cypherpunks

cypherpunks , 3 days ago

and later it will turn out that the AI solution was actually two clickworkers in a trenchcoat

cypherpunks , 10 days ago

A daily ISO of Debian testing or Ubuntu 24.04 (noble) beta from prior to the first week of April would be easiest, but those aren’t archived anywhere that I know of. It didn’t make it in to any stable releases of any Debian-based distros.

But even when you have a vulnerable system running sshd in a vulnerable configuration, you can’t fully demo the backdoor because it requires the attacker to authenticate with their private key (which has not been revealed).

But, if you just want to run it and observe the sshd slowness that caused the backdoor to be discovered, here are instructions for installing the vulnerable liblzma deb from snapshot.debian.org.

cypherpunks , 10 days ago

xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)

Fun :)

Btw, instead of installing individual vulnerable debs as those kali instructions I linked to earlier suggest, you could also point debootstrap at the snapshot service so that you get a complete system with everything as it would’ve been in late March and then run that in a VM… or in a container. You can find various instructions for creating containers and VMs using debootstrap (eg, this one which tells you how to run a container with systemd-nspawn; but you could also do it with podman or docker or lxc). When the instructions tell you to run debootstrap, you just want to specify a snapshot URL like https://snapshot.debian.org/archive/debian/20240325T212344Z/ in place of the usual Debian repository url (typically https://deb.debian.org/debian/).

cypherpunks , 11 days ago

mullvad.net/…/evaluating-the-impact-of-tunnelvisi…

cypherpunks OP , 12 days ago

because i thought the situation described by the post was tragicomic (as was somewhat expressed by the line from it quoted in the post title)

cypherpunks , 24 days ago

Mattermost isn’t e2ee, but if the server is run by someone competent and they’re allowed to see everything anyway (eg it’s all group chat, and they’re in all the groups) then e2ee isn’t as important as it would be otherwise as it is only protecting against the server being compromised (a scenario which, if you’re using web-based solutions which do have e2ee, also leads to circumvention of it).

If you’re OK with not having e2ee, I would recommend Zulip over Mattermost. Mattermost is nice too though.

edit: oops, i see you also want DMs… Mattermost and Zulip both have them, but without e2ee. 😢

I could write a book about problems with Matrix, but if you want something relatively easy and full featured with (optional, and non-forward-secret) e2ee then it is probably your best bet today.

cypherpunks , 25 days ago

you don’t see any downside to nuclear escalation?

cypherpunks , 25 days ago

FICO is just one of a multitude of scoring systems which impact people’s lives in the US today.

en.wikipedia.org/…/Criticism_of_credit_scoring_sy…

You and your friends’ social media activity, among numerous other things, can absolutely affect your ability to get a loan, a job, a rental contract, etc.

cypherpunks , 25 days ago

news.uga.edu/how-social-media-posts-could-affect-… (via)

cypherpunks , 25 days ago

Tell me you didn’t click either link in my comment without telling me you didn’t click either link

cypherpunks , 26 days ago

screenshot of the moment at 2:07 in “A Tribe Called Quest - Can I Kick It? (Official HD Video)” when the letters “iT” are about to be kicked over, with the subtitle “♪ Yes, you can! ♪” at the bottom of the frame

this track really has a lot of flavor

cypherpunks OP , 26 days ago

i left a comment about the origin of that saying in the cross-post of this thread. (i think the privacy/security/achieve version you posted is much better than the original one which said “deserve neither Liberty nor Safety”.)

cypherpunks OP , 26 days ago (edited 26 days ago)

What’s the old saying, Ben Franklin said it if I remember right?

Those who would give up freedom in exchange for security deserve neither and will lose both.

