• 0 Posts
  • 13 Comments
Joined 1 year ago
cake
Cake day: July 30th, 2023

help-circle
  • I assume the problem is hardware. Matt’s hardware didn’t work well with LM, therefore Matt thinks LM sucks… I do wish there was better hardware support but it’s the reason apple went with 1 product = 1 OS = 1 general set of hardware. Sure not every iPhone has the same hardware, but that’s why they have the model numbers, and it’s so much easier to test 200 model mixes than 2,000,000 (Android). Windows gets all the debug info sent directly to them like the others but they also have a huge stack of hardware they can use or they can buy it to test.


  • Just something to keep in mind for those not in the security space. When a security company does an audit, its generally a checklist of commercial and custom security software along with a couple people poking around looking for more manual harder to find stuff. But there’s a reason companies like Mullvad have a bug bounty program… Just because cure53 didn’t find it, it doesn’t mean some bored hacker won’t…

    Absolutely better than nothing though.




  • That does go a long way towards explaining why there are so many Bluetooth vulnerabilities, thanks for the info. Looking at the list of Bluetooth protocols wiki page gives me a headache. Surely there is a better standard, and I see things like HaLow, ZigBee, Z-Wave and other custom protocols, but it seems like there should be a very cleanly well-documented alternative to do the basics that everyone expects BT to do. This, coming from a total noob, speaking completely out of my anus. I just know that as a BT user, it’s a crapshoot whether there will be major audio delay, and pause/play actually worked, that’s if pairing works in the first place. But if something did come along I wonder if there would even be adoption among consumer devices.




  • Synnr@sopuli.xyztoLinux@lemmy.ml*Permanently Deleted*
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    6 months ago

    And have eyes good enough to look very closely and detect any small . or `s that are out of place, and be current on all methods of sanitization, catching any and all confusing variable names doing funny things, and never getting mentally overloaded doing it.

    I wouldn’t be surprised at all if teams at NSA & co had game months where the teams that find the highest number of vulns or develop the most damaging 0day exploits get a prize and challenge coin. Then you have the teams that develop the malware made to stay stealthy and intercept data for decades undetected, and the teams that play mail agent and intercept packages containing core internet backbone routers to put hardware ‘implants’ inside them.

    These are the things Snowden showed us a small sliver of in 2013, over a decade ago, some of which was well aged by that point.

    The days of doing illegal things for funsies on the internet, like learning how to hack hands-on, are over if you don’t want to really risk prison time. Download vulnerable virtual machines and hack on those.

    But if you’re worried about a random maintainer or packager inserting something like a password stealer or backdoor and letting it hit a major distro with a disastrous backdoor that doesn’t require a PhD in quantum fuckography to understand, chances are likely big brother would alert someone to blow the whistle before it hit production, as they likely did with xzutils.





  • Synnr@sopuli.xyztoLinux@lemmy.ml*Permanently Deleted*
    link
    fedilink
    arrow-up
    20
    ·
    edit-2
    8 months ago

    In turn it compromises ssh authentication allows remote code execution via system(); if the connecting SSH certificate contains the backdoor key. No user account required. Nothing logged anywhere you’d expect. Full root code execution.

    https://news.ycombinator.com/item?id=39877312

    There is also a killswitch hard-coded into it, so it doesn’t affect machines of whatever state actor developed it.

    https://news.ycombinator.com/item?id=39881018

    It’s pretty clear this is a state actor, targeting a dependency of one of the most widely used system control software on Linux systems. There are likely tens or hundreds of other actors doing the exact same thing. This one was detected purely by chance, as it wasn’t even in the code for ssh.

    If people ever wonder how cyber warfare could potentially cause a massive blackout and communications system interruption - this is how.


  • I didn’t agree with their decision at all at the time, but now that I realize they made it a little while after it gained widespread adoption and people stopped using it because “Signal isn’t actually secure!” … seems like people were expecting a secure messenger to be, well, secure. So they would chat about anything and everything thinking “I am using a secure messenger, these messages can’t be read…” and tech ignorance is a dangerous thing if you’re trying to be secure. I would’ve preferred a colored window and un-closable message for SMS chats, but oh well. I like that they’ve introduced usernames so you don’t have to give out your real number.