creating-a-secure-system/

[utterances-bot]

Creating a Secure System

Having Fun with Technology

https://christitus.com/creating-a-secure-system/

[trtr4]

Just wanted to point out few errors within the article as well as the video.

First of all: I think Arch Linux actually comes with a firewall by default. It's not ufw (as I think it's only default on Ubuntu), but iptables which is default on most Linux distros (and ufw is actually a frontend to iptables). Though, that doesn't matter honestly. You seem to kinda suggest that without firewall, OS is completely vulnerable to any attacks which is not true, as without a process listening to a given port, any connection to that port would be just rejected. Firewalls don't really exist for blocking ports, as unused ports are kinda blocked by design, but rather for controlling/limiting access for open ports, by filtering IP addresses and more.

Also wanted to point out that KeePass is not self-hosted password manager. It's just an offline program that runs locally.

[trtr4]

Also the script for Firefox hardening is pretty outdated. The last update to config file was a year ago, which is probably several version of Firefox. I think much better recommendation would be arkenfox which is constantly updated by a larger community.

[simeononsecurity]

@trtr4 It hasn't been updated because it hasn't needed updating. Firefox hasn't added any new configuration options or features that we or any other leading organization has suggested that doesn't break a feature that we consider to be essential. That may be were our scripts come into play. We like a privacy and security first focus, however features that we believe would be absolutely breaking is something we try to avoid. Our configurations are based on https://github.com/allo-/firefox-profilemaker and the configurations suggested by https://privacytools.io But like Chris said in the video, it's a balance of privacy/security and convince. We try to strike a good balance of both.

Though we will give it to arkenfox, their repo is much better documented and supported by more users. Though just from skimming, we can already name over a dozen things that we know will break things. However if you're primary concern is privacy over anything else, then yeah go for it. It's got our thumbs up!

On the other hand, if you're interested, we have multiple firefox profiles available.

• https://github.com/simeononsecurity/FireFox-Privacy-Script/
• https://github.com/simeononsecurity/FireFox-STIG-Script
• https://github.com/simeononsecurity/FireFox-Security-Researcher

[jonaharagon]

and the configurations suggested by https://privacytools.io/

Maybe you should link to https://web.archive.org/web/20200904094547/https://www.privacytools.io/browsers/#about_config instead, since privacytools.io is run by somebody else now and no longer publishes the same information it did when your script was created :)

[simeononsecurity]

and the configurations suggested by https://privacytools.io/

Maybe you should link to https://web.archive.org/web/20200904094547/https://www.privacytools.io/browsers/#about_config instead, since privacytools.io is run by somebody else now and no longer publishes the same information it did when your script was created :)

Yeah, I've had this discussion with many others. It doesn't matter who is running the site as long as the information and recommendations are valid, secure, and actionable. The suggested resources on privacytools.io are. So we're keeping it. Thanks for the suggestion however @jonaharagon .

[jonaharagon]

But they don't provide Firefox config suggestions on their website at all, I had to find that old copy of the link in your repo from the Internet Archive myself 🤷‍♂️

[simeononsecurity]

But they don't provide Firefox config suggestions on their website at all, I had to find that old copy of the link in your repo from the Internet Archive myself 🤷‍♂️

Not specifically no. But it's a generalization. They have links to other third parties. It's semantics to argue about the sources of the configurations when they are linked in the readme of the more propular repo. https://github.com/simeononsecurity/Windows-Optimize-Harden-Debloat. The organizations the support said changes are there for name appeal. Not many people know the name ffprofile or ardvark or whatever. DoD, NIST, PrivacyTools.io, CISA, etc etc etc are more recognizable. And I got the original configurations from privacytools.io. Even if they aren't there any more. It's not my prerogative to find a new source for the same changes. I credited who I got the changes from if not from my own body of knowlege. I have detailed comments in the files themselves they tall you what they do and are for if otherwise they aren't obvious from the commands or code itself. If I spend the time to help everyone understand every line item, I'd spend more time on that than the changes themselves. I link to resources, I try oi make the code as easy to understand as possible. It's up to you to understand it and test it. My work is done. I do this for free. I'm not going to argue about semantics and arbitrary criticisms.