this isn’t remotely how this meme is used lol
cultural reviewer and dabbler in stylistic premonitions
this isn’t remotely how this meme is used lol
wikipedia articles about him have been deleted twice:
lol, i just accepted the title tag from the page which the create post form auto-filled 🤡
If you’re ready to break free of Android, I would recommend https://postmarketos.org/ though it only works well on a small (but growing!) number of devices.
imho if you want to (or must) run Android and have (or don’t mind getting) a Pixel, Graphene is an OK choice, but CalyxOS is good too and runs on a few more devices.
Hi, I’m an admin on lemmy.ml. The account of the one existing mod of the session community here has apparently been deleted.
I’ve heard there are some bugs with moderation of remote communities, but, I just made you a mod there anyway. I don’t know the state of those bugs; it might work better if you made an account on this instance.
Btw, I recommend against using Session for a variety of reasons including the one I posted in your thread here.
It’s literally a covert project funded by google to both sell pixels and harvest data of “privooocy” minded users. It seems to be working well.
Is it actually funded by Google? Citation needed.
I would assume Graphene users make up a statistically insignificant number of Pixel buyers, and most of the users of it I’ve met opt to use it without any Google services.
/r/shittyaskreddit
wasn’t supposed to be an instruction manual 🙄
E: old thinkpad gang input: take the time to reapply thermal grease to the cpu at some point. It makes a huge difference.
What’s a “gang input”?
😂 it’s an input to this discussion from a member of the group of people (“gang”) who have experience with old thinkpads. and yes, if your old thinkpad (or other laptop) is overheating and crashing, reapplying the thermal paste is a good next step after cleaning the fans.
Indeed, the only thing WhatsApp-specific in this story is that WhatsApp engineers are the ones pointing out this attack vector and saying someone should maybe do something about it. A lot of the replies here don’t seem to understand that this vulnerability applies equally to almost all messaging apps - hardly any of them even pad their messages to a fixed size, much less send cover traffic and/or delay messages. 😦
xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)
Fun :)
Btw, instead of installing individual vulnerable debs as those kali instructions I linked to earlier suggest, you could also point debootstrap at the snapshot service so that you get a complete system with everything as it would’ve been in late March and then run that in a VM… or in a container. You can find various instructions for creating containers and VMs using debootstrap (eg, this one which tells you how to run a container with systemd-nspawn
; but you could also do it with podman or docker or lxc). When the instructions tell you to run debootstrap
, you just want to specify a snapshot URL like https://snapshot.debian.org/archive/debian/20240325T212344Z/
in place of the usual Debian repository url (typically https://deb.debian.org/debian/
).
A daily ISO of Debian testing
or Ubuntu 24.04 (noble
) beta from prior to the first week of April would be easiest, but those aren’t archived anywhere that I know of. It didn’t make it in to any stable releases of any Debian-based distros.
But even when you have a vulnerable system running sshd in a vulnerable configuration, you can’t fully demo the backdoor because it requires the attacker to authenticate with their private key (which has not been revealed).
But, if you just want to run it and observe the sshd slowness that caused the backdoor to be discovered, here are instructions for installing the vulnerable liblzma deb from snapshot.debian.org.
Sounds like it requires that your DHCP server is hostile, which is actually a very small (though nonzero, yes) number of the attack scenarios that VPNs are designed for
In most situations, any host on the LAN can become a DHCP server.
“there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android” is a very funny way of saying “in practice applies only to Windows and iOS”.
No. There are certainly ways of mitigating it, but afaict no Linux distros have done so yet.
The vast majority of LANs do not do anything to prevent rogue DHCP servers.
Just to be clear, a “DHCP server” is a piece of software which can run anywhere (including a phone). Eg, if your friend’s phone has some malware and you let them use the wifi at your house, someone could be automatically doing this attack against your laptop while they’re there.
Regarding your browser-based thing: what are the specific capabilities of the “threat agents” (in your threat model’s terminology) which your e2ee is intended to protect against?
It seems like the e2ee is not needed against an attacker who (a) cannot circumvent HTTPS and (b) cannot compromise the server; HTTPS and an honest server will prevent them from seeing plaintext. But, if an attacker can do one of those things, does your e2ee actually stop them?
The purpose of e2ee is to protect against a malicious server, but, re-fetching JavaScript from the server each time they use the thing means that users must actually rely on the server’s honesty (and HTTPS) completely. There is no way (in a normal web browser) for users to verify that the JavaScript they’re executing is the correct JavaScript.
If you run a browser-based e2ee service like this and it becomes popular, you should be prepared that somebody might eventually try to compel you to serve malicious JavaScript to specific users. Search “lavabit” or “hushmail” for some well-documented cases where this has happened.