xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)

Fun :)

Btw, instead of installing individual vulnerable debs as those kali instructions I linked to earlier suggest, you could also point debootstrap at the snapshot service so that you get a complete system with everything as it would’ve been in late March and then run that in a VM… or in a container. You can find various instructions for creating containers and VMs using debootstrap (eg, this one which tells you how to run a container with systemd-nspawn; but you could also do it with podman or docker or lxc). When the instructions tell you to run debootstrap, you just want to specify a snapshot URL like https://snapshot.debian.org/archive/debian/20240325T212344Z/ in place of the usual Debian repository url (typically https://deb.debian.org/debian/).

A daily ISO of Debian testing or Ubuntu 24.04 (noble) beta from prior to the first week of April would be easiest, but those aren’t archived anywhere that I know of. It didn’t make it in to any stable releases of any Debian-based distros.

But even when you have a vulnerable system running sshd in a vulnerable configuration, you can’t fully demo the backdoor because it requires the attacker to authenticate with their private key (which has not been revealed).

But, if you just want to run it and observe the sshd slowness that caused the backdoor to be discovered, here are instructions for installing the vulnerable liblzma deb from snapshot.debian.org.

Sounds like it requires that your DHCP server is hostile, which is actually a very small (though nonzero, yes) number of the attack scenarios that VPNs are designed for

In most situations, any host on the LAN can become a DHCP server.

“there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android” is a very funny way of saying “in practice applies only to Windows and iOS”.

No. There are certainly ways of mitigating it, but afaict no Linux distros have done so yet.

The vast majority of LANs do not do anything to prevent rogue DHCP servers.

Just to be clear, a “DHCP server” is a piece of software which can run anywhere (including a phone). Eg, if your friend’s phone has some malware and you let them use the wifi at your house, someone could be automatically doing this attack against your laptop while they’re there.

VPNs have several purposes but the big two are hiding your traffic from attackers on the local area network and concealing your location from sites that you visit.

If you’re using a VPN on wifi at a cafe and anyone else at the cafe can run a rogue DHCP server (eg, with an app on their phone) and route all of your traffic through them instead of through the VPN, I think most VPN users would say the purpose of the VPN has been defeated.

because i thought the situation described by the post was tragicomic (as was somewhat expressed by the line from it quoted in the post title)

You can use Wireshark to see the packets and their IP addresses.

https://www.wireshark.org/download.html

https://www.wireshark.org/docs/

A word of warning though: finding out about all the network traffic that modern software sends can be deleterious to mental health 😬

I do have wireguard on my server as well, I guess it’s similar to what tailscale does?

Tailscale uses wireguard but adds a coordination server to manage peers and facilitate NAT traversal (directly when possible, and via a intermediary server when it isn’t).

If your NAT gateway isn’t rewriting source port numbers it is sometimes possible to make wireguard punch through NAT on its own if both peers configure endpoints for eachother and turn on keepalives.

Do you know if Yggdrasil does something similar and if we exchange data directly when playing over Yggdrasil virtual IPv6 network?

From this FAQ it sounds like yggdrasil does not attempt to do any kind of NAT traversal so two hosts can only be peers if at least one of them has an open port. I don’t know much about yggdrasil but from this FAQ answer it sounds like it runs over TCP (so using TCP applications means two layers of TCP) which is not going to be conducive to a good gaming experience.

Samy Kamkar’s amazing pwnat tool might be of interest to you.

I have a device without public IP, AFAIK behind NAT, and a server. If I use bore to open a port through my server and host a game, and my friends connect to me via IP, will we have big ping (as in, do packets travel to the server first, then to me) or low ping (as in, do packets travel straight to me)?

No, you will have “big ping”. bore (and everything on that page i linked) is strictly for tunneling which means all packets are going through the tunnel server.

Instead of tunneling, you can try various forms of hole punching for NAT traversal which, depending on the NAT implementation, will work sometimes to have a direct connection between users. You can use something like tailscale (and if you want to run your own server, headscale) which will try its best to punch a hole for a p2p connection and will only fall back to relaying through a server if absolutely necessary.

See https://github.com/anderspitman/awesome-tunneling for a list of many similar things. A few of them automatically setup letsencrypt certs for unique subdomains so you can have end-to-end HTTPS.

