https://fosstodon.org/@keepassxc/114544480029903918
edit: looks like its been taken down
You don’t want anything that advertises next generation encryption. You want tried and true encryption. You want boring encryption.
this post was submitted on 21 May 2025
1132 points (99.5% liked)
Technology
70249 readers
4011 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
But post-quantum....
Then you want them to advertise NIST PQ standards
... Which is also not necessary for single user password databases anyway
Yes it is necessary just as my homelab needs to have enterprise hardware and be georedundant. Statements like yours make my very reasonable self hosting purchases hard to financially justify.
The standards are royalty free, so I'm not sure what that has to do with anything
(it's a joke)
For a personal database that's unlikely to leave your hardware, sure. For SSH keys or something else that needs to be accessible publicly, post quantum or other "next generation" encryption may be reasonable.
If you're sharing KeePass with others, maybe post quantum encryption is something to look for to get a bit of protection going forward.
hey guys, AI really is good for something! it helps scammers a ton!
This is depressing. And what's worse is that the best way to combat this is probably also AI. We'll just scam ourselves out of resources by wasting it all on scams and battling scams. What a fitting way to go would that be.
Thank you for your service.
I use keepassxc and although I'm unlikely to ever install it any other way than through my distro's package manager without 3rd party repos, this is good to know and hits a personal note.
Fuck all nefarious hackes and scammers. I just re-installed my server and installed crowdsec on it not 24h hours ago, and already got 20 000 bans. Twenty thousand! It's getting worse and worse and worse and worse.
i'm brand new to linux after decades of windows. is there a comprehensive resource that talks about security on linux beyond just "linux is super secure don't worry about it"? i feel like the more people continue to ditch windows, the more scammers are going to focus their energy on linux, and i know next to nothing
edit: thank you for all the responses
the more people continue to ditch windows, the more scammers are going to focus their energy on linux
Sorry, I missed this in my first reply.
It is true.
A few simple rules:
- keep your system up-to-date within the constraints of their repositories
- install only from trusted repositories, i.e. the official ones for your distro. This excludes any package of any app straight from their website.
- same precautions for web browsers as for any other OS. Don't click any old link, don't execute mail attachments, that sort of stuff.
- don't execute arbitrary code esp. from the internet
- don't just sudo if you want to make something work. Despite the famous xkcd, that's not how this works. Least privilege at all times.
- Antivirus software still isn't required
Unless you have some extraordinary usage scenarios, that's it really.
https://wiki.archlinux.org/title/Security
Applicable to most Linux distros.
That's a lot of advanced shit, which can totally bork a system. What average user paths can we take program wise or etc?
Like a Linux mint user for instance who's first stop is diving into a Linux distro of their choice and wanting to gain 80 percent of the gains with 20 percent of the hassle and maintenance.
Basic internet precautions: if you're looking at a GitHub for a famous piece of software that has only 250 total downloads: double check the Url, read any commands before you run them and compare to documentation if you're unfamiliar with a piece of one, if you run something in docker or similar containerization for any reason make sure you set the PUID and GUID of the containers to a user other than root or they'll be root by default
I get that. Which is why anti virus and things are kind of common sense is what everyone usually says. Watch what you do and click etc. But your reply did not really address my question. What's the average Joe version of the link you posted, as it was for advanced users.
I don't know of any comprehensive source but there are a few basic things you that I do.
- Ensure sudo is on the system so that root account is not used.
- Get a secure browser that with add ons to protect against malicious sites (https everywhere, JavaScript blockers, etc...)
- Download software from trusted repositories and verify with GPG keys or hashes. Be wary on installing anything using a shell script with super user access.
- Use keys instead of passwords for ssh if you are going to use ssh.
- Password tools like Vaultwarden and KeePass can help secure passwords.
- You can encrypt your hard drive with LUKS before you install Linux with many distros.
- Flatpak (Docker as well) can allow you to run applications with limited access to your system much like phone apps on Android. This can be more secure but comes with larger app sizes and limits what you can do with the app sometimes (e.g. browsers not being able to upload files because they don't have full filesystem access)
- If you want a firewall on your workstation (not needed much anymore with hardware firewalls from routers), UFW makes it easy
- If you want to check for viruses use ClamAV (ClamTK for a GUI app).
First of all there isn't One Linux.
In simple terms for an end user, yes, you are definitely better off with any of the major distros.
