ok, after reading that article fully, it does sound a lot less concerning than the headline would like me to believe. it is early in the morning (almost 13:00) and this is a great chance to expose how little i know about all that, so i will:
They believed SSH traffic was immune […].
classic. we always think that something is perfectly safe until it breaks. also, looking at the article, the issue with RSA has been known since 1996. there had to be a useful application for this. such as TLS. and now some SSH implementations.
Last year, researchers found that […] they were still able to passively observe faulty signatures that allowed them to compromise the RSA keys of […] Baidu.com
no idea how this adds any value in a discussion about SSH, but i chuckled.
now the article also gets to some more interesting stats.
5.2 billion SSH records. of that 590k with invalid signatures and 4.9k revealed factorization for a total of 189 unique private keys.
now i would very much prefer that last number to be a solid zero, but out of 590k faults, only 4.9k were usable for the attack. everyone that thinks “oh that’s nothing. i’m safe.” is still a fool, but it could be far worse. especially since this only targets RSA and leaves ed25519 (and others) untouched.
but it just gets even better:
The researchers traced the keys they compromised to devices that used custom, closed-source SSH implementations that didn’t implement the countermeasures found in OpenSSH and other widely used open source code libraries.
if i was drinking something reading this, i would have spat it out laughing. i am that kind of fun at parties. this also partially explains why there are “only” 590k invalid signatures in over 5.2 billion records total. and judging by how well some companies and organizations handle updates (assuming there will be updates from cisco, zyxel, hillstone and mocana), this will still be enough to be used in some attacks five years from now.
okay Google, how about this. I already pay for premium, but I’m too lazy to disable my adblocker for just your site, can we just call it a draw and move on?
hah. no. not on a platform where the lead thinks serving you a good dozen unskippable ads to test your patience is a fun little experiment. sure is the year of big platforms trying everything to get rid of users
In cases when viewers feel they have been falsely flagged as using an ad blocker, they can share this feedback by clicking on the link in the prompt.
and you can bet that i’ll (ab)use that. might as well make it just a bit harder for them
Archie has been resurrected (archie.serialport.org)
Some people have apparently not only gone through the trouble of digging out the latest available version of Archie (old FTP indexer / search engine from the mid 80’s / 90’s before Google was a thing), but they even set up a fresh install and made a web interface available. Even better: The entire source code apparently also...
TunnelVision - How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak (CVE-2024-3661) (www.leviathansecurity.com)
Good summary by another user in the crosspost over in !programming:...
FYI: Malicious/Badly Written KDE theme can wipe out all your data (www.reddit.com)
cross-posted from: lemmy.ml/post/13397700...
flathead_irl (pawb.social)
perfectly level.
In a first, cryptographic keys protecting SSH connections stolen in new attack | Ars Technica (arstechnica.com)
Oh, that’s concerning 🙃 I’d love to hear thoughts on this from Soatok
Wizz UH-U c16-1 7 d: One of the greenest moons I’ve ever seen (pawb.social)
Almost everything looked green on there. The ice, the ship, the thin methane atmosphere and even the fonticulua. Absolutely breathtaking....
Recent picture of me standing on / inside of my exploration liner (pawb.social)
Taken on Eocs Aip JC-D d12-1 3. May or may not be the start of a ~700kLy trip. Star distribution resembles more of a thin mist out here…
Chrome now ships with a user-tracking ad platform baked in (arstechnica.com)
Google’s browser not only got new chrome, it now also keeps track of all websites you visit to generate a topic list for ads that is shared with websites directly. Nobody asked for that.
Intel Arc drivers now ship with telemetry enabled by default (www.techpowerup.com)
intel now joins the club with their take on GPU driver telemetry. they call it “Computing Improvement Program” and it can thankfully be disabled during a manual install, or in system settings after the installation is complete
YouTube confirms three-strikes test for ad blocking (www.androidauthority.com)
okay Google, how about this. I already pay for premium, but I’m too lazy to disable my adblocker for just your site, can we just call it a draw and move on?