
How to start hacking? The ultimate two-path guide to information security. (Repost from r/hacking)

Before I begin - everything about this should be totally and completely ethical at its core. I'm not saying this as any sort of legal coverage, or to not get somehow sued if any of you screw up, this is genuinely how it should be. The idea here is information security. I'll say it again. information security. The whole point is to make the world a better place. This isn't for your reckless amusement and shot at recognition with your friends. This is for the betterment of human civilisation. Use your knowledge to solve real-world issues.
There's no singular all-determining path to 'hacking', as it comes from knowledge from all areas that eventually coalesce into a general intuition. Although this is true, there are still two common rapid learning paths to 'hacking'. I'll try not to use too many technical terms.
The first is the simple, effortless and result-instant path. This involves watching YouTube videos with green and black thumbnails with an occasional anonymous mask on top teaching you how to download well-known tools used by thousands daily - or in other words the 'Kali Linux Copy Pasterino Skidder'. You might do something slightly amusing and gain a bit of recognition and self-esteem from your friends. Your hacks will be 'real', but anybody that knows anything would dislike you as they all know all you ever did was use a few premade tools. The communities for this sort of shallow result-oriented field include HowToHack and probably hacking as of now.
The second option, however, is much more intensive, rewarding, and mentally demanding. It is also much more fun, if you find the right people to do it with. It involves learning everything from memory interaction with machine code to high level networking - all while you're trying to break into something. This is where Capture the Flag, or 'CTF' hacking comes into play, where you compete with other individuals/teams with the goal of exploiting a service for a string of text (the flag), which is then submitted for a set amount of points. It is essentially competitive hacking. Through CTF you learn literally everything there is about the digital world, in a rather intense but exciting way. Almost all the creators/finders of major exploits have dabbled in CTF in some way/form, and almost all of them have helped solve real-world issues. However, it does take a lot of work though, as CTF becomes much more difficult as you progress through harder challenges. Some require mathematics to break encryption, and others require you to think like no one has before. If you are able to do well in a CTF competition, there is no doubt that you should be able to find exploits and create tools for yourself with relative ease. The CTF community is filled with smart people who can't give two shits about elitist mask wearing twitter hackers, instead they are genuine nerds that love screwing with machines. There's too much to explain, so I will post a few links below where you can begin your journey.
Remember - this stuff is not easy if you don't know much, so google everything, question everything, and sooner or later you'll be down the rabbit hole far enough to be enjoying yourself. CTF is real life and online, you will meet people, make new friends, and potentially find your future.
What is CTF? (this channel is gold, use it) - https://www.youtube.com/watch?v=8ev9ZX9J45A
More on liveoverflow, http://www.liveoverflow.com is hands down one of the best places to learn, along with liveoverflow
CTF compact guide - https://ctf101.org/
Upcoming CTF events online/irl, live team scores - https://ctftime.org/
What is CTF? - https://ctftime.org/ctf-wtf/
Full list of all CTF challenge websites - http://captf.com/practice-ctf/
> be careful of the tool oriented offensivesec oscp ctf's, they teach you hardly anything compared to these ones and almost always require the use of metasploit or some other program which does all the work for you.
http://picoctf.com is very good if you are just touching the water.
and finally,
netsec - where real world vulnerabilities are shared.
submitted by Dezo_Ghoste to hacking4noobs

How to start hacking? The ultimate two path guide to information security.

Before I begin - everything about this should be totally and completely ethical at its core. I'm not saying this as any sort of legal coverage, or to not get somehow sued if any of you screw up, this is genuinely how it should be. The idea here is information security. I'll say it again. information security. The whole point is to make the world a better place. This isn't for your reckless amusement and shot at recognition with your friends. This is for the betterment of human civilisation. Use your knowledge to solve real-world issues.

There's no singular all-determining path to 'hacking', as it comes from knowledge from all areas that eventually coalesce into a general intuition. Although this is true, there are still two common rapid learning paths to 'hacking'. I'll try not to use too many technical terms.

The first is the simple, effortless and result-instant path. This involves watching YouTube videos with green and black thumbnails with an occasional anonymous mask on top teaching you how to download well-known tools used by thousands daily - or in other words the 'Kali Linux Copy Pasterino Skidder'. You might do something slightly amusing and gain a bit of recognition and self-esteem from your friends. Your hacks will be 'real', but anybody that knows anything would dislike you as they all know all you ever did was use a few premade tools. The communities for this sort of shallow result-oriented field include HowToHack and probably hacking as of now.
The second option, however, is much more intensive, rewarding, and mentally demanding. It is also much more fun, if you find the right people to do it with. It involves learning everything from memory interaction with machine code to high level networking - all while you're trying to break into something. This is where Capture the Flag, or 'CTF' hacking comes into play, where you compete with other individuals/teams with the goal of exploiting a service for a string of text (the flag), which is then submitted for a set amount of points. It is essentially competitive hacking. Through CTF you learn literally everything there is about the digital world, in a rather intense but exciting way. Almost all the creators/finders of major exploits have dabbled in CTF in some way/form, and almost all of them have helped solve real-world issues. However, it does take a lot of work though, as CTF becomes much more difficult as you progress through harder challenges. Some require mathematics to break encryption, and others require you to think like no one has before. If you are able to do well in a CTF competition, there is no doubt that you should be able to find exploits and create tools for yourself with relative ease. The CTF community is filled with smart people who can't give two shits about elitist mask wearing twitter hackers, instead they are genuine nerds that love screwing with machines. There's too much to explain, so I will post a few links below where you can begin your journey.

Remember - this stuff is not easy if you don't know much, so google everything, question everything, and sooner or later you'll be down the rabbit hole far enough to be enjoying yourself. CTF is real life and online, you will meet people, make new friends, and potentially find your future.

What is CTF? (this channel is gold, use it) - https://www.youtube.com/watch?v=8ev9ZX9J45A
More on liveoverflow, http://www.liveoverflow.com is hands down one of the best places to learn, along with liveoverflow
CTF compact guide - https://ctf101.org/
Upcoming CTF events online/irl, live team scores - https://ctftime.org/
What is CTF? - https://ctftime.org/ctf-wtf/
Full list of all CTF challenge websites - http://captf.com/practice-ctf/
> be careful of the tool oriented offensivesec oscp ctf's, they teach you hardly anything compared to these ones and almost always require the use of metasploit or some other program which does all the work for you.

http://picoctf.com is very good if you are just touching the water.
and finally,
netsec - where real world vulnerabilities are shared.
submitted by SlickLibro to hacking

Detached LUKS header full disk encryption with encrypted keyfile inside a passphrase-protected bootable keydisk using direct UEFI secure boot, encrypted swap, unbound with DNSCrypt and DNSSEC, and system hardening

EDIT: added parts to Arch Wiki

I.   Installation

General tips and notes:
 
I. Part I: Preparing the devices
Before you begin, go to your EFI settings (commonly referred to as BIOS settings although technically it's EFI now) at boot time using the designated function key. On my laptop that's F10 but you should google yours. Now go to Boot options and disable Secure Boot, then clear keys, this will leave the TPM in a receptive state for when we enroll our custom keys later. Note the clear keys option should be on the same page as the secure boot option, and it is not the separate TPM keys option which is something different. When you save changes and exit you may have to hit a key combination and press enter to verify.
Make sure to run 'lsblk' to find out what your block device mappings are, don't copy this blindly. We're overwriting all the data, so if there's files you need copy them or image them with Clonezilla to a different drive and leave that one unplugged.
dd if=/dev/urandom of=/dev/sda bs=4096 
#hard drive (just wait, a 500gb HDD took around 2.5 hours)
dd if=/dev/urandom of=/dev/sdb bs=4096 
#USB
 
I. Part II: Preparing the USB key
gdisk /dev/sdb 
n
1
2048
+512M
EF00
n is new partition, L shows all hex codes for filesystems (EF00, 8300), t allows you to change a filesystem after creating a partition
n
2
(Hit enter to accept the automatic start value here)
+250M
8300
Write changes with 'w', 'q' is quit.
cryptsetup --hash=sha512 --cipher=twofish-xts-plain64 --key-size=512 -i 30000 luksFormat /dev/sdb2 
 
Note: the -i is for iteration time in milliseconds for the key derivation function pbkdf, it should be at least 5000 (5 seconds), but preferably put it as high as you can stand. For me, that's about 30 seconds.
 
cryptsetup open /dev/sdb2 cryptboot 
 
mkfs.ext2 /dev/mapper/cryptboot 
 
Note: I picked ext2 for simplicity and to avoid journaling since it's just a usb drive
 
mount /dev/mapper/cryptboot /mnt 
 
cd /mnt 
 
dd if=/dev/urandom of=key.img bs=20M count=1 
 
cryptsetup --align-payload=1 --hash=sha512 --cipher=serpent-xts-plain64 --key-size=512 -i 30000 luksFormat key.img 
 
cryptsetup open key.img lukskey 
 
Note: You should make the file larger than 8192 bytes (the maximum keyfile size for cryptsetup) since the encrypted loop device will be a little smaller than the file's size.
20M might be a little too big for you, but 1) With a big file, we'll use --keyfile-offset=X and --keyfile-size=8192 to navigate to the correct position and 2) having too small of a file will get you a nasty 'Requested offset is beyond real size of device /dev/loop0' error.
Shoutout to the Gentoo Wiki for showing me how to do this easily and this thread from the Arch Linux forums for the inspiration. And the Gentoo Wiki again for explaining the size issue.
Now you should have 'lukskey' opened in a loop device (underneath /dev/loop1), mapped as /dev/mapper/lukskey
 
I. Part III: The main drive
truncate -s 2M header.img 
 
cryptsetup --hash=sha512 --cipher=serpent-xts-plain64 --key-size=512 --key-file=/dev/mapper/lukskey --keyfile-offset=X --keyfile-size=8192 luksFormat /dev/sda --align-payload 4096 --header header.img 
 
Pick an offset, and a number of milliseconds you can wait for
 
cryptsetup open --header header.img --key-file=/dev/mapper/lukskey --keyfile-offset=X --keyfile-size=8192 /dev/sda enc 
 
cd / 
 
cryptsetup close lukskey 
 
umount /mnt 
(if it complains about being busy, make sure the lukskey container is closed, then use "ps -efw" to find hung processes and their PIDs to kill with "kill -9 PID")
 
pvcreate /dev/mapper/enc 
 
vgcreate store /dev/mapper/enc 
 
lvcreate -L 20G store -n root 
 
lvcreate -L 4G store -n swap 
 
lvcreate -l 100%FREE store -n home 
 
You can name "store" anything you want, the number of GB is up to you (note my root partition is currently using 3.9GB if you're looking for a rough minimum), swap space doesn't have to be twice your RAM unless you have a machine with very low RAM. Some people do the size of their RAM, some do half of their RAM, some do less. If you plan on suspending and hibernating, which I don't recommend (it's more proper to shutdown so the encryption keys are wiped from memory) then you would do at least the size of your RAM.
 
mkfs.ext4 /dev/store/root 
 
mkfs.ext4 /dev/store/home 
 
mount /dev/store/root /mnt 
 
mkdir /mnt/home 
 
mount /dev/store/home /mnt/home 
 
mkswap /dev/store/swap 
 
swapon /dev/store/swap 
 
mkdir /mnt/boot 
 
mount /dev/mapper/cryptboot /mnt/boot 
 
mkfs.fat -F32 /dev/sdb1 
 
mkdir /mnt/boot/efi 
 
mount /dev/sdb1 /mnt/boot/efi 
 
I. Part IV: The actual installation procedure and custom encrypt hook
After reading the "pacstrap" command and other tips below, follow the Installation Guide up to the "mkinitcpio" step but don't do it yet. You will skip "Partition the disks", "Format the partitions", and "Mount the file systems" as we've already done that. If you use a regular US keymap layout skip "Set the keyboard layout" as well. I skipped "Hostname" and "Network configuration" because I don't need a hostname and I prefer to start dhcpcd@INTERFACE.service manually.
tl;dr quick network connection (INTERFACE is a placeholder for your network interface name, as listed by "ip link"):
ip link set INTERFACE up 
 
systemctl start dhcpcd@INTERFACE.service 
This is my quick way to get https mirrors in order of speed (adjust for your country):
grep -i -A1 "United States" /etc/pacman.d/mirrorlist | grep -iP "^Server" | grep -vP "^--$" | sed 's/http:/https:/gi' > /etc/pacman.d/mirrorlist2 
#The accuracy of this grep statement could change depending on the format in the future, you may need to adjust.
#The sed pattern includes the colon so entries that are already https are not rewritten to "httpss".
 
rankmirrors -n 0 /etc/pacman.d/mirrorlist2 > /etc/pacman.d/mirrorlist 
 
Refreshing the package keys and a basic pacstrap command for our guide (if you need any other packages add them to the end or do a "pacman -S package" anytime after the chroot step):
pacman-key --refresh-keys 
 
pacstrap /mnt base base-devel linux-hardened efibootmgr sudo 
 
Now you should be at the "mkinitcpio" step and chrooted into your system. In order to get our encrypted setup to work, we will need to build our own hook, which is thankfully easy to do and I have the code you need. You will have to run "ls -lth /dev/disk/by-id" to figure out your own ID values for usb and main hard drive (they're linked -> to sda or sdb) then to get them into the file: "ls -lth /dev/disk/by-id | grep -iP 'PATTERNYOUWANT' | awk '{print $9}' >> /etc/initcpio/hooks/customencrypthook". You should be using those ids instead of just sda or sdb because sdX can change and this ensures it's the correct device.
You can name "customencrypthook" anything you want, and note that /etc/initcpio is the folder for hooks you create. Keep a backup of both files ("cp" them over to the /home directory or your user's home directory after you make one). /usr/bin/ash is not a typo.
/etc/initcpio/hooks/customencrypthook
#!/usr/bin/ash 
 
run_hook() { 
 
modprobe -a -q dm-crypt >/dev/null 2>&1 
 
modprobe loop 
 
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null" 
 
while [ ! -L '/dev/disk/by-id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-part2' ]; do 
#the Xs represent your USB drive id found by "ls -lth /dev/disk/by-id"
 
 echo 'Waiting for USB' 
 
 sleep 1 
 
done 
 
 cryptsetup open /dev/disk/by-id/XXXXXXXXXXXXXXXXXXXXXXXX-part2 cryptboot 
 
 mkdir -p /mnt 
 
 mount /dev/mapper/cryptboot /mnt 
 
 cd /mnt 
 
 cryptsetup open key.img lukskey 
 
 cryptsetup --header header.img --key-file=/dev/mapper/lukskey --keyfile-offset=N --keyfile-size=8192 open /dev/disk/by-id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY enc 
#the Ys represent your main hard drive found by "ls -lth /dev/disk/by-id", N is your offset
 
 cd / 
 
 cryptsetup close lukskey 
 
 umount /mnt 
 
} 
#Note: I could also close cryptboot, but I want it to be easier to mount for updating and signing the kernel (which happens automatically during kernel updates), and regenerating the initramfs with mkinitcpio. You can close it using "cryptsetup close cryptboot", but then you would have to reenter the password before you mount it after booting into the system.
 
/etc/initcpio/install/customencrypthook
#!/bin/bash 
 
build() { 
 
local mod 
 
add_module dm-crypt 
 
if [[ $CRYPTO_MODULES ]]; then 
 
 for mod in $CRYPTO_MODULES; do 
 
 add_module "$mod" 
 
 done 
 
else 
 
 add_all_modules '/crypto/' 
 
fi 
 
add_binary "cryptsetup" 
 
add_binary "dmsetup" 
 
add_file "/usr/lib/udev/rules.d/10-dm.rules" 
 
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" 
 
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" 
 
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" 
 
add_runscript 
 
} 
 
/etc/mkinitcpio.conf (edit this only don't replace it, these are just excerpts of the necessary parts)
MODULES=(loop) 
 
HOOKS=(base udev autodetect modconf block customencrypthook lvm2 filesystems keyboard fsck) 
#Note: the files=() and binaries=() arrays are empty, and you shouldn't have to replace HOOKS=(...) array entirely just edit in "customencrypthook lvm2" after block and before filesystems, and make sure "systemd", "sd-lvm2", and "encrypt" are removed.
 
I. Part V: Setting up sudo and a user
First, we need to change the root password and then add a user.
passwd 
 
useradd -m -G wheel -s /bin/bash USERNAMEHERE 
 
passwd USERNAMEHERE 
 
EDITOR=nano visudo 
and make these edits:
at the top:
## See the sudoers man page for the details on how to write a sudoers file.
##
Defaults env_reset
Defaults editor=/usr/bin/nano, !env_editor
Defaults timestamp_timeout=0
Note: env_reset resets environment variables to prevent somebody from selecting a different program as their "editor" using the EDITOR environment variable, your default in the second line can be vi or another editor instead of nano, and timestamp_timeout=0 disables the sudo cache because I want to type the password every time. I recommend following these because even in a single-user scenario, potential malware could take advantage if you have those vulnerabilities open. The first two lines are from Sudo - Arch Wiki.
 
and near the bottom:
## User privilege specification
root ALL=(ALL) ALL
USERNAMEHERE ALL=(ALL) ALL
The owner and group for the sudoers file must both be root. The file permissions must be set to 0440.
ls -lth /etc/sudoers and make sure it looks like this:
-r--r----- 1 root root
If it doesn't then:
chown -c root:root /etc/sudoers 
 
chmod -c 0440 /etc/sudoers 
Now "su -l USERNAMEHERE" and run "sudo -i" and see if you can login as sudo, it should change your terminal to "[email protected]" instead of your username. Once you see it works, disable the direct root login and then exit.
passwd -l root 
 
exit 
From now on, you will use "sudo -e file" to safely edit files that require you to be root to edit them as it uses temporary files and is considered to be the proper form.
Also, while you should always use sudo to become root, if you ever use "su" for any user, use "su -l". This changes home directory and environment variables for safety as discussed here
 
I. Part VI: Direct UEFI using secure boot
 
We need to get cryptboot and sbupdate git from the AUR, then untar, read the pkgbuild, and "makepkg -si" inside the folder, for each. Yes, the program "cryptboot" has the same name as what we named our encrypted usb drive, but know that there's no relation here besides the implied meaning of "encrypted boot" and you can use any name for your encrypted usb drive.
These are the AUR links: cryptboot and sbupdate for reference. However, we'll be downloading a snapshot .tar.gz directly.
As of December 2017, the snapshot links are:
https://aur.archlinux.org/cgit/aur.git/snapshot/cryptboot.tar.gz
https://aur.archlinux.org/cgit/aur.git/snapshot/sbupdate-git.tar.gz
 
Important note: Don't do this as root and don't use sudo, add a user first and do it as the user.
su -l USERNAMEHERE 
 
If you're not already in the user's home directory:
cd ~ 
 
curl -o cryptboot.tar.gz https://aur.archlinux.org/cgit/aur.git/snapshot/cryptboot.tar.gz 
At this point I used my phone to copy and paste the .tar.gz "Download Snapshot" link from https://aur.archlinux.org/packages/cryptboot/ into VirusTotal.com and then used "sha256sum cryptboot.tar.gz" on the computer to get a checksum and compared it with the value on my phone.
 
tar xvf cryptboot.tar.gz 
 
cd cryptboot 
 
less PKGBUILD 
Read the package build and make sure nothing malicious has been snuck in there, to the best of your ability.
 
makepkg -si 
 
According to the Arch Linux wiki, this will download the code, resolve the dependencies with pacman, compile it, package it, and ask you for your sudo password to install the package.
Now we make our keys:
First prepare crypttab temporarily to be compatible with cryptboot.
Use "sudo -i" to become root.
sudo -e /etc/crypttab 
cryptboot /dev/disk/by-uuid/ZZZZZZZZZZZZZZZZZZZZZZZZZZZ none luks
You will have to find Z by running "ls -lth /dev/disk/by-uuid" and see which one links to sdb2 or whichever is the encrypted boot partition of your usb drive. Then "ls -lth /dev/disk/by-uuid | grep -iP 'PATTERNYOUWANT' | awk '{print $9}' >> /etc/crypttab".
sudo -e /etc/cryptboot.conf 
BOOT_CRYPT_NAME="cryptboot"
BOOT_DIR="/boot"
EFI_DIR="/boot/efi"
EFI_KEYS_DIR="/boot/efikeys"
 
cryptboot-efikeys create 
 
cryptboot-efikeys enroll 
 
Hopefully if you cleared your secure boot keys beforehand and properly configured the cryptboot.conf and your /boot partition is mounted, it should be successful. Delete the temporary entry we created from your crypttab.
Remember that generating keys only has to be done once. I guess you could do it again if you're worried that your keys have been compromised (don't forget to rename DB.* files back to db.*, see efikeys below), but it only needs to be done once and sbupdate will use the same keys to sign your new images every time you update your kernel.
Now we must prepare the system for sbupdate. Use "sudo -i" to become root.
cd /boot/efikeys 
"ls" to get a list of files and change all the "db.*" files to "DB" like this: mv db.file DB.file
Switch back to regular user "su -l USERNAMEHERE". Repeat the curl, tar, less, makepkg procedure done above for cryptboot except this time do it for sbupdate.
sudo -e /etc/default/sbupdate 
KEY_DIR="/boot/efikeys"
ESP_DIR="/boot/efi"
CMDLINE_DEFAULT="/vmlinuz-linux-hardened root=/dev/mapper/store-root rw quiet"
The CMDLINE_DEFAULT is really important here, without it your efi will not boot. If you're curious what these files are and where they come from, vmlinuz is the compressed kernel image which is part of the package for linux-hardened. It's installed to the mounted /boot directory. In the same directory, initramfs-*.img files are created by mkinitcpio when we run the command.
now "sudo -i" into root and run:
mkinitcpio -p linux && mkinitcpio -p linux-hardened && sbupdate 
It should generate the initramfs image, and generate a signed UEFI image of your kernel and initramfs that we will be able to boot from. There should be a few "missing firmware" errors which should be harmless
 
Note: I keep the linux kernel as a backup in case anything goes wrong with linux-hardened after an update and I need to boot
 
Now we need a boot option for the signed efi file.
First run "lsblk" and look for the usb device and the 512M EFI partition. Mine is sdb1.
The Gentoo Wiki gives us a good example:
efibootmgr -c -d /dev/sdb -p 1 -L "Arch Linux Hardened Signed" -l "EFI\Arch\linux-hardened-signed.efi" 
-c create, -d disk, -p partition, -L label, and -l loader
Make sure the boot order puts "Arch Linux Hardened Signed" first. If not change it with "efibootmgr -o XXXX,YYYY,ZZZZ"
Finally, exit the chroot (keep running exit until it says [email protected] without brackets [] and the "lsblk" shows boot as "/mnt/boot" and not "/boot") and umount devices, then reboot
exit 
 
cd / 
 
umount -R /mnt 
 
reboot 
 
Now you will have to press the button for your EFI settings (BIOS settings) and enable secure boot, disable legacy boot and cd boot, and set up an administrator or power on password to prevent access. You'll need the usb key to boot and you'll have to enter two passwords, one for the usb key and another for the keyfile. Then the keyfile unlocks the main hard drive. You should probably run 'pacman -Syu' to update the system.
I. Part VII: Graphics and audio
First check your graphics driver here. I'm using radeon. Newer AMD cards use amdgpu (xf86-video-amdgpu). Nvidia and Intel should check the wiki for info.
pacman -S xorg-server xf86-video-ati xfce4 mousepad 
Check your ~/.local/share/xorg/Xorg.0.log and make sure it got loaded properly. For example, radeon will have lines that say "RADEON(0):". If it didn't load your driver it may say "MODESETTING(0):" which is the fallback driver as explained here Xorg - ArchWiki.
Also check your driver's wiki page to find out about enabling "TearFree" which prevents the horizontal lines when playing video (you'll have to create a minimal Xorg Configuration first with a "Device" section containing "Driver" and "Identifier").
Ctrl + F this page for "Prevent Xorg" and do that now, plus "Run Xorg Rootless".
Now for the audio:
pacman -S pulseaudio pavucontrol xfce4-pulseaudio-plugin 
Controversial, but pulseaudio indeed "just works" and you need it to hear sound on Firefox.

II.   Firewall

https://aur.archlinux.org/cgit/aur.git/snapshot/arno-iptables-firewall.tar.gz
You know the AUR drill we used for cryptboot and sbupdate by now, just curl -o the snapshot, verify the checksum matches the one online with VirusTotal, tar xvf, less pkgbuild, then makepkg -si. Remember to do it all as a regular user, not root so don't use sudo. Then:
cd ~/arno-*/src/aif* 
 
sudo ./install.sh 
 
sudo -e /etc/arno-iptables-firewall/firewall.conf 
EXT_IF=""
EXT_IF_DHCP_IP=1
If you use a static ip you would leave the dhcp setting at 0.
sudo systemctl enable arno-iptables-firewall.service 
 
sudo systemctl start arno-iptables-firewall.service 

III.   System Hardening

Encrypted Swap
sudo -e /etc/crypttab 
swap /dev/mapper/store-swap /dev/urandom swap,cipher=twofish-xts-plain64,hash=sha512,size=512,nofail
sudo -e /etc/fstab 
/dev/mapper/swap none swap defaults 0 0
The entry for fstab replaces the old swap entry, you could just edit the old one to look like this.
Umask
sudo -e /etc/profile 
# Set our umask
umask 077
The way it was explained to me is that before the umask is applied, linux permissions for files you create start off as 0777. Umask 077 is the same as 0077. Thus, subtract 0777 - 0077 = 0700
The order is 0 (setuid, setgid, sticky bit), 7 (user), 0 (group), 0 (others)
This means that only the user who created or root will be able to read, write, and execute the file or directory (only directories create as exec). A umask of "177" would prevent the executable bit from being set so the default file permissions for directories you create would be "-rw-------".
The first 0 is for setuid, setgid, and sticky bit. Setuid and setgid allow a user to become other users or groups like root or wheel. Sticky bit allows your user to write or change a file, but prevent the change or deletion of your files by other users. This is useful for group or world-writable settings where people have the same permissions in a folder but you want to prevent destructive behavior.
Know that root can violate any permissions it wants unless you write a specific rule in SELinux, which is out of scope for this guide, unfortunately. There are good books on it written by a guy named "Vermeulen".
Permissions
You may want to consider running: chmod -R g-rwx,o-rwx /boot
What this does is - (subtracts) all permissions (rwx) from group (g) and others (o). Leaving only root and the owner of the file with permissions.
chmod 000 /boot/key.img
chmod 000 /boot/header.img
#Note that obviously root will still be able to override this, but it means that no user can access it so the files can only be read or written to by root.
Pluggable Authentication Modules PAM rules
sudo -e /etc/pam.d/system-login 
#auth required pam_tally.so onerr=succeed file=/var/log/faillog
auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
Note you have to comment the first line so failed attempts are not counted twice, then the second line sets 2 denials (wrong passwords) and a 10 minute lockout. onerr=succeed counts the number of attempts. The file=* is a failure log.
sudo -e /etc/pam.d/su 
auth required pam_wheel.so use_uid
sudo -e /etc/pam.d/su-l 
auth required pam_wheel.so use_uid
TCP IP Hardening
sudo -e /etc/sysctl.d/50-dmesg-restrict.conf 
kernel.dmesg_restrict = 1
sudo -e /etc/sysctl.d/51-net.conf 
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
sudo -e /etc/sysctl.d/40-ipv6.conf 
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eno1.use_tempaddr = 2
net.ipv6.conf.lo.accept_redirects = 0
net.ipv6.conf.wlo1.use_tempaddr = 2
To apply changes,
sudo sysctl --system 
I've intentionally left out logging martian packets (people sending you packets with spoofed or misconfigured addresses), but if you want you can log those to track down malicious activity.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Disabling Root login
We already ran "passwd -l root" after we set up sudo.
sudo -e /etc/securetty 
Comment out all the lines in this file, you'll still be able to use sudo.
Hardening fstab
For cryptboot and the usb EFI partition add this to the fourth field comma-separated values:
noauto,nodev,nosuid,noexec
For /dev/store/home or /dev/mappestore-home:
nodev,nosuid
Hidepid
sudo -e /etc/fstab 
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0
For Xorg to work, an exception needs to be added for systemd-logind:
sudo -e /etc/systemd/system/systemd-logind.service.d/hidepid.conf 
[Service]
SupplementaryGroups=proc
Prevent coredumps
sudo -e /etc/systemd/coredump.conf 
Storage=none
Check Pacman SigLevel and PGP keyring keys
grep -i siglevel /etc/pacman.conf 
SigLevel = Required DatabaseOptional
Update the keys manually:
pacman-key --refresh-keys 
Today is January 02, 2018. As of today, the "archlinux-keyring" was last updated on "2017-12-15 12:23 UTC". In a scenario where a key is no longer valid or goes rogue, it would be helpful to have the latest keys.
Safe mounting of external disks (sdc1 is an example)
sudo mount -o nodev,nosuid,noexec /dev/sdc1 /mnt 
This prevents executables, programs running with different user privileges than the user has, and nodev prevents character or block devices from being interpreted on the drive to prevent malicious exploits.
Browser cache permissions
edit: Updated to chromium
~/.config/chromium and ~/.cache/chromium files are "-rw-------" (chmod 600) and folders are "drwx------" (chmod 700). The point is to check permissions frequently and prevent executable files in the cache.
TTY Timeout
sudo -e /etc/profile.d/shell-timeout.sh 
TMOUT="$(( 60*10 ))";
[ -z "$DISPLAY" ] && export TMOUT;
case $( /usr/bin/tty ) in
/dev/tty[0-9]*) export TMOUT;;
esac
You can also block tty access all together but I prefer having it so I can switch over if I want or need to get away from Xorg.
Prevent Xorg from being run on a different terminal besides the one you logged in
sudo -e ~/.xserverrc 
#!/bin/sh
exec /usr/bin/Xorg -nolisten tcp -nolisten local "$@" vt$XDG_VTNR
-nolisten local disables the abstract sockets of X11, which are supposed to be a risk if a keylogger or screenshotter attached itself to them. This blog gives some history on the subject.
Startx will execute this when you start up your desktop. You can autostart X at login but I prefer to do it manually. I use xfce so it's "exec startxfce4" after I login.
Run Xorg rootless
sudo -e /etc/X11/Xwrapper.config 
set needs_root_rights = no

IV.   Unbound + Dnscrypt + DNSSEC

edit: The new dnscrypt-proxy automatically updates the sources (servers list) so I've simplified this section.
 
sudo pacman -S unbound expat dnscrypt-proxy ldns 
 
sudo -e /etc/dhcpcd.conf 
Add anywhere:
static domain_name_servers=127.0.0.1
sudo systemctl edit dnscrypt-proxy.service 
edit: After the update on 5/18/2018 dnscrypt-proxy needs CAP_NET_BIND_SERVICE capability.
[Service]
DynamicUser=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
PrivateTmp=true
PrivateDevices=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictAddressFamilies=AF_INET
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @raw-io
Above is from DNSCrypt - ArchWiki
sudo -e /etc/dnscrypt-proxy/dnscrypt-proxy.toml 
listen_addresses = []
require_dnssec = true
cache = false
Cache is disabled because we are using DNSCrypt as a forwarder for the unbound cache. I still use Unbound because it has a better way of actually testing and validating that DNSSEC is working.
sudo -e /etc/unbound/unbound.conf 
server:
use-syslog: yes
username: "unbound"
directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
port: 53
do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5138
sudo -e /etc/resolv.conf 
nameserver 127.0.0.1
options edns0 single-request-reopen
systemctl edit dnscrypt-proxy.socket 
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:5138
ListenDatagram=127.0.0.1:5138
The port number is larger than 1024 so dnscrypt-proxy is not required to be run by root. So pick a number from 1025-65535, or run this command "shuf -n 1 -i 1025-65535".
For DNSCrypt with Unbound, only unbound and dnscrypt-proxy.socket need to be started and enabled.
 systemctl enable dnscrypt-proxy.socket 
 
 systemctl enable unbound.service 
 
 systemctl start dnscrypt-proxy.socket 
 
 systemctl start unbound.service 
 
Now test it out
 drill -DT sigfail.verteiltesysteme.net 
 
 drill -DT sigok.verteiltesysteme.net 
 
 unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net 
 
 unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net 
Root Hints
sudo curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache 
 
sudo chmod 644 /etc/unbound/root.hints 
 
sudo -e /etc/unbound/unbound.conf 
Under "server:":
root-hints: "/etc/unbound/root.hints"
 
sudo systemctl restart unbound 
 
Root Hints script (Optional, probably unnecessary)
This optional script creates a service that updates root hints automatically. is your internet device from "ip link", usually eno1 or wlo1. If you don't use dhcpcd then change it to the service that gets your internet working. Once the timer goes off each month, the script will retry every 20 minutes until the internet is on then update the root hints. If a timer is missed it will keep trying. The 2 minute predelay is to give dnscrypt time to resolve fingerprints and the certificate.
sudo -e /etc/systemd/system/roothints.service 
 
[Unit]
Description=Update root hints for unbound
[email protected].service
[Service]
TimeoutStartSec=0
Restart=on-failure
RestartSec=1200
ExecStartPre=/bin/sleep 120
ExecStart=/usr/bin/bash -c 'isitalive=$(/usr/bin/systemctl is-active [email protected].service); if [ "$isitalive" == "active" ]; then /usr/bin/curl -v -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache; fi; if [ "$isitalive" == "inactive" ]; then exit 1; fi'
 
sudo -e /etc/systemd/system/roothints.timer 
[Unit]
Description=Run root.hints monthly
[Timer]
OnCalendar=monthly
Persistent=true
[Install]
WantedBy=timers.target
You can use a custom date like this: "OnCalendar=*-*-12 12:00:00". That would run the job on the 12th of every month at 12pm local time.
sudo systemctl enable roothints.timer 
 
sudo systemctl start roothints.timer 
 
sudo systemctl status roothints.timer 
Testing our script
From the wiki on Timers you can check the calendar time until the next run:
systemd-analyze calendar "*-*-12 12:00:00" 
 
systemd-analyze calendar monthly 
If you have other timers also, you may want to consider setting them to separate, specific times or using "RandomizedDelaySec" in the .timer file under [Timer]
 
systemctl daemon-reload 
To reload units after making changes on disk.
sudo systemctl start roothints 
Wait a little and then check the systemctl status.
 
Troubleshooting
If you can't resolve hosts try:
  • Setting "verbosity=5" under "server:" in /etc/unbound/unbound.conf and check "journalctl -u unbound.service". You should see some pretty detailed output that shows if it's working.
  • If you just want to get your internet working again, # comment out the forwardings section ("forward-zone:", "name:", "forward-addr:") and "trust-anchor-file" in unbound.conf, systemctl stop dnscrypt-proxy.socket and dnscrypt-proxy.service, then stop and start unbound to fix the internet.
  • If you're using unbound, make sure /etc/dnscrypt-proxy/dnscrypt-proxy.toml 'cache' is disabled.
Sometimes, fixing the internet is as simple as using "ip link set down", "ip link set up", then stop and start [email protected].service. Or restarting unbound.service. Also check "systemctl status dnscrypt*" to make sure the socket is running and that the proxy service received its certificate and fingerprints from the server.

V.   Firejail:

pacman -S firejail chromium xorg-server-xephyr openbox 
Edit: changed to Chromium
Xephyr and openbox will allow us to enable X11 sandboxing and resize the browser window, respectively.
sudo -e /etc/firejail/firejail.config 
xephyr-screen WIDTHxHEIGHT
Width and Height are in pixels.
To open the sandbox and browser:
firejail --x11 --profile=/etc/firejail/chromium.profile openbox --startup 'chromium' 
You should be able to adjust the window or maximize it, and the internet should work automatically since unbound is handling our dns.

VI.   Afternotes:

  • Be careful with your LUKS header and any backups of it, the proper disposal is to "shred", "wipe", or dd it with random data multiple times before deleting it (see Securely Wipe Disk - Arch Wiki).
    If an attacker gets a hold of your old LUKS header (after you changed the passphrase) and they figured out the old passphrase or keyfile, they can use the old header to get access to your system. Check out the cryptsetup FAQ for more details.
    A way to mitigate this is to use "cryptsetup-reencrypt" which will generate a new master key (volume key) and make the old header ineffective even when they have the compromised passphrase or keyfile, but read the man page first.
  • You can use dd to backup the whole usb drive as an image, or the partitions (assuming it's sdb):
    dd if=/dev/sdb1 of=backup.img bs=4M
    dd if=/dev/sdb2 of=backup2.img bs=4M
  • The LUKS keyfile can be changed like this:
    cryptsetup --header /boot/header.img --key-file=/dev/mapper/lukskey --keyfile-offset=X --keyfile-size=8192 luksChangeKey /dev/mapper/enc /dev/mapper/lukskey2 --new-keyfile-size=8192 --new-keyfile-offset=Y 
Afterwards, "cryptsetup close lukskey" and "shred" or "dd" the old keyfile with random data before deleting it, then make sure that the new keyfile is renamed to the same name of the old one "key.img" or other name.
  • For some reason sysctl doesn't seem to be loading my /etc/sysctl.d/51-net.conf file on boot so I have to run "sysctl --reload" to get it working.
  • Read General Recommendations on the Arch Wiki, mainly "System Administration" and "Package Management"
  • Consider blacklisting usb devices with USBGuard
  • Check permissions, ownership, and sticky bits everywhere you can.
    find / -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) | xargs ls
    #look for setuid or setgid bits
    chmod u-s /path/to/file
    #unset the setuid bit for a file (user id)
    chmod g-s /path/to/file
    #unset the setgid bit for a file (group id)
    find / -nouser -o -nogroup | xargs ls
    #unowned abandoned orphaned files
    find / -path /proc -prune -o -perm -2 ! -type l | xargs ls
    #world-writable files
  • Anti virus or anti malware such as clamav and rkhunter
  • Intrusion detection, scanning, and security auditing tools such as lynis, nmap, aide, snort, yasat. You can find more recommendations here
  • Implementing access control security policies such as SELinux, Tomoyo, AppArmor, Smack, and I'm sure there's more.
submitted by wincraft71 to archlinux
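The mount options from "Hardening fstab" and "Hidepid" in the post above can be checked mechanically. This is an added example, not part of the original post: a POSIX shell audit that flags fstab entries missing the listed options and checks for the systemd-logind drop-in when /proc is mounted with gid=proc. The sample fstab is constructed, and the /boot and /boot/efi mount points for cryptboot and the USB EFI partition are assumptions.

```sh
#!/bin/sh
# Added example: audit an fstab against the mount options the post recommends.

# Constructed sample. The /boot and /boot/efi mount points are assumptions;
# two entries are deliberately incomplete so the audit has something to find.
sample_fstab() {
    cat <<'EOF'
# <device>              <dir>      <type> <options>                    <dump> <pass>
/dev/mapper/store-root  /          ext4   defaults                     0 1
/dev/mapper/cryptboot   /boot      ext4   noauto,nodev,nosuid,noexec   0 2
UUID=ABCD-1234          /boot/efi  vfat   noauto,nodev,nosuid          0 2
/dev/mapper/store-home  /home      ext4   nodev,nosuid                 0 2
proc                    /proc      proc   nosuid,nodev,noexec,gid=proc 0 0
EOF
}

# audit_fstab FSTAB: print one finding per line, return 1 if anything is missing.
audit_fstab() {
    awk '
    # Options in "need" that are absent from the comma-separated list "have".
    function missing(have, need,    h, n, got, i, k, out) {
        k = split(have, h, ",")
        for (i = 1; i <= k; i++) got[h[i]] = 1
        k = split(need, n, ",")
        out = ""
        for (i = 1; i <= k; i++)
            if (!(n[i] in got)) out = (out == "" ? n[i] : out "," n[i])
        return out
    }
    function report(dir, m) {
        if (m != "") { print dir ": missing " m; bad = 1 }
    }
    $1 ~ /^#/ || NF < 4 { next }
    $2 == "/proc" { seen = 1; report($2, missing($4, "nosuid,nodev,noexec,hidepid=2")); next }
    $2 == "/home" { report($2, missing($4, "nodev,nosuid")); next }
    # Any noauto entry (cryptboot, USB EFI) must also carry the other three.
    ("," $4 ",") ~ /,noauto,/ { report($2, missing($4, "nodev,nosuid,noexec")) }
    END {
        if (!seen) { print "/proc: no entry, hidepid is not applied"; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# check_logind_exception FSTAB DROPIN: when /proc uses gid=proc, the
# systemd-logind drop-in must grant SupplementaryGroups=proc.
check_logind_exception() {
    awk '$1 !~ /^#/ && $2 == "/proc" && ("," $4 ",") ~ /,gid=proc,/ { f = 1 }
         END { exit (f ? 0 : 1) }' "$1" || return 0
    if [ -f "$2" ] && grep -Eq '^[[:space:]]*SupplementaryGroups=.*proc' "$2"; then
        return 0
    fi
    echo "systemd-logind: SupplementaryGroups=proc drop-in not found at $2"
    return 1
}

# Demo on the constructed sample (no drop-in file exists in the temp dir).
work=$(mktemp -d)
sample_fstab > "$work/fstab"
audit_fstab "$work/fstab" || echo "fstab does not meet the policy"
check_logind_exception "$work/fstab" "$work/hidepid.conf" || true
rm -rf "$work"
```

On a live system the arguments would be /etc/fstab and /etc/systemd/system/systemd-logind.service.d/hidepid.conf.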
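The Unbound + DNSCrypt chain in section IV of the post above only resolves names when three files agree: the dnscrypt-proxy.socket port, unbound's forward-addr, and the dnscrypt-proxy.toml settings. This is an added example, not part of the original post, that checks that agreement. The sample files are constructed from the values shown in the post; the file names and the forward-addr value 127.0.0.1@5138 are assumptions.

```sh
#!/bin/sh
# Added example: consistency check for the Unbound -> dnscrypt-proxy chain.
# Paths are arguments so copies of the files can be audited.

# Port from the socket drop-in. An empty "ListenStream=" clears earlier
# values; this helper reports the last value assigned.
socket_port() {
    awk -F= '$1 ~ /^[ \t]*ListenStream$/ {
                 v = $2; gsub(/[ \t]/, "", v)
                 n = split(v, a, ":"); port = (v == "") ? "" : a[n]
             }
             END { print port }' "$1"
}

# Port from unbound's "forward-addr: IP@PORT" (empty when no @PORT is given).
forward_port() {
    awk '$1 == "forward-addr:" { n = split($2, a, "@"); port = (n == 2) ? a[2] : "" }
         END { print port }' "$1"
}

# Value of "key = value" in dnscrypt-proxy.toml, trailing comments stripped.
toml_value() {
    awk -v key="$2" '{
             line = $0; sub(/#.*/, "", line)
             split(line, kv, "="); k = kv[1]; v = kv[2]
             gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
             if (k == key) val = v
         }
         END { print val }' "$1"
}

# check_dns_chain SOCKET_DROPIN UNBOUND_CONF DNSCRYPT_TOML
# Prints one finding per line; exit status is 0 only when everything agrees.
check_dns_chain() (
    rc=0
    sp=$(socket_port "$1"); fp=$(forward_port "$2")
    [ -n "$sp" ] || { echo "socket: no ListenStream port"; rc=1; }
    [ "$sp" = "$fp" ] || { echo "port mismatch: socket=${sp:-none} forward-addr=${fp:-none}"; rc=1; }
    [ "$(toml_value "$3" cache)" = "false" ] || { echo "dnscrypt-proxy: cache is not false"; rc=1; }
    [ "$(toml_value "$3" require_dnssec)" = "true" ] || { echo "dnscrypt-proxy: require_dnssec is not true"; rc=1; }
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$2" \
        || { echo "unbound: do-not-query-localhost is not no"; rc=1; }
    exit "$rc"
)

# Constructed sample files using the values from the post.
write_samples() {
    cat > "$1/socket.conf" <<'EOF'
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:5138
ListenDatagram=127.0.0.1:5138
EOF
    cat > "$1/unbound.conf" <<'EOF'
server:
  port: 53
  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5138
EOF
    cat > "$1/dnscrypt-proxy.toml" <<'EOF'
listen_addresses = []
require_dnssec = true
cache = false
EOF
}

# Demo on the constructed samples.
demo=$(mktemp -d)
write_samples "$demo"
if check_dns_chain "$demo/socket.conf" "$demo/unbound.conf" "$demo/dnscrypt-proxy.toml"; then
    echo "DNS chain is consistent"
fi
rm -rf "$demo"
```

On a live system the socket drop-in written by "systemctl edit dnscrypt-proxy.socket" is /etc/systemd/system/dnscrypt-proxy.socket.d/override.conf.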

Full container/vm documentation available (unreleased but copied/pasted here)

Sourced from here but copied/pasted here for ease of view. It's not merged yet but we will be able to find it here when finished.

Running Custom Containers Under Chrome OS

Welcome to the containers project where we support running arbitrary code inside
of VMs in Chrome OS.
This is a heavily-technical document, but more user-friendly information will be
coming in the future.
We won't get into technical details for specific projects as each one already
has relevant documentation.
We instead will link to them for further reading.

Overview

There are many codenames and technologies involved in this project, so hopefully
we can demystify things here.
Crostini is the umbrella term for making Linux application support easy to use
and integrating well with Chrome OS.
It largely focuses on getting you a Terminal with a container with easy access
to installing whatever developer-focused tools you might want.
It's the default first-party experience.
The Terminal app is the first entry point to that environment.
It's basically just crosh.
It takes care of kicking off everything else in the system that you'll interact
with.
crosvm is a custom virtual machine monitor that takes care of managing KVM,
the guest VM, and facilitating the low-level (virtio-based) communication.
Termina is a VM image with a stripped-down Chrome OS linux kernel and
userland tools.
Its only goal is to boot up as quickly as possible and start running containers.
Many of the programs/tools are custom here.
In hindsight, we might not have named it one letter off from "Terminal", but so
it goes.
Maitred is our init and service/container manager inside of the VM, and is
responsible for communicating with concierge (which runs outside of the VM).
Concierge sends it requests and Maitred is responsible for carrying those
out.
Garcon runs inside the container and provides integration with
Concierge/Chrome for more convenient/natural behavior.
For example, if the container wants to open a URL, Garcon takes care of
plumbing that request back out.
Sommelier is a Wayland proxy compositor that runs inside the container.
Sommelier provides seamless forwarding of contents, input events, clipboard
data, etc... between applications inside the container and Chrome.
Chrome does not run an X server or otherwise support the X protocol; it only
supports Wayland clients.
So Sommelier is also responsible for translating the X protocol inside the
container into the Wayland protocol that Chrome can understand.
You can launch crosh and use the vmc command to create new VMs manually.
It will only run Termina at this point in time.
You can use vsh to connect to a VM instance and use LXC to run
containers.

Quickstart

Here's a quick run down of how to get started.
If you're interested in Android Studio, check out their documentation.

Runtime Features

OK, so you've got your container going, but what exactly can you expect to work?

Missing Features

There's a lot of low-hanging fruit we're working on fleshing out.
There are more things we're thinking about, but we're being very
careful/cautious in rolling out features as we want to make sure we aren't
compromising overall system security in the process.
The (large) FAQ below should hopefully hit a lot of those topics.

Security

While running arbitrary code is normally a security risk, we believe we've come
up with a runtime model that addresses this.
The VM is our security boundary, so everything inside of the VM is
considered untrusted.
Our current VM guest image is also running our hardened kernel to further
improve the security of the containers, but we consider this a nice feature
rather than relying on it for overall system security.
In this model, the rest of the Chrome OS system should remain protected from
arbitrary code (malicious or accidental) that runs inside of the containers
inside of the VM.
The only contact with the outside world is via crosvm, and each channel
talks to individual processes (each of which are heavily sandboxed).

User Data In The Container

With the shift to cloud services, current security thinking highlights the fact
that getting account credentials (e.g. your Google/Facebook passwords) is way
more interesting than attacking your desktop/laptop.
They are not wrong.
The current VM/container Chrome OS solution does not currently improve on
this.
Put plainly, anything entered into the container is the responsibility of the
user currently.
So if you run an insecure/compromised container, and then type your passwords
into the container, they can be stolen even while the rest of the Chrome OS
system remains secure.

Persistence

Linux apps do not survive logout (since they live in the user's encrypted
storage).
They also do not automatically start at login (to avoid persistent attacks),
nor can they automatically run at boot (without a login session) since they
wouldn't be accessible (they're in the user's encrypted storage).

Lifecycles

Once you've got the Terminal installed (which takes care of installing all
the other necessary components like Termina), the system is ready to use.
By virtue of having things installed, nothing starts running right away.
In that regard, when you log out, everything is shutdown and killed, and when
you login, nothing is automatically restarted.
When you run the Terminal, the Termina will be started automatically,
and the default Crostini container will be started in that.
You can now connect to the container via SSH or SFTP (via the Files app).
Similarly, if you run a Linux application directly (e.g. pinned to your shelf
or via the launcher), the Termina will be started automatically, and
the container that application belongs to will be launched.
There's no need to run Terminal manually in these situations.
When you close all visible applications, the VM/containers are not shutdown.
If you want to manually stop them, you can do so via crosh and the vmc
command.
Similarly, if you want to spawn independent VMs, or more containers, you can
do so via crosh and the vmc and vsh commands.

Device Support

While we would like to be able to bring this work to all Chromebooks, the kernel
and hardware features required limit where we can deploy this.
A lot of features we use had to be backported, and the further back we go, the
more difficult & risky it is to do so.
We don't want to compromise system stability and security here.

Supported Now

The initial platform is the Google Pixelbook (eve) running an Intel processor
(x86_64) with Linux 4.4.

Hardware Requirements

We are not planning on requiring a minimum amount of RAM, storage, or CPU speed,
but certainly the more you have of each of these, the better off things will
perform.
You will need a CPU that has hardware virtualization support.

Glossary

FAQ

Where can I chat with developers?

All Chromium OS development discussions happen in our
chromium-os-dev Google Group.
Feel free to ask anything!

Where can I file feature requests?

As a nascent project, we've got a lot on our plate and planning on releasing,
so it'd be nice to hold off for now and check back in after a few Chrome OS
releases.
Feel free to chat/ask on the mailing list above in the meantime.
Once we are in a more stable place, you can use our issue tracker.
See the next question for details.

Where can I file bugs?

Please first make sure you're using the latest dev channel.
A lot of work is still ongoing.
Next, please make sure the issue isn't already known or fixed.
You can check the existing bug list.
If you still want to send feedback, you can file a feedback
report and include #crostini in the description.
Feedback about any part of Chrome OS can be filed with "Alt-Shift-i".
If you still want to file a bug with the developers, use this link to
route to the right people.

Can I boot another OS like Windows, macOS, Linux, *BSD, etc...?

Currently, no, you can only boot our custom Linux VM named Termina.
See also the next few questions.

Can I run my own VM/kernel?

Currently, no, you can only boot Termina which uses our custom Linux kernel
and configs.
Stay tuned!

Can I run a different Linux distro?

Of course!
The full LXD command line is available, and the included images remote has lots
of other distros to choose from.
However, we don't test with anything other than the default container that we
ship, so things may be broken when running another distro.

I'm running , how do I get {gui apps, launcher icons, etc...}?

Sommelier and Garcon binaries are bind-mounted into every container, so no
need to install or cross-compile.
The systemd units and config files from cros-container-guest-tools will start
these daemons in a systemd user session.
It's also a good idea to run loginctl enable-linger to allow these to
remain running in the background.

Am I running Crostini?

If you're using the Terminal app, or programs in the default container we
provide that includes our programs to ease integration (e.g. Sommelier), then
yes.
If you're running your own container or VM, then no.

How do I share files between Chrome OS & the container?

Using Secure Shell, you can set up a SFTP mount to the remote container and
then browse via the Files app.
Work is ongoing to automate this step by default.

Can I access files when the container isn't running?

Currently, the container must be running in order to access its content.

Can I install custom kernel modules?

Currently, no, Termina does not include module support.
That means trying to use software that requires building or loading custom
kernel modules (e.g. VirtualBox) will not work.
See the next question too.

Can I mount filesystems?

Currently, no (*).
The containers are implemented using Linux user namespaces and those are quite
restricted (by design).
We're looking into supporting FUSE though.
(*): Technically you can mount a few limited pseudo filesystems (like
memory-backed tmpfs), but most people aren't interested in those.

Can I run a VM inside the VM?

Currently, no, nested KVM is not supported.
You could run qemu-system to emulate the hardware and boot whatever OS you want
inside of that.
Unfortunately, it'll be quite slow as QEMU won't be able to utilize KVM for
hardware acceleration.

Can I run a container inside the container?

Yes!
You'll probably need to install the relevant packages first for whatever
container format you want to run.

What container formats are supported?

Termina currently only supports LXC directly.
We're aware of Kubernetes/Docker/OCI/rkt/etc... and hope to make them all easy
to use.
See the previous question for a workaround in the mean time.

What architecture works on my system?

Since everything is all native code execution, it depends on the device you
have.
If you don't know what device you have, you can find this out in two different
ways:
If you see x86_64, you'll be able to run code compiled for Intel/AMD
(32-bit/64-bit/x32 should all work).
If you see arm (or something similar like armv7l) or aarch64, you'll be
able to run code compiled for ARM/ARM64.

Can I run other architectures?

There is currently no integrated support for running e.g. ARM code on an Intel
system, or vice-versa.
You could handle this yourself (e.g. by using qemu-user), but if you're familiar
with qemu-user, then you already knew that :).

How many VMs can I run?

You can spawn as many as your system can handle (RAM/CPU-wise).
They are all independent of each other.

How many containers can I run?

You can spawn as many as your system can handle (RAM/CPU-wise).
Each VM instance can host multiple containers.

Can I run programs that keep running after logout?

Nope!
All VMs (and their containers) are tied to your login session.
As soon as you log out, all programs are shutdown/killed by design.
Since all your data lives in your encrypted home, we wouldn't want that to
possibly leak when you logout.
For more details, see the Security section in this doc.

Can I autorun programs when I login?

Nope!
All VMs (and their containers) need to be manually relaunched.
This helps prevent persistent exploits.
For more details, see the Security section in this doc.

Can I autorun programs when I boot?

Nope!
See the previous questions, and the Security section.

Are my VMs/containers/data synced/backed up?

Currently, no, nothing is synced or backed up.
You're responsible for any data going into the containers.
We hope to improve this situation greatly.

Can I use IPv6?

Unfortunately, only IPv4 is currently supported.
Yes, we're fully aware that everything should be IPv6-compatible in 2018.
We're working on it.

Can I access layer 2 networking?

Currently, no, networking access is only at layer 3 (i.e. IP).
So you won't be able to do any bridging or lower level fun stuff.
It's not clear if/when this will change.
Bridging with the outside world is difficult with WiFi, and not many devices
have Ethernet connections.
We could support layer 2 between containers, but it's not clear how many people
want this in order to justify the effort involved.

Can I access hardware (e.g. USB/Bluetooth/serial)?

Currently, no, but we are working on it.
Stay tuned!

Can I run graphical applications?

Yes, but currently things are unaccelerated.
So if you're looking to play the latest Quake game, it's not going to work well.
See the next few questions.

Can I run Wayland programs?

Yes, and in fact, these are preferred!
Chrome itself deals with Wayland clients heavily, and so you're much more
likely to have things "just work" if you upgrade.

Can I run X programs?

Yes, via our Sommelier helper.
We're still working out some compatibility kinks, and it probably will never be
as perfect as running an X server, but with the community moving to Wayland,
it should be good enough.

Why are windows sometimes tiny/fuzzy?

While Chrome supports high DPI displays, many Linux applications don't.
When a program doesn't properly support DPI scaling, poor results follow.
Currently we expose the native resolution and DPI directly to applications.
If they show up tiny or fuzzy, it's because they don't support scaling properly.
You should report these issues to the respective upstream projects so that,
hopefully someday, it'll "just work".
In the mean time, Sommelier exposes some runtime settings so you can set the
scale factor on a per-program basis to workaround the misbehavior.
Check out Sommelier's documentation for more details.
If you're applying a system wide zoom or otherwise changing the default display
resolution, we attempt to scale the application output to match.
This can lead to blurry results.
You can adjust the resolution of your display, or tweak things via Sommelier
(see above for more details).

Can I run Windows programs?

Sure, give WINE a try.
Compatibility will largely depend on WINE though, so please don't ask us for
support.

Can I run Steam?

Sure, give Steam a shot.
Just remember that without accelerated graphics or sound, it's probably not
going to be too much fun.

Can I run macOS programs?

Probably not.
You could try various existing Linux solutions, but chances are good that they
are even rougher around the edges.

Can I develop Android apps (for ARC++)?

Check out the Android Studio site for more details on this.

Why implement crosvm from scratch (instead of using QEMU/kvmtool/etc...)?

We have nothing against any of these other projects.
In fact, they're all pretty great, and their designs influenced ours.
Most significantly, they did more than we needed and did not have as good a
security model as we were able to attain by writing our own.
While crosvm cannot do everything those other projects can, it does only what
we need it to.
For more details, check out the crosvm project.

Why run VMs? Aren't containers secure?

While containers often isolate themselves (via Linux namespaces), they do not
isolate the kernel or similar system resources.
That means it only takes a single bug in the kernel to fully exploit the system
and steal your data.
That isn't good enough for Chrome OS, hence we put everything inside a VM.
Now you have to exploit crosvm via its limited interactions with the guest,
and crosvm itself is heavily sandboxed.
For more details, see the Security section in this doc.

Don't Android apps (ARC++) run in a container and not a VM?

Unfortunately, yes, Android apps currently run only in a container.
We try to isolate them quite a bit (using namespaces, seccomp,
alt syscall, SELinux, etc...), but at the end of the day, they have direct
access to many syscalls and kernel interfaces, so a bug in there is reachable
via code compiled with Android's NDK.

If Android apps are in a container, why can't users run code too?

We don't usually accept a low security bar in one place as a valid reason to
lower the security bar everywhere.
Instead, we want to constantly raise the security bar for all code.

Are Android apps (ARC++) going away?

There are no plans to merge the two projects.
We share/re-use a lot of the Chrome bridge code though, so it's not like we're
doing everything from scratch.

Don't VMs slow everything down?

It is certainly true that VMs add overhead when compared to running in only
a container or directly in the system.
However, in our tests, the overhead is negligible to the user experience, and
well worth the strong gains in system security.
For more details, see the Security section in this doc.

Why run containers inside the VM? Why not run programs directly in the VM?

In order to keep VM startup times low, we need Termina to be as slim as
possible.
That means cutting out programs/files we don't need or care about.
We use SquashFS to make the image smaller and faster to load, but it means
the image/root filesystem is always read-only.
Further, the versions of programs/libraries we ship are frequently newer than
other distros (since we build off of Gentoo), and are compiled with extra
security flags.
It would also make it more difficult to have a stateless image that always
worked and would be immune from user mistakes.
Altogether, it's difficult to support running arbitrary programs, and ends
up being undesirable.
Forcing everything into a container produces a more robust solution, and
allows users to freely experiment without worry.
Also, we love turtles.

Can I disable these features?

Administrators can control access to containers/VMs via the management
console, so enterprise/education organizations that want to limit this can.
Initially there is a "Linux (Beta)" option under the standard Chrome OS
settings, but the long-term plan is to remove this knob so things work
on-demand.
At which point, there will be no knob for unmanaged devices.
submitted by -nbsp- to Crostini

Streamlined Beginner's Guide

I was making edits to A Beginner Guide written by a Beginner and Updated by a Friend when it gave me the error message that the post had too many characters. I decided it was honestly too wordy. I hope that the clarity of the message was not lost during the chopping process. Light suggestions and/or questions are welcome. I added this to the wiki as well after updating it due to your suggestions :)
The guide starts with day 1 "need to know" information then proceeds with Characters you Want, the Daily Grind, More to Grind, Comic Cards, Character Optimization, and finally a Quick Start Glossary.
 
First Month Goals
 
Content Difficulty Progression
This is a rough estimation of the progression of the game using the character level as a reference.
1-50 50-60 60+ 60++ 60+++
Story Mode Ch.1-8 Chapters 9-10 Chapter 11 Chapter 12
VS: Easy/Normal VS: Hard World Boss iThanos World Boss Ultimate
- - SL 1-15 SL 15-25 -
- - Strange Epic Quest Wolvie Epic Quest -
AB AB AB clear XAB clear XAB score chasing
TL TL/AC TL/AC TL/AC TL/AC
Cards: - 4* cards with ~30% SCD and 20+ Ignore Defense 4*/5*/6* cards w/SCD, Ignore Defense, and Attack 6* cards with ~30% SCD, ~30% Ignore Defense, and +30% All Attack
Villain Siege, Alliance Battle, TimeLine, Alliance Conquest, ShadowLand.
 
Starter Team: 6* Sharon Rogers, Loki, and any top character of your choice
This can be done with the 6* selector (day 1), the 6* selector (day 7), and "Hero's Journey".
A "Six Star Selector" allows for you to choose a character from a menu and that character is immediately 6* regardless of whether you recruited them or not.
For your 2nd and 3rd starter characters there are conflicting recommendations which to me proves it doesn't really matter who you choose, but be warned that not all characters are created equally so it is best to choose from these or the difficult to farm "Facetank" characters listed further down.
Check out the analysis/discussion from "Starter toons: Sharon Rogers and _________?" and decide for yourself, but definitely get Sharon Rogers.
 
After your first "failed" mission it is highly recommended to get 4 star Iron Fist.
Get his Hobo (Netflix) Uni when you have the chance.
 
Farm Enough Story Mission Bios to 6 Star Cap, Widow, and Iron Man.
Both Cap and Iron Man will be very useful additions to your team. Black Widow can be good, but as a beginner will be mostly useful as a striker in the Corvus Glaive World Boss battle.
You can get Age of Ultron unis for gold.
 
Use your 3 day trial of bio subscription for "Paywall" characters
I would recruit Enchantress, Agent Venom, and Kid Kaiju who are all still useful at T1. I would only use them on Carnage if you plan on paying for a bio subscription to T2 him (need ~366 bios to max gears). You will still need to get Mega Rank Up Tickets (2600 Crystals on weekend) to rank them up.
T2 Carnage > Agent Venom > Kid Kaiju > Enchantress > Ironheart > Hyperion > T1 Carnage
 
The best deals for real money include Stark Stash, Bio Subscription, VIP Package, and S.H.I.E.L.D.
Prices vary slightly depending on where you live and whether you use Android or Apple (Android is cheaper), but these are generally the best deals:
You don't need to spend money to be successful in this game, but I would highly recommend at least getting the Stark Stash (or bio sub) to get to VIP 1 (200 Crystals) for increased gold in Co-Op. You'll also hear a lot about "tag heals" which is unlocked at VIP 3 (2300 crystals total), and "Heroic Rifts" which are unlocked at VIP 10 (99,000 crystals total).
The best deals for Crystals include on sale uniforms (750), Mega Rank Up Tickets (2600), and "Deluxe" pack (6600).
 
Get in as high level alliance as you can (ideally 24+)
Use the weekly recruitment thread to join an Alliance for camaraderie, alliance stat boosts, alliance member rifts, energy rewards, and Alliance Battle/Conquest. Note that the stat boosts from Alliances You may see Alliance requirements including days of activity, Alliance Battle score, and Alliance Conquest participation. Even so, there are so many alliances out there that the odds are good that you can find a good balance between casual and competitive. There will also be a variety in beginner and veterans. But let's be honest, veterans need beginners around to tell them that they are awesome :)
 
Don't go "all in" on Epic Quests (Dr. Strange and Wolverine/Jean), rather dip your feet!
Dr. Strange, Wolverine, and Jean are all amazing, but the cost is significantly above a beginner's paygrade. I would however recommend completing enough quests to start farming Baron Mordo (need 50 Red Norns and 200 Blue Norns) and Rogue/Beast (need 100 Dimension Debris and 100 Red Norns). Rogue (speed) and Beast (combat) are perfect complements to your Sharon/Loki starter pack. For more information: Dr. Strange Epic Quest Guide and Rise of the X-men Epic Quest guide.
 
 

Characters and why you want them:

Facetank chars - Low skill threshold to defeat most content. High priority characters bolded.
Character | Survivability | Farmability
Sharon Rogers | iframes + damage immunity | Use starter selectors. Otherwise Bio Selectors.
Loki | shield + clones = RUN | Viable starter option. Otherwise Dimension Rift "Chitauri Invasion"
Carnage | iframes + invincibility @ T2 | Bio $ubscription only. Use Rank up Tickets and save bios for gears.
Agent Venom | iframes + shield + invincibility | Bio $ubscription only. Use Rank up Tickets and save bios for gears.
Enchantress | shield, and can permanently charm world bosses | Bio $ubscription only. Use Rank up Tickets and save bios for gears.
Kid Kaiju | iframes + summons + shield | Bio $ubscription only. Use Rank up Tickets and save bios for gears.
Elsa | iframe + damage immunity @ T2 | Villain Siege Chaos Tokens
Kate Bishop | iframes + stuns | Villain Siege "Hard"
Captain Marvel | damage immunity | Timeline Honor Tokens
Crystal | snare attacks + shield | Special Mission, Inhumans "Crystal Palace"
Songbird | snare attacks + shield | Special Mission, New Avengers "Baked Alaska"
Groot | Heal; Baby uni: iframes | Dimension Rift "Bark is Worse than Bite"
Yellow Jacket | several iframes | Dimension Rift "Amazingly Interesting Voyage"
Wasp | damage immunity "bubble" + iframe | Dimension Rift "Growth Spurt"
Baron Mordo | iframe + stuns + shield | Epic Quest, Memory Mission "Road to the Monastery"
Ancient One | invincibility + heal | Epic Quest, Memory Mission "Monastery in Trouble"
Hellstorm | immunity + summon | Epic Quest, Dark Dimension "Increasing Darkness"
Rogue | damage immunity (skill/leadership) + iframes + heal | Epic Quest: Rise of the X-men, Tracking "Going Rogue"
Beast | stun + snare + iframe | Epic Quest: Rise of the X-men, Tracking "Friends and Enemies"
Storm | stun + guard breaks + iframes | Epic Quest: Rise of the X-men, Tracking "Weathering the Storm"
Cyclops | stun + guard breaks + damage immunity + iframe | Epic Quest: Rise of the X-men, Tracking "Blindsided!"
Magneto | bind + guard breaks + shield + iframes | 6600 crystals for "Deluxe" pack; "Mutual Enemy"
Captain America | damage immunity + iframe (uni) | Story Mission 1-1, 3-10, and 5-6
Black Widow | dodge + guard breaks + stun (uni) | Story Mission 1-4, 2-6, 3-9, and 5-4
Iron Fist | uni: invincibility + iframe; dodge @ T2 | Story Mission 4-5 and 6-5.
Elektra | iframes + stun | Story Mission 4-6, 7-2, and 7-5
Black Panther | damage immunity + iframes | Story Mission 8-1
Thor | guard breaks + shield | Story Mission 8-9, 12-5, and 12-8
Blackbolt | guard breaks + damage immunity @ T2 | Story Mission 8-10
GR (Robbie Reyes) | iframes + shield | Bio Selectors.
Mantis | iframes + heal + fear bubble | Bio Selectors.
Red Hulk | guard breaks + heal + damage immunity (uni) | Bio Selectors.
Silk | shield + webbing | Bio Selectors.
 
Leadership characters - Only need ranking and mastery to be helpful. Characters worth further investment are marked with ‡
Boost | Character(s)
48% Damage to Male | She-Hulk (uni = +55%)
45% Energy Attack | Hela, Ironheart
45% Energy Attack for Blast | Ancient One‡, Star-lord (uni = +50%)
45% Physical Attack | Gorgon, Beast
40% Energy Attack | Ebony Maw
45% All Attack | Magneto‡ (for X-men)
36% All Attack | Moon-Girl‡
24% All Attack | Wiccan‡, Sin, Punisher, Ultron, Shang-Chi‡, Hyperion‡, Hogan, Cyclops‡ (+24% All Defense)
30% Energy Attack | Crystal‡, Singularity, Lash, Captain Marvel‡, Modok, Blackbolt‡
30% Physical Attack | Elsa‡, Deathlok, War Machine, Crossbones, Winter Soldier, Ulik‡, Hulk
18% All Attack, 18% All Defense, 6% Speed | Wasp‡
36% All Attack for Universal | Ronan‡ (+36% all defense), Medusa‡
60% Lightning Damage | Lincoln
60% Fire Damage | Satana‡, Red Hulk‡
60% Cold Damage | Misty Knight
 
Support characters - Generally cannot be main damage dealers unless marked
 

The Daily Grind:

Complete each of the daily "challenges". Most of these modes should be done during Hot Time (reduced cost and increased rewards) which occurs twice a day for 3 hours (6 AM/PM Pacific Time). Most can also be played on "auto" by using clear tickets. For Story missions you can "autoclear" which will insta-clear the level giving you gold and shield/alliance experience, but it will not give your characters experience.
Story missions (1+/day):
Complete story mode chapters up to 10 as soon as you can. You can level characters more quickly using higher levels. After you have done such, here's a list of story mode characters (alphabetical) that you might want to get:
 
Special missions (20 min/day):
Rank | New Avengers | Inhumans
1 | Songbird | Crystal
2 | Wiccan | Gorgon
3 | White Tiger | Moon Girl
4 | Squirrel Girl | Maximus
5 | Hulkling | Karnak
 
Daily Missions (2/day)
Fairly easy missions with great rewards including: gold and the option for Iso-8/nornstones, more gold/experience chips, or M'kraan Shards (X-men material).
 
Villain Siege (1-3/day)
This is a fossil of previous "end-game" content. It is more important that you win the battle than that you use all of the recommended characters. If you know it will take you two tries, then use a team with NO recommended characters first, followed by one with 2-3 of the recommended characters.
Use the Chaos Tokens for: Elsa >> Chaos Custom Gear Chest/Chaos Chest > Ant-man > Lash
 
Timeline (1-10/day)
A "one vs. one" matchup that gives honor tokens for each battle (win or lose) and crystals at the end of the week for how high you scored in comparison to others. Note that your characters start with all skills on cooldown while the enemy's do not. At least do one a day, but it would be worth it to do all of them.
Use the Tokens on Captain Marvel > Warwolf > Honor Card Chest/Honor Chest > Gamora
 

More to Grind

Alliance Battle
Great source of gold, norns, and bios. Here's a chart of who to use from my Alliance Battle Guide:
Day | Main Damage | Leader | Support | Notes
Open (x2; reset day) | Loki, Sharon, Hellstorm, Strange | She-Hulk, Ancient One, Gorgon, Hela | Warwolf (T2), Coulson (T2), Groot (T2) | save combat/villain (i.e. Carnage) for XAB
Combat | Hobo Iron Fist, Agent Venom, Carnage, Black Panther, Moon Knight, Red Hulk, Captain America | She-Hulk, Hulk, Shang-Chi | Groot (T2), Warwolf (T2) | save T2 Warwolf for XAB, unless you have T2 Coulson.
Blast | Sharon, Enchantress, Strange, Mantis, Cyclops | Ancient One, Star-Lord | Coulson (T2) |
Speed | Elsa (L), Kate, Rogue, Silk, Kid Kaiju | Elsa, Winter Soldier | Baby Groot (T2) | Speed day is tough. Get Elsa's uni and her T2.
Universal | Loki, Hellstorm, GR (Robbie Reyes), Captain Marvel, Black Order, Dmmu, Odin | Ronan, Medusa, Hela | Throot (T2) | Loki strikes again.
Female | Sharon, Floki, Elsa, Mantis, Rogue | Hela, Ancient One (uni) | Ancient One (uni) | Starog is easier than Loki (uni) and would allow Floki to be used for XAB as DPS (if no BO) or team-up (w/DMMU).
Villain | Loki, Enchantress | Ronan, Hela | n/a | Looookiii
 
Dimension Rift (3 "completions")
Coordinate Rifts with alliance members to get completion bonus (gold, dimension debris, energy). MFF etiquette strongly suggests you commit to several battles in a rift if you choose to enter it.
Cards to farm: Loki, Nebula, Baby Groot, Star-Lord/Yondu, Zombies (Heroic Rifts), and Punisher (Heroic Rifts)
Characters to farm: Loki > Wasp/Yellowjacket/Groot > Ronan > others
 
Co-Op (5 "Rewards" collections)
It is worth it to increase your VIP to 1 for its benefit in Co-Op alone. There are 8 reward slots that open with increasing VIP. VIP 1 opens the GOLD slot. Otherwise the first slot is random (giving you a chance for gold).
Characters at 4 stars & level 40 | Stage | ~Gold per "Reward Acquired"
0 | Stage 1 | ~260,000
21+ | Stage 2 | ~280,000
41+ | Stage 3 | ~320,000
61+ | Stage 4 | ~360,000
81+ | Stage 5 | ~400,000
101+ | Stage 6 | ~440,000
 
Epic Quest Missions
Memory Missions, Dark Dimension, Tracking, Veiled Secret, and Mutual Enemy will eventually become part of your "daily grind," but as a beginner focus only on farming Rogue and Beast from the X-men "Tracking" missions. It might also be worth farming Baron Mordo from Dr. Strange Memory Mission "Road to the Monastery" partially due to the extra obelisks.
 
World Boss Invasion (unlimited)
Your characters will be temporarily maxed for this co-op boss battle. Be sure to read and follow the requirements as best you can. Push the purple button when available. Slot boxes for later and then open them for random norns, bios, and other resources.
 
World Bosses
Gives black anti-matter, chaos norns, and bios for the black order (BO) characters. One of your primary goals of the game should be to beat world bosses as soon as possible. A few pointers:
Once unlocked and clearing 30/35 build up: Strange >>>> Corvus/Proxima > Odin/Dormammu/Jean >> Thanos > Ebony/Supergiant >>>> Black Dwarf.
World Boss Ultimate is ridiculously challenging.
 
Shadowland
A "transition" into end game content, but you can do it! Try your best to get farther each week. Floors 5, 10, and 15 reward bio selectors. These are my Six Pieces of Advice for Shadowland:
  1. Force low tier characters to clear difficult low floors. Save T2 for floors 10+
  2. Plan out all static floors (1, 2, 5, 21-25) but especially floors 22 and 23 (and floor 5 for a beginner).
  3. Keep Track of your Roster.
  4. Unless you want a specific reward avoid Waves, Rumbles, Reflects, Bleeds, and Spider-Army
  5. Keep Track of your Clears and Analyze for Improvement
  6. Have Fun, Take Your Time, and Good Luck!
First time clear rewards are incredible including rank up tickets, cards, awakened iso, and Black Anti-matter for Epic Quests and ranking up Native T2's.
 
Battleworld (1-10/day “when active”)
Occasional event that can reward bios, iso, obelisks, and cards. I would at least do one to get “on the board” and get some reward. It is usually good to max your participation if you can just for the gold participation rewards though which scale up with number of entries.
 
Alliance Conquest
Depending on the activity of your alliance you may be required (or encouraged) to participate in this incredible, interactive battle game between 3 alliances. It is reminiscent of the world domination game Risk.
It has two phases: the obvious Attack phase (3 times a day) and the slightly more confusing "prep" phase. During prep phase all you can do is revive defeated characters with alliance tokens from the store or switch defending characters with crystals. It will be difficult to contribute much until you get a few 6* characters.
 

Comic Cards Offer Huge Team-wide Stat Boosts

Check out this awesome card guide. You want to work on building 4* cards with Skill Cooldown and Ignore Defense and then slowly replace those cards with 4*, 5* and 6* cards with Skill Cooldown, Ignore Defense, and Attack. Here are some great cards with "ideal rolls" from Comic Cards INFO:
Card (Acquired) | Stat 1* (static) | Stat 2* (static) | Stat 3* | Stat 4* | Stat 5* | Stat 6*
Loki (Loki Rift) | All Attack | Cooldown duration | Ignore Defense | Attack Speed | All Defense | Energy/Physical Attack
Marvel Zombies #2 (any Heroic Rift) | Dodge | Cooldown duration | Critical Damage | Ignore Defense | Recovery Rate | All Attack
Baby Groot (Groot Rift) | Critical Damage | Ignore Defense | Energy Attack | Cooldown duration | All Defense | All Attack/Physical Attack
Star-Lord (Yondu Rift) | Ignore Defense | Critical Rate | Physical Attack | Cooldown duration | All Defense | All Attack/Energy Attack
Avengers (Nebula Rift) | Max HP | Ignore Defense | All Attack/Physical Attack | Cooldown duration | Critical Damage | Energy Attack
Punisher #19 (any Heroic Rift) | Ignore Defense | Attack Speed | Max HP | Cooldown Duration | All Defense | All Attack
Civil War #4/Thor (Crystal Card Chests) | All Attack | Physical Defense | Physical Attack | Cooldown duration | Critical Damage | Ignore Defense/Energy Attack
 
It is very expensive to "unequip" cards, obelisks, and iso. Build them up in your inventory before you equip.
 

Character optimization for damage/survivability balance

First off: skills that increase by % (i.e. summons, buffs, and shields) should be upgraded.
 
Gears are built similarly for every character
Check this out for more in depth explanation, but this is the basics:
Gear | 1st slot | 2nd slot | the rest
1 | Energy/Physical attack per lvl | "base" energy/physical or all attack | "base" energy/physical or all attack
2 | Physical defense per lvl | Energy defense per lvl | All defense
3 | HP per lv | HP per lvl or HP | HP
4 | Skill Cooldown in as many slots needed to get 50% | Ignore Defense in leftover slots (until 50%) | Crit damage, attack speed, or crit rate if both SCD and Ignore Defense are maxed
† You need to figure out if a character has attacks that base off of energy or physical. From there you only want one or the other. A bit confusing.
Aim for 17/17/17/17 on characters you use semi-regularly and 20/20/20/20 on your main characters (required for T2 ticket).
 
Attack Iso Sets (OD, POAH, HE) tend to be the best in the long run, but heal (IAAG, SB) and Shield (DDE, BP) have their place.
As a beginner you will likely need survivability boosting until you can max your skill cooldown. It is easiest to roll Stark Backing (heal set), but I am Also Groot (heal set) is better. Drastic Density Enhancement is a shield skill that procs on attack. Binary is a Shield on Defense. As I've moved through the game I have found that I want an attack set (Overdrive, Power of Angry Hulk, or Hawk's eye) on essentially all of my characters. Note that Hawk's Eye can lead to redundant SCD and lacking Ignore Defense.
Don't equip fully awakened Iso unless you for sure want to keep a set (i.e. not Stark Backing, but yes OD or POAH). Equipping 3* or 4* iso on most of your characters should be fine. You can equip 5* and 6* iso on your main World Boss and Alliance battle hitters.
 
Obelisks ideally should have some attack stats and either a damage increase "1 attack" or an invincibility proc.
For Obelisk building start with:
and then upgrade/change option until you get a good proc. Ideally increase damage "1 attack" (any mode but especially XAB) or invincibility (any mode but especially timeline and alliance conquest).
 
Uniforms:
Never buy uniforms unless they are on sale (750 or less). I would not buy uniforms just for the sake of increasing the stats of another uniform wearer. There is always a benefit from buying a uniform for a character that you use, but there are definitely a few "game-changers":
 
 
Tier-2
T2 will always increase a character's overall power, but there are a few that are particularly useful. When looking to Tier 2 a character take particular note of how their skills may change and possible team-wide boosts.
Elsa, Black Bolt, and Carnage absolutely need their T2. They gain a damage immunity (invincibility for Carnage) on one of their skills which significantly increases their survivability.
Support characters have significant team boosts at T2 which may make their T2 of higher priority than other "worth it" T2's. These include Coulson, Warwolf, Groot, Wasp, and Mantis.
 
Skill Rotations
When using a character, the order of skills you use can have a significant impact on survivability and damage output. Try to prioritize higher damaging skills (usually 5, 4, and 3) and buffs (usually skill 5 or 3) while also preventing overlapping survivability mechanisms (damage immunity, iframes, guard-hit shields, and crowd control). As an example look at Sharon's skills:
Damage Immunity ... ... i frame
3 1c 5 2c 4(c)
Skill 3 starts the damage immunity. Skill 1 is a non-iframe skill. Skill 5 ends in an iframe and the beginning of skills 2 and 4 are both iframes. You could also just do 3-5-4 with similar reasoning. With the Starlight uni do not cancel skill 4 (the iframe/main damage is at the end).
I've compiled a list of skill rotations specifically for Shadowland, but also useful for any other mode. Keep in mind that stun-type debuffs have no effect on World Bosses (other than Skill 2 "Charm" of Enchantress).
 
Uru are a huge resource sink-hole that become increasingly available to you from level 60-70
They can fill in the cracks of your character build after you have used up your gear options. Do not try to get mythic uru unless you are willing to sell your soul; rather, shoot for 4* and maybe 5*. Once you are at level 70 try the following algorithm:
  1. Fill all empty uru slots with worthless 1* uru (physical defense) then amplify until you have 3-4 shiny spots.
  2. Equip 2 attack uru (energy or physical) on each gear in the amplified spots.
  3. Max Skill cooldown at 50% (200=1%).
  4. Max Ignore Defense at 50%. (200=1%).
  5. Equip whatever you feel the character needs. Critical Damage/Critical Rate are solid options (boost at about 2:1 ratio). Attack speed is useful, but not for every character (shortens iframe time). HP and Energy Defense is great for Destroyer. Dodge might be useful.
If you only have a few slots available then I would focus on SCD and Ignore Defense, but recognize the uru you equip might not be there to stay. Amplifying is RNG (as most things in this game are) and you may end up with redundant stats (i.e. a slot with SCD or Ignore Defense gets amplified).
 

Lab upgrades (especially Item Shop) may have some value

How much you actually want to upgrade these things is up to personal preference, but imho it is generally too costly. But you can get a second opinion
 

Quick Start Glossary

I tried to avoid jargon and acronyms specifically in this guide, but head over here for ones you will definitely come across.
 

Updates

submitted by aby_baby to future_fight

New Atlantia: The ruins of Greenway "concept pitch" 01.01.03.1

name of the game:

-

New Atlantia: The ruins of Greenway

---

project pages:

-

https://docs.google.com/document/d/13PHPZeRcitKKL6JtJd1Aod5JtPcPNMHfHqcG_4jYQQs/edit?usp=sharing

---

some descriptive terms:

-

an open source cross-platform title (also works on mobile), openGL powered and created in conjunction to blender

uses Godot Engine and is fully moddable through use of mod.io API (softwares)

makes heavy use of procedural generation and uses a random HEX seed that you can enter manually to set the generation environment up

persistent sandbox game with fully destructible environment including ablation of the ground and hill/mountain-sides through use of explosives, lasers, and drills/diggers

game makes use of other open source projects such as chromium for the integrated web-browser and tox for chat and voice. The game automatically starts an instance of I2P and plays exclusively over the darknet, though exit nodes should be available and darknet can be disabled for censorship related purposes, but games/server instances needs to have exit node enabled to allow censored players to join the I2P network through the exit node

the only advertising is the official greenway splash in the beginning of the game when you start it up that explains a bit about the game and asks you to please join operation greenway and join the effort to create a green and good greenway

the game is meant to be played online, but there is a single player offline option as well

---

licensing:

-

open source honestyware
https://defuse.ca/honestyware.htm

---

funding:

-

the game will be funded by a 30 second timed monero miner that deposits the crypto into the operation greenway "trustfund". donations in other currency will be accepted and then converted directly into monero deposited into the secured fund for this project. no funds from the project may be diverted into other government projects, but other relevant government projects may deposit funds into this one if their funding structure supports the transfer of funds to relevant projects. GreenSoft will receive 20%=
---

mission:

-

"to provide the most playable and fun sandbox on the open source market, and make the first fully open source 3D game of its kind, to simulate Greenway up from the ruins, and bring civilization back into outer space. to foster creativity and fun along with promotion of greenway and awareness to issues with various political systems in the civics mode of the game. to gather support for operation greenway through a donate and involvement buttons right on the front loading screen of the game"

---

disclaimer and excitement:

-

this may sound like a coder's nightmare with all the parallel integrations and embedded VMs running linux with open ended compilers within the code, but trust me, in the future, people will look back at this project as one of the most noble software engineering feats ever pulled off for the sake of open source community (and advertising a micronation!). the goal is to blow not only the people but developers themselves away with an entirely new set of in game mechanics based not only on usability but underlying software paradigms like cloud resource computing and network cluster driven computation acceleration (experimental distant scene rendering over network). I guarantee that after all is said and done and if the project ever gets finished or damn near close, that the payoff will be big and the greatest reward will be hearing all the happy people talking about THE KILLER APP FOR ALL SYSTEMS.

one major issue is game overhead, and the fact that the game will need to run either a lot of processes or one large bloated process with an internal task manager to manually adjust game settings to get compatibilities just right and fine tweak the system; the game will be small enough and huge at the same time, with the inclusion of multiple tools and embedded software releases in each version

this is a HUGE PROJECT for a HUGE OPERATION, one for all, and all for one, to promote and secure domestic tranquility, greenway's government will most likely be releasing "New Atlantia: The ruins of Greenway" before the artificial island is built, which will foster a flood of honestyware payments and donations (honestyware payments disable the 30 second donation and cryptocurrency miner script)

don't feel daunted by the task. when you are in doubt, turn to something else on the LONG LIST OF THINGS TO DO or even just make some concept art sketchups on the computer or play the currently progressed version of the alpha/beta game

i think that an etherpad based editor for making the game would increase the flow of ideas sharing. more open source collaboration softwares should be researched and discussed for greenway and for the purpose of this document, particularly focusing on the digital side of things such as this game concept

!create this decade's killer app, "New Atlantia: The ruins of Greenway" and help support operation greenway's mission to gather attention in the international public's eye and earn free advertising forever!

---

plotlines:

-

based loosely off of ideas found in atlantis (a lost civilization), fallout 3 (video game), ark: survival evolved (video game), eve online (video game), space engineers (video game), half life 1/2 (video game), halo wars (video game), no man's sky (video game), aliens versus predator 2 (video game), metal gear solid 3: snake eater (video game), altered carbon (show on netflix), crysis series (video game), defcon (video game), portal (video game), xxx

an alternate universe with some parallel timeline characteristics (E.g. the lost civilization of atlantis, heisenburg {"heisenbohr"}, xxx)

antimatter warheads were launched in a global nuclear war on an alien planet in a distant galaxy far far away, star wars, with humanoids called prometheans who had advanced technology all over the planet because of developments in private industry that took off with the freedom in Greenway

you start off in the ruins of greenway, everything looks like fallout 3
you are born to parents who lived in the sewers (common spawning story at a random sewer in game)
you quickly learn to make fire and weapons from wood and rocks, moving to slingshots and crossbows, and later eventually graduating to ar-15s and plasma casters
raid the ruins to find useful items including tools, weapons, and ammunitions
you also learn to make a shelter, house, fort, and even an entire city with the blueprints you will discover throughout the game
later in the game, you will be able to build a spaceship, spaceport, and even a frigate and mothership, all in the spirit of space mechanics, where you first forge the pieces and then put them together either by template (blueprint) or manually by hand
like ark survival evolved, you will need to scavenge and hunt for resources on your own time
destroyed objects typically contain scavengeable parts

adventure through the ruins of a highly-advanced technological civilization
advance from meager sewer person to founder of New Greenway
re-create greenway in all its glory and adventure into space to explore and colonize

form a clan and play through the game to decide your faction. you can declare a truce with a player of that faction and work with them to earn respect in that faction again, getting to neutral and then friendly again. factions work like a tree with branches, you start in the trunk neutral with everybody and as you progress through the game, you naturally will align with one of the branches and finally a sub-set branch, where your position is indicated by a coloration of each branch (and a "leaf"?)

your goal is to befriend bots and real people to help you rebuild civilization and re-establish greenway, from anarchy to law and order. the game has persistent bots with progressively learning AI that will learn from your previous actions and interaction dialogues. you first make a city, then you unlock civics, and then your goal is to rebuild greenway and launch into space to colonize and scavenge for blueprints in engineers manuals and high tech including fully working antimatter powered ships in the holding bay of some ships.

game style is all vs all and cooperative through factions and clans, with PvAI and PvP gameplay, such as shooting a friend to steal their blueprints or having your fort attacked by a mob of angry AI. there is a setting to disable PvP in private servers but PvP is enabled in the official servers. there are "quests" you perform like in fallout 3 that progress you further towards colonizing outer space. players and AI can work together to build up civilization again from the ruins. one cooperative element is a donation library where books/blueprints are available from donations by players for checkout for limited periods of time (1 week of in game time). there is a clan management interface

greenway was an artificial island mass created in 1200bce relative to the game time by the prometheans as an escape from the authoritarians growing up around and warring among them. greenway eventually fell to the world war and the civilizations surely crashed beneath them. the startup videos show animations of greenway when it was green and good, being nuked with antimatter weapons in the year 1120bce. greenway took off into space but dies out due to an infection of aliens who are still lurking in intact ships within the galaxy waiting for you to discover the horror; by the year 400bce most of the underground cities died out and only the sewer dwellers in between remained; you are spawned in 0ce and the game has its own progression of time from there

you must first develop a boat and explore the surrounding islands to find the blueprints needed to create an airplane and fly to the nearby landmass about 250km away from greenway, then from there procedural generation takes place and all is free game, but there you will discover triangle craft blueprints and now you can fly around the world and into outer space once you reach the tech level to build them.

players can barter with each other and bot traders will trade with you too based on your disposition towards them; you can eventually find small towns with bazaars and markets to browse; open a store and start a business, evolve into an enterprise including enforcing security and/or mercenary contracts that you can pickup at a local bar or from select bots or any real player

players work together to make the civilization thrive again, from anarchy and ruins to a metropolis in outer space, greenway needs you to join the efforts on this game

realistic game mechanics where habitable worlds are within the goldilocks zone for their sun. deploy a garrison of bots you employ to terraform and colonize the planet's surface for greenway or your own nation

political simulator and sim city / tycoon like overview of your installation/s; Write a constitution for your state and federal government; Machine readable converter automatically marks up your document in AIML to simulate your text as a civilization (experimental); also you can choose the easy version which has templates of various useable texts for your political experiment!

the game is the first of its kind with an open universe fully destructible sandbox with persistent bots with deep-learning AI

the game also houses several mini games including the ganja seed card trader game (cryptocurrency backed seed growing and collector card game) and new atlantia: pirates which is based off of otys (board game)

---

game features and mechanics:

-

hire private security to protect your installations/bases/forts

work jobs to earn items

real time strategy war elements for fights like halo wars (video game)

imitate the jurassic world evolution game and make it possible to extract dinosaur DNA from fossils/amber and create dinosaurs (requires high tech level); downside is that in the future there could be hella dinosaurs everywhere

imitate the alien/predator movies and make it so that you can discover dead xenomorph or predator DNA and resurrect them by incubating in a sea mollusk or embryo, which you can discover the method by finding a journal or random chance

realistic DNA editor and genome sequence simulator that uses cloud resources of all gamers to compute and is redirectable to a local cluster computer with optional resource share (all resource sharing is adjustable in game with defaults based on hardware performance ratings versus settings and adjustable system overheads)

life on other planets; collect specimens to keep in a panspermic zoo and collect DNA from specimens to create splices

jumpgate codes and star maps for foreign systems (requires 0% discovery to have all solar system details)
puzzle solving and "hacking" to get into locked down areas, enable power, decode transmissions on your full-spectrum broadband transceiver, and disarm bombs for example

panspermia stuff with contagions on ships as a possibility which will form a biofilm in your shuttle and make you sick or cause a zombie plague

player ownership is primarily established by dominance but later on in the game there will be private security for hire to protect your shit and also police in the cities and sheriffs on the outskirts until the anarchist nomad zones which are areas that do not have enough established dominance or near enough to a city to be considered claimed territory since claims are too heavily disputed and non-enforced; you respawn naked back in the sewers where you started and need to work your way back up to get into your stashes until you are back in business

mining can be done for multiple reasons along with archeological digs to find artifacts and lost underground areas/cities

enable craft to dive into the oceans/lakes/rivers/streams for cover and enable underwater cities

bug reporting with screenshots and "frapping" (video/audio camera roll) built in and crash reporting directly to the team

underground cities and caves that go into pockets of underground water (clean water)

bullet time (single player only)

fog of knowledge (like fog of war)

grow a garden outside or indoors and even inside of your personal cruiser a few plants in a little closet, like cannabihopa plant that is effectively hops and cannabis in one with smokable buds rich in myrcene and thc/cbd/etc...

the ruins in space will be the most interesting, with scavenging having big payoff for big danger, like reactors that melted down after the craft were struck by antimatter rockets, and having to pass through a reactor room in your suit and get to the "Detox station" in time before you are fully radiated and your health drops to zero

i would also like to have HEV suits you discover in a partial map of the black mesa compound in a desert area on your home planet. the black mesa compound has all sorts of tech you can scavenge but is highly disputed by private military (bots) which also have robots and drones who will chase after you to kill you

the space component of the game will have dead highways of jumpgates that require power supplies to be repaired and the correct system and code sequence to be entered to bring you where you want to go. some gates have unlocked systems, but those owned by a foreign nation will have a passport code you will need to have a valid passport for to use or know a skeleton code (skeleton codes only work for their player and are a very rare random thing to find, sometimes the best place to look is a pirate ship or an anarchist lifeboat)

you can fly all over the planet (flight simulation), but you start off in the ruins of greenway, in new atlantia, where the library of congress is, and you have to discover it among the ruins after you travel to a completely distant part of the map in your country of ruined greenway

advanced players will have entire industries under their control, and an "empire manager" is available as a "HUD" in game where micromanagement of your industry can take place all over in outer space and your commands be transmitted at the speed of light through a wormhole (you must create all the necessary infrastructure)

realistic solar systems and procedurally generated goldilocks planets that also enable non-goldilocks planets to be used with realistic heat, chill and bio-zones

heavy focus on user interface and user experience; futuristic steampunk look

other bots and players on the map can start forts and make cities and start their own nations, particularly the bots on other parts of the map who will work with or against you and your fledgeling nation of new civilization.

eventually there will be dinosaurs and aliens along with predators running around which will slow down everybody, and we need to try and ensure that the mechanics of the game make reproducing viable offspring require a high tech level to create so there are far less instances of "festering plagues"; aliens/predators and dinosaurs can sneak into your forts, cities, and even ships and come along for a ride to kill you and your crew and screw up everything; this feature will be disabled in at least one of the official servers to prevent infected plagues of servers which you die in 10 seconds every time since the aliens are everywhere since their bots and AI keep reproducing (evolutionary genetic based algorithm for AI traits)

discoveries and quest accomplishments along with defeating enemies and hitting certain wealth proportion and empire goals earn you XP which levels you up, building will increase your construction level for example, with no cap on available levels

extensive server administration interface with "resource injection" commands and "bot spawning" commands

dynamically changing environment with real erosion from water flows and seasons and weather and daytime nighttime, and procedurally generated fauna which are harvestable and actually follow population mechanics and statistics; it is possible to hunt animals down to extinction but unless every part of the animal is used, DNA can be extracted and it can be made again in a lab with high enough tech skill even viable to reproduce in the wild

splice dna from different fauna to create new creatures; custom create dna from scratch to make newer creatures with the creature designer

tame creatures to work for you and even ride them; use creatures to form a caravan and carry your stuff; creatures will stay loyal to you as long as you do not hit them much and cause damage, otherwise they will flee (some will immediately fight back based off of intrinsic aggression and predatory traits); imprint on creatures created in the lab often like the alien to make them your loyal children and unleash hell upon your enemies

your camouflage pattern will hide you when you are in a suit. change camo on the suit in the menu like in metal gear solid 3: snake eater; you will have an alertness indicator on your HUD that shows whether or not you have been seen and from who and what angle; become a master of sneak and sabotage, use your skills to rob installations and build up your stock (no penalty for selling stolen items as long as it is not sold to a narc or undercover who is aware of the theft)

there is an ingame internet based on TOR that a user can accumulate through raiding military journals to learn how to build a computer and a mesh-networking router (gigahertz {land/craft} @ 10GB/s & terahertz {space} @ 3.333333333333TB/s limited speeds) with b.a.t.m.a.n, which actually runs a simulation of this network protocol and realistic packet failure over wireless networking based on distance and obstruction type

drive a plethora of craft and design your own with either blueprints or from scratch, with every level of detail available (complete mechanical diagrams are modifiable and entirely custom designs can be implemented)

neural design in AI to solve complex puzzles by trial and error and probability based shortcuts to learn new foes and environments quickly as real life does; use of OpenAI (an e_musk/tesla company)

the ship can be set to autopilot either on a set route and defend itself and try to refuel and repair at a nearby station if available (costs items placed in the auto-barter section)

dynamic economy simulation and insights once you attain a high enough bartering skill, when greenway is up and running, a metatrader (software) like interface of available tradeable resources and their relative values tied to the closest thing to a credit in the game, a unitoshi which is the base numeric value of all items traded in game and used to compare item's values to one another by the in game engine

there is a low light amplifier (like in avp2 video game), and vision modes (like in avp2) along with cyborg enhancements such as a telescoping eye with rangefinder and "FLIRed" (technology name for forward looking infrared) binoculars for the poor men who need to stash their tech

dying does not affect your levels and knowledge, because you are re-created as a clone at a cost, including debts where people will come after you after a long enough time has gone by from your last clone, this is from altered carbon (show on netflix), where your new clone body is called a sleeve, and your consciousness is uploaded via satellite and other wireless transmitters to the clone corporation which is always anarcho-capitalist and always has more power than the government because it owns all the "reboots"; rebooting into a sleeve is a phrase in the game; this is equivalent to respawning, but it incurs debt for the bounty to recover your disk. there is always rolling charge to upload your consciousness which is rolling autosaving but on average through an insurance algorithm your rolling update will pay off more than the bounty to recover your disk each time you die, and the charges are lower the less often you die vs the bounty on your disk which only rises each time you die till it is maxed out at like 100,000,000 credits which you have to get by bartering or working for the company collecting disks for bounty; the disk is dropped in a nearby system and you have to go and pick it up for a pittance, or with a high enough tech level and enough contract experience, you can go on deep space missions and travel to distant star systems to collect as many disks as will fit in your cargo bay; disks are a genetically engineered biological computer that stores information quantumly through nanocellulose and diamene coating to make nanotubes that are indestructible and can operate in the tetrahertz microwave range, they are also bioluminescent and ink photovoltaic based, capturing their data through a biological optic cavity system near the pineal gland. they must be inserted as a clone is growing and the pineal gland must have this disk copied into the new biologically formed disk through transcranial magnetic stimulation

plenty of maze like portions of procedurally generated dungeon like caverns and interiors of buildings with no labels inside vast underground cities; plenty of dungeon crawling style excitement; use portals like in portal (video game) to cross into difficult areas secured within the black mesa compound

puzzle solving will also be an important step in fixing things that you do not have a blueprint for

join and exit formations at your leisure and command armies from near and afar

form a strategy and create a work team to build your forts and cities

global map overview like defcon (video game) has the ability to strategically place your formations around a planet, and a 3d outer space voxel based layout grid allows you to command in space and the air, with the grid center projected from the center of the galaxy

build and battle mech suits like the alice combat system (avp2 video game) and iron man (comic book) or animatrix (movie) suits

---

game features:


in game DTV broadcast systems project national games and tournaments when they come online in the official servers, and can be hacked to display avi, mkv, and mp4 files of the users desire; smart tv systems that can recognize spoken words from the user mic and follow commands

computers in game have access in an in game internet with websites createable by the user and virtual camera phone/tricorder devices that can capture pictures, audio from the mic, and record video; use webcams to create a security surveillance grid (uses ispyconnect and/or ZoneMinder and virtual camera/s in the game); use a laptop in the field to pilot a drone or an army of drones from your cluster computer in your tribe's fort; there is an in game instance of openStack running enabling limited cloud computing for the DNA sequence calculations; create a real life cloud service computer system or order one to gain computing power in the game (can be a profit point for the team to maintain the dedicated server); multiple cameras available to access reminds me of red faction (video game) or even duke nukem 3d (video game); get military security with encrypted computers running veracrypt, prevents computers from being nearly as hackable; KeePass software protects the computer from easy break ins and bruteforcing is required from another computer; each computer running needs a small amount of system resources and there is cluster computing under openstack (software project) within the game as well as cloud servers hosting the game to bruteforce 8-char max passwords; computers store data on cloud servers hosted by "GreenSoft" alongside the dedicated servers and outproxy nodes for "bridging" into the I2P network; experiment in distributed computing to enable network accelerated VMs though virtualbox tweaks and re-writes

in game internet is wifi mesh networking over b.a.t.m.a.n with (sharded?) tahoe-lafs storage for each user account on each dedicated server cluster

learn to hack in the game using legitimate hacker tools like the kali linux (distro) collection where you collect programs you find in military bases and on holodisks scattered throughout the game

the storage of user data is distributed throughout the network via multiple redundant shards or shard seeders. the network automatically balances the shards based on checksums of data stored locally on their machine within a veracrypt container that only the zero-trust distributed system knows the master key to (the ceremony is a distributed trust system where all peers generate a portion of a master key, the more people contribute the better, this is part of the initialization time for the game and all servers through a ceremony)

there is an ingame spoof of cryptocurrency where fake FLOPS are taken from machines you build or find/steal/hack and a monero style cryptocurrency using moneta verde mining schema, you have to collect this greencash source code from the state bank ruins in New Atlantia

interstellar mesh networking using lasers as optical network inside the jumpgates which connect to a wormhole device that pipes the signal as UV lasers

smartphones in the game are achieved via QEMU in VM running a legitimate version of replicant that can run apps off of the internal flash or holodisk memory

make microchips in a lab that the gnu octave engine will simulate outputs for and translate to useable elements in game like outputs in a serial console on an atmega (microchip brand name); specifically the microchips will be simulated down to the assembler level and FPGA language (Verilog) will be used to code the logic circuits

audio and video streaming provided via tox and all streams are password protectable

the programming studio built into the game computers debian linux mint is eclipse studio (software) for all programming languages comes with compilers for all major human programming languages, enabling people to create homebrew ingame; includes godot, blender, and mod.io api. capable of compiling FPGA Verilog and running an instance of QEMU and virtualbox within itself;

antimalware engine in game computer is based on real antivirus definitions for linux (clamav, Chkrootkit, xxx)

in game linux has clone mirrors to real versions of the software available to people, with the server administrators manually enabling or disabling separate packages to make available to their users (uses more disk space the more packages are available); repositories point towards the dedicated server and fetch through regular I2P; dedicated server serves as a whitelister and access restriction program that only allows connections to eepsites created using the same server token, effectively creating a sub-darknet because outside access is restricted by token signed in conjunction with the user account public key for that server instance

---

program features:


updates implemented through torrents and auto-update scripts and automatic md5 hash checking for integrity with fetch from main server; source code borrowed from qBittorrent; xxx

game available over torrent as alternative to synaptic package manager or download from the ftp/http web server (resume supported from server)

game music is streamed via TOX to all connected clients via the dedicated server's song tracklist; mp3, ogg, and wav are all supported (along with experimental midi + instruments over network); single player server runs an instance of tox signed in as the music stream and you can select the songs like the server admin

sleek interface integrates dedicated server to gameplay and you can play as the mod and spawn items while controlling your server from the same in game UI

possible to run in a VM with guest extensions for 3d rendering installed (makes compatibility for other hardware and distributions "complete")

can order DVD from "greensoft" that means paying postage and cost of the DVD (lightscribed), that is a live CD (debian linux mint) that has the game installed to run with all necessary dependencies and install distro to disk (for the drafts of the greenux OS); .iso is available for download from "greensoft" website

extensive use of procedural generation for textures, landscapes, fauna, in game buildings and crafts, internal mazes, etc...

built in chatbots with bot characters are marked up in AIML and become unique based on independent interactions you have with them

built in spellcheck! and markup check! (borrowed spellchecking from chromium)

in game console with accessible scripting engine in GDScript (Godot native scripting engine) help includes "cheats" which includes how to enable cheats and each individual cheat with its parameters explained

extended options with expert mode including expanded server operator options

nginx server running to host friendica page for game social media functions, routes over I2P; web server administration like webmin and ispconfig; web site generator WYSIWYG editor for making a frontpage and complete website in game;

in game computers use virtualbox to make a debian linux mint instance run within the game on the player's screen

"anon grade" secured against data leaks and tracking, being the first video game known to be used exclusively on the darknet (outproxy nodes are run by the official servers that are made available as "bridges" into the network); defuse passgen code used to generate hexadecimal keys and also used for cryptography in game

dedicated physics simulation with GNU Octave code and interpreter for events like craft maneuvering and weapons collisions, is used for the waveform in audio playback and for compiling screens on electronics in game (live textures);

an instance of hashcat is included within the game VM to literally bruteforce codes in the game

aircrack-ng is included as an instance to run on your in game computer to crack into neighboring networks including ancient military service lines which go into every sector of the known universe

extensive support for trainers and "auto-minedefender" bots/scripts which are allowed in the official servers

compatible with VR (opens two renders from different vertical positions)

video monitor selection in game and 4k support, triple monitor support

gnu octave used to simulate circuits for design for your electronics
see an electronic simulation software package for GNU octave @ https://github.com/jlmayfield/quantumCircuitSandbox

decentralized login server for cross platform gamers using blockchain technology, auto synchronize with gamer profile in the game; credentials stored with KeePass (software) to protect from hackers

in game chat using tox has nicks for all server players and also there is a global server chat. experiment with chat rooms including audio and video in tox. chat supports announcements that can be recurring or once with scheduling; hexchat (software) repurposed with TOX for the protocol; password locked chats and openPGP interior text encryption support; alternative to tox.io is the eepsite that the integrated browser seamlessly navigates to and enables you to search for friends ingame online

game will run in windows under Cygwin, and all released files are compiled for cygwin

cheats in console require server cooperation or they won't enable; private servers can disable individual commands from running or keep their values within ranges

hard embed in the source code of each release the most current draft constitution of greenway and when greenway is finally established, hard code in the constitution into the source code (use commenting on the whole thing, put at very bottom of source code, make non-essential to run game {can be stripped out by compilers on demand})

console versions (xbox one and playstation 4) will run an instance of debian linux mint with no xwindows just the game screen, but it should be hackable re-initialize the desktop of lxde which is available through command switch when you execute the game binary (hold down "control" key combination on controller to enable pre-initialization console and use the console screen of your keyboard to type in the command which is available from the greensoft website), and adds wireless keyboard and mouse support for usb devices, allows people to softmod their system using the game as a side loader instead of the system default dashboard

complete forking guide and detailed documentation for all aspects of the game and included programs including the console and a detailed section on "cheats" like god mode and noclip; all lines in source code are commented in a clear and concise fashion that is machine readable

---

message to developers:


are you interested in working for this project but not sure if you are up to joining? talk to ghost liberty in operation greenway chat @ https://discord.gg/9RtrTZh or email them at [email protected]. make sure to make your subject about "new atlantia game" and we will get back to you about opportunities to join and help foster our project. this game is a much smaller part of a much bigger project to create a new nation for citizens of the world. please understand that you may be paid little to nothing if you work on this game but your name will be legendary for all time among the opensource community

---

xxx

submitted by ghost_liberty to u/ghost_liberty
