Or even a criminal organization.
Or even a criminal organization.
This isn’t the same thing, but I’m reminded of Minecraft.
Minecraft is a massively popular game. Notch once said he planned to make it open source when its popularity died down. But now Microsoft owns it.
Not only that, but Mojang accounts don’t work anymore. You have to have a Microsoft account to play it now. Even trying to download and play an older version of the game offline requires Microsoft to approve it. Microsoft is actively tightening the leash on the game because it makes them money. Open sourcing the game will likely never happen now. The best we can hope for it for versions to fall into public domain after 70-ish years.
That’s how I see Microsoft. They only care about what its beneficial for them to drive profits. Working on open source projects, and open sourcing a few of their tools to get the benefits of community adoption and code review is great, sure. But they’d sooner try to incorporate Linux into Windows to keep people in their surveillance ecosystem, than to open source Windows.
Remember when Windows 10 was the last version, until they changed their minds? Remember when they floated the idea of charging a recurring subscription to use Windows, before they silently dropped the idea? Remember when there was credible talk about the next version of Windows being cloud-based where they controlled all your data and you had no privacy? Hell, you have basically no privacy on Windows 10. Trying to reclaim some involves registry edits, special third party tools, and a constant battle with automatic updates reverting your changes.
I’ll say it again. Microsoft doesn’t care about OSS. It’s just currently beneficial for them to pretend they do.
Goggle seemed to care a lot about OSS, then started making everything in Android depend on their proprietary ecosystem to function. Now Google is using the dominant position they got by taking advantage of OSS adoption, and have been pushing privacy-invading standards and trying to get rid of ad blockers online, among many other things.
For these huge companies, OSS is just a tool to get more control and power. The moment it’s no longer useful, they’ll find ways to work around the license and enshitify everything again.
It keeps happening. I refuse to keep trusting bad actors every time they dangle a shiny trinket over our heads.
I do appreciate the work this person did in finding the bug. It’s not all doom and gloom.
Damn fine work all around.
I know this is an issue fraught with potential legal and political BS, and it’s impossible to check everything without automation these days, but is there an organization that trains and pays people to work as security researchers or QA for open source projects?
Basically, a watchdog group that finds exploitable security vulnerabilities, and works with individuals or vendors to patch them? Maybe make it a publicly owned and operated group with mandatory reporting of some kind. An international project funded by multiple governments, where it’s harder for a single point of influence to hide exploits, abuse secrets, or interfere with the researchers? They don’t own or control any code, just find security issues and advise.
I don’t know.
Just thinking that modern security is getting pretty complicated, with so many moving parts and all.
I’m pretty sure it was Debian in the early aughts.
This creates a single backdoor for all sign-ons on your phone.
When I saw this on a custom ROM, it was basically the same thing, but said that my financial institution or whoever had admin access to my phone, including seeing texts and everything else, until my phone was paid off. Still not sure why that was there in a custom ROM, but I ended up not using it.
They can be good quality, yeah. But I’m more worried about having to basically present a digital-equivalent of a driver’s license if I want to sign up for Netflix, or watch porn, or order food. And if ID system routes every request to a central location first, then you get stuck with de-facto tracking on everything you ever do, no matter how good the company’s privacy record is. That’s what I meant by creepy.
Huh. I hadn’t thought about that. That’s not a bad point either.
When I was a teen looking for a job, I checked the classified section of the newspaper. Saw a job post I thought I could do and called them. Ended up giving them some of my info, and maybe my social security number, don’t remember. All I know it I put them on hold to ask my parents a question about something, and they said “anybody can put things in the paper”. That’s when I learned that scammers just post their shit in public with little to no consequence.
Why would Reddit ban it? It’s an easy way for them to collect users’ IP addresses for their corporate overlords.
At my last job, the fire system kept calling the fire department with false positives so often that they told us to fix it or the city was going to start fining the company LOTS of money. One of the dumbass HR people asked if we could just disable the fire system to prevent it from making false positives. The very patient fireman had to explain that no, we could not intentionally disable fire safety equipment in a populated building, and the company had to actually fix the broken detector.
The elevators also broke down a lot, one time with my intern inside. I called the fire department to get her out, and my boss’s boss said I should have waited longer before calling the fire department, for some reason. I forget why.
I never signed an NDA, and I think I’d be fine telling you the name of this global company. But to be safe, I won’t. I’ll just say that most of the people here have probably interacted with customer service run by this company before. I AM CERTAIN OF IT.
Same. Pass phrases seem like a solution to a problem that doesn’t exist anymore. We don’t live in a world where people should be reusing and memorizing strong passwords. We live in a world with frequent user data theft and scams to glean your login info. Just last week, I started getting random login attempts from around the world for a Microsoft account I haven’t used in over a decade. No idea when or how that info got leaked.
And people aren’t equipped to memorize a different passphrase for all 30 of their accounts.
So, we should do what we always do: Get machines to make the issue easier for us to manage. Right now, that means password managers with a strong master password and secure storage.
In the future, maybe we’ll have some kind of creepy central government ID based password-less login method. Who knows?
Edit: Besides, most services require ThIrTeEn dIgIt lOnG PaSsWoRdS WiTh fIvE SpEcIaL ChArAcTeRs aNd sIx nOn-cOnSeCuTiVe dIgItS Of pI ThAt dOeSn’t mAtCh aNy kNoWn dAtE Or eVeNt oR SpEcIaL StRiNg oF NuMbErS. It’s just too annoying, and I’d have to memorize all the special characters in addition to the phrase.
Using the internet without everyone and their grandmother spying on them and blocking access to stuff the busybodies don’t personally like.
