Page 1 of 1
A Challenge to the Naysayers
Posted: Wed Nov 20, 2024 12:55 pm
by j2mcgreg
Here is my QSI:
Code: Select all
System:
Kernel: 6.6.12-1-liquorix-amd64 [6.6-16~mx23ahs] arch: x86_64 bits: 64 compiler: gcc v: 12.2.0 parameters: audit=0
intel_pstate=disable rcupdate.rcu_expedited=1 BOOT_IMAGE=/boot/vmlinuz-6.6.12-1-liquorix-amd64
root=UUID=<filter> ro quiet splash
Desktop: Xfce v: 4.18.1 tk: Gtk v: 3.24.36 info: xfce4-panel wm: xfwm v: 4.18.0 vt: 7
dm: LightDM v: 1.26.0 Distro: MX-23.4_ahs_x64 Libretto January 21 2024 base: Debian GNU/Linux
12 (bookworm)
Machine:
Type: Laptop System: HP product: HP Laptop 15-ef2xxx v: N/A serial: <superuser required> Chassis:
type: 10 serial: <superuser required>
Mobo: HP model: 887A v: 59.21 serial: <superuser required> UEFI: AMI v: F.27 date: 10/20/2022
Battery:
ID-1: BAT0 charge: 40.7 Wh (100.0%) condition: 40.7/40.7 Wh (100.0%) volts: 12.9 min: 11.3
model: HP Primary type: Li-ion serial: <filter> status: full
CPU:
Info: model: AMD Ryzen 3 5300U with Radeon Graphics bits: 64 type: MT MCP arch: Zen 2 gen: 3
level: v3 note: check built: 2020-22 process: TSMC n7 (7nm) family: 0x17 (23)
model-id: 0x68 (104) stepping: 1 microcode: 0x8608104
Topology: cpus: 1x cores: 4 tpc: 2 threads: 8 smt: enabled cache: L1: 256 KiB
desc: d-4x32 KiB; i-4x32 KiB L2: 2 MiB desc: 4x512 KiB L3: 4 MiB desc: 1x4 MiB
Speed (MHz): avg: 3554 high: 3898 min/max: 400/3900 scaling: driver: amd-pstate-epp
governor: performance cores: 1: 3896 2: 3890 3: 3898 4: 3893 5: 2598 6: 3875 7: 2600 8: 3789
bogomips: 41524
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
Vulnerabilities:
Type: gather_data_sampling status: Not affected
Type: itlb_multihit status: Not affected
Type: l1tf status: Not affected
Type: mds status: Not affected
Type: meltdown status: Not affected
Type: mmio_stale_data status: Not affected
Type: retbleed mitigation: untrained return thunk; SMT enabled with STIBP protection
Type: spec_rstack_overflow mitigation: Safe RET
Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl
Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
Type: spectre_v2 mitigation: Retpolines, IBPB: conditional, STIBP: always-on, RSB filling,
PBRSB-eIBRS: Not affected
Type: srbds status: Not affected
Type: tsx_async_abort status: Not affected
Graphics:
Device-1: AMD Lucienne vendor: Hewlett-Packard driver: amdgpu v: kernel arch: GCN-5 code: Vega
process: GF 14nm built: 2017-20 pcie: gen: 3 speed: 8 GT/s lanes: 16 link-max: gen: 4
speed: 16 GT/s ports: active: eDP-1 empty: HDMI-A-1 bus-ID: 03:00.0 chip-ID: 1002:164c
class-ID: 0300 temp: 46.0 C
Device-2: Luxvisions Innotech HP TrueVision HD Camera type: USB driver: uvcvideo bus-ID: 1-3:3
chip-ID: 30c9:0013 class-ID: 0e02 serial: <filter>
Display: x11 server: X.Org v: 1.21.1.7 compositor: xfwm v: 4.18.0 driver: X: loaded: amdgpu
unloaded: fbdev,modesetting,vesa dri: radeonsi gpu: amdgpu display-ID: :0.0 screens: 1
Screen-1: 0 s-res: 1920x1080 s-dpi: 96 s-size: 508x285mm (20.00x11.22") s-diag: 582mm (22.93")
Monitor-1: eDP-1 mapped: eDP model: AU Optronics 0x5799 built: 2021 res: 1920x1080 hz: 60
dpi: 142 gamma: 1.2 size: 344x194mm (13.54x7.64") diag: 395mm (15.5") ratio: 16:9 modes:
max: 1920x1080 min: 640x480
API: OpenGL v: 4.6 Mesa 24.2.2-1~mx23ahs renderer: AMD Radeon Graphics (radeonsi renoir LLVM
15.0.6 DRM 3.54 6.6.12-1-liquorix-amd64) direct-render: Yes
Audio:
Device-1: AMD Renoir Radeon High Definition Audio vendor: Hewlett-Packard driver: snd_hda_intel
v: kernel pcie: gen: 3 speed: 8 GT/s lanes: 16 link-max: gen: 4 speed: 16 GT/s bus-ID: 03:00.1
chip-ID: 1002:1637 class-ID: 0403
Device-2: AMD ACP/ACP3X/ACP6x Audio Coprocessor vendor: Hewlett-Packard
driver: snd_rn_pci_acp3x v: kernel alternate: snd_pci_acp3x, snd_pci_acp5x, snd_pci_acp6x,
snd_acp_pci, snd_rpl_pci_acp6x, snd_pci_ps, snd_sof_amd_renoir, snd_sof_amd_rembrandt,
snd_sof_amd_vangogh pcie: gen: 3 speed: 8 GT/s lanes: 16 link-max: gen: 4 speed: 16 GT/s
bus-ID: 03:00.5 chip-ID: 1022:15e2 class-ID: 0480
Device-3: AMD Family 17h/19h HD Audio vendor: Hewlett-Packard driver: snd_hda_intel v: kernel
pcie: gen: 3 speed: 8 GT/s lanes: 16 link-max: gen: 4 speed: 16 GT/s bus-ID: 03:00.6
chip-ID: 1022:15e3 class-ID: 0403
API: ALSA v: k6.6.12-1-liquorix-amd64 status: kernel-api tools: alsamixer,amixer
Server-1: PipeWire v: 1.0.0 status: active with: 1: pipewire-pulse status: active
2: wireplumber status: active 3: pipewire-alsa type: plugin 4: pw-jack type: plugin
tools: pactl,pw-cat,pw-cli,wpctl
Network:
Device-1: Realtek RTL8822CE 802.11ac PCIe Wireless Network Adapter vendor: Hewlett-Packard
driver: rtw_8822ce v: N/A modules: rtw88_8822ce,wl pcie: gen: 1 speed: 2.5 GT/s lanes: 1
port: f000 bus-ID: 01:00.0 chip-ID: 10ec:c822 class-ID: 0280
IF: wlan0 state: up mac: <filter>
Bluetooth:
Device-1: Realtek Bluetooth Radio type: USB driver: btusb v: 0.8 bus-ID: 1-4:4 chip-ID: 0bda:b00c
class-ID: e001 serial: <filter>
Report: hciconfig ID: hci0 rfk-id: 1 state: up address: <filter> bt-v: 3.0 lmp-v: 5.1
sub-v: 6dcb hci-v: 5.1 rev: aed6
Info: acl-mtu: 1021:6 sco-mtu: 255:12 link-policy: rswitch hold sniff park
link-mode: peripheral accept service-classes: rendering, capturing, object transfer, audio,
telephony
Drives:
Local Storage: total: 476.94 GiB used: 33.11 GiB (6.9%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Western Digital model: PC SN530 SDBPNPZ-512G-1006
size: 476.94 GiB block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s lanes: 4 type: SSD
serial: <filter> rev: HPS2 temp: 26.9 C scheme: GPT
Partition:
ID-1: / raw-size: 476.69 GiB size: 468.13 GiB (98.21%) used: 33.11 GiB (7.1%) fs: ext4
dev: /dev/nvme0n1p2 maj-min: 259:2
ID-2: /boot/efi raw-size: 256 MiB size: 252 MiB (98.46%) used: 274 KiB (0.1%) fs: vfat
dev: /dev/nvme0n1p1 maj-min: 259:1
Swap:
Kernel: swappiness: 15 (default 60) cache-pressure: 100 (default)
ID-1: swap-1 type: file size: 3 GiB used: 0 KiB (0.0%) priority: -2 file: /swap/swap
Sensors:
System Temperatures: cpu: 53.8 C mobo: N/A gpu: amdgpu temp: 46.0 C
Fan Speeds (RPM): fan-1: 0 fan-2: 0
Repos:
Packages: pm: dpkg pkgs: 2143 libs: 1080 tools: apt,apt-get,aptitude,nala,synaptic pm: rpm
pkgs: 0 pm: flatpak pkgs: 0
No active apt repos in: /etc/apt/sources.list
Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list
1: deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
Active apt repos in: /etc/apt/sources.list.d/debian.list
1: deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
2: deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
Active apt repos in: /etc/apt/sources.list.d/google-chrome.list
1: deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main
Active apt repos in: /etc/apt/sources.list.d/librewolf.list
1: deb [arch=amd64] http://deb.librewolf.net bookworm main
Active apt repos in: /etc/apt/sources.list.d/mx.list
1: deb https://mxrepo.com/mx/repo/ bookworm main non-free
2: deb https://mxrepo.com/mx/repo/ bookworm ahs
Info:
Processes: 360 Uptime: 4h 21m wakeups: 41599 Memory: 7.09 GiB used: 3.11 GiB (43.9%)
Init: SysVinit v: 3.06 runlevel: 5 default: graphical tool: systemctl Compilers: gcc: 12.2.0
alt: 12 Client: shell wrapper v: 5.2.15-release inxi: 3.3.26
Boot Mode: UEFI
Please point out any personal identifiers that could tie this machine to me or reveal my actual identity or location.
