I just meant that it was very convenient to have the firmware images there on S3, nothing else :D Many vendors make the process of even just obtaining a copy of the firmware much harder than that, so for once I was glad it has been much easier. Also being able to bindiff two adjacent versions of the same firmware is great ... all in all I was just expressing my happiness :D
Doesn't matter really, keeping blobs hidden doesn't actually do anything except make it slightly harder to analyze the software. Making all blobs easily and readily available is exactly what I want the vendor to do. Black boxes don't make things secure.
Nerve is a tool that creates stateful agents with any LLM — without writing a single line of code. While it was inspired by other projects such as Autogen and Rigging, its main goal and core difference with other tools is to allow the user to instrument smart and stateful agents without writing code (unless required for custom functionalities).
OpenSnitch author here ... although performances are not a big deal here because only conntrack packets are intercepted, the project will move to a C++ implementation once the current Python prototype/PoC will be complete and will prove that what I want to do is 100% doable on GNU/Linux :)
I would say that golang is good enough. But if you are interested , you could go for Rust. Multiple teams have built extremely high performance network manipulation tools in Rust - like linkerd-tcp .
Once I saw OpenSnitch I decided to write my own in Rust (mostly as a learning experience for myself)[1] -- it's still obviously WIP as it doesn't even filter packets yet! My intention is to make it have a remote API so that policy decisions aren't done in the daemon but are done in swappable clients.
OpenSnitch author here ... that's exactly the direction the project is going, C++ daemon running as root and low privileged UI in Python or whatever. The current implementation is more of a PoC/test to see the whole logic working before starting the real thing :)
Why C++? The backend only has to read ftrace events, and Python should be fast enough for that.... And why root? Can't you just create a dbus connection, open your fd to the ftrace pipe, and then drop privs to a nonroot user?
OpenSnitch is not only about ftrace, check the NFQUEUE handling, moving to native will improve performances and stability. Also, it requires root because that's the only way it can install the iptable rules it needs in order to function properly.
The iptables rules are static though, aren't they? And they have bypass enabled, so you should be able to load them once at system boot time and leave them there to default to allow.
As far as nfqueue, I googled around but I wasn't able to find out what perms you need in order to communicate with netlink. I assumed you could open an fd and drop perms but it looks like it might not allow that. I agree that eventually you'd need a pretty robust multithreaded app to handle large packet flows without adding too much latency... it seems like quite a big burden just to authorize specific applications to make specific network connections.
as long as i know, you definitely need root to communicate with netlink .... i don't think there're gonna be large packet flows, only first connection packets tnx to conntrack, it's doable :)
i write posts in markdown, they're then "compiled" into html, I should fix the software I'm using ... but as long as it works, for me it's ok, being it styling or markup :)