The original phrasing was “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” but Franklin didn’t mean what most people quoting it today assume that he meant. (The author of that article is contemptible imo, being the sort of person who often writes things similar to the NYT Opinion piece which this thread is about, but I think his analysis of this particular quote is probably correct. You can read Franklin’s original use of the phrase in context here.)

cypherpunks OP , 24 days ago

Color can provide useful context. For example, in the case of this image, imagine if in a thread about it there was some discussion of the ripeness of the yuzu fruit.

cypherpunks , 27 days ago

Meanwhile, people at many/most movie theaters in the US:

“You Guys Are Getting Paid” meme with caption “you guys are getting beer in movie theaters?”

cypherpunks , 26 days ago

It only became legal in New York in 2022. Perhaps today most people in the US do live in states where it is legal, but that doesn’t mean they live near a theater that actually does it. This article from a year ago says the largest chain, AMC, has a bar in the lobby of 300 (of their 593 in the US, according to wikipedia) locations but that some of them don’t let you bring a beer into the theater. The second-largest chain, Regal Cinemas, was only serving alcohol in 80 of their 511 locations as of last year.

cypherpunks , 28 days ago (edited 28 days ago)

That is actually a racist urban legend.

cc @jkrtn

cypherpunks , 28 days ago (edited 28 days ago)

I’m inclined to believe that it’s not just “not respecting the proportions” but rather manufacturers putting a fake logo to create the appearance of safety. From your link:

“The Commission was also aware of fraudulent misuse of the mark on products that did not comply with the standards, but that this is a separate issue.”

Why would you be inclined to believe that manufacturers of non-conformant products would be intentionally using a nonstandard version of the mark instead of the correctly-proportioned one which they can use just as easily?

And why haven’t you edited your comment to remove that image making the false claim that a CE mark with nonstandard proportions is a “China Export Symbol”?

cypherpunks , 27 days ago

And sorry but I have no idea what you’re trying to say in your paragraph.

Let me try rephrasing it: Why do you think a manufacturer of a non-conformant product (who wants to be perceived as conformant) would intentionally use a nonstandard version of the mark, instead of the standard one? Note that the standard mark is not a certification or proof of conformance of any kind; it is merely a way for the manufacturer to affirm that they are conformant. It is illegal to sell non-conformant products in the European Economic Area regardless of if they carry the standard CE mark or not.

Regardless of why we’re literally looking at one in the OP. Which is, as if I need to repeat this, a literal suicide device.

Did you think we’re looking at an actual non-conformant product, and that it used a non-standard CE mark to deceive consumers? I thought it was pretty clear we were looking at a satirical fake product, and I assume the non-standard version of the CE mark was used unintentionally. If it was intentional, it was certainly not to deceive consumers but perhaps could have been an overcautious artist worried about trademark infringement.

FWIW i looked it up and the image in the post is an artwork titled “electric bath duck for suicidal tendency” created in 2001 by Nicolas Gaudron while he was at the Royal College of Art in London.

It was a brief meme in 2007, being featured on wired.com via ohgizmo.com via ubergizmo.com via gearfuse.com via haha.nu (this was back when there was more of a culture of attributing sources of things on the web). In 2011 it appeared on whokilledbambi.co.uk, and in 2016 it made it to /r/rubberducks.

cypherpunks OP , 29 days ago

“First-term state Rep. Roger Wilder, R-Denham Springs, who sponsored the child labor measure and owns Smoothie King franchises across the Deep South, said he filed the bill in part because children want to work without having to take lunch breaks.”

knowyourmeme.com/…/the-children-yearn-for-the-min…

cypherpunks , 1 month ago

I’m the worm in the apple car.

That worm has a name: Lowly

cypherpunks , 1 month ago

no, it’s because the basis of your joke is elder abuse.

cypherpunks OP , 1 month ago (edited 1 month ago)

He is better off in the USA he can clam first amendment rights freedom of the press

The US position is that the first amendment doesn’t apply to non-citizens, and also that it isn’t possible to make a public interest defense to espionage charges.

also he won’t get death the worst is 20 to life

The current set of charges carry up to 175 years and the US has thus far refused to guarantee to the British court that they won’t add more charges after they extradite him.

And even if he was “only” facing 20 to life, what would that be better than? He isn’t charged with anything anywhere else.

cypherpunks OP , 1 month ago (edited 1 month ago)

First amendment is given to us by our creators it says so in the us constution everyone gets it period

Neither the US Constitution, the Bill of Rights, or any of its other amendments use the word “creator”. You’re probably thinking of the Declaration of Independence (the famous second sentence of which is “We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.”). The DoI predates the Constitution and its amendments by over a decade and has no force of law.