Re: A Challenge to the Naysayers
Posted: Wed Nov 20, 2024 1:59 pm
by baldyeti
nay!
Re: A Challenge to the Naysayers
Posted: Wed Nov 20, 2024 2:01 pm
by Adrian
nay!
Re: A Challenge to the Naysayers
Posted: Wed Nov 20, 2024 2:04 pm
by Eadwine Rose
Apparently you like HP, and Liquor(ix).
Re: A Challenge to the Naysayers
Posted: Wed Nov 20, 2024 2:06 pm
by j2mcgreg
Eadwine Rose wrote: Wed Nov 20, 2024 2:04 pm
Apparently you like HP, and Liquor(ix).
Yeah, but it's the only 'liquor' I'm allowed.
Re: A Challenge to the Naysayers
Posted: Wed Nov 20, 2024 2:12 pm
by CharlesV
+1 on Nay ! I have checked this every possible way I could see .. and nothing to exploit there.
Re: A Challenge to the Naysayers
Posted: Wed Nov 20, 2024 2:42 pm
by j2mcgreg
CharlesV wrote: Wed Nov 20, 2024 2:12 pm
+1 on Nay ! I have checked this every possible way I could see .. and nothing to exploit there.
And that's the point. All those who won't post their QSI can examine it to their heart's content and point out their
security concerns. Maybe we will learn something from their responses and maybe we won't.
Re: A Challenge to the Naysayers
Posted: Wed Nov 20, 2024 3:42 pm
by FullScale4Me
My wife was big on kitchen-helping innovations of sorts. She started buying aluminum foil as a box of pre-cut sheets.
One day she held one up to me and said "Pre-cut tin foil hats!"
Re: A Challenge to the Naysayers
Posted: Wed Nov 20, 2024 4:14 pm
by j2mcgreg
FullScale4Me wrote: Wed Nov 20, 2024 3:42 pm
My wife was big on kitchen-helping innovations of sorts. She started buying aluminum foil as a box of pre-cut sheets.
One day she held one up to me and said "Pre-cut tin foil hats!"
rotfl
Re: A Challenge to the Naysayers
Posted: Wed Nov 20, 2024 9:35 pm
by ghunter
I will be your huckleberry
Your computer is hot!
Sensors:
System Temperatures: cpu: 53.8 C mobo: N/A gpu: amdgpu temp: 46.0 C
Fan Speeds (RPM): fan-1: 0 fan-2: 0
I suspect you are pacificist LOL
mine is
Code: Select all
inxi -s
Sensors:
System Temperatures: cpu: 30.6 C mobo: N/A gpu: amdgpu temp: 28.0 C
Fan Speeds (RPM): N/A
Re: A Challenge to the Naysayers
Posted: Wed Nov 20, 2024 10:44 pm
by user101
Active apt repos in: /etc/apt/sources.list.d/google-chrome.list
1: deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main
Google knows all about you & thanks you for using their spyware.
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 3:18 am
by lars_the_bear
It's not the individual snippets of information that are the problem. It's the large-scale aggregation and correlation of information from different sources. Certain business have gotten very good at this, and it's surprising how much real-life, individual information can be assembled with reasonable accuracy, using statistical processes.
I don't think posting system information anonymously on a web forum is a huge risk -- if we can even identify what the 'risk' might amount to. Nevertheless, my policy is to post as little information about myself or my hardware as is practicable. I don't know who runs this site, what information it shares, or how secure it is. The same applies to almost every on-line resource I use. So I prefer caution. Other people, no doubt, will assess the risk/reward balance differently.
BR, Lars.
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 3:48 am
by DukeComposed
lars_the_bear wrote: Thu Nov 21, 2024 3:18 am
I don't know who runs this site, what information it shares, or how secure it is. The same applies to almost every on-line resource I use. So I prefer caution.
Translation: "I don't trust the people on this website, but I am happy to expect
free help from them." It's an easy enough problem to fix: don't ask for tech support and we won't ask for a QSI.
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 4:31 am
by Eadwine Rose
Can we keep it on topic please, don't drag the kitchen sink into the discussion.
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 5:05 am
by artytux
j2mcgreg wrote: Wed Nov 20, 2024 12:55 pm
Please point out any personal identifiers that could tie this machine to me or reveal my actual identity or location.
Taking privacy and control paranoia overboard, IF anyone is so worried about their personal information, and don't want to use the QSI, maybe just maybe they should spend some quiet time reading their QSI.
When Optus here in Oz got hacked myself and thousands yep thousands of now ex Optus customers had to get re-issued drivers licence , new phone numbers , knowing all our details , address email and snail also included bank details/cards what a mess then to add insult all the details went up for sale online.
Why or how actually could MX Linux harvest any private details without some-one stumbling across that sort of identifier.
Open source operating systems and software don't get away with intrusions like that for long (just ask one distro about phone home about user activities)
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 9:05 am
by lars_the_bear
DukeComposed wrote: Thu Nov 21, 2024 3:48 am
lars_the_bear wrote: Thu Nov 21, 2024 3:18 am
I don't know who runs this site, what information it shares, or how secure it is. The same applies to almost every on-line resource I use. So I prefer caution.
Translation: "I don't trust the people on this website, but I am happy to expect
free help from them." It's an easy enough problem to fix: don't ask for tech support and we won't ask for a QSI.
This forum is, so far as I know, completely open to the public, everywhere in the world. There's an essentially unlimited number of untrustworthy people out there. I (probably) don't know you, you probably don't know me. No clear grounds for trust are apparent to me.