Nice!
Needs the unified menu for the active/maximized window at the top. Else, it’s perfect.
These. Get some have that special dividers or pouches for extra comfort. So cozy.
For some reason, I now have the urge to bury you in wet shady soil.
Linux already won years ago. Linux won so thoroughly that Windows 10 includes a Linux subsystem, almost every supercomputer runs Linux or BSD, and the majority of all mobile devices use the Linux kernel.
Not too bad for a bunch of nerds sharing code. :)
Problem is that one day, it will. I’m old enough to be able to see the difference in how much freedom has been lost online.
It’s not impossible. North Korea exists. There’s nothing stopping the rest of the world from adopting the same authoritarian regulations and technology bans.
That’s why people need to be involved in their governments; elections, local regulations, and what have you. It’s easy to complain that things aren’t perfect, or that you don’t like any of the options; but being part of the process, long term, is the only real way to fix that. The more people that give up and say they don’t care, the faster corruption infects everything and ruins what good is there. And trying to be clever and say that “one side is just as bad as the other” is not only a selfish lie people tell themselves to feel better about not doing anything, but it actively helps the authoritarians claim power.
The only thing that staves off corruption and authoritarianism is when the people being governed get involved and stay vigilant. Even small things like school board elections matter down the road.
You want to have a free internet? Then vote in school board elections. Seriously.
It already is. For example, it’s basically impossible to run your own email server these days, because most big email providers just block residential IPs to reduce spam.
Lots of ISPs block or heavily filter things like torrents.
Your ISP might decide you having a personal server at home is against their terms and force you to make a business account. They don’t want people uploading, only downloading.
Some countries are trying to weaken or ban encryption across the board.
And this is only slightly related, but things like websites that let you watch movies or shows are dying. They either all share the same server for video, or they just copy the files from each other. If you find one and watch a video with a little glitch, you’re likely to find that same glitch in all the other websites too. Think things like TV logos, audio suddenly changing language for a few seconds, scan lines on old VHS or TV recordings, etc… There used to be a lot, but now all the small players are being sued or shut down, and only the largest ones are still alive. The noose is tightening.
So, I got malware that seemed to create an hidden proxy or VPN or something when I was online, without me having to install anything. I was on Fedora using Firefox in private mode with Ublock Origin and some script blocker. Ghostery, or Privacy Badger, or something. Fedora has it’s firewall enabled and blocking inbound connections, and SELinux was running. It would occasionally report small things like VLC or Clam AV wanting access to something.
It took me a little bit to realize something was wrong.
I realized it after Google started demanding repeated captcha attempts for everything, I started seeing unsuccessful attempts to sign into my Microsoft account from around the world, and some websites started blocking my IP for abuse. A few times, the blocking page (usually Cloudflare) showed that my public IP was over 240.0.0.0, in the unassigned block. My modem logs showed my machine making outbound connections to these random or impossible IPs at times that roughly lined up with my connection issues.
But if I simply hit refresh on those pages when they blocked me, the websites suddenly returned my correct residential IP address and started working again. I was slow to catch on. Hell, I hadn’t even used my Microsoft account for years, and I assumed Fedora with SELinux would alert me if anything strange was going on. It didn’t. My machine started acting weird, but I couldn’t place my finger on exactly how. I tried tools like Clam AV, or any number of intrusion detection solutions to assuage my growing paranoia. Problem is that they require some knowledge and you have to set them up before things go wrong.
Besides a terminal tool to unhide running processes, which inconsistently returned zero to dozens of unknown short-lived programs with increasingly high PIDs, nothing was detected. I later ran that unhide tool on a live USB of Fedora, and it did the same thing, so I assumed it was a false positive.
Ultimately, it was my fault, I know. I just went on a shady website to watch a TV show. Stupid, but not uncommon. My android phone also started acting strangely around the same time. I assume because I visited the same site to finish some season in bed using Firefox mobile. It’s been replaced entirely now.
But the point is that SELinux didn’t stop anything, I didn’t have to explicitly download or install anything to my machine, and it was some kind of drive-by infection that somehow added my machine to a kind of botnet, I think. Hard to tell just from the various logs I gathered from my machine and modem.
I don’t know what it was doing, but when I finally put all the pieces together, I completely wiped the drive in that machine, including a long dd operation on the drives with /dev/random. Still not sure what I’m going to do with it.
I’m also not sure if the infection was limited to Firefox itself, or if my entire machine was compromised. I may never know for sure.
While I was being stupid, I wasn’t being completely reckless and just running untrusted code from strange places. I watched TV in Firefox’s embedded video player. All it took was going to a website that I found by other people recommending it on social media. I should have known better, but I’m human.
If I can’t even visit a webpage without getting invisible botnet malware that escapes professionally configured tools like SELinux on Fedora, then how are complete newbies, or kids, or grandparents, or “know just enough to be dangerous nerds” (like me) supposed to be safe?
I agree that the user is the single biggest point of failure in security, and should be mindful. But when you’re not installing random Github packages, or turning off your firewall, or enabling SSH, and your machine can still get so easily pwned, what then?
That’s the value of anti-virus software. Yeah, it’s not perfect, but neither is your list of rules to follow. There is no single perfect approach, and people are lazy, impulsive, and sometimes drunkenly want to watch Breaking Bad. I don’t know what the solution is, but outright denying everyday antivirus seems… unwise, I guess?
Even if if takes a month for the vendor to be able to detect it, that’s still protection for anyone who comes after. It doesn’t have to be perfect to make a positive difference.
And, no: For anyone curious, I’m not going into more detail about the website.