
InactiveUser

Members2
  • Content Count

    214
  • Joined

    ...
  • Last visited

    ...
  • Days Won

    28

Reputation Activity

  1. Like
    InactiveUser got a reaction from OmniNegro in "The NoScript Misnomer"   ...
    I consider The NoScript Misnomer to be a very important article.

    By "exploiting" an entry on NoScript's whitelist, the author shines light on several pitfalls that not every NoScript user might be fully aware of:
    • NoScript comes with a default, enabled whitelist.
    • whitelists are inherently flawed, even more so if you don't even maintain them yourself
    • if you use a security tool without fully understanding its operation and configuration, you lull yourself into a false sense of security
    • blocking all malicious scripts is unrealistic - you will need to think about defense in depth and sandboxing

    I personally use NoScript in combination with uBlock Origin in its advanced dynamic filtering mode. I also sandbox applications like Firefox, Thunderbird, Pidgin using Firejail, a small application that provides a convenient interface to built-in Linux kernel features (seccomp, namespaces, caps).
     
    Ideally, I would be using Qubes OS for better isolation, but it's not like hypervisors are somehow magically flawless, either.
  2. Like
    InactiveUser got a reaction from rainmakerraw in FirewallD killswitch   ...
    Somewhat comparable to ufw, firewalld is just an interface to iptables. It allows for convenient higher-level rule constructs ("rich rules" and zones) but also allows direct iptables manipulation (so called "direct rules"). The actual rule syntax for direct rules is virtually identical to iptables.

    There are two ways to manage firewalld - graphically (firewall-config) or on the commandline (firewall-cmd).
    I compiled some notes and screenshots on firewalld usage in this post. Written last year, so some parts of my post concerning Air's config generator are no longer accurate or useful. Anything concerning firewalld and Fedora is still valid.
    More importantly though, read the man page for firewall-cmd and also understand the difference between the runtime and permanent ruleset.
     
     
    This is how I would "translate" your UFW rules:
    (All systemctl and firewall-cmd commands need root privileges! Drop to a root shell or use sudo)
     
    1. First, make sure that the firewalld service is enabled and started:

        systemctl enable firewalld
        systemctl start firewalld

    2. Now configure your permanent rules:

        firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv6 filter INPUT 0 -j DROP
        firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 1 -i tun+ -p tcp --dport 60002 -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 1 -i tun+ -p udp --dport 60002 -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 999 -j DROP
        firewall-cmd --direct --permanent --add-rule ipv6 filter OUTPUT 0 -j DROP
        firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -d 178.162.198.40 -j ACCEPT
        firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 999 -j DROP

    3. Runtime rules (omitting the --permanent switch) take effect immediately (but don't survive reboots etc.). Permanent rules, however, only take effect after restarting or reloading firewalld:

        firewall-cmd --reload

    4. To review your current runtime ruleset:

        firewall-cmd --direct --get-all-rules

    And your permanent ruleset:

        firewall-cmd --direct --permanent --get-all-rules

    5. One final task: Thoroughly test your ruleset to make sure it actually accomplishes what you had in mind.
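
Part of the testing asked for in step 5 can be scripted. The following is an added example, not part of the original post: it audits direct rules for the properties this kill switch depends on (a final unconditional DROP in every INPUT/OUTPUT chain, no IPv6 ACCEPT, and no IPv4 OUTPUT ACCEPT outside lo, tun+ or an explicit destination). The function names and the broken ruleset are constructed for illustration; the first ruleset is the one from the post.

```shell
#!/bin/sh
# Added example: audit firewalld direct rules for kill-switch properties.
# Input: one rule per line, in the layout
#   <ipv4|ipv6> <table> <chain> <priority> <iptables args...>

audit_killswitch() {
    awk '
    $2 != "filter" { next }
    {
        key = $1 " " $3; prio = $4 + 0; args = ""
        for (i = 5; i <= NF; i++) args = args (i > 5 ? " " : "") $i

        if (args == "-j DROP") {
            # Unconditional drop: remember the lowest priority it appears at.
            if (!(key in drop) || prio < drop[key]) drop[key] = prio
        } else if (args ~ /-j ACCEPT$/) {
            if (!(key in maxacc) || prio > maxacc[key]) maxacc[key] = prio
            if ($1 == "ipv6")
                print "FAIL " key ": ACCEPT present, IPv6 is meant to be dropped: " args
            # Outside the tunnel, only loopback and explicitly addressed
            # destinations (the VPN server) may leave the machine.
            if (key == "ipv4 OUTPUT" && args !~ /(^| )-o (lo|tun[+])( |$)/ && args !~ /(^| )-d [^ ]+/)
                print "FAIL " key ": ACCEPT not bound to lo, tun+ or a destination: " args
        }
    }
    END {
        # Rules of equal priority have no guaranteed order in firewalld,
        # so the DROP must have a strictly higher priority than any ACCEPT.
        n = split("ipv4 INPUT,ipv4 OUTPUT,ipv6 INPUT,ipv6 OUTPUT", want, ",")
        for (i = 1; i <= n; i++) {
            k = want[i]
            if (!(k in drop))
                print "FAIL " k ": no unconditional DROP"
            else if ((k in maxacc) && drop[k] <= maxacc[k])
                print "FAIL " k ": DROP (priority " drop[k] ") does not sort after ACCEPT (priority " maxacc[k] ")"
        }
    }'
}

# The ruleset from the post, written in the audited layout.
post_ruleset() {
    cat <<'EOF'
ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
ipv6 filter INPUT 0 -j DROP
ipv4 filter INPUT 0 -i lo -j ACCEPT
ipv4 filter INPUT 1 -i tun+ -p tcp --dport 60002 -j ACCEPT
ipv4 filter INPUT 1 -i tun+ -p udp --dport 60002 -j ACCEPT
ipv4 filter INPUT 999 -j DROP
ipv6 filter OUTPUT 0 -j DROP
ipv4 filter OUTPUT 0 -o lo -j ACCEPT
ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -d 178.162.198.40 -j ACCEPT
ipv4 filter OUTPUT 999 -j DROP
EOF
}

# Constructed counter-example: unbound DNS ACCEPT, DROP sharing a priority
# with an ACCEPT, and no IPv6 OUTPUT rule at all.
broken_ruleset() {
    cat <<'EOF'
ipv4 filter INPUT 0 -i lo -j ACCEPT
ipv4 filter INPUT 999 -j DROP
ipv4 filter OUTPUT 0 -o lo -j ACCEPT
ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
ipv4 filter OUTPUT 1 -j DROP
ipv6 filter INPUT 0 -j DROP
EOF
}

# The post's ruleset passes silently; the broken one yields three findings.
post_ruleset | audit_killswitch
broken_ruleset | audit_killswitch
```

On a live system, pipe the output of `firewall-cmd --direct --get-all-rules` (run as root) into `audit_killswitch`; a static audit complements, but does not replace, checking for traffic with the tunnel down.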
  3. Like
    InactiveUser reacted to Staff in control channel cipher satisfactory?   ...
    A very odd conclusion on the basis of what you have reported... On the contrary, all the leaks up to now confirm that NSA is not able to crack ciphers currently used by our service. That's exactly why they need backdoors or directly the keys. If you further read between the lines you'll also see what tremendous effort NSA is putting into bypassing encryption, never into cracking encryption directly, except for very special cases with very specific ciphers. They know the math very well.
     
    Kind regards
  4. Like
    InactiveUser got a reaction from rickjames in Relatively New To Linux and VPNs - Fedora 22: AirVPN Client Cannot Connect   ...
    The VPN connection seems fine, here's the actual problem:

    I 2015.08.13 07:40:59 - Checking DNS
    W 2015.08.13 07:41:02 - Error: NameResolutionFailure

    The AirVPN client "tries to resolve domain names that are resolved only by our DNS server, to ensure that system is correctly querying our DNS server."
    This check fails for some reason. Multiple users have recently reported similar problems so there might be a problem on Air's end.

    Here's a quick workaround:

    Go into Preferences, Advanced, DNS.
    • uncheck the box "Check if the tunnel uses AirVPN DNS"
    • establish a VPN connection
    • to check DNS manually, run this in a terminal window:

        cat /etc/resolv.conf

    The file /etc/resolv.conf lists all your system's DNS servers and should only contain one of Air's DNS (10.X.0.1).
    You should also check that file to see if your default (non-Air) DNS servers are restored after disconnecting from AirVPN.
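
The two manual checks above (only 10.X.0.1 while connected, original servers restored after disconnecting) can be scripted. This is an added example, not part of the original post; the function names and sample file contents are constructed, and it assumes the "X" in 10.X.0.1 stands for a decimal number.

```shell
#!/bin/sh
# Added example: script the manual /etc/resolv.conf checks.

# Print the nameserver addresses found in resolv.conf text on stdin,
# ignoring comment lines that start with "#" or ";".
nameservers() {
    awk '/^[ \t]*[#;]/ { next } $1 == "nameserver" && NF >= 2 { print $2 }'
}

# Tunnel up: succeed only if there is at least one nameserver and every
# one matches 10.X.0.1. Offending entries are printed, one per line.
tunnel_dns_ok() {
    ns=$(nameservers)
    if [ -z "$ns" ]; then
        echo "no nameserver entries"
        return 1
    fi
    bad=$(printf '%s\n' "$ns" | grep -Ev '^10\.[0-9]{1,3}\.0\.1$' || true)
    if [ -n "$bad" ]; then
        printf 'unexpected nameserver: %s\n' $bad
        return 1
    fi
    return 0
}

# After disconnecting: succeed if the nameserver list equals the one saved
# before connecting ($1 = saved file text, $2 = current file text).
dns_restored() {
    [ "$(printf '%s\n' "$1" | nameservers)" = "$(printf '%s\n' "$2" | nameservers)" ]
}

# Constructed sample file contents.
UP_OK='# written by the VPN client
nameserver 10.4.0.1'
UP_LEAK='nameserver 10.4.0.1
nameserver 192.168.1.1'
BEFORE='nameserver 192.168.1.1'

printf '%s\n' "$UP_LEAK" | tunnel_dns_ok || echo "DNS check failed while connected"
dns_restored "$BEFORE" "$UP_OK" || echo "resolv.conf still differs from the saved copy"
```

Where /etc/resolv.conf points at a local stub resolver such as systemd-resolved's 127.0.0.53, the file does not list the upstream servers, so this check reports the stub address instead.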
  7. Like
    InactiveUser got a reaction from wer in How Lenovo & MS backdoor your OS   ...
    (from https://news.ycombinator.com/item?id=10039306)
     
    Starting with Windows 8, Microsoft even facilitates this process:
     
    (from https://news.ycombinator.com/item?id=10046957. More info on Windows Platform Binary Table)
     
     
    My thoughts on this:
     
    Proprietary software makes free and secure computing impossible.
     
    "Just install Linux" doesn't fix anything: Your BIOS/UEFI still runs proprietary code, doing stuff behind your back and against your will.
     
    "Just install a free BIOS (coreboot)" doesn't fix anything either: Recent Intel CPUs are managed by a "separate CPU within the CPU". That separate CPU (Intel Management Engine) has its own, proprietary, irreplaceable firmware.
    (from http://www.coreboot.org/Binary_situation)
     
     
    Under the guise of providing new features for "convenience" and even "security" (see Secure Boot), hardware companies turn free computers into proprietary appliances.
     
     
    What can we do?
    • Support alternative vendors such as System76, ThinkPenguin and Purism
    • Support "open hardware" projects such as Novena, with the hope of carving out a niche for truly free, open source and secure computing
    • Support organizations such as FSF and EFF
    • Engage politically! Lobby against freedom-inhibiting developments such as compulsory non-free routers
  8. Like
    InactiveUser reacted to wer in How Lenovo & MS backdoor your OS   ...
    I just wanted to add a link where one can buy preconfigured libreboot computers:
    http://minifree.org (fka gluglug)
     
     
    If they would help the cause I'd be all in. Hell, I almost preordered one of the Librem but I went for the libreboot (fortunately).
    I am having mixed feelings because it looks like it is all about money. It is most of the time. Yesterday there has been a tweet from Purism making fun of libreboot computers (the account has been closed now & there has been an apology). This is not the first time I am getting the impression that Purism is all talk and no action. The good thing is that some of the projects like coreboot, libreboot and companies dedicated to building Linux friendly laptops/computers are getting more attention.
     
    I hope that more people care but I fear that the demand will not grow enough for big companies to build laptops respecting your freedom a little more. On the contrary.
     
    Look at Snowden and his leaks. Most people don't want to hear about him anymore. I am asking myself - why?
     
  9. Like
    InactiveUser reacted to wer in How Lenovo & MS backdoor your OS   ...
    I'd replace Purism with Libreboot.
    I know, Libreboot is running mainly on Lenovo laptops but they have been freed of all proprietary firmware. This is what I'd call free.
     
    I read a lot about Purism and I liked the enthusiasm at first but I am afraid that this is looking more and more like a charade to me. Purism's goals are noble but sound like an individual promising world peace. I'd love to be proven wrong and I am not an expert but most of the experts who have been working years on this subject aren't anywhere near what Purism is talking about.
     
    I don't trust the latest hardware because more and more backdoors seem to be implemented. I use older hardware, my latest laptop is from 2010.
  11. Like
    InactiveUser got a reaction from rainmakerraw in How to install on OS X Yosemite   ...
    Actually, the AirVPN button we're used to in the Linux version (the one in the main application window) does not seem to be active in the OS X version. At least it did nothing when I tried it. You have to either press "cmd + ," or use the menu bar icon. Good tip though, regarding "start visible".
  12. Like
    InactiveUser reacted to rainmakerraw in How to install on OS X Yosemite   ...
    You can also click the 'AirVPN' button on the top left of the application, then select Preferences. I'm on my Linux machine atm so I can't check the exact wording, but there'll be a section in the box that pops up saying something like "Mac OS X only - start visible". Check that box and next time you start the app the main window will open automatically for you.
  13. Like
    InactiveUser got a reaction from Miami12 in How to install on OS X Yosemite   ...
    It's indeed a little confusing:
    After launching the AirVPN client and entering your Mac user password, the AirVPN client does start - but it's minimized! Not even clicking on the dock icon will bring it up.

    However, you will notice a new icon in your menu bar (right upper edge of your screen, next to the clock).
    Click on the Air-themed icon (looks like a cloud in a circle). Select "Show Main Window" to bring up the main application window. Also notice that you can get to the separate "Preferences" pane by clicking on the menu bar icon.
  15. Like
    InactiveUser got a reaction from FromtheWalls in More Censorship coming to the UK!   ...
    I'd argue the contrary: There's no such thing as some freedom of speech - you either have free speech or you don't. However, to touch on your bomb threat example, that doesn't mean that your exercise of free speech is without consequence. If your free speech causes direct damage, those you have damaged might rightfully take action against you. You can't use bomb threats as an argument against free speech.

    Actually though, "censorship vs freedom of speech" is not the main issue at hand - at least in the western world.
    What we're actually fighting against are total surveillance police states;  the idea that we can't have any confidential or private means of communication. The idea that we have to abolish any rights to privacy and individual freedom, just for a wee bit of perceived security.

    Not only is that an ideologically abhorrent idea, it has also proven to be an extremely ineffective strategy against crime and terror. Governments know that of course, they aren't stupid. They abuse the public's fear of terror to broaden their power over the plebs.

    Absurd UK footnote: Huge budgets for GCHQ and CCTV, yet no money for actual police work.
  16. Like
    InactiveUser got a reaction from snaggle in Add Eddie Icon to Gnome dock   ...
    Create an AirVPN.desktop file like this
  17. Like
    InactiveUser got a reaction from zhang888 in Add Eddie Icon to Gnome dock   ...
    I've had my fair share of battles with GNOME Dash and other docks like Plank.
    Usually, all you have to do is right-click the icon and "Add to favorites" / "Keep in dock".
    This option is missing for many "non-native" (Java, Mono) applications.
    You can add Eddie to Dash if you do it like this:
     

     
    But it doesn't work properly, you're going to end up with two separate icons:
     

     
    It appears that docks have a hard time figuring out which Java/Mono windows belong to what application.
    This often happens if the "WM_CLASS" property is different from the application's name.
    I'll use the application "Android Studio" as an example.
    Using the xprop tool, I find out:
    WM_CLASS(STRING) = "sun-awt-X11-XFramePeer", "jetbrains-studio"

    If I add the following line to the Android Studio's .desktop file ...

    StartupWMClass=jetbrains-studio

    ... the GNOME window manager / dock will be able to correctly detect running instances and map them to the app's icon.

    When I try this workaround with Eddie, "xprop" is unable to find the "WM_CLASS" property for the running Eddie instance. It is missing!
    This is a common issue for Mono applications and would require Air's coders to write some C# to set the WM_CLASS.
    Probably something along those lines. I've opened an issue on Github to let them know.
  19. Like
    InactiveUser got a reaction from Casper31 in windows 10   ...
    I'm a bit surprised to see Win10 discussed at all in this forum.
    I understand that some people might not be in a position to abandon Windows but why the rush towards Windows 10? I mean, have you read their new privacy policies?

    Before you say, "yeah, all those new features suck, I'll just turn them all off" - well, you can't:
    Unless you have the "Enterprise" edition, you can't opt out of "diagnostic and usage data" collection.
    https://i.imgur.com/iHge6RJ.jpg
    https://twitter.com/adrianchm/status/626734160032477184
     
    Before you say, "oh, but you can run tweak-tool XYZ or change this registry value, that'll turn it off completely" - how do you know? It's proprietary software. You're not in control whatsoever. Also, it only takes a small Windows update - that you can no longer opt out of either - to revert your manual changes. Why would they want to do that? Well, to quote Microsoft, data collection is now "vital to the operation of Windows", so you really have no reason to believe that your manual changes will stick.

    I'm not sure what else Microsoft would have to do to make Windows look more like spyware than it already does. I really don't.
  21. Like
    InactiveUser reacted to zhang888 in windows 10   ...
    I don't remember a single new Windows version that wasn't launched with some Internet fiasco around it.
    This one will be fun to see, I bet so many people will pirate it and use this unremovable spying feature (which seems to be intrusive this time) as an excuse why they pirate the expensive enterprise copy

    The "Share Wi-Fi passwords with friends" is a very communist idea, I must admit that I never expected it to be on by default.
    Time to make new friends
  22. Like
    InactiveUser got a reaction from Casper31 in open source software security and privacy issues (tracking users, etc)   ...
    Chromium: it's impossible to keep Google out of it.
     
    If you doubt me, read this old thread on superuser.com or try it yourself:
    • change search engine to DDG
    • set a blank homepage
    • disable "phishing/malware protection" (aka Safe Browsing)
    • disable "reports to Google"
    • disable "webservice to resolve navigation errors"
    • disable "prediction service"

    With these settings, would you expect Chromium to immediately contact Google? I didn't. Yet, when launching Chromium, I instantly see connection attempts to 5 Google servers:
     
    SYN-SENT   173.194.46.64:443
    SYN-SENT   173.194.46.67:443
    SYN-SENT   216.58.216.74:443
    SYN-SENT   173.194.46.72:443
    SYN-SENT   173.194.46.66:443
     
    Why? What for?
    I'll stick with Firefox, thanks!