But, frankly, that's not what I'm talking about. I'd be more worried about the person or organization that provides the hosting, because that organization will be able to connect my comments to my IP number, which massively increases the identifiability. I haven't yet got paranoid enough to use a VPN all the time, but I'm certainly considering it.
There have been some really egregious leakages of personal information from web-based services that I thought could be trusted. The worst I know of is a UK gun trading website, that leaked the names and addresses of over a hundred thousand people
who own firearms. What the criminal fraternity made of that, hardly bears thinking about. Another forum I used a lot turned out to be populated mostly by far-right conspiracy theorists. That these people know
anything about me, anything at all is, frankly, terrifying. These incidents certainly changed the way I thought about on-line privacy.
If you don't want to help, on the basis that I'm a bit uncomfortable about putting my trust in a complete stranger on the Internet, that's fine. I won't hold it against you.
Having said all that, I suspect that not wanting to share trivial system information is a bit close to tinfoil hat territory. It probably wouldn't worry me at all, had I not had disturbing experiences in the past.
BR, Lars
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 12:46 pm
by j2mcgreg
@lars_the_bear wrote:
I don't think posting system information anonymously on a web forum is a huge risk -- if we can even identify what the 'risk' might amount to. Nevertheless, my policy is to post as little information about myself or my hardware as is practicable. I don't know who runs this site, what information it shares, or how secure it is. The same applies to almost every on-line resource I use. So I prefer caution. Other people, no doubt, will assess the risk/reward balance differently.
Concerning the QSI request which is the subject of this topic, consider this scenario. Your car is acting up and you are searching for a mechanic to fix it. However, the only information you are willing to volunteer is that it has a gasoline engine. How successful do you think that your search is going to be? How much help, if any, will you glean? We only care about the malfunctioning machine and similar to the mechanic, we only ask for the bare minimum information necessary to solve the problem
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 1:11 pm
by j2mcgreg
user101 wrote: Wed Nov 20, 2024 10:44 pm
Active apt repos in: /etc/apt/sources.list.d/google-chrome.list
1: deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main
Google knows all about you & thanks you for using their spyware.
You are assuming that I have a choice. There are government websites that I have to access on a regular basis that only work consistently with Chrome or Edge. Firefox and its clones are very hit and miss. Of the two that do work, I consider Chrome to be the lesser evil by a long chalk.
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 1:21 pm
by siamhie
ghunter wrote: Wed Nov 20, 2024 9:35 pm
I will be your huckleberry
Your computer is hot!
Sensors:
System Temperatures: cpu: 53.8 C mobo: N/A gpu: amdgpu temp: 46.0 C
Fan Speeds (RPM): fan-1: 0 fan-2: 0
I suspect you are pacificist LOL
mine is
Code: Select all
inxi -s
Sensors:
System Temperatures: cpu: 30.6 C mobo: N/A gpu: amdgpu temp: 28.0 C
Fan Speeds (RPM): N/A
I like the Winter days.
Code: Select all
inxi -Ss
System:
Host: flux23 Kernel: 6.6.62-x64v3-xanmod1 arch: x86_64 bits: 64
Desktop: Fluxbox v: 1.3.7 Distro: MX-23.4_fluxbox_x64 Libretto May 19
2024
Sensors:
System Temperatures: cpu: 27.6 C mobo: N/A gpu: amdgpu temp: 46.0 C
Fan Speeds (rpm): N/A gpu: amdgpu fan: 731
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 2:06 pm
by j2mcgreg
ghunter wrote: Wed Nov 20, 2024 9:35 pm
I will be your huckleberry
Your computer is hot!
Sensors:
System Temperatures: cpu: 53.8 C mobo: N/A gpu: amdgpu temp: 46.0 C
Fan Speeds (RPM): fan-1: 0 fan-2: 0
I suspect you are pacificist LOL
mine is
Code: Select all
inxi -s
Sensors:
System Temperatures: cpu: 30.6 C mobo: N/A gpu: amdgpu temp: 28.0 C
Fan Speeds (RPM): N/A
You also have to consider the uptime. At 4 hours and twenty-one minutes use on a laptop, 53.8 C is nothing to worry about. I would be concerned if that was the starting idle temperature.
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 2:34 pm
by FullScale4Me
I've seen help requests go to 3 pages (>21 posts) when no QSI was shared before a solution was found. In a few cases, the original poster went missing and an "I'm having that problem too!" showed up and only that second person benefited from the proposed solution(s).
Yes, it could be that the OP forgot to circle back and report success, but I hope that even in 2024 it is more rare than the norm.
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 8:04 pm
by tomcashen
Whats a QSI?
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 8:09 pm
by Jerry3904
Quick System Info
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 8:16 pm
by tomcashen
Dooh! Thanks, Jerry. My brain needs a QSI.
Re: A Challenge to the Naysayers
Posted: Thu Nov 21, 2024 8:53 pm
by siamhie
j2mcgreg wrote: Thu Nov 21, 2024 2:06 pm
You also have to consider the uptime. At 4 hours and twenty-one minutes use on a laptop, 53.8 C is nothing to worry about. I would be concerned if that was the starting idle temperature.
Laptop temps will always be higher than computer tower temps which is what I suspect ghunter is running a computer tower.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 3:34 am
by lars_the_bear
j2mcgreg wrote: Thu Nov 21, 2024 12:46 pm
Concerning the QSI request which is the subject of this topic, consider this scenario. Your car is acting up and you are searching for a mechanic to fix it. However, the only information you are willing to volunteer is that it has a gasoline engine. How successful do you think that your search is going to be? How much help, if any, will you glean? We only care about the malfunctioning machine and similar to the mechanic, we only ask for the bare minimum information necessary to solve the problem
Sure, that's an entirely fair point. There are two important differences, though.
1. I'm not communicating with the car mechanic over a medium that is see all over the world, and
2. The car mechanic I employ lives in my neighbourhood, and I've known him for twenty years.
I receive technical information from my clients, over a web interface. Some of my clients know me personally, but most do not. But, even if they don't trust me, they can at least
sue me if I mishandle their data. There is a strict code of practice that governs how I store and use that information, which is enforceable by law. If it ever ended up in any public forum, I would be in trouble; the kind of trouble that requires lawyers. And none of the data I handle
appears to be sensitive, or capable of exploitation.
Sadly, we live in a world where a measure of paranoia is justified. Probably, asking people to send this QSI information would not even have raised an eyebrow ten years ago. It's almost certainly harmless even now, but people see things differently these days.
I don't claim to know what the solution is. It might help a little, perhaps, if 'send QSI' wasn't the
first thing everybody was asked. Just my two cents' worth, of course.
BR, Lars
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 4:43 am
by DukeComposed
lars_the_bear wrote: Fri Nov 22, 2024 3:34 am
It might help a little, perhaps, if 'send QSI' wasn't the
first thing everybody was asked.
The MX Linux devs have built a tool that quickly and consistently provides generic system diagnostic information which can potentially solve your issue if an expert can read and interpret it. You don't have to have years of UNIX experience to understand where all your system config files are and you don't even have to be the sharpest pencil in the drawer to just run the command and then copy and paste the output. Old greybeards who wear suspenders and write their e-mails in vi can use the tool. Newbies who confuse "hard disk" with "memory" can use this tool, and everyone in between. It's easy to run, easy to share, and can save a lot of time and agony for everyone.
And still people won't use this tool.
They won't use it because they don't know it exists. Then they won't use it because they haven't read the forum rules, which are linked on literally every page. Then they say they'd love to run the tool but gosh, shucks, Russian crime syndicates exist so, I'd best not let the world know what my partition table looks like for my own personal safety. Surely you must understand. Anyway, about my problem I haven't fully described, how do I fix it?