Color can provide useful context. For example, in the case of this image, imagine if in a thread about it there was some discussion of the ripeness of the yuzu fruit.

Mattermost isn’t e2ee, but if the server is run by someone competent and they’re allowed to see everything anyway (eg it’s all group chat, and they’re in all the groups) then e2ee isn’t as important as it would be otherwise as it is only protecting against the server being compromised (a scenario which, if you’re using web-based solutions which do have e2ee, also leads to circumvention of it).

If you’re OK with not having e2ee, I would recommend Zulip over Mattermost. Mattermost is nice too though.

edit: oops, i see you also want DMs… Mattermost and Zulip both have them, but without e2ee. 😢

I could write a book about problems with Matrix, but if you want something relatively easy and full featured with (optional, and non-forward-secret) e2ee then it is probably your best bet today.

Tell me you didn’t click either link in my comment without telling me you didn’t click either link

https://news.uga.edu/how-social-media-posts-could-affect-credit-scores/ (via)

FICO is just one of a multitude of scoring systems which impact people’s lives in the US today.

https://en.wikipedia.org/wiki/Criticism_of_credit_scoring_systems_in_the_United_States

You and your friends’ social media activity, among numerous other things, can absolutely affect your ability to get a loan, a job, a rental contract, etc.

you don’t see any downside to nuclear escalation?

I’m inclined to believe that it’s not just “not respecting the proportions” but rather manufacturers putting a fake logo to create the appearance of safety. From your link:

“The Commission was also aware of fraudulent misuse of the mark on products that did not comply with the standards, but that this is a separate issue.”

Why would you be inclined to believe that manufacturers of non-conformant products would be intentionally using a nonstandard version of the mark instead of the correctly-proportioned one which they can use just as easily?

And why haven’t you edited your comment to remove that image making the false claim that a CE mark with nonstandard proportions is a “China Export Symbol”?

That is actually a racist urban legend.

cc @jkrtn@lemmy.ml

Who is we???

Perhaps OP is a member of the US congress, trying to figure out what to vote for? 🤪

There is a nice sample of Michael Parenti talking about this kind of use of the word “we” at the beginning of this song. (lyrics here)

no, it’s because the basis of your joke is elder abuse.

I’m the worm in the apple car.

That worm has a name: Lowly

Update:

https://twitter.com/Stella_Assange/status/1780258878237667377

the US didn’t have to coerce them to kick him out.

You think the $4.2B IMF loan package they got 30 days before his expulsion wasn’t contingent on revoking his asylum? Here is evidence that it was, two months before it happened.

He essentially got kicked out for installing spyware and listening devices into the embassy’s private network.

What? The listening devices and hidden cameras were in fact installed by the Spanish private security company who was ostensibly working for the embassy but who it turned out was also working for the CIA, for the purpose of spying on Assange (including in the bathroom, where he would go to meet with his lawyers due to his suspicion that the other rooms had been bugged), as has been well documented in both US and Spanish courts:

• https://elpais.com/elpais/2019/10/23/inenglish/1571817241_796975.html

• https://english.elpais.com/spain/2023-03-29/spanish-company-provided-cia-with-information-leading-to-julian-assanges-arrest.html

• https://english.elpais.com/international/2023-12-22/a-spanish-company-and-the-cia-found-guilty-of-violating-rights-of-julian-assanges-visitors.html#

• https://en.wikipedia.org/wiki/Surveillance_of_Julian_Assange

What is it that people in the UK don’t understand about ‘indeterminate detention without charge’?

He was detained without charge for many years, but there are charges now: the US unsealed their 2018 indictment against him immediately after they coerced Ecuador into revoking his asylum in April 2019, and they added more charges a month later.

As the linked article explains, he is currently charged with 17 counts of espionage and 1 count of conspiracy to commit computer intrusion. He remains in His Majesty’s Prison Belmarsh while fighting the US’s extradition request.

See also https://en.wikipedia.org/wiki/Indictment_and_arrest_of_Julian_Assange

https://en.wikipedia.org/wiki/List_of_countries_that_have_gained_independence_from_the_United_Kingdom says the current count is 65 countries, but cites https://www.guinnessworldrecords.com/world-records/most-countries-to-have-gained-independence-from-the-same-country which says 66 (4 + 62).

