Posts

vorlon, to random
@vorlon@mastodon.social avatar

Defense in depth is an important design principle of secure systems. You should not put all your eggs in one basket when it comes to protecting your computers (or protecting your civilization from plague).

But some people seem to think that signature-based malware scanners in particular are an essential part of this defense, and the absence of such tools in a typical stack is a flaw in Linux-based operating systems.

1/4

vorlon,
@vorlon@mastodon.social avatar

Y'all. The reason clamav is the best available virus scanner, and doesn't have a very good UX and isn't shipped by default, is because it doesn't matter.

There are millions of Linux desktops in the world, there are orders of magnitude more servers, almost none of them run antivirus software, and the sky is not falling because of it.

2/4

vorlon,
@vorlon@mastodon.social avatar

Antivirus scanners came into being at a time when the predominant desktop operating system had no such thing as protected kernel memory. They're not useless on Linux, but neither are they an essential layer of defense in today's models.

We just dodged the biggest ever attempted attack on the Linux OS ecosystem, and it was an attack that no malware scanner running on third-party binaries and no IDS checking for modified system binaries would have done anything to prevent.

4/4

vorlon, to random
@vorlon@mastodon.social avatar

Ahahaha happy 16th birthday to CVE-2008-0166, still going strong
https://infosec.exchange/@briankrebs/112428503842956186

vorlon, to random
@vorlon@mastodon.social avatar

For Ubuntu 24.10, we should patch bash so that when it's given content on stdin, it checks the process tree and if the sending process is curl, launches x-www-browser with a page on basic Internet safety instead of executing the command.

joeyh,
@joeyh@hachyderm.io avatar

@vorlon curl | /lib64/ld-linux-x86-64.so.2 /dev/stdin

(no it doesn't actually quite work ... sadly?)

lanodan,
@lanodan@queer.hacktivis.me avatar

@joeyh @vorlon
```
$ curl -s file:///usr/bin/uname | ls -Ll /dev/stdin
prw------- 1 haelwenn haelwenn 0 Apr 26 17:40 /dev/stdin
```

Gah.

vorlon, to random
@vorlon@mastodon.social avatar

Makes a good story but expecting fiscal accountability for government spooks is like expecting criminal accountability for cops, when it happens it has no correlation with the severity of the offense
https://infosec.exchange/@tinker/112196180295212632

Andres4NY,
@Andres4NY@social.ridetrans.it avatar

@vorlon Also, it was pretty successful and there's no way this team gets fired/demoted. Instead, they can show how they were almost successful and with a few minor tweaks, the next attempt WILL be successful. This is a minor setback at best, and you can bet they had previously launched parallel attempts with other maintainers/contributors currently in place to try again.

vorlon, to random
@vorlon@mastodon.social avatar

I don't know, am I supposed to feel bad about the deaths of people who took medical advice from Donald Trump?

(I don't.)

https://med-mastodon.com/@rchusid/111704562891696305

Andres4NY,
@Andres4NY@social.ridetrans.it avatar

@vorlon So while the US is clearly an outlier here, with a large chunk of those half a million HCQ exposures probably related to Trump, the global nature of these exposures is likely due to the early research showing HCQ's efficacy. There was (bad) research early on showing HCQ had an effect, and it was enough that my wife did an HCQ post-exposure prophylaxis study (https://pubmed.ncbi.nlm.nih.gov/33284679/). With so little data, doctors gave HCQ off-label because there wasn't much else they could do.

Andres4NY,
@Andres4NY@social.ridetrans.it avatar

@vorlon By the time Trump was pushing it, though, it was starting to become clear that it was useless. That didn't stop folks in the US from grabbing up all the HCQ and nearly dooming my wife's study. And then Trump's idiocy polarized future and existing study participants, resulting in the study taking much longer than it should have. https://www.tandfonline.com/doi/full/10.1080/1744666X.2020.1860758

vorlon, to random
@vorlon@mastodon.social avatar

Just received a letter informing me that my PII has been compromised in a data breach at a company that stopped being the servicer of the mortgage on our house in 2016.

So that's cool.

Seriously, does anyone know a lawyer willing to take on a class action suit against these fuckers who are losing data that they shouldn't have/retain access to? This is the second one in a year.

vorlon,
@vorlon@mastodon.social avatar

@Andres4NY give them a legal reason not to retain the data, i.e. suing their asses.

Unfortunately, one of the likely unintended consequences here is that companies will still RETAIN the data and instead fail to disclose that they have been compromised.

Andres4NY,
@Andres4NY@social.ridetrans.it avatar

@vorlon They're bankrupt, though, so figuring out who to even sue would be.. interesting.

vorlon, to random
@vorlon@mastodon.social avatar

A lot of people pointing out that the sudden scrutiny of executive compensation at Mozilla is driven by someone with an ulterior motive, and that's good information to have.

