rjmalagon's comments

Thanks for this, almost forgot it. Works great on Fedora Workstation 39.

Wayland forwarding over SSH: done


I am a long-time, happy user of authenticated Tor hidden services for my secure admin access to SSH servers and some self-hosting services, and it is my last hope when even tailnets and meshnets fail to reach. I2PD C++ I2P nodes are very helpful as backup authenticated hidden services for some of my servers, as in general Tor is more stable but sometimes I2P can work around when Tor fails.

Tor is simpler, better audited, and I don't mind too much the little centralization of the authority Tor nodes, plus the pluggable transports.

I2P is more complete (UDP, protocol libraries, nice hidden service client and server port handling, etc.); its somewhat chaotic decentralization is a mixed blessing, but that's the point. I like the tradeoff of mixing my bandwidth with others' bandwidth (pay with some bandwidth now to save my rear-end later when needed).

The I2PD C++ node is pleasant for me because it is compact and clean for my needs (authenticated hidden service SSH access and self-hosted web services) and I can manage it almost like the Tor node. The original I2P Java node is good for end users, handy with integrated IRC, email, and file sharing services.


Minor inconvenience vs Mexico electronic invoice hell. Our VAT is 16%, for everyone except a select group of small businesses, of a now discontinued tax regimen. We must issue a dual cryptographically signed XML invoice (by the emitter and the tax authority) with individualized items with ID codes from a tax authority catalog of recognized products and services, that includes tampons (53131615) to warships (25111708) to radical ecological organizations (94131701). Every invoice needs to be sent to the tax authority servers to get the second signature; without it the invoice is not valid. Without it, it is not possible to deduct VAT payments, or (monthly) tax filing in general. No internet, no invoice software, no computers, equals no invoice, and no invoice is almost tax fraud. A fiscal invoice is only emitted when a customer asks for it, but businesses are obliged to emit a "general public invoice" with all the sales where customers don't ask for a fiscal invoice.


Try to vacation in Italy: Consumers are obliged to get an invoice, businesses are obliged to provide one. Including cryptographic signatures (but without the big-list-of-article-numbers and centralized signatures craziness). The financial police are allowed to stop customers within a certain distance of a business and ask for the invoice for their purchase. If the customer cannot provide one, the customer and the business are fined heavily. That's why the business owner will get very angry with you when you (as a clueless tourist) immediately chuck the invoice in the bin, because why would you keep the invoice for a pack of gum...


> the customer [... is] fined heavily.

Sorry, but do you have a source for that claim? Cause I have yet to witness the Guardia di Finanza charging a customer in any way whatsoever.


https://www.roderickconwaymorris.com/Articles/344.html

Google will find some more. But I'm not fluent enough in Italian to find the respective law.


> warships (25111708)

That's 3366113 in the US and Canada:

https://www23.statcan.gc.ca/imdb/p3VD.pl?Function=getVD&TVD=...


Where can I purchase one of those "radical ecological organizations"?


In México, we have SPEI. It allows free instant transfers between bank accounts (with some exceptions). We employ an 18-digit code (CLABE), and debit card numbers are also permitted. You can add a phone number to your bank account to receive money transfers with it. SPEI supports push and pull, the latter being less common. SPEI can be utilized to remit payment for certain credit cards and specialized services. The 18-digit CLABE codifies the bank, account location, account number and a verify digit. SPEI is managed by a subsidiary of the Mexican central bank. For a country where many things work slow and clunky, SPEI works surprisingly well and fast. We really missed it when we tried to send money outside of Mexico.
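An added example, not part of the comment above: a validator for the CLABE layout it describes (bank, account location, account number, verify digit), using the standard 3-7-1 weighted check digit. The function and field names are this example's own, and the sample value is constructed.

```python
import re
from typing import NamedTuple

# Standard CLABE layout: 3-digit bank, 3-digit location, 11-digit account, 1 check digit.
WEIGHTS = (3, 7, 1)  # repeated across the first 17 digits


class Clabe(NamedTuple):
    bank: str
    location: str
    account: str
    check_digit: int


def clabe_check_digit(first17: str) -> int:
    """Each digit times its weight, mod 10, summed; the result is the 10's complement."""
    total = sum((int(d) * WEIGHTS[i % 3]) % 10 for i, d in enumerate(first17))
    return (10 - total % 10) % 10


def parse_clabe(value: str) -> Clabe:
    """Split a CLABE into fields, rejecting anything that fails the check digit."""
    # [0-9] rather than \d: \d also matches non-ASCII Unicode digits.
    if not re.fullmatch(r"[0-9]{18}", value):
        raise ValueError("CLABE must be exactly 18 ASCII digits")
    expected = clabe_check_digit(value[:17])
    if expected != int(value[17]):
        raise ValueError(f"check digit mismatch: expected {expected}")
    return Clabe(value[:3], value[3:6], value[6:17], expected)


def is_valid_clabe(value: str) -> bool:
    try:
        parse_clabe(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = "002010077777777771"  # constructed sample, not a real account
    print(parse_clabe(sample))
    print(is_valid_clabe("002010077777777781"))  # one digit altered
```

Because every weight is coprime to 10, any single mistyped digit changes the check digit; swapped adjacent digits are not always caught.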


Apparently, just fine. On paper, it does a quick check and clean on mount. There are mount options for full check, degraded and recovery modes. About the paper: https://bcachefs.org/bcachefs-principles-of-operation.pdf


Maybe you already know it: you can filter ads by DNS on phones (manually configured or with pseudo VPN apps), and if you don't mind using other mobile browsers, on Android Firefox supports ad blockers and Brave (Android and iOS) has an integrated one.


I see ad blockers as good filters for them. Someone who feels annoyed by ads to the extent of making the effort to install ad blockers is not a good target for ads either. Less tech-savvy and caring users are perfect targets for ads.


I am a very happy Silverblue user. There is a learning curve to adapt workflow to containers, Toolbox and serious Flatpak tuning, but I got a solid and clean workstation experience. Being clutter-free, which prevents the gradual rot of the system, pays for itself.

I like it so much that 2 years ago I jumped to the Fedora Core/IoT thing for my servers. A somewhat deeper learning curve (ignition files...) but very pleased to use a lightweight Fedora rpm-ostree based immutable OS on metal and virtual. Cleanest rock-solid server experience on Linux servers (that actually updates worry-free) of my career.


It is a fixed bug. Your target needs to be an outdated Linux distro.

In a current or patched one, it is more likely to have a non-vulnerable LUKS2 volume that you cannot downgrade to a vulnerable one, or a kernel and userspace tools non-vulnerable to the metadata manipulation even for a LUKS1 volume.

I concede the plausible scenario of replacing the kernel with a vulnerable one, if you have access to the drive (by external OS boot or getting the hardware) and replacing the kernel on the usually unencrypted boot partition along with modifying the LUKS2 metadata of the encrypted volume. Not a quick local or remote feat to do. Not doable on an encrypted boot volume or signed boot files (secure boot thingy). Sincerely, if you have that kind of access, it is easier to modify the initramfs file to grab the LUKS key.


Not so outdated. No Ubuntu version has the fix up to now. They think 18.04 is not affected [1]

  Ubuntu 21.10   Needed
  Ubuntu 21.04   Ignored (reached end-of-life)
  Ubuntu 20.04   Needed
  Ubuntu 18.04   Not vulnerable (code not present) 

[1] https://ubuntu.com/security/CVE-2021-4122


Yup, Ubuntu is ongoing in this. Debian is in better shape.


Your second guess is the correct one. This is a bug in the LUKS2 header metadata that can trick the kernel to "recover and resume" an unsolicited decryption/reencryption process. Very hard to do because you need access to the drive and later someone to unlock the modified drive.

It is a fixed bug, and a plausible scenario is if someone wants to decrypt a LUKS2 volume (in an old Linux kernel system) which is auto-unlocked by a TPM-like device.


> It is a fixed bug, and a plausible scenario is if someone wants to decrypt a LUKS2 volume (in an old Linux kernel system) which is auto-unlocked by a TPM-like device.

What's the TPM ecosystem on Linux like? On Windows BitLocker, it mostly just works, but IIRC on Linux you had to jump through a bunch of hoops to get everything configured.


It's not auto set up like BitLocker, but once set up it is reliable (if your TPM itself is, unlike the Zen 2 fTPM...) and working.