France and Spain are in second and third place with 28 and 17, respectively.

Tuta is most likely a honeypot, and in any case it is pseudo-open source so it’s offtopic in this community.

https://en.wikipedia.org/wiki/Government_cheese

See also:

• https://en.wikipedia.org/wiki/Butter_mountain
• https://en.wikipedia.org/wiki/Wine_lake
• https://en.wikipedia.org/wiki/Quebec_Maple_Syrup_Producers#Strategic_reserve

As the image transcript in the post body explains, the image at the bottom is a scene from a well-known 1998 film (which, according to Wikipedia, was in 2014 selected for preservation in the United States National Film Registry by the Library of Congress as being “culturally, historically, or aesthetically significant”).

This meme will not make as much sense to people who have not seen the film. You can watch the referenced scene here. The context is that the main character, The Dude (played by Jeff Bridges) has recently had his private residence invaded by a group of nihilists with a pet marmot (actually portrayed by a ferret) and they have threatened to “cut off his Johnson”. In an attempt to express sympathy, The Dude’s friend Walter (played by John Goodman) points out that, in addition to the home invasion and threats, the nihilists’ exotic pet is also illegal. The Dude’s retort “what, are you a fucking park ranger now” is expressing irritation with that observation, because it is insignificant compared with the threat of the removal of his penis.

This meme attempts to draw a parallel between this humorous scene and XZ developer Lasse Collin’s observation that the XZ backdoor was also a violation of Debian’s software licensing policies.

Thank you for reading my artist’s statement.

Ok, you and @d3Xt3r@lemmy.nz are both mods of /c/linux@lemmy.ml now. Thanks!

Not necessarily true - that right to modify/redistribute depends on the exact license being applied.

If you don’t have the right to modify and redistribute it (and to do so commercially) then it does not meet the definitions of free software or open source.

For example, the Open Watcom Public License claims to be an “open source” license, but it actually doesn’t allow making modifications.

The Sybase Open Watcom Public License does allow making modifications, and distributing modified versions. The reason why the FSF has not approved it is that it requires you to publish source code even if you only wanted to run your modified version yourself and didn’t actually want to distribute anything to anyone. (The Watcom license is one of the few licenses which is approved by OSI but not FSF. You can see the other licenses which are approved by one but not the other by sorting this table.)

The FSF’s own AGPL license is somewhat similar, but it only imposes the requirement if you run the software for someone else over a network. (Neither of these requirements are likely to be enforceable by copyright law, as I explained in my comment about the AGPL in the thread which this thread is about…)

This is also why we specifically have the terms “free software” or “FOSS” which imply they you are indeed allowed to modify and redistribute.

I would recommend reading this: https://www.gnu.org/philosophy/open-source-misses-the-point.en.html

I would recommend that you re-read that, because it actually explains that the two terms refer to essentially the same category of software licenses (while it advocates for using the term free software to emphasize the philosophical aspects of those licenses).

Opensource just means that the source code is available, FOSS however implies that you’re free to modify and redistribute the program

Incorrect. “Open Source” also means that you are free to modify and redistribute the software.

If the source code is merely available but not free to modify and/or redistribute, then it is called source-available software.

Ok, I just stickied this post here, but I am not going to manage making a new one each week :)

I am an admin at lemmy.ml and was actually only added as a mod to this community so that my deletions would federate (because there was a bug where non-mod admin deletions weren’t federating a while ago). The other mods here are mostly inactive and most of the mod activity is by me and other admins.

Skimming your history here, you seem alright; would you like to be a mod of /c/linux@lemmy.ml ?

Thanks. They are no longer a mod of this community. (I wrote this comment to them and they did not reply.)

As of today, NixOS (like most distros) has reverted to a version slightly prior to the release with the Debian-or-Redhat-specific sshd backdoor which was inserted into xz just two months ago. However, the saboteur had hundreds of commits prior to the insertion of that backdoor, and it is very likely that some of those contain subtle intentional vulnerabilities (aka “bugdoors”) which have not yet been discovered.

As (retired) Debian developer Joey Hess explains here, the safest course is probably to switch to something based on the last version (5.3.1) released prior to Jia Tan getting push access.