There is a strong legal argument to be made, including some historical court rulings, that at least some of the rights in the Bill of Rights do apply to non-citizens - although some of those arguments are limited to when non-citizens are on US soil (which Assange was not when he engaged in the acts of journalism which he is being prosecuted for).

However, one of the US prosecutors (Gordon Kromberg) specifically told the court in his declaration in support of the Assange extradition:

Concerning any First Amendment challenge, the United States could argue that foreign nationals are not entitled to protections under the First Amendment […]

Former Secretary of State and CIA Director Mike Pompeo also wrote in his memoir Never Give An Inch:

Julian Assange has no First Amendment privileges. He is not a U.S. citizen.

Other US officials have made similar statements.

You can read more here:

• thedissenter.org/countdown-to-day-x-us-assange-no…
• jurist.org/…/law-professor-marjorie-cohn-extradit…

Last month, the British High Court gave the US prosecutors until April 16 to submit a declaration including assurances that “the applicant is permitted to rely on the first amendment” and that he “is afforded the same first amendment protections as a United States citizen” (those are the British court’s words).

The assurance the US has now submitted did not actually repudiate the prosecutors earlier explicit statement that the “the United States could argue that foreign nationals are not entitled to protections under the First Amendment” but instead said merely that he can “seek to raise” the first amendment in his defense. But, he has already been seeking to raise the first amendment to stop his extradition, and these “assurances” that he can seek to raise it again in the US come from the same prosecutors who explicitly argued (and again, have not repudiated their argument) to the British court that he is not entitled to first amendment protection because he is a foreign national.

You didn’t answer my question: Better off than what?

cypherpunks OP , 1 month ago (edited 1 month ago)

getting a fair trial

🤨 did you read any of the links in my last comment?

(are you suggesting you think that he could actually be extradited and found not guilty, or are you saying you think he deserves to go to prison and that is what you mean by saying he would be “better off” not fighting extradition?)

cypherpunks OP , 1 month ago

Yes he could be extradited and found not guilty No member of the press deserves to go to jail For doing that’s job

So, I guess you’re either being disingenuous or you haven’t followed the case much. If it’s the latter, I highly encourage you to read the two links in my earlier comment, and/or any of these: 1, 2, 3

Are you aware of anyone besides yourself seriously arguing that he has any chance of being found not guilty in a US espionage trial, while also saying that he doesn’t deserve to go to jail?

As far as I’ve seen, any remotely informed commentator who argues that he could get a “fair trial” in the US is also arguing that it would be “fair” for him to be convicted and spend the rest of his life in prison.

cypherpunks OP , 1 month ago

What is it that people in the UK don’t understand about ‘indeterminate detention without charge’?

He was detained without charge for many years, but there are charges now: the US unsealed their 2018 indictment against him immediately after they coerced Ecuador into revoking his asylum in April 2019, and they added more charges a month later.

As the linked article explains, he is currently charged with 17 counts of espionage and 1 count of conspiracy to commit computer intrusion. He remains in His Majesty’s Prison Belmarsh while fighting the US’s extradition request.

See also en.wikipedia.org/…/Indictment_and_arrest_of_Julia…

cypherpunks OP , 1 month ago

the US didn’t have to coerce them to kick him out.

You think the $4.2B IMF loan package they got 30 days before his expulsion wasn’t contingent on revoking his asylum? Here is evidence that it was, two months before it happened.

He essentially got kicked out for installing spyware and listening devices into the embassy’s private network.

What? The listening devices and hidden cameras were in fact installed by the Spanish private security company who was ostensibly working for the embassy but who it turned out was also working for the CIA, for the purpose of spying on Assange (including in the bathroom, where he would go to meet with his lawyers due to his suspicion that the other rooms had been bugged), as has been well documented in both US and Spanish courts:

• elpais.com/elpais/2019/…/1571817241_796975.html
• …elpais.com/…/spanish-company-provided-cia-with-i…
• …elpais.com/…/a-spanish-company-and-the-cia-found…
• en.wikipedia.org/…/Surveillance_of_Julian_Assange

cypherpunks OP , 1 month ago

Update:

!Screenshot of tweet from @Stella_Assange with text: BREAKING: “The United States has issued a non-assurance in relation to the First Amendment, and a standard assurance in relation to the death penalty. It makes no undertaking to withdraw the prosecution’s previous assertion that Julian has no First Amendment rights because he is not a U.S citizen. Instead, the US has limited itself to blatant weasel words claiming that Julian can “seek to raise” the First Amendment if extradited. The diplomatic note does nothing to relieve our family’s extreme distress about his future – his grim expectation of spending the rest of his life in isolation in US prison for publishing award-winning journalism. The Biden Administration must drop this dangerous prosecution before it is too late.”

twitter.com/Stella_Assange/…/1780258878237667377

cypherpunks , 1 month ago

en.wikipedia.org/…/List_of_countries_that_have_ga… says the current count is 65 countries, but cites guinnessworldrecords.com/…/most-countries-to-have… which says 66 (4 + 62).

France and Spain are in second and third place with 28 and 17, respectively.

cypherpunks , 1 month ago

en.wikipedia.org/wiki/Government_cheese

See also:

• en.wikipedia.org/wiki/Butter_mountain
• en.wikipedia.org/wiki/Wine_lake
• en.wikipedia.org/…/Quebec_Maple_Syrup_Producers#S…

cypherpunks OP , 1 month ago

As the image transcript in the post body explains, the image at the bottom is a scene from a well-known 1998 film (which, according to Wikipedia, was in 2014 selected for preservation in the United States National Film Registry by the Library of Congress as being “culturally, historically, or aesthetically significant”).

This meme will not make as much sense to people who have not seen the film. You can watch the referenced scene here. The context is that the main character, The Dude (played by Jeff Bridges) has recently had his private residence invaded by a group of nihilists with a pet marmot (actually portrayed by a ferret) and they have threatened to “cut off his Johnson”. In an attempt to express sympathy, The Dude’s friend Walter (played by John Goodman) points out that, in addition to the home invasion and threats, the nihilists’ exotic pet is also illegal. The Dude’s retort “what, are you a fucking park ranger now” is expressing irritation with that observation, because it is insignificant compared with the threat of the removal of his penis.

This meme attempts to draw a parallel between this humorous scene and XZ developer Lasse Collin’s observation that the XZ backdoor was also a violation of Debian’s software licensing policies.

Thank you for reading my artist’s statement.

cypherpunks , 1 month ago

Title card from Star Trek: Voyager S02E01, with the crew of Voyager standing around a 1936 Ford truck in their cargo bay. The episode title “The 37’s” is at the top left of the image.

cypherpunks , 1 month ago

Ok, I just stickied this post here, but I am not going to manage making a new one each week :)

I am an admin at lemmy.ml and was actually only added as a mod to this community so that my deletions would federate (because there was a bug where non-mod admin deletions weren’t federating a while ago). The other mods here are mostly inactive and most of the mod activity is by me and other admins.

Skimming your history here, you seem alright; would you like to be a mod of /c/[email protected] ?

cypherpunks , 1 month ago

Ok, you and @d3Xt3r are both mods of /c/[email protected] now. Thanks!

cypherpunks , 1 month ago (edited 1 month ago)

As of today, NixOS (like most distros) has reverted to a version slightly prior to the release with the Debian-or-Redhat-specific sshd backdoor which was inserted into xz just two months ago. However, the saboteur had hundreds of commits prior to the insertion of that backdoor, and it is very likely that some of those contain subtle intentional vulnerabilities (aka “bugdoors”) which have not yet been discovered.

As (retired) Debian developer Joey Hess explains here, the safest course is probably to switch to something based on the last version (5.3.1) released prior to Jia Tan getting push access.

Unfortunately, as explained in this debian issue, that is not entirely trivial because dependents of many recent pre-backdoor potentially-sabotaged versions require symbol(s) which are not present in older versions and also because those older versions contain at least two known vulnerabilities which were fixed during the multi-year period where the saboteur was contributing.

After reading https://www.nongnu.org/lzip/xz_inadequate.html (first published eight years ago…) I’m convinced that migrating the many projects which use XZ today (including DPKG, RPM, and Linux itself) to an entirely different compression format is probably the best long-term plan. (Though we’ll always still need tools to read XZ archives for historical purposes…)