It’s used to check for website breaches. From How to stop Firefox from making automatic connections:

Firefox Monitor warns you if your online accounts were involved in a known data breach. For more information, see Firefox Password Manager - Alerts for breached websites.

To get the latest login breach information and more, Firefox connects to firefox.settings.services.mozilla.com

To disable, see here.

You can also run VirtualBox with KVM as a backend.

The attack worked, the password is cmF0dGEK.

This was obtained by generating 32 possible plaintexts for the first 10 bytes of system.zip (based on the different values in the headers of ~300 zip files on my system), plus three null bytes for the high bytes of compressed size, file name length and extra field length.

The entries in update.zip are encrypted using the weak ZipCrypto scheme, which is known to be seriously flawed. If you feel motivated, and can guess at least 12 bytes of plaintext for an entry, it is possible to recover the internal state of the generator, which is enough to decipher the data entirely, as well as other entries which were encrypted with the same password. The bkcrack project implements this attack.

Since some of the entries are zip files themselves, it is within the realm of possibility to guess 12 bytes of plaintext. Parts of the zip local file header are pretty static, and you can use some of the values from the local file header of update.zip itself. Still, this would require a bit of luck / inspired guesswork.

I think glider can do this, with -strategy rr (Round Robin mode). I have not used it in this way myself, so you might need to experiment a little. Proxychains can also do this, but it doesn’t present a socks5 interface itself (it uses LD_PRELOAD, so it won’t work everywhere).

Argon2id (cryptsetup default) and Argon2i PBKDFs are not supported (GRUB bug #59409), only PBKDF2 is.

There is this patch, although I have not tested it myself. There is always cryptsetup luksAddKey --pbkdf pbkdf2.

GRUB works just fine with LUKS2 these days. There is no need to switch bootloaders.

This seems right and exactly the way I’ve set it up. On subvolid=5 I have subvolumes @ and @home, in /etc/fstab I mount / as subvol=@, and /home as subvol=@home.

Could you run sudo lshw -C network and post the output for the wireless interface?

Here is a config template to run an obfs4 bridge, make changes as required:

BridgeRelay 1

# Replace "TODO1" with a Tor port of your choice.
# This port must be externally reachable.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ORPort TODO1

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# Replace "TODO2" with an obfs4 port of your choice.
# This port must be externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 0.0.0.0:TODO2

# Local communication port between Tor and obfs4.  Always set this to "auto".
# "Ext" means "extended", not "external".  Don't try to set a specific port number, nor listen on 0.0.0.0.
ExtORPort auto

# Replace "" with your email address so we can contact you if there are problems with your bridge.
# This is optional but encouraged.
ContactInfo 

# Pick a nickname that you like for your bridge.  This is optional.
Nickname PickANickname

You can also use the reachability test to check if everything is configured correctly. If it is reachable and bootstrapping reaches 100% you should be set.

Set SocksPort if you want to connect your browser (don’t confuse this with ORPort). Default is localhost:9050.

I’m not on NixOS, but I have a decent working knowledge of Tor.

Not quite clear on what you’re trying to do, are you trying to run a relay, or just connecting to the Tor network and pointing your browser to the socks proxy?

Arti (the official Tor implementation in Rust) is not a complete replacement for the Tor C implementation yet. Hidden service support is disabled by default (due to the lack of a security feature that could allow guard discovery attacks), and bridges don’t work either. If you don’t understand Tor very well stick with the old router.

I occasionally experience the same thing. When this happens, it appears the jwt token is not sent with the initial request (thus appearing to be logged out), but it is sent with api requests on the same page (unread_count, list, etc.), so the cookie is not lost (document.cookie also shows it). Sometimes refreshing again fixes it, but I haven’t yet found a good workaround. I’ll experiment a bit next time it happens.

But you can do this.

Indeed. This works because direct connections to the tor network are easily censored, but WebRTC is not (not without a lot of collateral damage at least).

The snowflake proxy acts as a bridge to the tor network at the entry side. If by repercussions you mean risk of exit-node traffic, there are none. It might cost a little bit of bandwidth.

Memory safety would be the main advantage.