No one should have to spend their time guessing what your fix might be when you have an all-in-one tool that could have helped paint a clear picture 30 posts ago. This is not only a matter of wasting time and violating the rules of the community. It is willfully withholding information that could help you move on with your life. It's just plain rude.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 5:08 am
by Freja
If you (or I) have not any bad use in MX Linux, but Machine name, model, HDD/SSD usage amount detail expose, I feel uneasy.
Also, HDD/SSD composition / configuration expose also concern privacy I think.
It's maybe not only me think that.
QSI can't detect location, organization, name etc, but private machine's privacy expose is feel some little resistance.
The problem may lie here. It's privacy.
I think it's good dev team might consider cutting out some privacy details.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 5:36 am
by lars_the_bear
DukeComposed wrote: Fri Nov 22, 2024 4:43 am
No one should have to spend their time guessing what your fix might be when you have an all-in-one tool that could have helped paint a clear picture 30 posts ago. This is not only a matter of wasting time and violating the rules of the community. It is willfully withholding information that could help you move on with your life. It's just plain rude.
I absolutely get it. You try to help, and the people you're trying to help throw your efforts back in your face.
And, yet... the landscape has changed. We don't live in a world where people feel entirely comfortable about handing over a big chuck of data for world-wide perusal, whose potential for abuse they can't assess. You've only got to look at how sophisticated browser fingerprinting has become, to see how seemingly innocuous data can be exploited.
I'm one of the 'greybeards' you mentioned, and I actually do write my emails in vi. I remember a time when the Internet was a friendly, cooperative place, peopled by tech-savvy individuals who really did trust one another. Nobody was trying to scalp you, or monetize you, or steal your identity to get access to your pension savings. Or so it looked, through my rose-tinted monitor screen, anyway.
Those days are gone. We've allowed the corporate sharks to turn the Internet into an urban hellscape, and now we have to live in it. I'm not worried about Russian crime syndicates -- there are problems much closer to home.
If solving a problem needs certain information, and the person seeking help can't, or won't, provide it, nobody's going to hold it against you if you can't help.
Everybody understands you're not a psychic. But to accuse people of being 'plain rude' when they have concerns, that seem to me to be entirely justifiable, is a bit harsh.
BR, Lars.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 5:45 am
by DukeComposed
lars_the_bear wrote: Fri Nov 22, 2024 5:36 am
Everybody understands you're not a psychic
Oh how I wish this were true.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 6:21 am
by AK-47
lars_the_bear wrote: Fri Nov 22, 2024 3:34 amSure, that's an entirely fair point. There are two important differences, though.
1. I'm not communicating with the car mechanic over a medium that is see all over the world, and
2. The car mechanic I employ lives in my neighbourhood, and I've known him for twenty years.
Great. So are you willing to pay members of the MX community adequately to provide such highly personalised assistance? Because that is the distinguishing factor here. Providing support for free, for software given away for free, versus a product or service you pay for which likely comes with a warranty and/or a managed product support lifecycle.
lars_the_bear wrote: Fri Nov 22, 2024 3:34 amI receive technical information from my clients, over a web interface. Some of my clients know me personally, but most do not. But, even if they don't trust me, they can at least
sue me if I mishandle their data. There is a strict code of practice that governs how I store and use that information, which is enforceable by law. If it ever ended up in any public forum, I would be in trouble; the kind of trouble that requires lawyers. And none of the data I handle
appears to be sensitive, or capable of exploitation.
So you signed an NDA with your clients, or you entered into a relationship in which there are good-faith provisions regarding the disclosure of such information, sensitive or otherwise. Not the same situation here.
lars_the_bear wrote: Fri Nov 22, 2024 3:34 amSadly, we live in a world where a measure of paranoia is justified. Probably, asking people to send this QSI information would not even have raised an eyebrow ten years ago. It's almost certainly harmless even now, but people see things differently these days.
I don't claim to know what the solution is. It might help a little, perhaps, if 'send QSI' wasn't the
first thing everybody was asked. Just my two cents' worth, of course.
BR, Lars
Devil's advocate mode on: I can agree if people are asking "How do I do X using Y application" then it is likely possible to assist without the QSI.
Devil's advocate mode off: people often ask "Why am I not able to do X", which often depends on certain aspects of your system. And rather than going through 50 questions, we have all the answers in a package.
Me personally, I work on a need-to-know basis. If I don't need the QSI I will not ask for it. But if I do need some information about your system, I will ask for the QSI and a bunch of logs to help. And what people don't see is, we have been able to resolve many a bug thanks to the QSI and other relevant logs, users do not see this work behind the scenes. I also agree that not providing a QSI is rude
per se although if you don't provide it when asked, I won't bother wasting my time and silently leave the thread. Others probably do things differently.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 6:52 am
by lars_the_bear
AK-47 wrote: Fri Nov 22, 2024 6:21 am
Great. So are you willing to pay members of the MX community adequately to provide such highly personalised assistance? Because that is the distinguishing factor here.
Actually, I am. In principle, at least. Particularly if support includes specific confidentiality guarantees.
This is why, for example, I pay for email and calendar services, rather than using Google's "free" offering. I pay rsync.net for my off-site backups, rather than using a "free" service from Dropbox. And so on. If there were a commercial support offering for MX Linux, with defined SLAs and so on, I would certainly consider subscribing to it. Of course, it would depend on the price :)
I'm sure that people are grateful for the help they get for free. I certainly am, and I try to reciprocate on the few occasions when I can. I'm also sure that people will understand if sometimes they can't get help for free, without taking a small risk with data confidentiality. I don't think any ought to resent being asked for technical data, and I don't see much evidence that anybody does.
Nevertheless, I do think it will deter some people from asking for help, if a condition of getting it is to upload a data dump -- whether it seems to be relevant or not. But, at the same time, I can see why it would speed things up if everybody did this -- particularly as the content of the QSI dump contains so little that could be exploited.
I do understand, really I do; but I understand both sides.
BR, Lars.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 9:27 am
by siamhie
I second this challenge via a different route. (testing to see if non-forum members can access this file.
QSI.txt
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 9:29 am
by Eadwine Rose
People who are not logged in will not see this. Already tested with someone who never wanted to post their QSI.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 9:32 am
by siamhie
Eadwine Rose wrote: Fri Nov 22, 2024 9:29 am
People who are not logged in will not see this. Already tested with someone who never wanted to post their QSI.
I noticed the minute I logged out. I can see greg's QSI as a non member and wanted to check the other avenue.
no-permit.png
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 9:35 am
by j2mcgreg
siamhie wrote: Fri Nov 22, 2024 9:27 am
I second this challenge via a different route. (testing to see if non-forum members can access this file.
QSI.txt
When I'm logged in I can grab it but when i'm logged out I get this:
You do not have the required permissions to view the files attached to this post.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 9:58 am
by siamhie
j2mcgreg wrote: Fri Nov 22, 2024 9:35 am
siamhie wrote: Fri Nov 22, 2024 9:27 am
I second this challenge via a different route. (testing to see if non-forum members can access this file.
QSI.txt
When I'm logged in I can grab it but when i'm logged out I get this:
You do not have the required permissions to view the files attached to this post.
@Eadwine Rose pointed out that this was brought up before.
@j2mcgreg I was going to suggest forum members upload their QSI as a text file so that non-forum members can't see it.
Non members can still see QSI posted as code but there still isn't information included that gives away the users personal information. Only the hardware they use.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 10:05 am
by Adrian
Files are cumbersome compared to properly quoted text in the post.
Also as the initial point was mean who cares what hardware configuration a random poster on a forum uses? The only relevance is for people who are trying to help.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 10:21 am
by richb
Adrian wrote: Fri Nov 22, 2024 10:05 am
Files are cumbersome compared to properly quoted text in the post.
