Programs/orgs like Conda are like the #1 reason projects like Guix exist.

Conda's default repos are only technically free for personal use, and you have to pay an exorbitant amount if you want to use them in a company. But what happens is devs install Conda anyways, not realizing this, the software phones home, and all of a sudden you have a bunch of lawyers on your case, demanding 10 gorbillion dollars.

And because programs like Conda, or Oracle Java, or so on are technically not malware (even though they literally act like ransomware in some ways), they aren't, and will not ever be caught by antivirus software.

So the solution people come up to not have to deal with those, with, is to restrict all installation of software entirely, via things like AppLocker on Windows. This makes it so that only approved software can be installed. Software can be manually vetted, confirmed to actually be free for the business, or paid for, before being explicitly allowed.

But the problem with this, is that users like being able to autonomously install the tools they need in order to solve problems. So now they just get frustrated that they can't do that at all.

Guix, and other projects which only ship open source software, present a middle ground. They distribute a large repo of software, that is essentially confirmed safe for a business to use, and for their users to install autonomously. If I gave someone Guix, I could feel confident that they could install various tools they needed without risking totally-not-ransomware from getting onto the systems.

Anyway. There is nonguix and other additional guix package channels if you want, say CUDA so it's an option. I'm just trying to explain why some people insists on this model, and why someone would see that as a benefit.

Woops, a duplicate?

Did you reboot?

It could be that a system service was installed, and activated. This service could stay running even after the packages are removed, since the programs would remain in memory.

Thank you so much. This was so annoying. Although another comment mentions that this appears to be specific to samsung devices, and doesn't work on general android/aosp.

For those the ADB solution another comment mentions probably must be used.

It's not about trusting the source code or binaries to not have malicious additions.

It's about protecting myself and other users from anti features, by modifying or forking the software of the need ever arises. If software ever adds tracking or telemetry, the community can either modify it downstream (i.e. the way many linux distros compiled out audacity's telemetry), or they can directly fork it.

There is no need to worry about vendor lock in to a proprietary ecosystem, because the option to exit is always there.

randomise your web interface port

Randomized interface ports change nothing except for stopping automated scanners. They don't really help. Just lock it behind ssh, physical access or similar, and then never worry about it again.

Yeah only if you enable their cloud api

No, all of the local web interfaces have had problems too. Literally every router or network appliance has had similar issues.

ts not an isp or consumer router

ISP, consumer, and enterprise routers have all the same issues due to the same architecture. All of them.

have also pen tested my router remotley.

Me too. But it's just not about my router being secure today, it's about it being secure tomorrow. I want to be able to rest easy knowing that if a new vulnerability appears in xyz component then I don't have to worry about it.

Every issue with tp link has been. You need to have acces to the router physically to implement.

Come on, this is not true and you know it. Finding a counterexample was easy:

https://www.anavem.com/en/news/cybersecurity/tp-link-patches-critical-router-flaws-enabling-rce

Auth bypass + auth rce flaw. Literal remote code execution, instant own.

The problem with network appliances/routers is that they all have web ui's, and management api's or something of the sort. Web UI's are extremely complex services, with lots of difficult to secure attack surface. In a router, that attack surface is now running as root (because it has to be, to manage linux (or freebsd, routers are usually based on one of the two) kernel routing and networking.

So literally every single network appliance and router has had it's own critical vulnerabilities, even open source ones like openwrt.

The real solution here is to recognize that web interfaces are a security nightmare, and to either disable them or lock them behind ssh.

(Open)ssh, is known for having extremely few vulnerabilities, only 2.5 critical ones over it's 25+ years of existence. That's a big difference compared to some of these network appliances/routers which have 2+ critical vulns every quarter.

I'm so tired of news articles that hype up fairly mundane stuff, acting like it's the next big bomshell.

In addition to that, by misrepresenting what is happening, it's literally actively harmful to consume this kind of news, which is so common on the cybersecurity news cycle.

Yet another cyberslop article.

Not really. Immutability can be overriden by root, who can then edit files.

And in addition to that, /etc/, system config files, including pam files mentioned here, are not immuable even in immutable distros.

SIX. SEVEN.

Frantically does hand gesture

Yes this is the best way.

On Linux I've never had to install drivers for any printers, it comes with a "generic" driver that works for a ton of brands,

This is not the same. The AUR was a supply chain attack, where good packages where replaced with malicious one's.

Nix is better at stopping things like that from happening, becuase they have a monorepo, where most package updates or changes are reviewed by another person. The AUR is just a collection of individual git repos (or branches), where each maintainer can make updates or changes with no oversight.