Unfortunately, as explained in this debian issue, that is not entirely trivial because dependents of many recent pre-backdoor potentially-sabotaged versions require symbol(s) which are not present in older versions and also because those older versions contain at least two known vulnerabilities which were fixed during the multi-year period where the saboteur was contributing.

After reading Xz format inadequate for long-term archiving (first published eight years ago…) I’m convinced that migrating the many projects which use XZ today (including DPKG, RPM, and Linux itself) to an entirely different compression format is probably the best long-term plan. (Though we’ll always still need tools to read XZ archives for historical purposes…)

for those unfamiliar: Reflections on trusting trust by Ken Thompson

Hi @haui_lemmy@lemmy.giftedmc.com,

fyi icymi due to this thread someone posted this other thread asking “Is it appropriate for someone to be a mod here when they don’t understand open source, and insult users in the community?”.

I don’t have time to read all ~200 comments in these two threads, but I do think that being a moderator of /c/opensource@lemmy.ml requires knowing what FOSS is to be able to remove posts promoting things which are not.

Hopefully the replies here (again, I have not read even half of this thread…) have made you better informed?

In case you haven’t yet, I would highly recommend that you read these two documents (you can start with their wikipedia articles and follow links from there to the actual documents):

• https://en.wikipedia.org/wiki/The_Free_Software_Definition
• https://en.wikipedia.org/wiki/The_Open_Source_Definition

In short, the answer to your question (“Is there a License that requires the user to donate if they make revenue?”) is yes, there are many such licenses, but they are definitively not FOSS licenses (despite what some people who haven’t read the above definitions might try to tell you).

I won’t enumerate any of the non-FOSS licenses which attempt such a thing, because I recommend against the use of such licenses or software licensed under them.

BTW, I saw you wrote in another comment:

By now I get that FOSS mostly implies free work for corporations. I‘ll just go with agpl to ensure they get nothing from my work.

While corporations benefiting from FOSS while failing to financially support it at all is extremely commonplace, I vehemently disagree that that is what FOSS “mostly implies”. In fact, the opposite is more common: the vast majority of free software users are not paying anything to the companies who have paid for an enormous amount of the development of it. A few hundred companies pay tens of thousands of individual developers to develop and maintain the Linux kernel, for instance.

Regarding the second sentence of yours that I quoted above, in case you haven’t understood this yet: the AGPL does not prevent commercial use of your work. If you write a web app and license it AGPL, you are giving me permission to run it, modify it, redistribute my modified version, and to charge money for it without giving you anything.

What the AGPL does, and why many companies avoid it, is impose the requirement that I (the recipient of your software) offer the source code to your software (and any modifications I made to it) under that same license not only to anyone I distribute it to but also to anyone using the software over a network on my server.

If the software were licensed GPL instead of AGPL, I would only be required to offer GPL-licensed source code to people when I distribute the software to them. Eg, I could improve a GPL web app and it is legal to not share my improvements (to the server-side code) with anyone at all because the software is not being distributed - it is just running on my server.

By imposing requirements about how you run the software (eg, if you put an AGPL notice in the UI, I am not allowed to remove it) the AGPL is more than just a copyright license: violations of the GPL and most FOSS licenses are strictly copyright violations and can be enforced as such, but violating the part of the AGPL where it differs from the GPL would not constitute copyright infringement because no copying is taking place. Unlike almost every other FOSS license, the AGPL is both a copyright license and a end-user license agreement.

For this reason, many people have misgivings about the AGPL. However, if you want to scare companies away from using your software at all (and/or require them to purchase a different license from you to use it under non-AGPL terms, which is only possible if you require all contributors to assign copyright or otherwise give you permission to dual-license their work) while still using a license which the FOSS community generally accepts as FOSS… AGPL is probably your best bet.

HTH.

p.s. I’m not a lawyer, this isn’t legal advice, etc etc :)

there is enough garbage there now that they could just make the tourist permit require everyone to bring down more than they take up with them

maybe it’s important to note he isn’t on trial for treason? The charges are for hacking and espionage.

He isn’t on trial for treason in courts of law, but he is in the court of public opinion - various commentators and some officials (including Senator Joe Lieberman and then-CIA Director Mike Pompeo) have used the word to describe his publishing.

what was the prompt you used?