Also as the initial point was mean who cares what hardware configuration a random poster on a forum uses? The only relevance is for people who are trying to help.
+1
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 10:41 am
by j2mcgreg
siamhie wrote: Fri Nov 22, 2024 9:58 am
j2mcgreg wrote: Fri Nov 22, 2024 9:35 am
siamhie wrote: Fri Nov 22, 2024 9:27 am
I second this challenge via a different route. (testing to see if non-forum members can access this file.
QSI.txt
When I'm logged in I can grab it but when i'm logged out I get this:
You do not have the required permissions to view the files attached to this post.
@Eadwine Rose pointed out that this was brought up before.
@j2mcgreg I was going to suggest forum members upload their QSI as a text file so that non-forum members can't see it.
Non members can still see QSI posted as code but there still isn't information included that gives away the users personal information. Only the hardware they use.
All I did was prove you correct.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 11:06 am
by lars_the_bear
Adrian wrote: Fri Nov 22, 2024 10:05 am
Also as the initial point was mean who cares what hardware configuration a random poster on a forum uses?
If you don't care, I respectfully suggest that perhaps you should. If you have not already, look into 'browser fingerprinting', to see how clever the data harvesters are, at building up real-world profiles of individuals from snippets of disparate information on the Internet. Quite a few organizations pride themselves on being able to do this with '95% accuracy' (whatever that means). And that's not even counting the outright data breaches, which are becoming more common, and more extensive.
My gut feeling is that everybody should be a little careful about what they reveal, even if it seems to be insignificant. I'm not saying we need to go the full tinfoil hat route, and make our lives too difficult to be bearable. But "not caring" seems a rather dangerous strategy to me. Just my two cents, though.
BR, Lars.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 11:20 am
by siamhie
lars_the_bear wrote: Fri Nov 22, 2024 11:06 am
Adrian wrote: Fri Nov 22, 2024 10:05 am
Also as the initial point was mean who cares what hardware configuration a random poster on a forum uses?
If you don't care, I respectfully suggest that perhaps you should. If you have not already, look into 'browser fingerprinting', to see how clever the data harvesters are, at building up real-world profiles of individuals from snippets of disparate information on the Internet. Quite a few organizations pride themselves on being able to do this with '95% accuracy' (whatever that means). And that's not even counting the outright data breaches, which are becoming more common, and more extensive.
My gut feeling is that everybody should be a little careful about what they reveal, even if it seems to be insignificant. I'm not saying we need to go the full tinfoil hat route, and make our lives too difficult to be bearable. But "not caring" seems a rather dangerous strategy to me. Just my two cents, though.
BR, Lars.
Your missing the point of this thread. What
personal information can be extracted from a QSI post?
Here's mine. Have at it.
Code: Select all
Snapshot created on: 20241119_0612
System:
Kernel: 6.6.62-x64v3-xanmod1 arch: x86_64 bits: 64 compiler: gcc v: 14.2.0 clocksource: tsc
avail: hpet,acpi_pm parameters: BOOT_IMAGE=/boot/vmlinuz-6.6.62-x64v3-xanmod1 root=UUID=<filter>
ro quiet init=/lib/systemd/systemd
Desktop: Fluxbox v: 1.3.7 with: tint2 tools: avail: light-locker vt: 7 dm: LightDM v: 1.32.0
Distro: MX-23.4_fluxbox_x64 Libretto May 19 2024 base: Debian GNU/Linux 12 (bookworm)
Machine:
Type: Desktop Mobo: Micro-Star model: B550-A PRO (MS-7C56) v: 2.0 serial: <superuser required>
uuid: <superuser required> UEFI: American Megatrends LLC. v: A.F0 date: 10/11/2023
CPU:
Info: model: AMD Ryzen 9 5950X bits: 64 type: MT MCP arch: Zen 3+ gen: 4 level: v3 note: check
built: 2022 process: TSMC n6 (7nm) family: 0x19 (25) model-id: 0x21 (33) stepping: 2
microcode: 0xA20120E
Topology: cpus: 1x cores: 16 tpc: 2 threads: 32 smt: enabled cache: L1: 1024 KiB desc: d-16x32
KiB; i-16x32 KiB L2: 8 MiB desc: 16x512 KiB L3: 64 MiB desc: 2x32 MiB
Speed (MHz): avg: 2575 high: 3400 min/max: 2200/5083 boost: disabled scaling:
driver: acpi-cpufreq governor: ondemand cores: 1: 3400 2: 2200 3: 2200 4: 2200 5: 2719 6: 2200
7: 2200 8: 2200 9: 2200 10: 2200 11: 2200 12: 2200 13: 2200 14: 2200 15: 2200 16: 2200 17: 3399
18: 2720 19: 2718 20: 2200 21: 2720 22: 3399 23: 2200 24: 3400 25: 3399 26: 2720 27: 3400
28: 2719 29: 3400 30: 2200 31: 2715 32: 2200 bogomips: 217605
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
Vulnerabilities:
Type: gather_data_sampling status: Not affected
Type: itlb_multihit status: Not affected
Type: l1tf status: Not affected
Type: mds status: Not affected
Type: meltdown status: Not affected
Type: mmio_stale_data status: Not affected
Type: reg_file_data_sampling status: Not affected
Type: retbleed status: Not affected
Type: spec_rstack_overflow mitigation: Safe RET
Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl
Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
Type: spectre_v2 mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: always-on; RSB
filling; PBRSB-eIBRS: Not affected; BHI: Not affected
Type: srbds status: Not affected
Type: tsx_async_abort status: Not affected
Graphics:
Device-1: AMD Navi 22 [Radeon RX 6700/6700 XT/6750 XT / 6800M/6850M XT] vendor: Tul / PowerColor
driver: amdgpu v: kernel arch: RDNA-2 code: Navi-2x process: TSMC n7 (7nm) built: 2020-22 pcie:
gen: 4 speed: 16 GT/s lanes: 16 ports: active: DP-3 empty: DP-1,DP-2,HDMI-A-1 bus-ID: 2d:00.0
chip-ID: 1002:73df class-ID: 0300
Display: x11 server: X.Org v: 1.21.1.7 driver: X: loaded: amdgpu
unloaded: fbdev,modesetting,radeon,vesa dri: radeonsi gpu: amdgpu display-ID: :0.0 screens: 1
Screen-1: 0 s-res: 2560x1440 s-dpi: 96 s-size: 677x381mm (26.65x15.00") s-diag: 777mm (30.58")
Monitor-1: DP-3 mapped: DisplayPort-2 model: HP X27q serial: <filter> built: 2021
res: 2560x1440 hz: 165 dpi: 109 gamma: 1.2 size: 597x336mm (23.5x13.23") diag: 685mm (27")
ratio: 16:9 modes: max: 2560x1440 min: 720x400
API: EGL v: 1.5 hw: drv: amd radeonsi platforms: device: 0 drv: radeonsi device: 1 drv: swrast
gbm: drv: kms_swrast surfaceless: drv: radeonsi x11: drv: radeonsi inactive: wayland
API: OpenGL v: 4.6 vendor: amd mesa v: 23.1.2-1~mx23ahs glx-v: 1.4 es-v: 3.2 direct-render: yes
renderer: AMD Radeon RX 6700 XT (navi22 LLVM 15.0.6 DRM 3.54 6.6.62-x64v3-xanmod1)
device-ID: 1002:73df memory: 11.72 GiB unified: no
API: Vulkan v: 1.3.250 layers: 3 device: 0 type: discrete-gpu name: AMD Radeon RX 6700 XT