But, look. That is not a reason to DEFEND a CEO being paid $7 million. The reason Lunduke zeroed in on this is because it is ACTUALLY DISGUSTING AND HE KNOWS PEOPLE WILL BE BOTHERED BY IT. When surveyed about CEO compensation, people say a good ratio is less than 5:1.

https://www.corporate-rebels.com/blog/ideal-ceo-to-employee-pay-ratio

1/2

vorlon,
@vorlon@mastodon.social avatar

There's not a CEO in the world doing $7 million worth of work. Saying this is in line with exec compensation elsewhere is not a defense, it's an indictment. Nor is gender equity in pay an argument when ALL execs are overpaid and where pay equity is worst is at the entry level and among the precariat.

Seriously, stop trying to justify a $7 million salary. Executive compensation is a PROBLEM, and while it's nothing specific to Mozilla, you can say this without pretending it's healthy.

2/2

vorlon, to random
@vorlon@mastodon.social avatar

"if the stranger is an expert in their field"

So .. Mastodon is doing blue checkmarks now?

https://journa.host/@stribley/111501595141040729

ttpphd,
@ttpphd@mastodon.social avatar

@vorlon

If you look at the screenshot, what it appears to be doing is showing part of the user's profile description. In other words, the software is giving the person writing the reply a reminder of who the person is that they are replying to. No database of experts necessary.

But it will cut down a bit on men seeing a woman in a profile picture and assuming she is not an expert.

vorlon,
@vorlon@mastodon.social avatar

@ttpphd if that's all it is I agree that's reasonable. No idea if it will have the desired effect!

vorlon, to random
@vorlon@mastodon.social avatar

The 7yo has learned the word "cyberpunk" and after a Dad symposium about its true definition, wants to know if there are any cyberpunk movies he could watch.

Anyone have any ideas? By the nature of the genre it's going to target more mature audiences. Something with a PG-13 rating might be ok depending, but definitely not R. And I'm having a hard time thinking of many that are true cyberpunk. Johnny Mnemonic is about the only one I can think of that unconditionally qualifies.

vorlon, to random
@vorlon@mastodon.social avatar

Anyone else remember the period in American history when a substantial fraction of advertising dollars in the economy were spent on selling chewing gum, or

foo,
@foo@fosstodon.org avatar

@vorlon Hah yeah, also:

> I'm part of a generation of kids who grew up thinking it was normal to see ads for cranberry juice 5 times per hour.
> I don't think I ever had cranberry juice as a kid. But I sure as hell knew Ocean Spray had natural antioxidants.

https://fosstodon.org/@foo/109974851093468692

Andres4NY,
@Andres4NY@social.ridetrans.it avatar

@cwayne @vorlon juicy fruit is gonna move ya

vorlon, to portland
@vorlon@mastodon.social avatar

Portland parents! Earlier this year, PPS placed an order for additional in-classroom air purifiers, with input from the school communities, from the Oregon Health Authority; at no cost to the district; to help combat poor air quality affecting our children's learning environment.

The air purifiers have arrived at the district office.

And the district has decided not to distribute them to the schools.

1/5

vorlon, to random
@vorlon@mastodon.social avatar

Many people who could not implement encryption, or even explain it, nevertheless have absorbed the message that they should use it, because it keeps their information secret from prying eyes.

This is good.

But encryption is not a panacea, not even "end-to-end" encryption. The problem arises when people believe "it's encrypted, therefore it's safe".

Because encryption relies on you having a secret that no one else has, that you use to do math, to reveal the plain text.

1/6

vorlon,
@vorlon@mastodon.social avatar

But that secret doesn't just live in your head; you share it with software to do the decryption.

When the software you're sharing it with is running in a web browser, that software is directly controlled by the web server that serves the page. There is NOTHING that stops the software running in your browser from sharing that secret back to the web server.

2/6

vorlon,
@vorlon@mastodon.social avatar

In-browser "end-to-end" encryption is better than no encryption, and it does protect against offline attacks of the server data. But you shouldn't be lulled into a false sense of security.

So when you use Protonmail's webmail to decrypt emails, or you let keybase "escrow" your PGP keys so you don't lose them, be mindful of what you are or aren't protected against.

5/6

vorlon, to random
@vorlon@mastodon.social avatar

Can you explain this gap in your CVE

vorlon, to random
@vorlon@mastodon.social avatar

Can we stop using the term TERF, please

These people are neither radical nor feminists, they're just reactionary garbage

juliank,
@juliank@mastodon.social avatar

@vorlon well trans-exclusionary reactionary fuckers works too