Non-commerciality is probably the most important aspect. Or as someone put it a long time ago: "Suddenly I realized that the software is on my side."
I've used Linux for 15+ years.
Install from the repositories, if it isn't in your "app store" or installed using apt or yum or whatever your distro package manager is, don't bother with it until you're more familiar with Linux.
Your system is 99%+ of the time going to be secure as long as you don't install something sketch. You need to install it, it won't just happen on it's own, things can be hidden behind copy paste instructions so be sure you have a good idea of what each step does if you're doing that (I've never come across this in the wild, FYI). The other small percentage is a bug or something in packages (see the xz debacle) which you have little control over. The best thing you can do is just keep packages up to date.
Please nobody wheel out the Swiss cheese analogy or I'll shit myself.
Lactose intolerance is rough.
I feel like github should have verified repositories
Blue checkmark?
Checkered checkmark
PSA: The amount of stars on GitHub can be botted and is not a good indicator to know if you are dealing with a legitimate repository. Even the commit history can be faked (although that's less common).
How to go about it then?
Try to do some research like you would do with closed source tools. See if they have a website and if it links to the GitHub you encountered. Also see if there are subreddits or forums and see what they link to.
In the case of this "Pro" version of KeePass; a simple search would have shown that there is no Pro version.
I'm not sure who they were trying to fool? Bluntly, if you're keeping your passwords in a local repo using strong encryption via something like keepass, you're generally not the kind of person to see "KeePassXE Pro ultra mega best edition" and blindly download it without vetting the source....
If it works once or twice it was probably worth it
Big yikes energy
Someone will probably attach an LLM and call it the Ultimate edition, because why not...
Thank goodness for distro repositories with somewhat-vetted software.
This is why I never feel safe downloading a program from Github. I need a recognisable domain name website that google or duckduckgo has picked as the product.
No it's not perfect, but it feels safer than a random github.
I need a recognisable domain name website that google or duckduckgo has picked as the product.
This doesn't always work. For example, I used to (and still do) see a lot of fake websites when I l type revanced (https://revanced.app/) on duckduckgo, and I've nearly fallen for two of the fake ones before (I think two of .com / .org / .to...?)
Thankfully ublock origin warns users of this:
Otherwise, I'd have 100% downloaded some malware-loaded crap.
Just tried a search for Magisk and uBlock indeed does a great job at blocking all the scam websites.
It's important to note that new scam sites won't be picked up until someone reports them, so there's still a chance you'll be one of the first to a new domain.
I need to install Magisk.
Google:
1st result: their Github page
2: magisk-manager.fr.uptodownDOTcom/android
3: magiskmanagerDOTcom/
4: magisk-manager.fr.softonicDOTcom/android
Kagi:
1st result: their Github page
2: magiskDOTme/ (icon showing it may be scam)
3: magiskmanagerDOTcom/ (scam icon)
4: themagiskDOTcom/ (scam icon)
No way I'm clicking on anything but the Github page.
Kagi is somewhat better than Google, but you have to pay attention to the small warning icon.
I would say bot search engines do a bad job and shouldn't show those results (or have an option "show me unsafe websites")
edit: uptodown and softonic might not be as bad. Still wouldn't download from them.
Wait til you hear about npm.
This reminds me of the new vector for malware that targets "vibe coders". LLMs tend to hallucinate libraries that don't exist. Like, it'll tell you to add, install, and use jjj_image_proc or whatever. The vibe coder will then get an error like "that library doesn't exist" and "can't call jjj_image_proc.process()`.
But you, a malicious user, could go and create a library named jjj_image_proc and give it a function named process. Vibe coders will then pull down and run your arbitrary code, and that's kind of game over for them.
You'd just need to find some commonly hallucinated library names
As a Typescript developer, npm is a damn mess. I ain’t got a clue how to handle these dependencies.
It's taught me that bigger standard libraries are better. You still have similar issues, but at least nobody's importing LeftPad. And your remaining dependency probably isn't importing LeftPad either.
i like Keepass, in fact I've been using it fot almost 2 years. Might consider going "GNU Pass" so I have more controls.
I used keepass since ages and about two years ago I switched to a self-hosted vaultwarden instance and I still think it was a great choice. So of you have a docker experience and a little VM lying around you could give vaultwarden/Bitwarden a try.
I myself prefer to keep good ass IRL