Discussion:
how2 format a flash drive
Lee
2024-06-25 14:00:02 UTC
My old laptop died; I just got a new one and it has _no_ optical
drive. But the Debian install from flash instructions were excellent
& I now have a laptop running Debian.

My question is: how do I reformat the flash drive so it's usable as a
"normal" flash drive again?

Nothing I tried worked.. I ended up putting the thumb drive in a
Windows machine and formatting it there; it would be nice to know how
to restore the thumb drive to working order on Debian.

Thanks,
Lee
Thomas Schmitt
2024-06-25 14:30:01 UTC
Hi,
Post by Lee
My question is: how do I reformat the flash drive so it's usable as a
"normal" flash drive again?
You have to delete the partitions of the USB stick which came with
the ISO.
Then you create one or more partitions.
Then you format them to a writable filesystem each.

If it shall serve for file exchange with MS-Windows or Macs, then you
probably want just one partition with FAT as filesystem.

I would do the first and second step by program "fdisk" and the third
step by program "mkfs.fat".
If you prefer a GUI program, look for GParted or what your desktop
offers for the tasks of partitioning and filesystem formatting.

-------------------------------------------------------------------

In hindsight it would of course have been advisable to make a copy
of the USB stick to an image file before putting the netinst ISO onto it.
Assuming that the USB stick is /dev/sdc and your home directory offers
enough space for the size of the USB stick this would have been something
like:

dd if=/dev/sdc bs=1M of="$HOME"/usb_stick.img

Later you would put it back onto the USB stick the same way as you did
with the netinst ISO image.


Have a nice day :)

Thomas
David Wright
2024-06-25 14:50:01 UTC
Post by Thomas Schmitt
Post by Lee
My question is: how do I reformat the flash drive so it's usable as a
"normal" flash drive again?
You have to delete the partitions of the USB stick which came with
the ISO.
Then you create one or more partitions.
Then you format them to a writable filesystem each.
If it shall serve for file exchange with MS-Windows or Macs, then you
probably want just one partition with FAT as filesystem.
I would do the first and second step by program "fdisk" and the third
step by program "mkfs.fat".
If you prefer a GUI program, look for GParted or what your desktop
offers for the tasks of partitioning and filesystem formatting.
Of course, we're not told what "normal" means, what was tried,
nor how normality was tested. It's possible that they need to
use, say, mkdosfs to get back to the state in which USB sticks
are typically bought, so it can be plugged into other devices.

Cheers,
David.
Thomas Schmitt
2024-06-25 16:30:01 UTC
Hi,
Post by David Wright
Of course, we're not told what "normal" means,
I guess it's a single partition with FAT.
Around 2010 I got three USB sticks and kept their compressed original
content. For examination of their MBR partition tables it is enough to
cut off their heads:

$ gunzip <usb_2gb_original.gz | dd bs=512 count=1 of=x.img
...
$ /sbin/fdisk -l x.img
...
Device Boot Start End Sectors Size Id Type
x.img1 * 32 3915775 3915744 1.9G 6 FAT16

The other two have

Device Boot Start End Sectors Size Id Type
x.img1 38 7839719 7839682 3.8G b W95 FAT32

Device Boot Start End Sectors Size Id Type
x.img1 * 63 15794175 15794113 7.5G b W95 FAT32

The types do not necessarily tell the actual filesystem type.
But since that was the initial partitioning, I trust them and do not
uncompress the whole images in order to inspect them.
Post by David Wright
what was tried, nor how normality was tested.
Yeah. More tangible info would help with helping.
Post by David Wright
It's possible that they need to
use, say, mkdosfs to get back to the state in which USB sticks
are typically bought, so it can be plugged into other devices.
For at least a decade, "man mkdosfs" has described "mkfs.fat".

But before creating a new filesystem, it is necessary to create a
suitable partition for hosting it.
A USB stick with the netinst ISO shows two partitions:

$ /sbin/fdisk -l debian-12.2.0-amd64-netinst.iso

Disk debian-12.2.0-amd64-netinst.iso: 628 MiB, 658505728 bytes, 1286144 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x52bf7ba9

Device Boot Start End Sectors Size Id Type
debian-12.2.0-amd64-netinst.iso1 * 0 1286143 1286144 628M 0 Empty
debian-12.2.0-amd64-netinst.iso2 4476 23451 18976 9.3M ef EFI (FAT-12

Partition editors might react unfriendly on the "Empty" partition which
surrounds the EFI partition. The latter has a FAT filesystem which is
completely filled up:

$ sudo mount -o loop,offset=2291712 /mnt/fat
$ df /mnt/fat
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/loop0 9450 9446 4 100% /mnt/fat

The files in this FAT are the initial boot stages for amd64 and i386:

$ find /mnt/fat -type f
/mnt/fat/efi/boot/bootx64.efi
/mnt/fat/efi/boot/grubx64.efi
/mnt/fat/efi/boot/bootia32.efi
/mnt/fat/efi/boot/grubia32.efi
/mnt/fat/efi/debian/grub.cfg

Their only purpose is to convince Secure Boot that the GRUB software is
acceptable and to find the ISO filesystem where the rest of GRUB's
equipment is stored.

So both partitions are of no use for the general purpose USB stick
and can be deleted.


Have a nice day :)

Thomas
Thomas Schmitt
2024-06-25 16:50:01 UTC
Hi,
Post by Thomas Schmitt
$ sudo mount -o loop,offset=2291712 /mnt/fat
For the archives, this would of course have to be

$ sudo mount -o loop,offset=2291712 debian-12.2.0-amd64-netinst.iso /mnt/fat

The number 2291712 was computed from the partition start block 4476
multiplied by the block size 512.


Have a nice day :)

Thomas
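
The partition-table reading and offset arithmetic from the two messages above, as an added example that is not part of the original posts: it decodes the four MBR slots, computes the byte offset for a loop mount (start sector times 512), and flags overlapping partitions such as the "Empty" one surrounding the EFI partition. The sample sector is constructed from the fdisk listing quoted in the thread; function names are illustrative.

```python
import struct

SECTOR = 512  # logical sector size reported by fdisk in the thread

# MBR type bytes that occur in the thread's fdisk listings (not a full table).
TYPE_NAMES = {0x00: "Empty", 0x06: "FAT16", 0x0B: "W95 FAT32", 0xEF: "EFI"}


def parse_mbr(sector0):
    """Decode the four primary partition slots of an MBR; skip all-zero slots."""
    if len(sector0) < 512:
        raise ValueError("need the complete first sector (512 bytes)")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing: not an MBR")
    parts = []
    for slot in range(4):
        raw = sector0[446 + 16 * slot:446 + 16 * (slot + 1)]
        if raw == bytes(16):
            continue  # unused slot
        # Layout: status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        parts.append({
            "number": slot + 1,
            "boot": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "start": start,
            "end": start + count - 1,
            "sectors": count,
            "byte_offset": start * SECTOR,  # value for mount -o loop,offset=
        })
    return parts


def overlapping(parts):
    """Return pairs of partition numbers whose sector ranges intersect."""
    pairs = []
    for i, a in enumerate(parts):
        for b in parts[i + 1:]:
            if a["start"] <= b["end"] and b["start"] <= a["end"]:
                pairs.append((a["number"], b["number"]))
    return pairs


def make_entry(boot, ptype, start, count):
    """Build one 16-byte table entry; CHS fields stay zero (LBA only)."""
    return struct.pack("<B3xB3xII", 0x80 if boot else 0x00, ptype, start, count)


def sample_netinst_mbr():
    """Constructed sector 0 mirroring the netinst listing quoted in the thread."""
    table = make_entry(True, 0x00, 0, 1286144) + make_entry(False, 0xEF, 4476, 18976)
    return bytes(446) + table + bytes(32) + b"\x55\xaa"


if __name__ == "__main__":
    parts = parse_mbr(sample_netinst_mbr())
    for p in parts:
        print("part %d%s start=%d end=%d sectors=%d id=%x (%s) offset=%d" % (
            p["number"], " *" if p["boot"] else "", p["start"], p["end"],
            p["sectors"], p["type"], p["type_name"], p["byte_offset"]))
    print("overlapping partitions:", overlapping(parts))
```

For a real stick or image, pass its first 512 bytes to `parse_mbr` instead of the constructed sample.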
e***@gmx.us
2024-06-25 17:20:01 UTC
Post by David Wright
Of course, we're not told what "normal" means, what was tried,
nor how normality was tested. It's possible that they need to
use, say, mkdosfs to get back to the state in which USB sticks
are typically bought, so it can be plugged into other devices.
I keep my thumb drives in extN, because interchangeability with other OSes
is not normally a concern. So for me, that is normal and FAT is an aberration.

--
Logic is a systematic method of coming to
the wrong conclusion with confidence.
David Wright
2024-06-25 23:00:01 UTC
Entire attribution and quote removed to avoid the mailing list
treating this post as spam.

I got the impression that Lee used windows in the past (and may
still), which is why I didn't suggest the same as Joe. (Lee did
write "on Debian").

And by devices, I was thinking more of TVs, printers, scanners,
set-top boxes, etc.

One of our six TVs can handle ext2/3; nothing else can.

Cheers,
David.
Lee
2024-06-25 19:40:01 UTC
Post by Thomas Schmitt
Hi,
Hi,
I don't know what happened, but your msg _finally_ showed up in my inbox.
Strange how it was delayed for so long..
Post by Thomas Schmitt
Post by Lee
My question is: how do I reformat the flash drive so it's usable as a
"normal" flash drive again?
You have to delete the partitions of the USB stick which came with
the ISO.
Then you create one or more partitions.
Then you format them to a writable filesystem each.
If it shall serve for file exchange with MS-Windows or Macs, then you
probably want just one partition with FAT as filesystem.
I would do the first and second step by program "fdisk" and the third
step by program "mkfs.fat".
Yes. That's the answer.
I was missing the fdisk bit and mkfs wasn't working for me. Or at
least not working until I did the fdisk :)
Post by Thomas Schmitt
In hindsight it would of course have been advisable to make a copy
of the USB stick to an image file before putting the netinst ISO onto it.
Assuming that the USB stick is /dev/sdc and your home directory offers
enough space for the size of the USB stick this would have been something
dd if=/dev/sdc bs=1M of="$HOME"/usb_stick.img
Later you would put it back onto the USB stick the same way as you did
with the netinst ISO image.
Thanks for that, but all I was using this thumb drive for was putting
movies on it & plugging it into a travel router so I could watch
movies on a TV with no ads.
In other words, there's nothing on the thumb drive that isn't expendable.

Thanks,
Lee
Joe
2024-06-25 15:50:01 UTC
On Tue, 25 Jun 2024 09:53:41 -0400
Post by Lee
My old laptop died; I just got a new one and it has _no_ optical
drive. But the Debian install from flash instructions were excellent
& I now have a laptop running Debian.
My question is: how do I reformat the flash drive so it's usable as a
"normal" flash drive again?
Nothing I tried worked.. I ended up putting the thumb drive in a
Windows machine and formatting it there; it would be nice to know how
to restore the thumb drive to working order on Debian.
Experience suggests that if it will be used on a Windows machine, e.g.
for file transfer, it's probably best to format it in Windows.
Otherwise Windows will give the occasional error message about it,
offer to fix it, and fail miserably. It will still work.

Obviously only for the Windows formats, FAT or NTFS. Microsoft pretends
not to know about things Not Invented Here.

It's possible to have MS and Linux partitions on the same drive. I have
one like that, FAT for interchange and ext4 for files that Linux
software insists must have certain permissions.
--
Joe
Hans
2024-06-25 16:50:01 UTC
You can easily reformat it, either using fdisk or if you want a GUI, use
gparted.


With fdisk (also you can use cfdisk) I suggest first to delete all partitions,
then create new one. Then choose your type (it is 0b for FAT32).

Write to disk and quit fdisk.

Then format the new partition, for vfat use: mkfs.vfat /dev/sdc1 (or whatever
your partition is).

Everything must be done as root (of course) so be careful.

Hope this helps.

Best

Hans
Lee
2024-06-25 23:30:01 UTC
Post by Hans
You can easily reformat it, either using fdisk or if you want a GUI, use
gparted.
I just learned about fdisk today -- thank you!

Lee
Lee
2024-06-25 19:50:01 UTC
Post by Joe
On Tue, 25 Jun 2024 09:53:41 -0400
Post by Lee
My old laptop died; I just got a new one and it has _no_ optical
drive. But the Debian install from flash instructions were excellent
& I now have a laptop running Debian.
My question is: how do I reformat the flash drive so it's usable as a
"normal" flash drive again?
Nothing I tried worked.. I ended up putting the thumb drive in a
Windows machine and formatting it there; it would be nice to know how
to restore the thumb drive to working order on Debian.
Experience suggests that if it will be used on a Windows machine, e.g.
for file transfer, it's probably best to format it in Windows.
Yes, but I did the "burn the boats" thing with my new desktop & wiped
windows and installed debian.
My remaining Windows 10 machine goes end of life... at the end of the
year? So I need to learn how to live without windows -- which I have
mostly. I just haven't adjusted to Linux and the horrible UI :( Or
how user _un_friendly linux can be. Whoever came up with scroll bars
that play hide & seek should be tarred & feathered.

Lee
e***@gmx.us
2024-06-25 20:20:01 UTC
Post by Lee
Whoever came up with scroll bars
that play hide & seek should be tarred & feathered.
Agree. Most programs that do that crap can be convinced not to. Same with
Thunderbird putting the menu bar below that next bit, whatever you call it.
Search the net for |<program> scrollbar|.

--
Q: Why do black holes never learn?
A: Because they're too dense. -- ZurkisPhreek on Fark
George at Clug
2024-06-25 23:30:01 UTC
Post by Lee
Post by Joe
On Tue, 25 Jun 2024 09:53:41 -0400
Post by Lee
My old laptop died; I just got a new one and it has _no_ optical
drive. But the Debian install from flash instructions were excellent
& I now have a laptop running Debian.
My question is: how do I reformat the flash drive so it's usable as a
"normal" flash drive again?
Did you try gparted, a user friendly graphical partition manager? I do not know if it would do what you want, but I expect it will, it has always helped me out.
Post by Lee
Post by Joe
Post by Lee
Nothing I tried worked.. I ended up putting the thumb drive in a
Windows machine and formatting it there; it would be nice to know how
to restore the thumb drive to working order on Debian.
Experience suggests that if it will be used on a Windows machine, e.g.
for file transfer, it's probably best to format it in Windows.
Yes, but I did the "burn the boats" thing with my new desktop & wiped
windows and installed debian.
Good on you ! I support you in this move.

If you have any gripes or difficulties, please mention them. After five years of using XFCE, I no longer have desires to go back to Windows. Steam has helped me play the few Windows based games that I play with my children. I have yet to master Wine, but then Linux has all the programs I need so I don't have much need for Wine.
Post by Lee
My remaining Windows 10 machine goes end of life... at the end of the
year? So I need to learn how to live without windows -- which I have
I would like you to keep a diary of your journey, of what challenges you face and how you moved past, this could help other people you know who want to make this journey.
Post by Lee
mostly. I just haven't adjusted to Linux and the horrible UI :( Or
I wonder what UI you are using?

Would you be using Gnome? There are many people who really like the Gnome UI, but I do not, I prefer KDE, Cinnamon, and XFCE.

Maybe because I am a long time Windows user, I prefer text based menus over the smartphone style icon based menus, like Gnome, Windows 3.x, Windows 8.x, Windows 11.

I use XFCE on my main PC, and very much appreciate it. Simple, elegant, and to the point menu system, customisable task bars, customisable system tray, etc.

When my wife returned to Linux this year, I set up her PC with KDE Plasma 6. I find this UI very attractive, modern, and a great temptation to leave XFCE, but XFCE is just so nice and simple to use so I will stay with XFCE for now. I use Menulibre to add menu items.

I also like Cinnamon, I find it 'beautiful' to look at, and a very simple and uncluttered UI. Great for computer users who never change the look and feel of their UI.

I think KDE is better for someone who is familiar with computers and wants to make a few changes to their UI's behaviour.

So far I have not mentioned Mate. If I recall correctly, Mate has three main menus, I only see the need for one, hence prefer KDE, Cinnamon, and XFCE.
Post by Lee
how user _un_friendly linux can be. Whoever came up with scroll bars
that play hide & seek should be tarred & feathered.
If I recall correctly, in KDE and in Firefox I was able to turn scroll bars on permanently, so much nicer than "scroll bars that play hide & seek". I am currently using KDE, and my Firefox and File manager have permanently visible scroll bars, 'as it should be'.

Disclaimer: These are my personal preferences. Other people's experiences and preferences may vary.
Post by Lee
Lee
s***@swampdog.co.uk
2024-06-27 13:30:01 UTC
Post by George at Clug
Post by Joe
On Tue, 25 Jun 2024 09:53:41 -0400
[snip]
Post by George at Clug
If you have any gripes or difficulties, please mention them. After five years
of using XFCE, I no longer have desires to go back to Windows. Steam has
helped me play the few Windows based games that I play with my children. I
have yet to master Wine, but then Linux has all the programs I need so I
don't have much need for Wine.
I've been mightily impressed by steam. The only reason my win10 is still
around is because it has skyrim on it (and a load of mods). Skyrim works under
steam but I can't be bothered figuring out how to get the mod manager and other
tools to work.

Within steam you can elect to designate a particular proton (aka wine) version
for a game. Google usually solves figuring that out.

Fwiw, the only thing about win10 which has impressed me is WSL2. Not enough to
advocate keeping win10 but to avoid me coaching newbies through putty. Can't
really recommend cygwin any more.


OP:
The best thing about linux is, when you gain a bit of knowledge, just how
little the operating system matters wrt to your data. I've been depreciating a
couple of centos boxes (raid 6 servers). They're now debian and the data disks
are unchanged. Loosely, all I did was create a debian VM with passthrough to
an ssd, copied the samba/nfs/iscsi configs over and stuck the ssd into an esata
caddy on the back of the centos server. Downtime was reboot time plus time to
go into the bios and change the boot drive to the esata.

Sod's law came into play (in reverse). I bought an rpi4 and a 5 bay usb
enclosure. Spent many many days backing up (rsync) both boxes. If I'd not had
a backup something horrible would have happened. ;-)

My old kmail client was running gentoo from, must be 15 years ago, KDE 3.5
iirc. I exported all its emails then imported them into this kmail. I didn't
expect it to work. Ditto backup so it did.
Lee
2024-06-29 16:50:01 UTC
Post by George at Clug
Post by Lee
Post by Joe
On Tue, 25 Jun 2024 09:53:41 -0400
Post by Lee
My old laptop died; I just got a new one and it has _no_ optical
drive. But the Debian install from flash instructions were excellent
& I now have a laptop running Debian.
My question is: how do I reformat the flash drive so it's usable as a
"normal" flash drive again?
Did you try gparted, a user friendly graphical partition manager?
No. It wasn't installed and fdisk was, so I went with fdisk.
Post by George at Clug
Post by Lee
Yes, but I did the "burn the boats" thing with my new desktop & wiped
windows and installed debian.
Good on you ! I support you in this move.
If you have any gripes or difficulties, please mention them.
My gripes and difficulties are the same thing. No universal image
viewer like IrfanView, an html editor would be nice -- something along
the lines of the seamonkey html editor but current software and
supported, something equivalent to notepad++, something equivalent to
winmerge (meld is nice, but isn't really a substitute), a cloneSpy
equivalent would be nice, I'm getting used to the linux privoxy log
viewer vs. the iconified thing that sits there on the windows taskbar,
Exact Audio Copy doesn't work on Linux, but supposedly does run under
wine so that's a possibility.. Debian firefox does NOT allow one to do
TLS intercept - ie. this does not work:
C:\UTIL>cat firefox-tlsdecode.bat
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"

@rem wireshark:
@rem edit / preferences
@rem protocols / tls (v2.6: protocols / ssl)
@rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log filename (was SSL debug file entry)

But the major things that were keeping me from migrating to Debian are
fixable now in xfce:
- The xfce4-terminal window can be configured so that left double click
  selects a "word" and right click pastes it in
- installing bits of the Chicago95 theme makes all the scrollbars
  permanently visible, with up & down arrows at either end of the scroll
  bar that scroll by one line
- clicking in the scrollbar trough above or below the bar scrolls the
  window up one window size instead of jumping to that point in the
  scroll buffer
Post by George at Clug
Post by Lee
My remaining Windows 10 machine goes end of life... at the end of the
year? So I need to learn how to live without windows -- which I have
I would like you to keep a diary of your journey, of what challenges you face and how you moved past, this could help other people you know who want to make this journey.
I don't know how helpful a diary of my journey would be. My workplace
had a policy of Windows for the desktop and RedHat for servers in data
centers, so I got used to cygwin on windows to ssh into linux servers
(that other people maintained). Then Microsoft came out with the
Windows 10 spyware/operating-system-as-a-service and it was clearly
time to abandon ship. Which wasn't possible at work, but at home I
don't have to put up with the M$ crapware so.. new machine, blow away
everything that came installed on it and install Debian on the PC at
home.

To make a long story short, I have years of experience with the
end-user side of linux & almost none with the maintenance side.. like
formatting thumb drives or anything requiring sudo access.
Post by George at Clug
I wonder what UI you are using?
Xfce

Lee
Dan Ritter
2024-06-29 17:40:01 UTC
Post by Lee
My gripes and difficulties are the same thing. No universal image
viewer like IrfanView,
`apt search image viewer` suggests: eog, eom, ephoto, photoqt..
among dozens of others. But start with one of those.
Post by Lee
an html editor would be nice -- something along
the lines of the seamonkey html editor but current software and
supported
`apt search html editor` offers a bunch of suggestions, but
really most editors have support for specialized syntax checking
and previews and such. You might try bluefish.
Post by Lee
, something equivalent to notepad++
Assuming that you don't want the graphical forms of emacs or
vim, how about bluefish, or notepadqq ?
Post by Lee
, something equivalent to
winmerge (meld is nice, but isn't really a substitute)
You will have to be specific about what makes meld "not a
substitute". Assume whoever you are talking to doesn't know what
winmerge is.
Post by Lee
, a cloneSpy equivalent would be nice
duff, perforate, rdfind, dupeguru...
Post by Lee
Exact Audio Copy doesn't work on Linux, but supposedly does run under
wine so that's a possibility..
You want to pull stuff off of an optical disk? cdparanoia, or
one of the things that wraps it like ripit or ripperx.
Post by Lee
Debian firefox does NOT allow one to do
C:\UTIL>cat firefox-tlsdecode.bat
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
@rem edit / preferences
@rem protocols / tls (v2.6: protocols / ssl)
@rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log filename (was SSL debug file entry)
I have no idea what you are trying to do there, but I'm sure a
DOS batch file won't run here, especially since it appears to
mostly be comments.

Describe what you want to do, not how you want it to happen.

-dsr-
Lee
2024-07-01 02:40:01 UTC
Hi,
Post by Dan Ritter
Post by Lee
My gripes and difficulties are the same thing. No universal image
viewer like IrfanView,
`apt search image viewer` suggests: eog, eom, ephoto, photoqt..
among dozens of others. But start with one of those.
Thanks, I'll check them out.
Post by Dan Ritter
Post by Lee
an html editor would be nice -- something along
the lines of the seamonkey html editor but current software and
supported
`apt search html editor` offers a bunch of suggestions, but
really most editors have support for specialized syntax checking
and previews and such. You might try bluefish.
Bluefish looks like a possible replacement for notepad++ but it
doesn't [seem to?] support WYSIWYG editing of html files.

I'll save recipes that look good and try them later. But I don't want
all the fluff that goes with most recipes, so I trim them down
drastically;
delete all the <look at all these other recipes>, all the comments,
all the kitchenware they're trying to sell me... All I want is the
recipe
Post by Dan Ritter
Post by Lee
, something equivalent to notepad++
Assuming that you don't want the graphical forms of emacs or
Right. If I was going to climb the emacs learning curve I'd have done
it 20 years ago :)
Post by Dan Ritter
vim,
While I like vim and occasionally do use it for html editing, what
usually happens is running the file thru tidy and then edit with vim.
I'd rather have a WYSIWYG html editor that lets me delete tables, rows
or columns at a time. Or, since everybody wants to move to CSS,
delete all the goop in a specific <div>
Post by Dan Ritter
Post by Lee
, something equivalent to
winmerge (meld is nice, but isn't really a substitute)
You will have to be specific about what makes meld "not a
substitute". Assume whoever you are talking to doesn't know what
winmerge is.
Meld is beautiful. Meld looks **good** But I find it a distraction
and _much_ harder to figure out what the difference is between two
files or merge updates from <this> file to <that> file.
Maybe I've just gotten used to winmerge & <alt><downarrow> to get to
the next difference and <alt><left arrow> to copy the missing text
from the left window to the right window. I can do most everything
from the keyboard. Maybe because I haven't used it that much but I
was using the mouse a lot in meld.
Post by Dan Ritter
Post by Lee
, a cloneSpy equivalent would be nice
duff, perforate, rdfind, dupeguru...
Thank you. More things to check out :)
Post by Dan Ritter
Post by Lee
Exact Audio Copy doesn't work on Linux, but supposedly does run under
wine so that's a possibility..
You want to pull stuff off of an optical disk? cdparanoia, or
one of the things that wraps it like ripit or ripperx.
Yup. I want to pull music off a CD and make MP3s of it.
2 cars ago I had a CD caddy in the trunk - I could play 6 CD worth of
music without having to change anything.
Now my car has a USB port; that + a 16GB thumb drive is more than 12
hrs worth of drive time enjoyment (as much as droning along at 55MPH
can be called enjoyment)
Post by Dan Ritter
Post by Lee
Debian firefox does NOT allow one to do
C:\UTIL>cat firefox-tlsdecode.bat
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
@rem edit / preferences
@rem protocols / tls (v2.6: protocols / ssl)
@rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log filename (was SSL debug file entry)
I have no idea what you are trying to do there, but I'm sure a
DOS batch file won't run here, especially since it appears to
mostly be comments.
Describe what you want to do, not how you want it to happen.
I want to be able to use wireshark to look at encrypted web traffic. eg
https://everything.curl.dev/usingcurl/tls/sslkeylogfile.html

Regards,
Lee
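
A way to check whether a file written through SSLKEYLOGFILE holds entries Wireshark can use, as an added example that is not part of the original post: it validates each line against the NSS key log format (label, 32-byte client random, secret), reports per session whether the needed secrets are present, and checks that the file is not readable by other users. The sample lines are constructed, and the "tls1.3-incomplete" rule (both application traffic secrets required) is a simplifying assumption.

```python
import os
import re

# Labels from the NSS key log format. CLIENT_RANDOM carries the 48-byte
# TLS 1.2 master secret; the others are TLS 1.3 secrets (32 or 48 bytes).
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
}
HEX = re.compile(r"[0-9a-fA-F]+")


def is_hex(value, lengths):
    return len(value) in lengths and HEX.fullmatch(value) is not None


def parse_keylog(text):
    """Return (entries, problems); secrets are validated but never kept."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        fields = line.split()
        if len(fields) != 3:
            problems.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = fields
        if label not in TLS12_LABELS | TLS13_LABELS:
            problems.append((lineno, "unrecognised label"))
        elif not is_hex(client_random, (64,)):
            problems.append((lineno, "client random is not 32 hex-encoded bytes"))
        elif not is_hex(secret, (96,) if label in TLS12_LABELS else (64, 96)):
            problems.append((lineno, "secret has wrong length or is not hex"))
        else:
            entries.append((label, client_random.lower()))
    return entries, problems


def session_status(entries):
    """Map each client random to tls1.2, tls1.3 or tls1.3-incomplete."""
    seen = {}
    for label, client_random in entries:
        seen.setdefault(client_random, set()).add(label)
    status = {}
    for client_random, labels in seen.items():
        if "CLIENT_RANDOM" in labels:
            status[client_random] = "tls1.2"
        elif {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels:
            status[client_random] = "tls1.3"
        else:
            status[client_random] = "tls1.3-incomplete"
    return status


def readable_by_others(path):
    """True if group or world permission bits are set on the key log file."""
    return bool(os.stat(path).st_mode & 0o077)


# Constructed sample: repeated byte patterns stand in for real randoms/secrets.
SAMPLE = "\n".join([
    "# constructed key log sample",
    "CLIENT_RANDOM " + "a1" * 32 + " " + "01" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "b2" * 32 + " " + "02" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "b2" * 32 + " " + "03" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "b2" * 32 + " " + "04" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "b2" * 32 + " " + "05" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "c3" * 32 + " " + "06" * 32,  # server side missing
    "CLIENT_RANDOM " + "d4" * 32 + " " + "07" * 20,            # truncated secret
])

if __name__ == "__main__":
    entries, problems = parse_keylog(SAMPLE)
    for client_random, state in session_status(entries).items():
        print(client_random[:8] + "...", state)
    for lineno, why in problems:
        print("line %d: %s" % (lineno, why))
```

An empty or missing file after browsing means the TLS library ignored the variable; a file that `readable_by_others` flags should be restricted to its owner, since anyone who can read it can decrypt the captured sessions.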
jeremy ardley
2024-07-01 05:50:01 UTC
Post by Lee
Bluefish looks like a possible replacement for notepad++ but it
doesn't [seem to?] support WYSIWYG editing of html files.
Visual Studio Code allows you to edit HTML and preview it using Live
Server plugin

https://marketplace.visualstudio.com/items?itemName=ritwickdey.LiveServer
Lee
2024-07-01 13:10:01 UTC
Post by jeremy ardley
Post by Lee
Bluefish looks like a possible replacement for notepad++ but it
doesn't [seem to?] support WYSIWYG editing of html files.
Visual Studio Code allows you to edit HTML and preview it using Live
Server plugin
https://marketplace.visualstudio.com/items?itemName=ritwickdey.LiveServer
Thanks, but no thanks. That seems to include the Microsoft spyware
licensing: https://code.visualstudio.com/license
Data Collection. The software may collect information about you and
your use of the software, and send that to Microsoft.

Regards,
Lee
t***@tuxteam.de
2024-07-01 13:50:01 UTC
[...]
Post by Lee
Post by jeremy ardley
https://marketplace.visualstudio.com/items?itemName=ritwickdey.LiveServer
Thanks, but no thanks. That seems to include the Microsoft spyware
licensing: https://code.visualstudio.com/license
Data Collection. The software may collect information about you and
your use of the software, and send that to Microsoft.
Desperate for Data :-)

But yes, that's what they currently do.

Cheers
--
t
jeremy ardley
2024-07-01 19:30:01 UTC
Post by Lee
Post by jeremy ardley
Visual Studio Code allows you to edit HTML and preview it using Live
Server plugin
https://marketplace.visualstudio.com/items?itemName=ritwickdey.LiveServer
Thanks, but no thanks. That seems to include the Microsoft spyware
licensing: https://code.visualstudio.com/license
Data Collection. The software may collect information about you and
your use of the software, and send that to Microsoft.
VS Code Telemetry is easily turned off.

https://code.visualstudio.com/docs/getstarted/telemetry#_disable-telemetry-reporting

In the more general case, telemetry is not in itself considered 'evil'.
For example Debian comes with telemetry that you can enable or disable.
https://popcon.debian.org/

Firefox, and just about any other web browser you use also has
telemetry. e.g. https://support.mozilla.org/en-US/kb/telemetry-clientid

To be certain your activity is private you will have to disconnect
completely from the internet as any software that uses any internet
resource will automatically leak information about you.

Stefan Monnier
2024-07-02 03:50:01 UTC
Post by jeremy ardley
In the more general case, telemetry is not in itself
considered 'evil'.
I consider it evil if it's opt-out rather than opt-in.


Stefan
gene heskett
2024-07-02 04:10:01 UTC
Post by Stefan Monnier
Post by jeremy ardley
In the more general case, telemetry is not in itself
considered 'evil'.
I consider it evil if it's opt-out rather than opt-in.
Stefan
I think that highly depends on what that telemetry is sending. Crash
reports, yes, contents of a list of phone numbers it found, not no, but
hell no! Ditto for passwords and such.

Cheers, Gene Heskett, CET.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
t***@tuxteam.de
2024-07-02 04:40:01 UTC
Post by Stefan Monnier
Post by jeremy ardley
In the more general case, telemetry is not in itself
considered 'evil'.
I consider it evil if it's opt-out rather than opt-in.
Absolutely.

Plus (a) I don't trust most vendors to be telling the truth
whenever their bottom line is at stake and (b) I've seen
enough dark patterns to nudge users to not opt out to be more
than disgusted.

Just... no.

Cheers
--
t
George at Clug
2024-07-02 04:50:01 UTC
Is telemetry evil? Are guns evil? Philosophical questions?



I find it objectionable when people gather "telemetry" about "me" and
not just the causes of the "blue screens of death".


I find it objectionable when people gather personal "telemetry" and
then on sell that information to others for whatever purposes, whether
it is to target me with ads, or political analysts like Cambridge
Analytica, or to alter my "Social Credit Score", or to be used to
cancel my Credit Cards, or for whatever other purpose.



While collecting information about individuals and selling their data
is common practice these days, I object. I cannot stop it, but I can
at least use systems that gather such data as minimally as possible.
Hopefully by using Linux for 99% of my computing experience, I am
giving Google and Windows less data.


Of course, by the mere fact of visiting a web site (for example, that
has Google Analytics installed), and by writing emails like this that
will be scanned, and then this data will be added to my profile by any
companies collecting data to gain some view of me, which they will
then sell to political groups, marketers, etc.


Scott McNealy’s quip that ‘you have no privacy, get over it’ is
sadly true, but I don't think he meant that we have to resign
ourselves to this fact, we can but do what we can to reduce the data
collected, even while realising our efforts are mostly in vain.



https://lockstep.com.au/library/quotes/


Privacy is an interesting topic.



What has privacy to do with a Debian User email list? Well I am
hoping by using Debian less of my data ends up in large tech company
hands. At least let me dream that it does.


I encourage others to use Debian, if by doing so will let them sleep
better at night, even if it is in ignorance.



George.
Post by jeremy ardley
In the more general case, telemetry is not in itself
considered 'evil'.
I consider it evil if it's opt-out rather than opt-in.


        Stefan
Jeffrey Walton
2024-07-02 08:20:01 UTC
Is telemetry evil? Are guns evil? Philosophical questions?
I find it objectionable when people gather "telemetry" about "me" and not just the causes of the "blue screens of death".
I find it objectionable when people gather personal "telemetry" and then on sell that information to others for whatever purposes, whether it is to target me with ads, or political analysts like Cambridge Analytica, or to alter my "Social Credit Score", or to be used to cancel my Credit Cards, or for whatever other purpose.
For those interested in reading more, pick up a copy of Shoshana
Zuboff's book The Age of Surveillance Capitalism: The Fight for a
Human Future at the New Frontier of Power
(<https://www.amazon.com//dp/1610395697> and
<https://en.wikipedia.org/wiki/Surveillance_capitalism>).

Jeff
t***@tuxteam.de
2024-07-02 08:30:02 UTC
Post by Jeffrey Walton
Is telemetry evil? Are guns evil? Philosophical questions?
I find it objectionable when people gather "telemetry" about "me" and not just the causes of the "blue screens of death".
I find it objectionable when people gather personal "telemetry" and then on sell that information to others for whatever purposes, whether it is to target me with ads, or political analysts like Cambridge Analytica, or to alter my "Social Credit Score", or to be used to cancel my Credit Cards, or for whatever other purpose.
For those interested in reading more, pick up a copy of Shoshana
Zuboff's book The Age of Surveillance Capitalism: The Fight for a
Human Future at the New Frontier of Power
(<https://www.amazon.com//dp/1610395697> and
<https://en.wikipedia.org/wiki/Surveillance_capitalism>).
Thanks for that ref. One of the most important books for our
trade, indeed.

If possible, don't buy it at Amazon :-)

Cheers
--
t
jeremy ardley
2024-07-02 09:20:01 UTC
Scott McNally’s quip that ‘you have no privacy, get over it’ is sadly
true, but I don't think he meant that we have to resign ourselves to
this fact, we can but do what we can to reduce the data collected,
even while realising our efforts are mostly in vain.
Linkedin is worse than any organisation I know of. I signed up very
reluctantly with a fake profile and a throw-away email address and the
first thing it suggested was to link to immediate family and people it
had no way of knowing I was related to.

I can only guess they have profiled my browser signature and worked off
that.

If you are or ever have been a user of Linkedin your privacy is worse
than zero. You are a product that can be bought and sold and almost
everything you see and hear will be managed by them or their customers.

I class that entirely differently to application telemetry with an
option to opt out.

Back on my original post I use Visual Studio Code because it is a very
useful tool and has a broad community of people in the open source
community. I rate VS Code significantly less intrusive than github
which, with no option to opt out, scans all your private repositories
to gain information about you that it can package and resell
'anonymously'. Even if you aren't a user of github, your access to
download is recorded and included in the data it resells.
John Hasler
2024-07-02 15:20:01 UTC
Post by George at Clug
While collecting information about individuals and selling their data
is common practice these days
It's common practice because people won't pay for services but will
tolerate advertising.
Post by George at Clug
Of course, by the mere fact of visiting a web site (for example, that
has Google Analytics installed)
I've never visited a site that cares that I block Google Analytics.

The best way to protect your "personal information" is to not have
accounts with any of the popular "social media" services, especially
Google, Facebook, and Twitter (and never use Windows, of course).
--
John Hasler
***@sugarbit.com
Elmwood, WI USA
Lee
2024-07-02 08:30:02 UTC
Post by jeremy ardley
Post by Lee
Post by jeremy ardley
Visual Studio Code allows you to edit HTML and preview it using Live
Server plugin
https://marketplace.visualstudio.com/items?itemName=ritwickdey.LiveServer
Thanks, but no thanks. That seems to include the Microsoft spyware
licensing: https://code.visualstudio.com/license
Data Collection. The software may collect information about you and
your use of the software, and send that to Microsoft.
VS Code Telemetry is easily turned off.
https://code.visualstudio.com/docs/getstarted/telemetry#_disable-telemetry-reporting
Except the license says
You may opt-out of many of these scenarios, but not all, as described
in the product documentation located at
https://code.visualstudio.com/docs/supporting/faq#_how-to-disable-telemetry-reporting.

So
1. you can't opt-out of _all_ telemetry. .. at least according to the license.
2. opt-out is evil. Any group that uses opt-out is evil. They only
do opt-out because they _know_ almost no one would opt-in.
Post by jeremy ardley
In the more general case, telemetry is not in itself considered 'evil'.
Anything opt-out I consider 'evil'.
Post by jeremy ardley
For example Debian comes with telemetry that you can enable or disable.
https://popcon.debian.org/
That's opt-in, so a completely different case.
Post by jeremy ardley
Firefox, and just about any other web browser you use also has
telemetry. e.g. https://support.mozilla.org/en-US/kb/telemetry-clientid
I know & I don't like it. But it's like apple vs. google -- which one
is less evil?
I have an iPhone so that should tell you what I think.
Post by jeremy ardley
To be certain your activity is private you will have to disconnect
completely from the internet as any software that uses any internet
resource will automatically leak information about you.
If I use Internet resources I know that I can be tracked .. but **only
when using the Internet**. Microsoft spyware is always-on tracking
that can't be turned completely off.

And if I don't want to leave Internet footprints - or if I just want
to give the finger to whoever is watching, I'll use the tor browser.
So I have options when I get on the Internet. I don't see any options
when the OS or my tools are spying on me other than don't use that OS
or those tools.

Regards,
Lee
jeremy ardley
2024-07-02 09:30:01 UTC
Post by Lee
And if I don't want to leave Internet footprints - or if I just want
to give the finger to whoever is watching, I'll use the tor browser.
That is probably the worst thing you can do. On my last check *most* Tor
exit points are operated by intelligence or police agencies.

Going about your business just using a regular ISP makes it unlikely
anyone will pay attention to you unless you frequent disreputable sites.

Using Tor will automatically put you on a watch list. Your identity can
easily be found because your ip address at the exit point will be
recorded and matched with ISP records.
Lee
2024-07-02 20:40:01 UTC
Post by Lee
And if I don't want to leave Internet footprints - or if I just want
to give the finger to whoever is watching, I'll use the tor browser.
That is probably the worst thing you can do. On my last check *most* Tor exit points are operated by intelligence or police agencies.
OK.. I'll bite. How do you know most Tor exit points are operated by
intelligence or police agencies?

I mean, it sounds reasonable, but how do you *know*?
Post by Lee
Going about your business just using a regular ISP makes it unlikely anyone will pay attention to you unless you frequent disreputable sites.
Using Tor will automatically put you on a watch list.
Yeah. I've heard that too. But using tor - or any encryption, is
still legal, so what I'm doing doesn't even rise to the level of civil
disobedience.
So if they're going to put me on a list, they're going to put me on a
list. I've been using tor since however long ago when it came bundled
with privoxy, so I doubt that me not using tor now is going to make a
difference.
Post by Lee
Your identity can easily be found because your ip address at the exit point will be recorded and matched with ISP records.
Indeed. The TOR documentation used to be up-front about tor not being
proof against a global adversary, so I doubt the NSA needs to bother
my ISP asking for records.
I was just poking around on torproject.org (which has been rumored to
be enough to get one on a watch list) and I don't see any strong
warnings about using tor :( Or even much of anything that would
discourage one from using TOR.
Oh well.. I guess they need lots of cannon fodder to provide covering
traffic for .. who?

Regards,
Lee
Jeffrey Walton
2024-06-29 20:50:02 UTC
[...] Debian firefox does NOT allow one to do
C:\UTIL>cat firefox-tlsdecode.bat
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
@rem edit / preferences
@rem protocols / tls (v2.6: protocols / ssl)
@rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log filename (was SSL debug file entry)
I'm not sure who your complaint is against -- Debian, Firefox or
Linux. I'm also not sure that it is a valid complaint.

Firefox uses its own certificate store. If you want to proxy your
traffic, then the proxy's root cert needs to be in Mozilla's
certificate store. See
<https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox>.

Chrome is different. Chrome uses the Windows store by default, but
also has its own certificate store. For Chrome, your Windows admin can
make a change with a Group Policy, and Chrome will pick it up through
the Windows certificate store. Or you can manually install the proxy's
root cert. See <https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md>.

Debian is not concerned about TLS interception in this case. But for
completeness, Debian has its own store at /etc/ssl/certs. You get the
certificates by installing the ca-certificates package. You can
install certificates into the store by dropping the root cert on the
filesystem at /usr/local/share/ca-certificates, and then running
update-ca-certificates. See
<https://wiki.debian.org/Firefox/PrivateCertificateAuthority> and
<https://manpages.debian.org/buster/ca-certificates/update-ca-certificates.8.en.html>.

When you are intercepting/inspecting traffic, you typically set up your
proxy, and then proxy Firefox and Chrome traffic through your proxy.
The proxy can run on your local machine, like 127.0.0.1. Your proxy's
root certificate should be in the browser's store (as described
above).

Jeff
Max Nikulin
2024-06-30 01:40:01 UTC
Post by Jeffrey Walton
[...] Debian firefox does NOT allow one to do
C:\UTIL>cat firefox-tlsdecode.bat
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
[...]
Post by Jeffrey Walton
I'm not sure who your complaint is against -- Debian, Firefox or
Linux. I'm also not sure that it is a valid complaint.
I do not mind to see a link stating that the appropriate logger is
really disabled. Certainly dumping of TLS session keys may be disabled
through a compile time flag similar to enforcing signatures for add-ons.
It may be default Firefox configuration for release builds or some line
in Debian build rules. It still might be some mistake during attempts to
enable the logger. I have read about this approach but I have never
tried it in action.
Post by Jeffrey Walton
Firefox uses its own certificate store.
It is relevant to active traffic interception you described (a proxy).
Lee prefers passive traffic sniffing and it requires cooperation from a
peer to get session keys. Each case has its own advantages.

P.S.

At first it was not clear to me that having TLS private key (copied from
the server) is not enough for passive traffic decryption. Diffie-Hellman
key exchange scheme allows to generate secret keys even over public
channel. The main purpose of TLS certificates (public keys in the
browser or system store) is to confirm that there is no attacker in
between that blocks packets from the client and establishes its own
connection to the server. Encryption of email messages using a public
key is a different case. Session keys are required to debug TLS
applications.
Jeffrey Walton
2024-06-30 06:00:01 UTC
Post by Max Nikulin
Post by Jeffrey Walton
[...] Debian firefox does NOT allow one to do
C:\UTIL>cat firefox-tlsdecode.bat
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
[...]
Post by Jeffrey Walton
I'm not sure who your complaint is against -- Debian, Firefox or
Linux. I'm also not sure that it is a valid complaint.
I do not mind to see a link stating that the appropriate logger is
really disabled. Certainly dumping of TLS session keys may be disabled
through a compile time flag similar to enforcing signatures for add-ons.
It may be default Firefox configuration for release builds or some line
in Debian build rules. It still might be some mistake during attempts to
enable the logger. I have read about this approach but I have never
tried it in action.
Post by Jeffrey Walton
Firefox uses its own certificate store.
It is relevant to active traffic interception you described (a proxy).
Lee prefers passive traffic sniffing and it requires cooperation from a
peer to get session keys. Each case has its own advantages.
As far as I know, the browsers support active interception. That is,
"interception is a valid use case" for the browsers to support
Data Loss Prevention (DLP) programs. The browsers do that through the
use of interception proxies and root CAs used in the DLP program.

Browsers do not support the passive capture/replay that OP wants. That
is, they don't support exporting the premaster secret or the derived
master secret.

The browsers use tortured logic to arrive at "interception is a valid
use case". They hang it off of the W3C's Design Principles and
Priorities of Constituencies. The browser's argument goes as such: if
a user did not want to be intercepted, then the CA certificate used
for interception would not be present in the certificate store. Since
the proxy's interception certificate is present in the store, the user
wants to be intercepted. (You can't make this shit up).

A corollary to "interception is a valid use case" is, webapps can
never be sure they have a secure channel. Therefore, webapps can only
handle low value data. Higher value data should be handled by hybrid
and native apps.
Post by Max Nikulin
At first it was not clear to me that having TLS private key (copied from
the server) is not enough for passive traffic decryption. Diffie-Hellman
key exchange scheme allows to generate secret keys even over public
channel...
Correct. You also need ClientHello.random and ServerHello.random since
the master secret is computed from
(https://datatracker.ietf.org/doc/html/rfc5246#section-8.1):

    master_secret = PRF(pre_master_secret, "master secret",
                        ClientHello.random + ServerHello.random)
                        [0..47];

Something some folks don't realize is, ClientHello.random and
ServerHello.random are also used for key transport schemes like RSA,
when the client encrypts the premaster secret and sends it to the
server. The ClientHello.random and ServerHello.random are present to
ensure both sides contribute to the master secret. Otherwise, only the
client would contribute to the master secret in a key transport
scheme.
Post by Max Nikulin
The main purpose of TLS certificates (public keys in the
browser or system store) is to confirm that there is no attacker in
between that blocks packets from the client and establishes its own
connection to the server.
No, not quite. Interception is a valid use case under the browser's
security model.

You can achieve what you are getting at, but you need to use hybrid
and native apps that practice host public key pinning. You need hybrid
and native apps because they can usually obtain the host's public key.
But the browsers don't expose the host public key to the webapp. So
webapps have no way to perform pinning. You can't even get the public
key from a WebSocket.
Post by Max Nikulin
Encryption of email messages using a public
key is a different case. Session keys are required to debug TLS
applications.
Email transport security is an absolute mess due to opportunistic
encryption and smart hosts. About the best you can do is, encrypt and
sign the message, and send it over an insecure channel.

Jeff
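
Added example (not part of the original thread, and not code from any poster): the RFC 5246 section 8.1 computation quoted in the message above, written out in Python. It assumes the default TLS 1.2 PRF (P_SHA256); the premaster secret and randoms are constructed sample values, and the last function formats the result as the CLIENT_RANDOM line of the NSS key log format that SSLKEYLOGFILE produces for TLS 1.2.

```python
import hashlib
import hmac

# Constructed sample inputs (not captured from any real handshake).
# With RSA key transport the premaster secret is 48 bytes chosen by the
# client alone: 2 bytes of protocol version plus 46 random bytes.
PRE_MASTER = bytes([0x03, 0x03]) + bytes(range(46))
CLIENT_RANDOM = bytes(range(32))        # ClientHello.random, 32 bytes
SERVER_RANDOM = bytes(range(32, 64))    # ServerHello.random, 32 bytes


def p_hash(secret, seed, length, digest=hashlib.sha256):
    """RFC 5246 section 5 data expansion function P_hash.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random):
    """First 48 bytes ([0..47]) of the PRF output, as in section 8.1."""
    return prf(pre_master_secret, b"master secret",
               client_random + server_random, 48)


def keylog_line(client_random, master):
    """One TLS 1.2 entry of an NSS-format key log file.

    The client random only identifies the session; the master secret is
    what lets a passive capture be decrypted.
    """
    return "CLIENT_RANDOM %s %s" % (client_random.hex(), master.hex())


if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print(keylog_line(CLIENT_RANDOM, ms))
    # Same premaster secret, different ServerHello.random: the server's
    # contribution alone changes the resulting master secret.
    other = master_secret(PRE_MASTER, CLIENT_RANDOM, bytes(32))
    print("server random changes master secret:", other != ms)
```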
Max Nikulin
2024-06-30 15:40:01 UTC
Post by Jeffrey Walton
Post by Lee
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
[...]
Post by Jeffrey Walton
Browsers do not support the passive capture/replay that OP wants.
Lee, may you, please, specify Firefox version and release channel you
are using on Windows where this feature is working?
Lee
2024-07-01 07:00:01 UTC
Post by Max Nikulin
Post by Jeffrey Walton
Post by Lee
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
[...]
Post by Jeffrey Walton
Browsers do not support the passive capture/replay that OP wants.
It works for me in Windows.

This looks like the Debian bug report
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842292
Post by Max Nikulin
Lee, may you, please, specify Firefox version and release channel you
are using on Windows where this feature is working?
Firefox 115.12.0esr -- which is the current extended service release software
I'm not sure what you mean by release channel .. ESR? If I go to
https://www.mozilla.org/en-US/firefox/115.12.0/releasenotes/
under "Download Firefox" there's links to
Windows 64-bit and Windows 64-bit MSI

wow! I've been letting firefox update itself for awhile now. What I
installed was Firefox Setup 68.3.0esr.msi

Lee
Max Nikulin
2024-07-01 15:10:02 UTC
Post by Lee
Post by Max Nikulin
Post by Lee
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
This looks like the Debian bug report
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842292
Post by Max Nikulin
Lee, may you, please, specify Firefox version and release channel you
are using on Windows where this feature is working?
Firefox 115.12.0esr -- which is the current extended service release software
I'm not sure what you mean by release channel .. ESR?
Thanks. I expected that you may use either developer release, beta, or
even nightly.

Is libnss built with logging support ABI compatible with the variant in
Debian repositories? (Or can it be patched to achieve ABI
compatibility?) Instead of asking for changing compile flags for all
users, from my point of view, it is better to suggest alternative
packages with and without logging enabled.

Browsers are rather sensitive applications, so I find it reasonable that
dumping of encryption keys are not available by default. However
debugging should be possible and should require special configuration.

I have not tried .deb packages provided by Mozilla. Since their Windows
builds allow logging, it might work on Linux as well.
<https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions>
Lee
2024-07-07 21:50:01 UTC
Hi,
Post by Max Nikulin
Post by Lee
Post by Max Nikulin
Post by Lee
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
This looks like the Debian bug report
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842292
Post by Max Nikulin
Lee, may you, please, specify Firefox version and release channel you
are using on Windows where this feature is working?
Firefox 115.12.0esr -- which is the current extended service release software
I'm not sure what you mean by release channel .. ESR?
Thanks. I expected that you may use either developer release, beta, or
even nightly.
Nope - just regular firefox-esr
Post by Max Nikulin
Is libnss built with logging support ABI compatible with the variant in
Debian repositories? (Or can it be patched to achieve ABI
compatibility?) Instead of asking for changing compile flags for all
users, from my point of view, it is better to suggest alternative
packages with and without logging enabled.
Browsers are rather sensitive applications, so I find it reasonable that
dumping of encryption keys are not available by default.
Maybe I don't know enough to know what's "reasonable" or not.. but I
don't see a problem with me being able to inspect the traffic between
me and some website.
Anyone else wants to intercept my traffic and they'll have to set an
environment variable - which root can do, but who else?
Post by Max Nikulin
However
debugging should be possible and should require special configuration.
I have not tried .deb packages provided by Mozilla. Since their Windows
builds allow logging, it might work on Linux as well.
<https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions>
Thanks for the pointer to downloading firefox from mozilla. But wow!!
plenty too many instructions for to be able to
Install Firefox .deb package for Debian-based distributions

I suppose it's funny that I have no qualms with
SSLKEYLOGFILE=<whatever> but balk at following those instructions to
modify apt-get actions, but I don't know how to evaluate the security
implications of modifying apt-get files. So I just downloaded the
binary from mozilla and went from there:

get the 64 bit linux version of firefox esr from
https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr

tar -xvf firefox-115.12.0esr.tar.bz2
sudo mv firefox /opt/firefox-115.12.0esr/
sudo ln -s /opt/firefox-115.12.0esr/firefox /usr/local/bin/firefox

***@laptop:~$ cat ~/bin/firefox-tlsdecode.sh
#!/bin/bash
# set things up so that wireshark can decrypt firefox tls traffic
umask 077
SSLKEYLOGFILE=/tmp/FF-SSLkeys.txt
export SSLKEYLOGFILE
/usr/local/bin/firefox "$@" &

# then in wireshark:
# edit / preferences
# protocols / tls (v2.6: protocols / ssl)
# paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log filename

***@laptop:~$


So now I've got the debian /usr/bin/firefox that doesn't allow export
tls keys and a /usr/local/bin/firefox that does.

Thanks
Lee
Max Nikulin
2024-07-08 02:40:04 UTC
Post by Lee
Post by Max Nikulin
Post by Lee
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842292
[...]
Post by Lee
Post by Max Nikulin
Is libnss built with logging support ABI compatible with the variant in
Debian repositories? (Or can it be patched to achieve ABI
compatibility?) Instead of asking for changing compile flags for all
users, from my point of view, it is better to suggest alternative
packages with and without logging enabled.
Browsers are rather sensitive applications, so I find it reasonable that
dumping of encryption keys are not available by default.
Maybe I don't know enough to know what's "reasonable" or not.. but I
don't see a problem with me being able to inspect the traffic between
me and some website.
Is it OK for you that e.g. GnuPG agent disables tracing by default, so
attaching a debugger or a tool like strace is not so easy? It makes
harder to debug some issues.

From my point of view, by default libnss3 should not allow logging of
private keys. At the same time I do not mind that some users should be
able to inspect TLS sessions. My idea is an *alternative* package that
may be optionally installed instead of regular libnss3. Comments to the
bug report request to enable debugging for *all* and I agree with the
maintainers who have not done it. You may ask for providing an additional
package for TLS debugging.
Post by Lee
Anyone else wants to intercept my traffic and they'll have to set an
environment variable - which root can do, but who else?
Any regular user may start browser with this variable set. Some
unintentionally executed code in a user session may restart browser with
enabled logging. I would not argue that it is a great trouble if an
exploit is executed. However some measures may be taken to increase
attack complexity and disabling TLS logging is a small step in this
direction.
Post by Lee
Post by Max Nikulin
<https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions>
but I don't know how to evaluate the security
implications of modifying apt-get files. So I just downloaded the
binary from mozilla
So you trust mozilla anyway. Notice the "Signed-By" key in repository
configuration: sources.list(5),
<https://wiki.debian.org/DebianRepository/UseThirdParty>
<https://wiki.debian.org/SourcesList>
apt-secure(8), <https://wiki.debian.org/SecureApt>
Post by Lee
tar -xvf firefox-115.12.0esr.tar.bz2
sudo mv firefox /opt/firefox-115.12.0esr/
sudo ln -s /opt/firefox-115.12.0esr/firefox /usr/local/bin/firefox
I suspect that a regular user owns /opt/firefox-115.12.0esr/ and may
modify files. It should allow autoupdates, but I believe, it is an
administrator task to update browser.
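
Added example, not part of the original thread: one way to check on Linux for the situation discussed above, where a process in a user session has been started with key logging enabled. It reads /proc/<pid>/environ and inspects the file that SSLKEYLOGFILE names; the function names are made up for this illustration.

```python
import os
import stat
from pathlib import Path

VAR = "SSLKEYLOGFILE"


def parse_environ(blob):
    """Decode a /proc/<pid>/environ blob (NUL-separated KEY=VALUE items)."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep and key:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def keylog_target(blob):
    """Path the process was told to log TLS secrets to, or None.

    /proc/<pid>/environ shows the environment the process was started
    with, which is where a launcher script would have set the variable.
    """
    return parse_environ(blob).get(VAR) or None


def file_risks(path):
    """Reasons the key log file is exposed beyond the current user."""
    risks = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return risks                      # nothing has been logged yet
    if stat.S_ISLNK(st.st_mode):
        risks.append("is a symlink")      # secrets land wherever it points
        return risks
    if st.st_mode & 0o077:
        risks.append("readable or writable by group/other")
    if st.st_uid != os.getuid():
        risks.append("owned by another uid")
    return risks


def scan_proc(proc_root="/proc"):
    """Return [(pid, keylog_path, risks)] for processes with the variable set.

    Without root only the caller's own processes are readable; the rest
    raise a permission error and are skipped.
    """
    findings = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            blob = (entry / "environ").read_bytes()
        except OSError:                   # permission denied or process exited
            continue
        target = keylog_target(blob)
        if target:
            findings.append((int(entry.name), target, file_risks(target)))
    return findings


if __name__ == "__main__":
    for pid, path, risks in scan_proc():
        print(pid, path, "; ".join(risks) or "owner-only")
```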
Lee
2024-07-08 14:30:01 UTC
Hi,
Post by Max Nikulin
Post by Lee
Post by Max Nikulin
Post by Lee
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842292
[...]
Post by Lee
Post by Max Nikulin
Is libnss built with logging support ABI compatible with the variant in
Debian repositories? (Or can it be patched to achieve ABI
compatibility?) Instead of asking for changing compile flags for all
users, from my point of view, it is better to suggest alternative
packages with and without logging enabled.
Browsers are rather sensitive applications, so I find it reasonable that
dumping of encryption keys are not available by default.
Maybe I don't know enough to know what's "reasonable" or not.. but I
don't see a problem with me being able to inspect the traffic between
me and some website.
Is it OK for you that e.g. GnuPG agent disables tracing by default, so
attaching a debugger or a tool like strace is not so easy? It makes
harder to debug some issues.
I didn't realize that GnuPG disables tracing by default, so the idea
of it being OK or not has never come up for me. But my first question
is does it actually improve security or is it more like security
theater?
I don't know how hard it would be to build your own version of GnuPG
that allows tracing, but if it's relatively easy it seems like
disabling tracing is just a minor stumbling block instead of an actual
security enhancement.
Post by Max Nikulin
From my point of view, by default libnss3 should not allow logging of
private keys. At the same time I do not mind that some users should be
able to inspect TLS sessions. My idea is an *alternative* package that
may be optionally installed instead of regular libnss3. Comments to the
bug report request to enable debugging for *all* and I agree with the
maintainers who have not done it. You may ask for providing an additional
package for TLS debugging.
Post by Lee
Anyone else wants to intercept my traffic and they'll have to set an
environment variable - which root can do, but who else?
Any regular user may start browser with this variable set.
Right, but presumably they intended that the variable be set.
I'm asking about malicious use of that variable. Root can do pretty
much whatever they want to, but how does a non-root attacker set that
variable?
Post by Max Nikulin
Some
unintentionally executed code in a user session may restart browser with
enabled logging. I would not argue that it is a great trouble if an
exploit is executed. However some measures may be taken to increase
attack complexity and disabling TLS logging is a small step in this
direction.
Well, debian has taken that small step. It's no big deal for me to
download firefox from mozilla, so I've got my work-around.
And this is on my laptop, so the minor lack of security is only going
to impact me -- nobody else uses this laptop :)
Post by Max Nikulin
Post by Lee
Post by Max Nikulin
<https://support.mozilla.org/en-US/kb/install-firefox-linux#w_install-firefox-deb-package-for-debian-based-distributions>
but I don't know how to evaluate the security
implications of modifying apt-get files. So I just downloaded the
binary from mozilla
So you trust mozilla anyway.
Yes, I trust them enough to run their binary.
I lack the knowledge to evaluate the security implications of
following their instructions to add their repository to .. whatever it
is on my machine (I don't even know what it's called.)

"When in doubt, leave it out." seems applicable here.
Post by Max Nikulin
Notice the "Signed-By" key in repository
configuration: sources.list(5),
<https://wiki.debian.org/DebianRepository/UseThirdParty>
<https://wiki.debian.org/SourcesList>
apt-secure(8), <https://wiki.debian.org/SecureApt>
Post by Lee
tar -xvf firefox-115.12.0esr.tar.bz2
sudo mv firefox /opt/firefox-115.12.0esr/
sudo ln -s /opt/firefox-115.12.0esr/firefox /usr/local/bin/firefox
I suspect that a regular user owns /opt/firefox-115.12.0esr/ and may
modify files.
You're right :) Everything in /opt/firefox-115.12.0esr/ is owned by me.
But again, this is on a laptop that nobody else is going to use so ...
I dunno.. maybe I'll chown everything to root so it can't be
accidentally updated.
Post by Max Nikulin
It should allow autoupdates, but I believe, it is an
administrator task to update browser.
I agree. I've got it set up that way on my windows machine. I should
probably fix it so I have to become root to update firefox.

Regards,
Lee

Lee
2024-07-01 01:40:01 UTC
Hi,
Post by Jeffrey Walton
[...] Debian firefox does NOT allow one to do
C:\UTIL>cat firefox-tlsdecode.bat
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
@rem edit / preferences
@rem protocols / tls (v2.6: protocols / ssl)
@rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log filename (was SSL debug file entry)
I'm not sure who your complaint is against -- Debian, Firefox or
Linux. I'm also not sure that it is a valid complaint.
It is 100% a valid complaint. And it's a complaint against Debian
because they're the ones that turned off that functionality.
They have <reasons>, I disagree, I'm free to build Firefox for myself,
get somebody else to do it for me, or get it somewhere else.

... which is the downside of free software. Technically, yes, I'm
free to build the software with whatever I want enabled, with whatever
changes I want added/deleted.
In practice, my ability to build Firefox is .. lacking :(
Post by Jeffrey Walton
Firefox uses its own certificate store. If you want to proxy your
traffic, then the proxy's root cert needs to be in Mozilla's
certificate store. See
<https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox>.
Right. I have privoxy & occasionally do set it for +https-inspection
when I want it to inspect/modify web traffic.
Post by Jeffrey Walton
Chrome is different.
I've never used Chrome & don't intend to.
Post by Jeffrey Walton
When you are intercepting/inspecting traffic, you typically set up your
proxy, and then proxy Firefox and Chrome traffic through your proxy.
The proxy can run on your local machine, like 127.0.0.1. Your proxy's
root certificate should be in the browser's store (as described
above).
Or you can tell firefox to write the SSL key info to a file that
wireshark can read & then decrypt the traffic.
For example
https://everything.curl.dev/usingcurl/tls/sslkeylogfile.html

Best Regards,
Lee
Jeffrey Walton
2024-07-01 01:50:01 UTC
Post by Lee
Post by Jeffrey Walton
[...] Debian firefox does NOT allow one to do
C:\UTIL>cat firefox-tlsdecode.bat
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
@rem edit / preferences
@rem protocols / tls (v2.6: protocols / ssl)
@rem paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log filename (was SSL debug file entry)
I'm not sure who your complaint is against -- Debian, Firefox or
Linux. I'm also not sure that it is a valid complaint.
It is 100% a valid complaint. And it's a complaint against Debian
because they're the ones that turned off that functionality.
They have <reasons>, I disagree, I'm free to build Firefox for myself,
get somebody else to do it for me, or get it somewhere else.
It looks like the change is due to NSS (Network Security Services),
not Firefox: <https://bugzilla.mozilla.org/show_bug.cgi?id=908046> and
<https://bugzilla.mozilla.org/show_bug.cgi?id=1183318>. I think the
3318 bug is most relevant, but I may be mistaken.

If I am parsing the various bug reports properly, it looks like
SSLKEYLOGFILE was disabled by default for release builds. It looks
like you might have to perform your own debug build to gain access
again. Or maybe the nightly builds of Firefox will have it.
Post by Lee
... which is the downside of free software. Technically, yes, I'm
free to build the software with whatever I want enabled, with whatever
changes I want added/deleted.
In practice, my ability to build Firefox is .. lacking :(
Yeah, trying to build some of these projects is the pits.

Jeff
Jeffrey Walton
2024-07-01 05:50:01 UTC
Post by Jeffrey Walton
Post by Lee
[...]
... which is the downside of free software. Technically, yes, I'm
free to build the software with whatever I want enabled, with whatever
changes I want added/deleted.
In practice, my ability to build Firefox is .. lacking :(
Yeah, trying to build some of these projects is the pits.
One way out of this may be to make a Request for Packaging,
<https://wiki.debian.org/RFP>. Ask for debug builds of Firefox.

Since Debian is now supplying release builds in their release channel,
it might make sense for Debian to provide debug builds for web
developers. Web developers can install firefox-debug as a www-browser
alternative, and do things like debug protocol issues. Regular users
would still get the release version of Firefox, so regular users would
be protected from some of the security problems associated with the
debug build.

And you still might try the nightly build of Firefox, and see if it
provides the features that you are looking for. If the nightly build
has what you need, then you won't have to spend time on the RFP.

Jeff
Keith Bainbridge
2024-06-30 06:20:01 UTC
My gripes and difficulties are the same thing.  No universal image
viewer like IrfanView,
geeqie is quick,
something equivalent to notepad++,
Geany
+5 for geany
--
All the best

Keith Bainbridge

***@gmail.com
+61 (0)447 667 468

UTC + 10:00
Jeffrey Walton
2024-07-01 06:00:02 UTC
Post by George at Clug
[...]
If you have any gripes or difficulties, please mention them.
My gripes and difficulties are the same thing. [...]
something equivalent to notepad++,
You might give Notepadqq a spin. I've used it in the past, and it has
a comparable look and feel to Notepad++.

<https://github.com/notepadqq/notepadqq>.

If TAB works kind of funny, then see this bug report and fix:
<https://github.com/notepadqq/notepadqq/issues/792#issuecomment-569470654>.
(I don't know if it was merged).

Jeff
George at Clug
2024-06-30 00:10:01 UTC
Post by George at Clug
Post by Lee
Post by Joe
On Tue, 25 Jun 2024 09:53:41 -0400
Post by Lee
My old laptop died; I just got a new one and it has _no_ optical
drive.  But the Debian install from flash instructions were excellent
& I now have a laptop running Debian.
My question is: how do I reformat the flash drive so it's usable as a
"normal" flash drive again?
Did you try gparted, a user friendly graphical partition manager?
No.  It wasn't installed and fdisk was, so I went with fdisk.
Post by George at Clug
Post by Lee
Yes, but I did the "burn the boats" thing with my new desktop & wiped
windows and installed debian.
Good on you !  I support you in this move.
If you have any gripes or difficulties, please mention them.
My gripes and difficulties are the same thing.  No universal image
viewer like IrfanView, an html editor would be nice -- something along
the lines of the seamonkey html editor but current software and
supported, something equivalent to notepad++, something equivalent to
winmerge (meld is nice, but isn't really a substitute), a cloneSpy
equivalent would be nice, I'm getting used to the linux privoxy log
viewer vs. the iconified thing that sits there on the windows taskbar,
Exact Audio Copy doesn't work on Linux, but supposedly does run under
wine so that's a possibility.. Debian firefox does NOT allow one to do
C:\UTIL>cat firefox-tlsdecode.bat
set SSLKEYLOGFILE=C:\Users\Lee\AppData\Local\Temp\FF-SSLkeys.txt
start C:\"Program Files\Firefox\Firefox.exe"
@rem   edit / preferences
@rem   protocols / tls  (v2.6: protocols / ssl)
@rem     paste SSLKEYLOGFILE filename into (Pre)-Master-Secret log filename (was SSL debug file entry)
But the major things that were keeping me from migrating to Debian are
The xfce4-terminal window can be configured so that left double click
selects a "word" and right click pastes it in
installing bits of the Chicago95 theme makes all the scrollbars
permanently visible, with up & down arrows at either end of the scroll
bar that scroll by one line
clicking in the scrollbar trough above or below the bar scrolls the
window up one window size instead of jumping to that point in the
scroll buffer
Post by George at Clug
Post by Lee
My remaining Windows 10 machine goes end of life... at the end of the
year?  So I need to learn how to live without windows -- which I have
Post by George at Clug
I would like you to keep a diary of your journey, of what
challenges you face and how you moved past, this could help other
people you know who want to make this journey.
I don't know how helpful a diary of my journey would be.  My workplace
had a policy of Windows for the desktop and RedHat for servers in data
centers, so I got used to cygwin on windows to ssh into linux servers
(that other people maintained).  Then Microsoft came out with the
Windows 10 spyware/operating-system-as-a-service and it was clearly
time to abandon ship.  Which wasn't possible at work, but at home I
don't have to put up with the M$ crapware so.. new machine, blow away
everything that came installed on it and install Debian on the PC at
home.
To make a long story short, I have years of experience with the
end-user side of linux & almost none with the maintenance side.. like
formatting thumb drives or anything requiring sudo access.
Post by George at Clug
I wonder what UI you are using?
Xfce
Hi Lee,

Thanks for your response.  

I abandoned Windows after Windows 8 when I learned they had included
"telemetry" at a significant level of data gathering. I understand
that our data is valuable to Tech companies to gather and sell, but I
would prefer if they did not.

You are doing some way more technical things than I ask of Linux. I do
not even use Bluefish which is a nice HTML editor. I do so little
technical things with Linux I only need the Mousepad text editor, and
of course, I use 'nano' not 'vim'.

I like XFCE, simple but effective. However because I am too lazy to
install specific useful applications, I usually install both Cinnamon
and XFCE, but then only ever log into XFCE. Doing this installs a
number of useful applications that I like. For example this way I get
to use a program that calls itself "Image Viewer". I once tracked down
its real name, but have forgotten it, 'eog' maybe?

I have issues remembering things, hence I use GUI applications that
have visible menus over Terminal applications that require the
memorisation of typed in commands, well, wherever possible. I do
resort to using the terminal to run 'find' for locating files, and
files containing text strings.

Recently I have been attempting to get Wine to work. Gecko does not
seem to install. I have no idea if 'wine msiexec' does anything, as it
never reports success or failure whether I specify a msi file that
exists or does not exist. When I run 'wine iexplore' the page is
blank, and I get a message like 'Could not find Wine Gecko' and no
page text is displayed. There are times like this with Linux where
things do not seem to work and documentation is quite limited. (If
anyone knows a simple solution to this issue, please let me know, but
I mention it, not to find a solution here, but as one of my challenges in
using Linux). PlayOnLinux seems to work OK, not sure what they are
doing for Gecko?

I have used Steam's Pluton for running a few Windows Games my family
plays. I had to replace our Nvidia GPUs for Radeon GPUs. I still
cannot get Nvidia to work well in either Debian or Arch Linux, despite
people on YouTube saying that Nvidia works well in Linux.

All the best on using Linux.

George.
Lee
Marc SCHAEFER
2024-07-06 15:50:01 UTC
Hello,
Post by Lee
My question is: how do I reformat the flash drive so it's usable as a
"normal" flash drive again?
Nowadays, people rarely "format" (*) their "drives".

They create filesystems on raw devices.

For example `mkfs.ext4 /dev/sdX`, where /dev/sdX is the raw device
corresponding to your USB key (see the lsblk command, for example).
Post by Lee
Nothing I tried worked.. I ended up putting the thumb drive in a
Windows machine and formatting it there; it would be nice to know how
to restore the thumb drive to working order on Debian.
However, for Microsoft compatibility, in addition, you will need
a partition table. Linux, except for booting (because of BIOS
requirements), does not require partition tables.

So, first create a partition e.g. with fdisk[1]: this will make
/dev/sdX1 available in lsblk.

Then again, for Microsoft compatibility, you need to create
a Microsoft-compatible filesystem. One good alternative is
VFAT.

Thus with `mkfs.vfat /dev/sdX1`.

Please double-check you use the right raw device name, as fdisk and mkfs
commands are destructive.

(*) actually the last time I did format a device using a SCSI
command was in the nineties -- some people differentiate
"low-level formatting" with "high-level formatting", which
is better called "creating a filesystem" -- yes back then
it was sometimes useful to reformat using 256 bytes/sector
for RAID0 applications :)
[1] https://www.digitalocean.com/community/tutorials/create-a-partition-in-linux
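
One way to do the double-check on the raw device name before running fdisk and mkfs.vfat, as an added example that is not part of the original post. It assumes Linux sysfs (`/sys/block/<dev>/removable` and `size`) and `/proc/mounts`; `preflight`, `SYSFS` and `MOUNTS` are hypothetical names, and the script itself never writes to the device.

```shell
#!/bin/sh
# Added example: refuse a device name unless it looks like an unmounted USB stick.
# SYSFS and MOUNTS can be overridden so the checks can be tried on a fake tree.
SYSFS=${SYSFS:-/sys/block}
MOUNTS=${MOUNTS:-/proc/mounts}

# preflight sdX -> prints a verdict; returns 0 only when it is safe to proceed
preflight() {
    dev=$1
    case $dev in
        ""|*/*) echo "refuse: pass a bare disk name such as sdX"; return 1 ;;
    esac
    # Partitions (sdX1) have no directory directly under /sys/block.
    [ -d "$SYSFS/$dev" ] ||
        { echo "refuse: $dev is not a whole disk under $SYSFS"; return 1; }
    [ "$(cat "$SYSFS/$dev/removable" 2>/dev/null)" = 1 ] ||
        { echo "refuse: $dev is not flagged removable"; return 1; }
    # Any mount source starting with /dev/sdX means the disk is in use.
    if awk -v d="/dev/$dev" 'index($1, d) == 1 { found = 1 }
                             END { exit !found }' "$MOUNTS"; then
        echo "refuse: $dev or one of its partitions is mounted"; return 1
    fi
    sectors=$(cat "$SYSFS/$dev/size")       # always counted in 512-byte units
    echo "ok: $dev removable, unmounted, $((sectors / 2048)) MiB"
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```

The removable flag is a heuristic: some USB-attached disks report 0 and are refused, so compare the printed size with the stick's label as well.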