(RADV NAVI22) driver: mesa radv v: 23.1.2-1~mx23ahs device-ID: 1002:73df surfaces: xcb,xlib
device: 1 type: cpu name: llvmpipe (LLVM 15.0.6 256 bits) driver: mesa llvmpipe
v: 23.1.2-1~mx23ahs (LLVM 15.0.6) device-ID: 10005:0000 surfaces: xcb,xlib
Audio:
Device-1: AMD Navi 21/23 HDMI/DP Audio driver: snd_hda_intel v: kernel pcie: gen: 4
speed: 16 GT/s lanes: 16 bus-ID: 2d:00.1 chip-ID: 1002:ab28 class-ID: 0403
Device-2: AMD Starship/Matisse HD Audio vendor: Micro-Star MSI driver: snd_hda_intel v: kernel
pcie: gen: 4 speed: 16 GT/s lanes: 16 bus-ID: 2f:00.4 chip-ID: 1022:1487 class-ID: 0403
API: ALSA v: k6.6.62-x64v3-xanmod1 status: kernel-api tools: alsactl,alsamixer,amixer
Server-1: PipeWire v: 1.2.2 status: active with: 1: pipewire-pulse status: active
2: wireplumber status: active 3: pipewire-alsa type: plugin 4: pw-jack type: plugin
tools: pactl,pw-cat,pw-cli,wpctl
Network:
Device-1: Intel Wi-Fi 6 AX210/AX211/AX411 160MHz driver: iwlwifi v: kernel pcie: gen: 2
speed: 5 GT/s lanes: 1 bus-ID: 05:00.0 chip-ID: 8086:2725 class-ID: 0280
IF: wlan0 state: up mac: <filter>
Device-2: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet vendor: Micro-Star MSI
driver: r8169 v: kernel pcie: gen: 1 speed: 2.5 GT/s lanes: 1 port: f000 bus-ID: 2a:00.0
chip-ID: 10ec:8168 class-ID: 0200
IF: eth0 state: down mac: <filter>
Info: services: NetworkManager,wpa_supplicant
Bluetooth:
Device-1: Intel AX210 Bluetooth driver: btusb v: 0.8 type: USB rev: 2.0 speed: 12 Mb/s lanes: 1
mode: 1.1 bus-ID: 1-2.3:4 chip-ID: 8087:0032 class-ID: e001
Report: rfkill ID: hci0 rfk-id: 1 state: down bt-service: N/A rfk-block: hardware: no
software: no address: see --recommends
Drives:
Local Storage: total: 8.64 TiB used: 1.13 TiB (13.1%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/nvme0n1 maj-min: 259:2 vendor: Western Digital model: WDS500G1X0E-00AFY0
size: 465.76 GiB block-size: physical: 512 B logical: 512 B speed: 63.2 Gb/s lanes: 4 tech: SSD
serial: <filter> fw-rev: 613000WD temp: 36.9 C scheme: GPT
ID-2: /dev/nvme1n1 maj-min: 259:0 vendor: Western Digital model: WDS500G3XHC-00SJG0
size: 465.76 GiB block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s lanes: 4 tech: SSD
serial: <filter> fw-rev: 102000WD temp: 31.9 C scheme: GPT
ID-3: /dev/sda maj-min: 8:0 vendor: Seagate model: ST8000DM004-2CX188 size: 7.28 TiB
block-size: physical: 4096 B logical: 512 B speed: 6.0 Gb/s tech: HDD rpm: 5425 serial: <filter>
fw-rev: 0001 scheme: GPT
ID-4: /dev/sdb maj-min: 8:16 vendor: Samsung model: SSD 870 EVO 500GB size: 465.76 GiB
block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s tech: SSD serial: <filter>
fw-rev: 1B6Q scheme: GPT
Partition:
ID-1: / raw-size: 465 GiB size: 456.63 GiB (98.20%) used: 10.69 GiB (2.3%) fs: ext4
dev: /dev/nvme0n1p2 maj-min: 259:4
ID-2: /boot/efi raw-size: 779 MiB size: 777.5 MiB (99.80%) used: 288 KiB (0.0%) fs: vfat
dev: /dev/nvme0n1p1 maj-min: 259:3
Swap:
Kernel: swappiness: 15 (default 60) cache-pressure: 50 (default 100) zswap: no
ID-1: swap-1 type: partition size: 64 GiB used: 0 KiB (0.0%) priority: -2 dev: /dev/sdb2
maj-min: 8:18
Sensors:
System Temperatures: cpu: 29.5 C mobo: N/A gpu: amdgpu temp: 47.0 C mem: 46.0 C
Fan Speeds (rpm): N/A gpu: amdgpu fan: 774
Repos:
Packages: pm: dpkg pkgs: 2311 libs: 1186 tools: apt, apt-get, aptitude, nala, synaptic pm: rpm
pkgs: 0
No active apt repos in: /etc/apt/sources.list
Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list
1: deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
Active apt repos in: /etc/apt/sources.list.d/debian.list
1: deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
2: deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
Active apt repos in: /etc/apt/sources.list.d/mx.list
1: deb http://la.mxrepo.com/mx/repo/ bookworm main non-free
Active apt repos in: /etc/apt/sources.list.d/nordvpn.list
1: deb https://repo.nordvpn.com/deb/nordvpn/debian stable main
Active apt repos in: /etc/apt/sources.list.d/xanmod-release.list
1: deb [signed-by=/usr/share/keyrings/xanmod-archive-keyring.gpg] http://deb.xanmod.org releases main
Active apt repos in: /etc/apt/sources.list.d/extrepo_librewolf.sources
1: deb [arch=amd64 arm64] https://repo.librewolf.net librewolf main
Info:
Memory: total: 32 GiB available: 31.27 GiB used: 2.42 GiB (7.7%)
Processes: 466 Power: uptime: 43m states: freeze,mem,disk suspend: deep avail: s2idle
wakeups: 0 hibernate: platform avail: shutdown, reboot, suspend, test_resume image: 12.47 GiB
services: upowerd Init: systemd v: 252 target: graphical (5) default: graphical tool: systemctl
Compilers: gcc: 12.2.0 Client: shell wrapper v: 5.2.15-release inxi: 3.3.35
Boot Mode: UEFI
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 1:23 pm
by Adrian
Your missing the point
People have been telling me that... a lot.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 3:38 pm
by MXRobo
I previously posted that if I were in the forum member's shoes, that at the most I would only provide a link of either how to post the QSI instructions of forum rules as opposed to asking for them as the members are doing the users a service.
But after reading AK-47's comment in post # 31:
Code: Select all
I work on a need-to-know basis. If I don't need the QSI I will not ask for it
I MIGHT consider it to not initially be required.
But it is amazing how frequently insufficient information is provided, and I feel like the "I'm not psychic" phrase is so apropos.
=====================================================================
However, I translated Lars' comments dichotomously and not antithetically, as in:
Do I trust the people on this website? No
Do I not trust the people on this website? No
I don't mean to speak for Lars, and I'm not psychic.
I also concur with Rose.
'Some' may have missed the point that Lars was initially referring to "large-scale aggregation and correlation of information from different sources. Certain business" as opposed to himself, and was defending himself by about the second page on, and against a straw-man or two.
I think Lar's original comment (#12) was engaging and introduced another perspective into the mix, but I suspect the poster encountered an evolutionarily programmed social tribal reflex which I find to be the the bane of mankind no matter the level of education. Quixotic to hope that mankind can overcome this "peacetime hindrance" as it seems very difficult for people to override this compulsion – even with some critical introspection.
Can AI intelligently discuss these kinds of topics yet?
Mankind's opposing thumb, mind and primate sociality have worked wonders, but I've often wondered about that advantages that mankind would have had, had he been a non-social creature.
