try to connect TO an external service “from” your machine. i can do so from MY machine to other machines as i like and if those allow me, but you cannot do anything against that unless that other machine happens to be actually yours (or you own a router that happens to be on my path to where i connect to)

    let’s try something. your machine A has an ssh service running, my machine B has ssh and another machine C has ssh.

    users on the machines are a, b, c, the machine letters but in lowercase. what should be possible and what not? like: “a can connect to B using ssh” “a can not connect to C using ssh (forbidden by A)” “a can not connect to C using ssh (forbidden by C)” […]

    so what is your scenario? what do you want to prevent?

    I don’t fully understand what this is trying to accomplish.

    accomplish control (allow/block/report) over who or what on my machine can connect to the outside world (using http/s) and to exactly where, but independent of ip addresses, using domains to allow or deny on a per user/application + domain combination while not having to update ip based rules that could quickly outdate anyway.


  • smb@lemmy.mltoAsk Lemmy@lemmy.worldWhat's the worst ad you've ever seen?
    5 months ago

    i disliked an ad on tv before 2000 and decided to not buy the deodorant stick then because of that. like 10 to 15 years later i accidentally bought the product, long forgotten that this was the one with that bad ad, and actually liked the product and bought it regularly for some time (then remembering how bad that ad was, but okay the product was good actually). that was until they decided to put more plastics into packaging as well as less content into it (same price for package) just to make it more costly for me thus more profitable for them, whilst producing more litter and destroying more resources just for profit. The higher price would not have been too bad, but creating more litter for more profit made me then search for a better product. then found a bio product with all natural contents, very little plastic packaging and even less pricy.

    That ad made me NOT buy it. So that was the worst ad i’ve ever seen in two ways: it reduced my willingness to buy their product to far below zero lasting for a decade and i did not even want to try the product that i later found to be actually good, so worst case for the vendor AND the customer.

    However that product later also had the “best” price rise (by less content) for me ever as that made me search and find the then newly existing even better and more natural, less pricy product of their competitor.

    Maybe good CEOs are rare.



  • you do not need to know the source ports for filtering outgoing connections.

    (i usually use “shorewall” as a nice and handy wrapper around iptables and a “reject everything else” policy when i have configured everything as i wanted. so i only occasionally use iptables directly, if my examples don’t work, i simply might be wrong with the exact syntax)

    something like:

    iptables -I OUTPUT -p tcp --dport 22 -j REJECT

    should prevent all new tcp connections TO ssh ports on other servers when initiated locally (the forward chain is again another story)

    so … one could run an http/s proxy under a specific user account, block all outgoing connections except those of that proxy (i.e. squid) then every program that wants to connect somewhere using direct ip connections would have to use that proxy.

    better try this first on a VM on your workstation, not your server in a datacenter:

    iptables -I OUTPUT -j REJECT
    iptables -I OUTPUT -p tcp -m owner --uid-owner squiduser -j ACCEPT

    “-I” inserts at the beginning, so that the second -I actually becomes the first rule in that chain allowing tcp for the linux user named “squiduser” while the very next would be the reject everything rule.

    here i also assume “squiduser” exists, and hope i recall the syntax for owner match correctly.

    then create user accounts within squid for all applications (that support using proxies) with precise acls to where (the fqdns) these squid users are allowed to connect to.

    there are possibilities to intercept regular tcp/http connections and “force” them to go through the http proxy, but if it comes to https and not-already-known domains the programs would connect to, things become way more complicated (search for “ssl interception”) like the client program/system needs to trust “your own” CA first.

    so the concept is to disallow everything by iptables, then allow more finegrained by http proxy where the proxy users would have to authenticate first. this way your weather desktop applet may connect to w.foreca.st if configured, but not e.vili.sh as that would not be included in its users acl.

    this setup would not prevent everything applications could do to connect to the outside world: a locally configured email server could probably be abused or even DNS would still be available to evil applications to “transmit” data to their home servers, but that’s a different story and abuse of your resolver or forwarder, not the tcp stack then. there exists a library to tunnel tcp streams through dns requests and their answers, a bit creepy, but possible and already prepared. and only using a http-only proxy does not prevent tcp streams like ssh, i think a simple tcp-through-http-proxy-tunnel software was called “corkscrew” or similar and would go straight through a http proxy but would need the other end of the tunnel software to be up and running.

    much could be abused by malicious software if it gets executed on your computer, but in general preventing simple outgoing connections is possible and more or less easy depending on what you want to achieve
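As an added example (not the poster’s own commands), here is a small POSIX shell script that builds the rule set described above: reject everything outbound, except TCP (and resolver UDP) from the proxy’s Linux user, plus a squid ACL fragment tying each authenticated proxy user to its allowed fqdn. The user name squiduser, the basic_ncsa_auth path, /etc/squid/passwd and the extra loopback/conntrack rules are assumptions of this example, not from the post.

```shell
#!/bin/sh
# Added example, not the poster's own commands. Assumptions (constructed):
# the proxy runs as Linux user "squiduser", clients authenticate to squid
# with basic auth against /etc/squid/passwd, squid listens on 127.0.0.1.
# Set IPT="echo iptables" for a dry run that only prints the rules.
IPT="${IPT:-iptables}"
PROXY_UID="${PROXY_UID:-squiduser}"

# OUTPUT-chain rules. -I inserts at the top, so the rule inserted last is
# evaluated first; the catch-all REJECT therefore goes in first. Compared to
# the bare two rules in the post this also keeps loopback, the proxy's own
# DNS lookups and replies to already-accepted inbound connections working.
egress_rules() {
    $IPT -I OUTPUT -j REJECT
    $IPT -I OUTPUT -p udp --dport 53 -m owner --uid-owner "$PROXY_UID" -j ACCEPT
    $IPT -I OUTPUT -p tcp -m owner --uid-owner "$PROXY_UID" -j ACCEPT
    $IPT -I OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -I OUTPUT -o lo -j ACCEPT
}

# squid ACL fragment from "proxyuser:fqdn" arguments: each authenticated
# proxy user may reach only the fqdn(s) listed for it. A CONNECT to a bare
# IP matches no dstdomain ACL and falls through to the final deny.
squid_acl() {
    echo "auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd"
    echo "auth_param basic realm egress-proxy"
    echo "acl authed proxy_auth REQUIRED"
    echo "http_access deny !authed"
    for pair in "$@"; do
        user="${pair%%:*}"
        fqdn="${pair#*:}"
        echo "acl u_${user} proxy_auth ${user}"
        echo "acl d_${user} dstdomain ${fqdn}"
        echo "http_access allow u_${user} d_${user}"
    done
    echo "http_access deny all"
}

# Usage: IPT="echo iptables" sh egress.sh weather:w.foreca.st updates:deb.example.org
if [ "$#" -gt 0 ]; then
    egress_rules
    squid_acl "$@"
fi
```

Pipe the squid_acl output into a file included from squid.conf and add the proxy users with htpasswd; the weather applet then gets the "weather" credentials and can reach w.foreca.st but nothing else.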



  • maybe ask the question the other way around.

    Do you think that without all of the evilish ill-minded so called “economic society” abuse-of-everything pyramid scheme there would be as much or even any sort of mental illness?

    imagine not being confronted with thousands of commercial advertising lies a day (just walk the streets). imagine not being poisoned with all the industry waste they call food today … imagine not being manipulated by century-overspanning massive propaganda against countries that literally have done no harm to you in the first place (propaganda that solely exists to create war and kill your could-be-friends before you can even try to know them)… and there is a statistically relevant connection between times when cities had lead pipes in fresh water systems and high occurrence of murderers that also vanished together with the lead pipes, looking at historic data over decades. (don’t have the link though) just by not living in a single place for too long would have prevented that lead-pipes-are-good-for-business that caused murders to cause too much damage to your mental health.

    i do believe that there are lots of people who choose to disconnect from the mental illness swarm that calls itself western culture. and i guess that in countries where climate allows living without a “home”, some of them will choose to live just like that to “keep” their mental sanity and “not” get such illnesses.

    also there are “homeless” insiders of the very same ill-mind-creating society, just think of “digital nomads”. and you do not need to have a mental illness to want to live such a lifestyle, do you? some countries have laws to attract digital nomads.

    when it comes to mental healthiness and types of sports that include mental balance (like kung fu, yoga, etc) look at people who are fond of yoga, how they talk about how important yoga has become for them.

    no, one does not need to have mental problems to choose to live any type of homeless lifestyle, but if you live a lifestyle within western “culture” you are more than a few steps closer to developing a mental illness by design(ed by your “wealthy” billionaires) ;-) and if you add a mental balancing element like yoga or kung fu (or others) to your lifestyle that maybe also comes along with a philosophy of its own that is a trillion times more worth being lived than the whole western “culture” itself, then i am sure, one cannot persuade those, with no existing luxury, no advertising, propaganda, or other brainwash techniques to leave their “homeless” lifestyle. for what? (list of all low-value “luxuries” that any ill-minded society could “give” them while stealing everything of value from them to be added here)

    humans have chosen to wander around, to walk to a different continent or to a religious site for lots of millennia, maybe since humans even exist. Doing such by walking on foot can take years or even decades but deciding to do so does not need a mental illness.

    as far as i have met a few people that are on such a course by chance, my best guess is that you maybe just have to change your viewing point and direction to get in contact with some of them, maybe no matter where you are on earth (excluding antarctica and north korea maybe)

    maybe make a test on your own, make a backpack travel for some months in a different country/continent, do not start unprepared, plan how to do it, read and talk to people who have done it, look for a route that is common for doing such, think of what you “need” to take with you that fits in a backpack not too heavy, reconsider to leave everything out you “might not” need or could buy on the way if really needed. when starting, stop your time schedule, follow your planned route somehow but allow side trips, talking to strangers for hours about anything if you like, tell your friends at home whenever your route changes, but let things happen and see who you meet. Getting lost can become an adventure with experiences you might not want to have missed for the rest of your life. But take care, there are dangers out there too (better not swim with crocodiles)

    there is no substitute for getting your own glimpse of what freedom feels like.