Open Source Software Community - it's about ethics in Code of Conducts

there is also the method qubes uses: have another vm with a special kernel just for the usb host controller, isolated using viommu
for maximum security make sure to use ps/2 mouse and keyboard so they don't get compromised when the designated usb shitting vm gets kernel exploited
 
there is also the method qubes uses: have another vm with a special kernel just for the usb host controller, isolated using viommu
for maximum security make sure to use ps/2 mouse and keyboard so they don't get compromised when the designated usb shitting vm gets kernel exploited
I have actually been considering doing something like this on top of Guix; isolating services into their own containers with the native --container command & qemu/kvm for heavier stuff like browsers. Then there's the addition of support for xen and xen based guests that beg to be tinkered with; Qubes with Guix as the dom0 host seems like a very enticing proposition. Might try to mess around with it if and when time allows.
 
the one you mentioned, where you attach a funky usb peripheral to the computer and hope nobody notices? that isn't defended against by secure boot and related strategies, but it doesn't need to be since it's a completely different form of physical attack
I did not ask how to defend against it, I asked what it is called. But you and I both know you're intentionally 'misunderstanding' that.

i don't think many of us check for unfamiliar tiny adapters/dongles attached to our computers before booting or unsuspending our machines, but shit like this is readily detectable if your threat model includes "people attaching bad shit to my machine" and you are actively looking for it
Ah, I see. That goldilocks threat model where you're concerned about people targeting you specifically in person by attaching malicious devices to your computer but just not quite concerned enough to keep random people from having unmonitored access to your computer. Then (assuming your vendor built their UEFI securely, lmao) secure boot might help. And this is worth only being able to run microsoft approved software on a computer that requires hardware attestation with your ID via pluton to connect to the niggercattlenet. Champion. Really.

ETA:
Doesn't disabling auto mount fix this straight up? Or, better still, just disabling the physical ports until needed?
As with most things it depends. Independent chip in short USB extension they connected your keyboard through? It's ogre. USB device that pretends to be an input device? Well, stuff like that gets loaded automatically too so it's probably a gamble of how up-to-date/hardened your kernel is vs. their device. Virus just on a partition on a thumb drive? This isn't the 90's where your computer auto-mounts whatever partition and executes autorun.inf so probably not. I would say disabling auto-mount is good practice but isn't even close to a silver bullet.
 
I did not ask how to defend against it, I asked what it is called. But you and I both know you're intentionally 'misunderstanding' that.
///
As with most things it depends. <sic>
Yep, agreed. Security is always an arms race no matter who you are or what OS you use. I'm not sure what kind of attack that would constitute? Guess you can call it a "hot plug" or something of that nature, especially if the tool used is an OMG cable or other malicious device posing as something normal.
 
There's a tool called USBGuard. With it you can for example make a whitelist of USB devices which will be allowed on your system.
If udev wasn't such a horribly-architected solution, you ought to be able to do all this without a third-party solution, as this literally sits in the same solution space. But no, another nonce syntax... Someone should rewrite udev to use a properly-architected declarative language like Prolog, then you could do this sort of thing trivially.
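As an added illustration of the whitelist approach described in the post above, and of the keyboard-impersonating devices mentioned earlier in the thread, here is a rules file in USBGuard's own rule syntax (not from the poster or the USBGuard project). The vendor/product ids, device names and hashes are constructed placeholders; only the root-hub vendor id 1d6b and the interface class codes (03 = HID, 08 = mass storage, 09 = hub) are real.

```text
# /etc/usbguard/usbguard-daemon.conf (relevant keys only)
# Anything no rule matches is blocked; policy is applied to devices already
# present at daemon start and to every device inserted afterwards.
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
InsertedDevicePolicy=apply-policy

# /etc/usbguard/rules.conf
# Rules are evaluated top to bottom; the first match decides.
#   allow  = authorize the device
#   block  = leave it attached but unauthorized (no driver binds)
#   reject = refuse it and detach it

# Root hubs (Linux Foundation vendor id, hub interface class 09).
allow id 1d6b:* with-interface 09:00:*

# The one keyboard and mouse you own. Pinning the hash (and serial, where the
# device has one) means a look-alike with the same vendor:product id, but
# different descriptors, does not match this rule. "equals" requires the
# device to expose exactly this set of interfaces and nothing more.
allow id 1234:0001 name "Constructed Keyboard" serial "KB-PLACEHOLDER" \
      hash "PLACEHOLDER_KEYBOARD_HASH" with-interface equals { 03:01:01 03:00:00 }
allow id 1234:0002 name "Constructed Mouse" \
      hash "PLACEHOLDER_MOUSE_HASH" with-interface equals { 03:01:02 }

# A device that presents BOTH a mass-storage interface and a keyboard
# interface is the "thumb drive that types"; refuse and detach it outright.
reject with-interface all-of { 08:*:* 03:01:01 }
reject with-interface all-of { 08:*:* 03:00:00 }

# Any other HID device is a keyboard or mouse you did not list above.
block with-interface one-of { 03:*:* }

# Everything else (storage, network adapters, serial dongles, ...) falls
# through to ImplicitPolicyTarget=block in the daemon config.
```

In practice the starting point is `usbguard generate-policy`, run with only trusted devices attached and then trimmed down to rules like these; `usbguard list-devices` shows the hash and interface set of whatever is currently plugged in.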
 

remember that guy that raised $28k for the python "requests" library and ran off with it? he's back with his latest work.... a deeply moving, emotionally charged, and utterly hilarious (in the most tragic way possible) essay about how being openly diagnosed with schizoaffective disorder has turned him into a professional pariah, a social ghost, and the reason why the Python community doesn't want to include him in their documentary.

oh, but don't worry! he’s not mad. not at all. he’s just so happy to be living a life where:
  • every new job is a thrilling adventure of "will they find out I have schizoaffective disorder and then slowly make me feel like an unwanted houseguest?"
  • healthcare providers are so supportive, it’s almost funny how they react with visible fear when he has an acute episode (it’s not like he’s a threat or anything… just a guy who occasionally sees things that aren’t there).
  • his open source community, the very one that uses his code every second of every day, is so progressive and inclusive that they’ve completely ignored him since he started talking about his mental health: no emails, no invites, just pure, unadulterated silence. It’s like he’s not even a person anymore, just a ghost in the machine!
  • his friends and partners are so understanding that they all mysteriously disappear after learning about his diagnosis. because nothing says "I love you" like abruptly ghosting someone who's having a tough time.
  • and the cherry on top? the life expectancy stats! did you know people with schizoaffective disorder live 8-17 years less than others? well, thanks to this wonderful system of exclusion, he’s already getting a head start on his early retirement plan!
so yes, the cost of transparency is high. but the alternative: silence, hiding, pretending to be someone you’re not is even worse. because in that world, you’d have to stop being him, which would mean no more essays, no more advocacy, and most importantly, no more deliciously ironic suffering for the greater good.

in conclusion: if you ever feel like you’re being treated unfairly because of your mental health, just remember: it’s not about you. it’s about them. they’re just too afraid of reality to handle someone who actually lives with it. and that? that’s a problem for them, not for you.
 
Lunduke covers the lawsuit and praises Kiwifarms for trolling the UK government. Is this the first time Lunduke has mentioned Kiwifarms publicly? @Null
 
Kenneth Reitz's biggest problem (for himself) is that he has always been a narcissistic pretentious twat. "The only thing I really care about is user experience" as stated on his GitHub profile is an overt lie detectable by anyone with a passing familiarity with his shit, and it's no surprise that his website renders like shit on my machine:


If you are unfamiliar with Ken, here's how the documentation of his most well-known contribution to Python used to look:
and here's a particularly pretentious commit void of any actual substance.
 
I did not ask how to defend against it, I asked what it is called. But you and I both know you're intentionally 'misunderstanding' that.
usb keylogger dongle? firewire dma device? it's a whole class of crazy shit
attaching malicious devices to your computer
it's more "people fucking with the software on your hard drive"
full-disk encryption protects all the files, but the computer has to have something that tells it how to display the "decrypt drive" screen and then load the rest of the system. if somebody gets a hold of your shit somehow, and replaces this with a modified equivalent (i'm sure there are dozens of easy-to-use script-kiddie-friendly versions of grub that send off drive keys and let you put other payloads in the initramfs) that does malicious shit, then you're fucked. being fucked is generally a bad idea
And this is worth only being able to run microsoft approved software on a computer that requires hardware attestation with your ID via pluton to connect to the niggercattlenet. Champion. Really.
with a non-retarded implementation of secure boot, you can burn your own public key into a nigh-impossible-to-reset write-once non-volatile memory area, and run your own bootloader that you signed yourself
this means if you lose track of your computer for a while, and a moderately-sophisticated attacker replaces your bootloader with his special build of grub that inserts backdoors, it won't work because all of your hardware will say "fuck no this isn't @SCV's grub wtf i'm not booting up now"

there are many attacks that somebody could do if they had access to your computer. the general situation is quite dire if somebody can touch your computer, which means ideally you should never ever let this happen. unfortunately nobody is perfect so there are tools available to potentially cuck attackers that are dedicated enough to get around a lack of security but not dedicated enough to get around moderate security
secure boot is but one technique in a wide arsenal that lets you lock down a computer to do 1 thing
it also gets a bad rap for being used by gay corporations to lock down computers to do 1 thing that isn't what the user wants. this is indefensible and any secure boot implementation that comes with somebody else's keys and no way to add your own is extremely gay and the person responsible needs to be subjected to medieval torture/execution methods
 
Imagine the lack of self-reflection to sit down and write a blog saying "I've had this huge string of jobs. Shortly after I get hired (for no reason) they single me out and fire me. Why? I have no idea. I guess the whole world is against me, but only me."

If you walk into 20 rooms and they all smell like shit, maybe you should check your shoes.

Funnily enough, Open Source projects usually don't have carte blanche to just forcibly toss someone out. They are very much unlike commercial software companies, where anyone is easily disposed of. On OSS projects, I'm not so sure Kenneth is as much a committer as he is the one holding the rest of the project members hostage.

I can't imagine trying to keep a straight face as I keep $28,000 of crowdfunded money for "taxes". You'd have to think the rest of the world was pretty fucking stupid if you thought that'd be a credible story.

Sooner or later, every bridge is burnt. I imagine if he's not permanently jobless you can start counting down the months before some company singles out poor Kenneth and ejects him; all totally randomly and through no fault of his own.
 
there are many attacks that somebody could do if they had access to your computer. the general situation is quite dire if somebody can touch your computer, which means ideally you should never ever let this happen.
The problem is most of us are humans who interact with other humans. Can you really tell your mom she can't log into her email when she's at your house? Shit like that. And we're in a world where shit happens like chinks can put that shit right on CPUs that they sell to us.

Never mind the really advanced shit the NSA probably can do.
 
The problem is most of us are humans who interact with other humans. Can you really tell your mom she can't log into her email when she's at your house?
generally you would trust your mom to not plant a rootkit on your machine
And we're in a world where shit happens like chinks can put that shit right on CPUs that they sell to us.

Never mind the really advanced shit the NSA probably can do.
this specific defense is meant for a specific threat: you go to some conference or something with your company laptop, and somebody decides to get in your hotel room somehow and fuck with that laptop so they can get the potentially-valuable data inside (and if the company is smart, they use multiple layers of defense and try to keep important data off the laptop if possible, just in case)
and other shit like that; there are many conceivable reasons why you would leave your computer powered down and unattended, and some non-state smarter-than-average civilian-level actor would want to plant something on it in the hopes that they can get the data off of it
this is called the "evil maid attack"
 
this is called the "evil maid attack"
And it happens. I didn't deny that.
Honestly over time I get less and less convinced that the NSA is super competent.
They don't have to be super competent. They just have to be competent against people like you and me, and you're a dude who rabbits on about how you have terabytes of gay porn. I mean wtf man.
 
The problem is most of us are humans who interact with other humans. Can you really tell your mom she can't log into her email when she's at your house?
I can, but maybe I'm an arsehole. I knowingly haven't let anyone else touch my computer for over 20 years, after I let the kids of a family friend play on it to distract them and came back to find they'd completely fucked it up. Genius kids, but a valuable lesson: nobody touches my stuff. Not even my wife.

(insert dongle joke here)
 
I can, but maybe I'm an arsehole. I knowingly haven't let anyone else touch my computer for over 20 years, after I let the kids of a family friend play on it to distract them and came back to find they'd completely fucked it up. Genius kids, but a valuable lesson: nobody touches my stuff. Not even my wife.

(insert dongle joke here)
I can relate.

My computer is an extension of my body, like my dick.
I can play with it, my wife (when I am in the mood for it) can play with it.
Someone not me or my wife touches it? I beat the living hell out of you and call you a faggot.
 
I can, but maybe I'm an arsehole. I knowingly haven't let anyone else touch my computer for over 20 years, after I let the kids of a family friend play on it to distract them and came back to find they'd completely fucked it up. Genius kids, but a valuable lesson: nobody touches my stuff. Not even my wife.
Another reason to run Linux. No one even WANTS to touch it.
 