I probably won't reply to this post, but in the vein of the topic, I'm still very pro-QSI and I've learned that even more problem solving info is contained within since I posted my previous pro-QSI or pro
viewtopic.php?p=255062#p255062 post many months ago.
Maybe I should've kept my two-cents to myself.
Regards
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 3:40 pm
by Arnox
On one hand, I do think with an IP address of a potential target and their QSI, I could quite potentially cause a lot of damage. Just for starters, the QSI lists all the hardware vulnerabilities that the user, for whatever reason, might have left unpatched. It also declares MX version and kernel version information which could potentially be used to see if there is an exploitable software component in the target's install.
So who exactly is going to want to take advantage of that information? The MX forum would need to be hacked first in order to even harvest user IP addresses, and, assuming the user wasn't using a VPN (which case, you're screwed), you'd then also have to get past modem/router security of the user as well. Which may actually be quite easy since most ISPs send unsecured junk to their subscribers. Alternatively, a user could have mistakenly used the same alias on this forum that they use on the dark web as well, which would interest both criminal and state actors if they, for whatever reason, felt so inclined to do a little digging on the dark web user.
On the other hand, it's a plain fact that diagnostic information is needed for, well, a diagnosis in many cases. This is just flat-out unavoidable. You could set up private threads that only the MX staff can see, but then, normal users would no longer be able to contribute answers and fixes. So I guess, ultimately, one will probably just have to accept that if they want free tech support from the MX community and the MX devs, then they need to provide their QSI. If security is a big enough factor, then I'm afraid the MX forums are probably off-limits to them.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 4:57 pm
by Eadwine Rose
Guys.. instead of discussing yes/no QSI, which is not the topic, the challenge is to extract the personal info from the provided QSI.
Clearly you cannot do it 'cause you're talking all around it and away from the challenge.
But post 42 has one. Three, two, one, GO!
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 5:50 pm
by Stevo
Nope, nope, I can't really see anything either, so another "neigh" here"
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 5:52 pm
by FullScale4Me
Arnox wrote:On one hand, I do think with an IP address of a potential target and their QSI, I could quite potentially cause a lot of damage. Just for starters, the QSI lists all the hardware vulnerabilities that the user, for whatever reason, might have left unpatched. It also declares MX version and kernel version information which could potentially be used to see if there is an exploitable software component in the target's install.
For the
concerned folks perhaps a step or two back - inxi -EMnprdxxx ... with two x's you don't get MSDOS/GPT info about drives.
Code: Select all
mike@OptiPlex7050:~
$ inxi -EMnprdxxx
Machine:
Type: Desktop System: Dell product: OptiPlex 7050 v: N/A
serial: <superuser required> Chassis: type: 3 serial: <superuser required>
Mobo: Dell model: 0NW6H5 v: A00 serial: <superuser required> UEFI: Dell
v: 1.21.0 date: 07/12/2022
Network:
Device-1: Intel Ethernet I219-LM vendor: Dell driver: e1000e v: kernel
port: N/A bus-ID: 00:1f.6 chip-ID: 8086:15e3 class-ID: 0200
IF: eth0 state: up speed: 1000 Mbps duplex: full mac: 50:9a:4c:44:56:a3
Device-2: Realtek 802.11ac NIC type: USB driver: rtw_8821cu bus-ID: 1-5:3
chip-ID: 0bda:c811 class-ID: 0000 serial: 123456
IF: wlan0 state: down mac: 6a:d2:3e:e9:2f:8b
Bluetooth:
Device-1: Plugable Bluetooth 5.0 Adapter type: USB driver: btusb v: 0.8
bus-ID: 1-9:6 chip-ID: 2230:0016 class-ID: e001 serial: 00E04C239987
Report: hciconfig ID: hci0 rfk-id: 1 state: up address: 8C:AE:4C:C0:29:91
bt-v: 3.0 lmp-v: 5.1 sub-v: 8761 hci-v: 5.1 rev: b
Drives:
Local Storage: total: 3.86 TiB used: 801.54 GiB (20.3%)
ID-1: /dev/sda vendor: Lexar model: 128GB SSD size: 119.24 GiB
speed: 6.0 Gb/s type: SSD serial: K44440W101205 rev: 117D scheme: GPT
ID-2: /dev/sdb type: USB model: External USB3.0 size: 111.79 GiB type: N/A
serial: 201703310007F rev: 0204 scheme: GPT
ID-3: /dev/sdc type: USB vendor: Western Digital model: WD40EDAZ-11SLVB0
size: 3.64 TiB type: HDD rpm: 5400 serial: WD-WX12DA3LNAYT rev: 1031
scheme: GPT
Optical-1: /dev/sr0 vendor: HL-DT-ST model: DVD+-RW GU90N rev: A1C1
dev-links: cdrom
Features: speed: 24 multisession: yes audio: yes dvd: yes
rw: cd-r,cd-rw,dvd-r,dvd-ram state: running
Partition:
ID-1: / size: 57.95 GiB used: 27.84 GiB (48.0%) fs: ext4 dev: /dev/sda3
ID-2: /boot/efi size: 54.1 MiB used: 411 KiB (0.7%) fs: vfat
dev: /dev/sda2
ID-3: /media/120gb_ssd size: 109.98 GiB used: 100.08 GiB (91.0%) fs: ext2
dev: /dev/sdb1
ID-4: /media/mike/WD4TB size: 3.64 TiB used: 673.62 GiB (18.1%) fs: exfat
dev: /dev/sdc1
Repos:
Packages: 2869 pm: dpkg pkgs: 2847 pm: flatpak pkgs: 22
No active apt repos in: /etc/apt/sources.list
Active apt repos in: /etc/apt/sources.list.d/ahs-staging.list
1: deb https://mxrepo.com/mx/repo/ bookworm ahs-staging
Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list
1: deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
Active apt repos in: /etc/apt/sources.list.d/debian.list
1: deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
2: deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
Active apt repos in: /etc/apt/sources.list.d/google-chrome.list
1: deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main
Active apt repos in: /etc/apt/sources.list.d/megasync.list
1: deb [signed-by=/usr/share/keyrings/meganz-archive-keyring.gpg] https://mega.nz/linux/repo/Debian_12/ ./
Active apt repos in: /etc/apt/sources.list.d/mx.list
1: deb http://la.mxrepo.com/mx/repo/ bookworm main non-free
2: deb http://la.mxrepo.com/mx/repo/ bookworm ahs
Active apt repos in: /etc/apt/sources.list.d/slack.list
1: deb https://packagecloud.io/slacktechnologies/slack/debian/ jessie main
Active apt repos in: /etc/apt/sources.list.d/spotify.list
1: deb http://repository.spotify.com stable non-free
mike@OptiPlex7050:~
edit: typofix
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 5:54 pm
by Melber
Eadwine Rose wrote: Fri Nov 22, 2024 4:57 pm
But post 42 has one. Three, two, one, GO!
siamhie gets out of bed way too early if the time of the snapshot is anything to go by.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 5:57 pm
by AK-47
Freja mentioned a few items of concern in post #28. Also the repo list may reveal which rough geographical location the poster is in, and application vendors that may be in use. CPU vulnerabilities, yes, but a lot of them require specific techniques to exploit anyway. But ooh, bluetooth device!
Device-1: Plugable Bluetooth 5.0 Adapter type: USB driver: btusb v: 0.8
bus-ID: 1-9:6 chip-ID: 2230:0016 class-ID: e001 serial: 00E012345678
Any of you have a mobile broadband modem, let us know if the IMEI number is in there.
For the most part the challenge is pointless, because revealing of
personal information is not what any of these "naysayers" are complaining about, it's
sensitive information. What constitutes sensitive depends on the individual, and dismissing this concern as "See? QSI don't got no credit card numbers!" is somewhat disingenuous. But the option to post QSI as a file is there in the utility for those who really need to, although for a single file (ie. QSI only, most requests) quoted text is better. Attachments will satisfy the requirement of only registered members being allowed to access this. The way around it is quite simple though: create an account on the forum. A bad actor could do so without making a single post and grab that anyway.
