regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387)
The following summary from Debian's security list:
> The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges. This flaw affects sshd in its default configuration.
The past, present, and future of local-first - Martin Kleppmann
YouTube Video
Click to view this content.
Martin Kleppmann sets out a vision: "In local-first software, the availability of another computer should never prevent you from working."
He describes the evolution of how to classify local-first software, how it differs from offline-first, and proposes a bold future where data sync servers are a commodity working in tandem with peer-to-peer sync, freeing both developers and users from lock-in concerns.
It's convenient until you want to upgrade the distro.
The origin story of the Windows 3D Pipes screen saver
Looking for a place to show off.
JetBrains warned customers to patch a critical vulnerability that impacts users of its IntelliJ integrated development environment (IDE) apps and exposes GitHub access tokens.
Hmm wasn't there some kerfuffle recently about how the kernel was going to start self-issuing CVEs en masse? Is this the result of that plan?
Bringing the great successes of financial engineering to Rust.
A new microarchitectural side-channel attack exploiting data memory-dependent prefetchers in Apple silicons.
On Wednesday, the KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktop's appearance.
If you can write correct C++ you'll be able to write Rust code that compiles first time. Don't stress, you're learning the good stuff.
IrfanView, now that's the good stuff
I probably wouldn't bother. I can think of two scenarios you might get spied on.
- Through your browser you've granted a website access to your webcam (Zoom etc.) and left a tab open. Maybe it could activate it when you weren't expecting?
- Someone has used a vulnerability to take control of your computer to the degree it can access your webcam directly. Desktop linux software doesn't usually have meaningful isolation between software running as the same user, so at this point they can grab all your data, passwords, take screenshots, etc. and the webcam is just the cherry on top.
I expect most people don't do (1) very often, let alone for sketchy websites, so IMO it doesn't make much difference either way.
Unprivileged attackers can get root access on multiple major Linux distributions in default configurations by exploiting a newly disclosed local privilege escalation (LPE) vulnerability in the GNU C Library (glibc).
Warcraft 2 Soundtrack - I'm a Medieval Man (Hidden Track)
YouTube Video
Click to view this content.
Smart fridges are one thing but there are many innocent folk relying on internet services to do normal and important things involving sensitive data - talk to family and friends, access healthcare, attend work, do their banking, school and childcare enrolments, even insurance. Should these things be replaced by rooms full of filing cabinets? Maybe, I dunno, that's a big call. Short of substantial collapse that renders the internet unavailable, these sort of things will continue to be online and ordinary people deserve all the security they can get. If you're working in cybersecurity to help people like this, then that is totally ethical in my view.
If you're lucky maybe you can land a role with some direct permacomputing aspects - reduce hardware requirements, simplification of systems, maintaining old hardware to maximise lifespan. But just avoiding roles where you or your organisation is encouraging people to view more ads or buy more stuff would be a good start.
The web can’t be discarded by individuals
I agree, as a practical matter it's another heavyweight tech system that we can't opt out of. Striving to keep client requirements low so that we can get maximum use out of older hardware is great.
Is your comment is driven by wasteful web design or are you saying that even a lean web service design is still inherently excessive?
The latter. The web relies on a continuous path of connectivity between the client and the server to function at all. In practice it also requires cooperation on a global scale to make this useful to everybody, whether that's DNS, CAs for TLS, BGP, undersea fibre optic cables or the big services that "everybody" relies on like AWS and GitHub.
When somebody says a word like permanetworking, to me that's an invitation to think small. If you want to create something local, networking offers a lot more possibilities for action than, say, semiconductor manufacturing. Bluetooth chat, neighbourhood WiFi with local servers, long distance email via sneakernet, distributing useful data packages like maps, books and encyclopedic data so that they're stored close to the people who need them. There's so much we can do without climate-controlled datacenters.
PLAN 6 is the best
The odd numbered versions of PLAN have always been buggy and unpopular and I think Bell Labs is using their monopoly to push everybody to update to PLAN 9 even if they need a new computer with a third mouse button. What is your favourite PLAN?
I'll join the handful of commenters shilling for kagi which has domain blocking and ranking as a first-class feature. It really is wonderful if you have the cash, and hopefully it will put pressure on the advertising-funded search engines to add these kinds of features.
I'm looking at the word "permanetworking" and my first thought is we could be a lot more ambitious. The web is such a complex and brittle way to access information it feels like a world away from perma-anything. Still, avoiding wasteful use of bandwidth is always a good thing so I won't prattle any further.
This is one scenario I proposed when we were last having this discussion: https://thomask.sdf.org/blog/2023/07/07/if-i-was-meta-and-wanted-to-make-fedi-implode.html
N=1 but outbound federation just worked for me in a post. It seems some work was done just recently including an upgrade to -rc.8.
My goal in this article is to inform technical communities of the research presented at the LIMITS conference, and to invite those who work at the intersection of sustainable technology and climate justice to join RIPE and the IETF.
It's best not to think of SDF admins in binary terms like "present" or "absent". They are an undulating force which makes changes here and there and we're all along for the ride.
*A formerly chill laid back community up until someone posted it on Lemmy 😀
I was comparing frozen diced veggies a couple of years back (in Australia) and noticed that the store-brand version was approximately 1/3 broccoli stems by volume, which certainly explained the cost difference.
Douglas Adams once made this amusing observation about how we view technology: Anything that is in the world when you’re born is normal and ordinary and...
That is the discussion. Microsoft is pretending by making it the upgrade path for two products which actually are local, and hoping users won't notice.
Honestly I'm glad they highlighted the telemetry. I went through the local report about what's included and while it's not an upsetting level of detail, it's more comprehensive than I would have opted in to if asked.
Still, as sibling points out it's in a completely different league from slurping up your IMAP creds, something which has always been local-only data. This is the second time I know of recently where MS has trampled on this kind of local-only expectation - the other was Edge defaulting to sending the contents of textboxes you're filling out on webpages to the MS cloud for spelling and grammar checks. Thunderbird is still a sound recommendation, and unlike Microsoft, I trust that if I uncheck the telemetry box they're not going to try to get me some other way.
Nothing in tech stands still. If you want a glimpse of a possible alternative future check out Pijul. And I don't know an example off-hand but the idea of doing version control on ASTs of program code rather than flat text is an interesting concept that hasn't taken off yet.
By Mark Brand, Google Project Zero Introduction It's finally time for me to fulfill a long-standing promise. Since I first heard about ...
I’d rather go to the local library and ask the clerk for a search term
Sounds kind of relaxing tbh
You're putting yourself in a tough position by asking for both E2EE and the ability to use from a browser. You have to trust the web app each time you open the page, and hope that they haven't altered the deal to simply grab your data after it's been decrypted by your password. I have no idea how likely it is that Standard Notes would do that but I'd reconsider the browser requirement specifically if E2EE is non-negotiable for you - an offline open source client program would be a much stronger position.
For my money, I use local text files and SyncThing but it's probably not spiffy enough for many people/purposes.