Techrights logo

IRC: #techbytes @ Techrights IRC Network: Sunday, July 04, 2021

(ℹ) Join us now at the IRC channel | ䷉ Find the plain text version at this address.

*Techrights-sec has quit (Ping timeout: 2m30s)Jul 04 00:00
*libertybox has quit (Ping timeout: 2m30s)Jul 04 00:00
*Techrights-sec2 has quit (Quit: http://quassel-irc.org - Chat comfortably. Anywhere.)Jul 04 00:04
*Techrights-sec (~quassel@22e8m8t4gqjin.irc) has joined #techbytesJul 04 00:05
*psydruid (~psydruid@jevhxkzmtrbww.irc) has left #techbytesJul 04 00:58
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 01:15
*liberty_box has quit (Ping timeout: 2m30s)Jul 04 01:15
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 01:16
*liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytesJul 04 01:16
*psydruid (~psydruid@jevhxkzmtrbww.irc) has joined #techbytesJul 04 01:27
*psydruid (~psydruid@jevhxkzmtrbww.irc) has left #techbytesJul 04 01:54
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 02:30
*liberty_box has quit (Ping timeout: 2m30s)Jul 04 02:30
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 02:33
*liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytesJul 04 02:34
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 03:58
*liberty_box has quit (Ping timeout: 2m30s)Jul 04 03:58
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 04:06
*liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytesJul 04 04:08
*psydruid (~psydruid@jevhxkzmtrbww.irc) has joined #techbytesJul 04 04:12
*DaemonFC has quit (Quit: Leaving)Jul 04 07:20
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 08:24
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 08:25
schestowitzx https://www.bleepingcomputer.com/forums/t/754269/hacked-via-linux/Jul 04 09:19
-TechBytesBot/#techbytes-www.bleepingcomputer.com | Hacked via linux - Virus, Trojan, Spyware, and Malware Removal HelpJul 04 09:19
schestowitz# M$ siteJul 04 09:19
*liberty_box has quit (Ping timeout: 2m30s)Jul 04 09:50
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 09:50
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 10:27
*liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytesJul 04 10:28
*liberty_box has quit (Ping timeout: 2m30s)Jul 04 10:40
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 10:41
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 10:42
*liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytesJul 04 10:43
*liberty_box has quit (Ping timeout: 2m30s)Jul 04 11:07
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 11:07
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 11:08
*liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytesJul 04 11:08
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 11:31
*liberty_box has quit (Ping timeout: 2m30s)Jul 04 11:32
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 11:45
*liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytesJul 04 11:45
*psydroid_ (~psydroid@cqggrmwgu7gji.irc) has joined #techbytesJul 04 11:56
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 13:18
*liberty_box has quit (Ping timeout: 2m30s)Jul 04 13:18
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 13:30
*liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytesJul 04 13:30
schestowitzhttps://twitter.com/LeDave32/status/1411645735364399105Jul 04 13:48
-TechBytesBot/#techbytes-@LeDave32: @schestowitz It is like suggesting MSIE7 as alternate browser 😂🤣😂🤣Jul 04 13:48
schestowitzhttps://twitter.com/crystalshen6/status/1411470278073499652Jul 04 13:49
-TechBytesBot/#techbytes-@crystalshen6: "As the first load of prisoners arrived at the new military prison camp at Guantanamo, Cuba, on January 11, 2002, h… https://t.co/2NnHArk7v4Jul 04 13:49
-TechBytesBot/#techbytes-@crystalshen6: "As the first load of prisoners arrived at the new military prison camp at Guantanamo, Cuba, on January 11, 2002, h… https://t.co/2NnHArk7v4Jul 04 13:49
schestowitz""As the first load of prisoners arrived at the new military prison camp at Guantanamo, Cuba, on January 11, 2002, he declared them “unlawful combatants” who “do not have any rights under the Geneva Convention.”"Jul 04 13:49
schestowitzhttps://twitter.com/jrbrtson/status/1411457673011269634Jul 04 13:49
-TechBytesBot/#techbytes-@jrbrtson: @schestowitz Who replaces Microsoft Windows? Microsoft has a strong cult following of tinkerers who don't touch the command line.Jul 04 13:49
schestowitzhttps://twitter.com/csolisr/status/1411379761658707969Jul 04 13:49
-TechBytesBot/#techbytes-@csolisr: @schestowitz As somebody who programmed his phone to automatically upload all pictures to his NextCloud home server… https://t.co/uzzJUnO7WkJul 04 13:49
-TechBytesBot/#techbytes-@csolisr: @schestowitz As somebody who programmed his phone to automatically upload all pictures to his NextCloud home server… https://t.co/uzzJUnO7WkJul 04 13:49
schestowitz"As somebody who programmed his phone to automatically upload all pictures to his NextCloud home server, it's a very viable alternative"Jul 04 13:49
schestowitzhttps://twitter.com/Rex_Aletheia/status/1411353712656781319Jul 04 13:49
-TechBytesBot/#techbytes-@Rex_Aletheia: @schestowitz fear campaign doesn't work. Unvaccinated people know what's up and stop listening to the hype. The mor… https://t.co/7jKRRdYF8YJul 04 13:49
-TechBytesBot/#techbytes-@Rex_Aletheia: @schestowitz fear campaign doesn't work. Unvaccinated people know what's up and stop listening to the hype. The mor… https://t.co/7jKRRdYF8YJul 04 13:49