That said, publicly asking for help will likely reveal more damning information about your situation and what you use the machine for than a QSI will.
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 10:05 pm
by siamhie
Melber wrote: Fri Nov 22, 2024 5:54 pm
Eadwine Rose wrote: Fri Nov 22, 2024 4:57 pm
But post 42 has one. Three, two, one, GO!
siamhie gets out of bed way too early if the time of the snapshot is anything to go by.
I think it was one of those mornings where I thought I might as well do something while making a pot of coffee
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 10:53 pm
by siamhie
Eadwine Rose wrote: Fri Nov 22, 2024 4:57 pm
But post 42 has one. Three, two, one, GO!
I'm not seeing anything different in my QSI from everyone else who posts theirs. What do you see?
Re: A Challenge to the Naysayers
Posted: Fri Nov 22, 2024 11:21 pm
by aika
j2mcgreg wrote: Wed Nov 20, 2024 12:55 pm
Here is my QSI:
Code: Select all
System:
Kernel: 6.6.12-1-liquorix-amd64 [6.6-16~mx23ahs] ...
=>
https://www.cvedetails.com/version/1756 ... .6-16.html
=>
https://www.cvedetails.com/vulnerabilit ... .6.12.html
If you know the exact kernel version, you can easily find some CVE's for selecting appropriate Metasploit modules.
Re: A Challenge to the Naysayers
Posted: Sat Nov 23, 2024 12:33 am
by DukeComposed
aika wrote: Fri Nov 22, 2024 11:21 pm
If you know the exact kernel version, you can easily find some CVE's for selecting appropriate Metasploit modules.
OK. Then what?
Thirty years ago the most common way for home users to connect to the Internet was over PPP: you plugged a phone line into your computer and authenticated against your local ISP. That ISP would assign you an IP address and that was how you'd get to yahoo.com or GeoCities or your AngelFire page. A fun way to knock someone offline was to use a freeware utility called WinNuke, which exploited a widespread Windows 95 kernel bug on, if I remember it correctly, 135/tcp. It might have been 138/tcp. If you knew someone's IP address, it was highly probable you could invoke a blue screen of death on their PC remotely. There was no way to prevent this, unless you downloaded and installed the free version of the third-party ZoneAlarm packet filter utility.
That was thirty years ago.
Similar issues plagued Windows until Windows XP Service Pack 2, which enabled a packet filter by default.
That was over twenty years ago.
Let's say I know your exact kernel version. Let's say I grab your QSI and build an identical system I can use for target practice. Let's say I craft a functional Metasploit payload to do something nefarious on any machine with that configuration.
OK. Then what?
I'd still have to know your IP address. Let's say I buy the MX Linux forum server's ISP, or bribe the sysadmin. OK, now I can match your forums logins to an IP address. Mwah-ha-ha!
OK. Then what?
I'd still have to deliver that payload. These days people don't use dial-up anymore. They typically end up buying or renting an always-on cable modem from their ISP and that modem acts as a gateway, which gives the home user internal NAT addresses which the cable modem forwards to the ISP and then to the Internet at large.
OK. Then what?
In order for me to do mean, nasty things to your machine, which I can absolutely do thanks to Metasploit and the QSI you've proffered, I would still need to figure out how to get your cable modem to forward the malicious packets to your machine. if that were easy to do, Russian bots would be doing it constantly.
OK. Then what?
If you're running MX 23 (or later, I presume), your firewall is enabled by default, so some random kernel vulnerability on a local port that's listening on 0.0.0.0 for no good reason wouldn't even be an option unless you've explicitly allowed it in the firewall
and forwarded it correctly in the cable modem config. (This assumes I haven't found out how to remotely enable god mode on your modem. If I do, I'll prove it by making the front lights blink messages to you like "CALL YOUR MOM" in Morse code[0].)
I could set up a honeytrap. I could build a website and entice you to visit it somehow. Possibly by purchasing advertising on the MX Linux forum ISP I just bought. When you visit it, I could exploit your browser to load malware onto it. Except your QSI doesn't divulge which browser you use, so I really could have just started at buying the ISP and looked at your user agent info and gone from there. The info in your QSI isn't even a relevant factor now.
OK. Then what?
Then we have to start realizing that in the 21st century basic endpoint protections prevent the kind of shell popping that we all were taught was perilously easy in the 1980s and 1990s where if anyone knew your IP they could completely destroy your life, livelihood, and peace of mind. A dedicated attacker is not going to hang out on a volunteer forum waiting for FunkyDude22 to slip up and share his kernel version because he has an NVIDIA driver complaint just so they can maybe someday get his bank's login creds if they play their cards juuust right. I think a lot of people are having "I'm the Main Character" Syndrome and are worried about laser-focused spearphishing attacks by a Mossad-class adversary purely from providing generic, anonymized diagnostic details on an anonymous Linux forum in a day and age when they're far more likely to get an unsolicited text message from "Alice" or "Jessica" that can end up emptying out their bank account.
As a wise man once said many decades ago, "If the Mossad want to get you, they're gonna get you and there's nothing you can do about it." Don't post your QSI if you don't want to post. That's fine. The easiest way to do that is to not ask for free help here in the first place.
[0] -.-. ._ _... _... / -.-- --- -.. ._. / -- --- -- is "CABB YODR MOM". No one said this was an exact science.
Re: A Challenge to the Naysayers
Posted: Sat Nov 23, 2024 12:51 am
by aika
DukeComposed wrote: Sat Nov 23, 2024 12:33 am... OK. Then what?
I'd still have to know your IP address ...
Which I could easily read using JavaScript+PHP after attracting you to my homepage
For example, I don't use a cable modem and my active firewall keeps 2 ports open for LinPhone.
DukeComposed wrote: Sat Nov 23, 2024 12:33 am... A dedicated attacker is not going to hang out on a volunteer forum waiting for FunkyDude22 to slip up and share his kernel version ...
But maybe FunkyDude22 had over 2000 posts in another Linux forum and doesn't want to be detected via QSI? QSI could only be displayed visibly for forum members, similar to image attachments.
Re: A Challenge to the Naysayers
Posted: Sat Nov 23, 2024 1:39 am
by DukeComposed
aika wrote: Sat Nov 23, 2024 12:51 am
DukeComposed wrote: Sat Nov 23, 2024 12:33 am
I'd still have to know your IP address ...
Which I could easily read using JavaScript+PHP after attracting you to my homepage
Sigh... I'll take "Didn't Bother Reading the Whole Thing" for $200.
Bozo bit hereby flipped.
Re: A Challenge to the Naysayers
Posted: Sat Nov 23, 2024 2:23 am
by aika
DukeComposed wrote: Sat Nov 23, 2024 1:39 am... I'll take "Didn't Bother Reading the Whole Thing" for $200 ...
I took the trouble to install the Firefox add-on "DeepL-translator" for your English irony . But a woman who was an amateur radio operator in her youth has no problems with Morse code.
Re: A Challenge to the Naysayers
Posted: Sat Nov 23, 2024 3:40 am
by Eadwine Rose
siamhie wrote: Fri Nov 22, 2024 10:53 pm
Eadwine Rose wrote: Fri Nov 22, 2024 4:57 pm
But post 42 has one. Three, two, one, GO!
I'm not seeing anything different in my QSI from everyone else who posts theirs. What do you see?
I think you missed my intent, which was pointing out your QSI for people to get back on topic.
Looks like this topic has outlived its usefulness, and is therefore now closed.