cypherpunks, 21 hours ago (edited 17 hours ago)

screenshot of notification from facebook found in article, but with the word “if” highlighted in the sentence “If your objection is honored, it will be applied going forward.” and three red question marks added under it

If your objection is honored, it will be applied going forward

cypherpunks, 1 day ago

shoutout to the multiple people flagging this post as misinformation 😂

(I don’t know or care if OP’s screenshot is genuine, and given that it is in /c/shitposting it doesn’t matter and is imo a good post either way. and if the screenshot in your comment is genuine that doesn’t even mean OP’s isn’t also. in any case, from reading some credible articles posted today on lemmy (eg) I do know that many equally ridiculous google AI answer screenshots are genuine. also, the song referenced here is a real fake song which you can hear here.)

cypherpunks, 2 days ago

spiderman pointing at spiderman meme template with the spidermen labeled “bing” and “duckduckgo, qwant, ecosia, startpage, chatgpt internet search”

cypherpunks, 10 days ago

and later it will turn out that the AI solution was actually two clickworkers in a trenchcoat

cypherpunks, 1 month ago

Building an optional, immutable/composable version of postmarketOS

that sounds great! is there more information somewhere about this plan yet?

cypherpunks, 18 days ago

VPNs have several purposes but the big two are hiding your traffic from attackers on the local area network and concealing your location from sites that you visit.

If you’re using a VPN on wifi at a cafe and anyone else at the cafe can run a rogue DHCP server (eg, with an app on their phone) and route all of your traffic through them instead of through the VPN, I think most VPN users would say the purpose of the VPN has been defeated.

cypherpunks, 18 days ago

The vast majority of LANs do not do anything to prevent rogue DHCP servers.

Just to be clear, a “DHCP server” is a piece of software which can run anywhere (including a phone). Eg, if your friend’s phone has some malware and you let them use the wifi at your house, someone could be automatically doing this attack against your laptop while they’re there.

cypherpunks, 18 days ago

Sounds like it requires that your DHCP server is hostile, which is actually a very small (though nonzero, yes) number of the attack scenarios that VPNs are designed for

In most situations, any host on the LAN can become a DHCP server.

“there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android” is a very funny way of saying “in practice applies only to Windows and iOS”.

No. There are certainly ways of mitigating it, but afaict no Linux distros have done so yet.

cypherpunks, 18 days ago

mullvad.net/…/evaluating-the-impact-of-tunnelvisi…

cypherpunks, 17 days ago (edited 13 days ago)

xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)

Fun :)

Btw, instead of installing individual vulnerable debs as those kali instructions I linked to earlier suggest, you could also point debootstrap at the snapshot service so that you get a complete system with everything as it would’ve been in late March and then run that in a VM… or in a container. You can find various instructions for creating containers and VMs using debootstrap (eg, this one which tells you how to run a container with systemd-nspawn; but you could also do it with podman or docker or lxc). When the instructions tell you to run debootstrap, you just want to specify a snapshot URL like https://snapshot.debian.org/archive/debian/20240325T212344Z/ in place of the usual Debian repository url (typically https://deb.debian.org/debian/).

cypherpunks, 17 days ago (edited 13 days ago)

A daily ISO of Debian testing or Ubuntu 24.04 (noble) beta from prior to the first week of April would be easiest, but those aren’t archived anywhere that I know of. It didn’t make it in to any stable releases of any Debian-based distros.

But even when you have a vulnerable system running sshd in a vulnerable configuration, you can’t fully demo the backdoor because it requires the attacker to authenticate with their private key (which has not been revealed).

But, if you just want to run it and observe the sshd slowness that caused the backdoor to be discovered, here are instructions for installing the vulnerable liblzma deb from snapshot.debian.org.