  • You don’t even have to do anything and there are thousands of people out there trying to protect you from getting more fucked[…]

    Don’t go around telling them they don’t have to “do anything” plz 😅

    You removed the emphasis on “You” from my quote which changes the meaning. I specifically meant that you, the person that I am replying to, don’t need to do anything, and there are people who will do something on your behalf.

    Nothing that you’ve said changes my critique of your critique btw. You said:

    he lives in absolute La La land

    No, actually he presented a well thought out analysis of the way that the relationship between business and customer/user in our current system, along with the relationship between business and legislator, both entrenches monopolies and causes a pathological dependency whereby customers cannot exercise their right to freely choose with whom they do business, and so their rights are severely diminished.

    the idea that these webs of laws or these models of “how things should work” mean anything to the people with power are complete nonsense.

    The main point of my reply was that you are arguing against a straw-man here since the intended audience of the article is not “the people with power.”

    like, buddy, your country just went full Nazi. You’ve been living in a total fantasy. You’re not going to rethink the concept of fixers, get a grip.

    A non-sequitur and then a baseless dismissal of the argument that suggests that you either didn’t read it, or didn’t understand it.


  • Did you think this blog post was aimed at the people with power, to petition them to change the laws?

    It’s aimed at us, the people getting fucked over, to point out what (among the many other things) we should be fighting for. Commentary like this is important to align the goals of the organizations, charities and lobby groups that defend YOUR civil rights by filing amicus briefs, publishing articles, encouraging activism and drives to get citizens to write to their representatives on the important matters that affect their rights. You don’t even have to do anything and there are thousands of people out there trying to protect you from getting more fucked by Big Tech and capitalism, on a volunteer basis.

    It sounds to me like you’ve just given up hope that any progress can be made on this front, given the new status quo.

    Never give up. Just because civil rights defenders will be on the defensive for a few years does not mean that discussions of what is worth defending no longer have value.







  • If this is impersonation (which it looks to be) shouldn’t it be removed?

    Are you going to set the precedent that impersonation of figures in the open source community is allowed?

    Personally I would be in favor of removing this post until OP can provide proof of identity (e.g. by posting something on the main GitHub account corroborating this post).


  • There’s something important missing from this article:

    Eventually, that same USB drive is inserted into an air-gapped computer, allowing GoldenDealer to install GoldenHowl (a backdoor) and GoldenRobo (a file stealer) onto these isolated systems.

    Why is an airgapped machine running executable code from a USB drive? Is there some OS-level vulnerability being exploited?

    The original writeup says the following:

    It is probable that this unknown component finds the last modified directory on the USB drive, hides it, and renames itself with the name of this directory, which is done by JackalWorm. We also believe that the component uses a folder icon, to entice the user to run it when the USB drive is inserted in an air-gapped system

    So we have airgapped machines that rely on users to click icons in a graphical file manager to move data from USB drives. This is a complete failure of security procedure. If you have systems that need to be airgapped then you also need the corresponding procedures for use of those systems to prevent this kind of compromise.
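
Added example, not part of the comment above or of the quoted write-up: a check a media-transfer station could run on a mounted USB volume before its contents go anywhere near an isolated system, flagging the lure the write-up describes (an executable named after a sibling directory). The suffix list, function names and sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed set of file types a file manager will launch on double-click.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}

def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def find_folder_lures(root):
    """Return (executable, directory, directory_is_hidden) for every
    executable whose name without suffix equals a sibling directory name."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_by_name = {d.lower(): d for d in dirnames}
        for name in filenames:
            stem, suffix = os.path.splitext(name)
            if suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue
            match = dirs_by_name.get(stem.lower())
            if match is not None:
                directory = Path(dirpath, match)
                findings.append((str(Path(dirpath, name)), str(directory),
                                 is_hidden(directory)))
    return sorted(findings)

def build_sample_volume(root):
    """Constructed sample tree standing in for a mounted USB volume."""
    (root / "Reports").mkdir()
    (root / "Reports" / "q3.txt").write_text("constructed sample\n")
    (root / "Reports.exe").write_bytes(b"MZ constructed placeholder")  # the lure
    (root / "Photos").mkdir()
    (root / "setup.exe").write_bytes(b"MZ constructed placeholder")   # no collision
    (root / "notes.txt").write_text("constructed sample\n")

def scan_sample():
    """Build the constructed volume in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_volume(root)
        return [(Path(e).name, Path(d).name, h)
                for e, d, h in find_folder_lures(root)]

if __name__ == "__main__":
    for exe, directory, hidden in scan_sample():
        print(f"SUSPICIOUS: {exe} shadows directory {directory} (hidden={hidden})")
```

A hit where the directory is also hidden matches the described behaviour most closely; any hit is reason to quarantine the drive rather than open it in a graphical file manager.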






  • I’m no “veteran diplomat” but in my experience it is only the people without real power who make threats. When you have power, you don’t need to make threats. You just respond to events with whatever proportionate response is necessary and within your capability. You don’t need to provide a preview of what those responses will be.

    Setting “red lines” looks to me like weakness because it is essentially a plea to the other side not to do those things that you don’t want them to do, and it invites them to push up to those red lines, do anything but, and test their boundaries to test your commitment to them.



  • I read the source code and this is a hobby-project that you could write in an afternoon with no knowledge of cryptographic protocols.

    There are dozens of obvious deficiencies even to me and I am no expert in cryptography. An easy example to point out is that there is no input validation and no error checking or exception handling. Both the client and server just assume that the other side is a well-behaving correct implementation.

    The author should not be posting this around as if it’s a serious tool for people to use. If anything it’s a starting point for OP to get advice from experts on how real systems do this properly. I’d recommend that the author spends a LOT of time reading before doing. There are numerous design documents of real systems and protocols, and some good comprehensive books too.