schestowitz"fear campaign doesn't work. Unvaccinated people know what's up and stop listening to the hype. The more variants we have the more we know its bullshit."Jul 04 13:49
schestowitzhttps://twitter.com/glynmoody/status/1411330192644218885Jul 04 13:50
-TechBytesBot/#techbytes-@glynmoody: what a callous, evil person he is https://t.co/SQkp1EzS2iJul 04 13:50
-TechBytesBot/#techbytes-@schestowitz: ● NEWS ● #TruthOut ☞ #McConnell Wields a Cruelly Narrow Definition of Infrastructure Like a Bludgeon https://t.co/8GtGHxmElVJul 04 13:50
schestowitzhttps://twitter.com/jvantill/status/1411324040581681152Jul 04 13:50
-TechBytesBot/#techbytes-@jvantill: @schestowitz Just like in NL !Jul 04 13:50
schestowitzhttps://twitter.com/ianrobo1/status/1411298110832365568Jul 04 13:50
-TechBytesBot/#techbytes-@ianrobo1: How can this be right other than allows certain companies (yes you Apple) to seek rip off service contracts https://t.co/aY4yPdQXvPJul 04 13:50
-TechBytesBot/#techbytes-@schestowitz: ● NEWS ● #9to5Mac #Hardware ☞ British right to repair law comes into force today, but excludes smartphones and comp… https://t.co/qL8asnF6h6Jul 04 13:50
schestowitz"How can this be right other than allows certain companies (yes you Apple) to seek rip off service contracts"Jul 04 13:50
schestowitzhttps://twitter.com/xolve/status/1411266292124815361Jul 04 13:52
-TechBytesBot/#techbytes-@xolve: Should be all governement software all around the world. https://t.co/EjMmJJpVUkJul 04 13:52
-TechBytesBot/#techbytes-@schestowitz: ● NEWS ● #Joinup #Licensing ☞ New Estonian law requires administration to make state-owned software publicly availa… https://t.co/PTDfTcfEFoJul 04 13:52
*liberty_box has quit (Ping timeout: 2m30s)Jul 04 14:28
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 14:28
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 14:30
*liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytesJul 04 14:32
schestowitzhttp://ipkitten.blogspot.com/2021/07/when-movie-is-derived-from-literary.html?showComment=1625235399706#c2244879325842589574Jul 04 14:54
-TechBytesBot/#techbytes-ipkitten.blogspot.com | When the movie is derived from a literary classic—are you an “All-In”, or a “Well, Maybe”, viewer? - The IPKatJul 04 14:54
schestowitz"As a member of the All-In" class, it was not my cup of "Emma tea". But as a form of movie take-off, I thought it was quite clever."Jul 04 14:54
schestowitzhttp://ipkitten.blogspot.com/2021/07/when-movie-is-derived-from-literary.html?showComment=1625233449857#c976518856166256952Jul 04 14:54
-TechBytesBot/#techbytes-ipkitten.blogspot.com | When the movie is derived from a literary classic—are you an “All-In”, or a “Well, Maybe”, viewer? - The IPKatJul 04 14:54
schestowitz"Where do Mr. & Mrs. Kat stand on the 1995 film "Clueless", which some pundits have argued is the best Emma adaptation of them all?"Jul 04 14:54
schestowitzhttp://ipkitten.blogspot.com/2021/07/russia-adopts-law-that-shakes-cognac.html?showComment=1625387429079#c1125721314044172895Jul 04 14:57
-TechBytesBot/#techbytes-ipkitten.blogspot.com | Russia adopts law that shakes Cognac and Champagne importers - The IPKatJul 04 14:57
schestowitz"Jul 04 14:57
schestowitzif the West was not so dependent on Russia for its energy, it would certainly be easier to boycott Russian products. Jul 04 14:57
schestowitzIt might be difficult to export those Russian beverages in countries accepting DOP. Jul 04 14:57
schestowitz"Jul 04 14:57
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 15:26
*liberty_box has quit (Ping timeout: 2m30s)Jul 04 15:26
*liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytesJul 04 15:27
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 15:27
*rianne_ has quit (Ping timeout: 2m30s)Jul 04 16:35
*liberty_box has quit (Ping timeout: 2m30s)Jul 04 16:35
*rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytesJul 04 16:40
*liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytesJul 04 16:41
*DaemonFC (~daemonfc@c3u36vcnrkska.irc) has joined #techbytesJul 04 19:33
schestowitz> Hi Roy,Jul 04 23:06
schestowitz> Jul 04 23:06
schestowitz> I know it's been quite a while since you published the piece on theJul 04 23:06
schestowitz> vulnerability I disclosed in 2019Jul 04 23:06
schestowitz> (http://techrights.org/2019/12/07/fake-linux-news-and-clickbait/), IJul 04 23:06
-TechBytesBot/#techbytes-techrights.org | From Moderate Advice to FUD and Misinformation: The Case of a VPN Vulnerability (CVE-2019-14899) | TechrightsJul 04 23:06
schestowitz> just wanted to follow up with you since I enjoy the site and ourJul 04 23:06
schestowitz> development has continued since then.Jul 04 23:06
schestowitz> Jul 04 23:06
schestowitz> I appreciate that you acknowledged our disclosure was "calm andJul 04 23:06
schestowitz> rational" - many other bloggers and podcasters called us "alarmists" andJul 04 23:06
schestowitz> "so-called researchers" (Steve Gibson), likely because they reported onJul 04 23:06
schestowitz> the reporting of our disclosure and didn't bother to read it. TheJul 04 23:06
schestowitz> discovery of the vulnerability was in no way an attack on Linux andJul 04 23:06
schestowitz> Unix, quite the opposite. The reasons we didn't examine was 1. becauseJul 04 23:06
schestowitz> we didn't care about Windows enough to bother with it at the time, andJul 04 23:06
schestowitz> 2. it isn't open source. Nevertheless, it seems that our report was usedJul 04 23:06
schestowitz> as ammunition against Linux by a great number of tech boomers on theJul 04 23:06
schestowitz> internet.Jul 04 23:06
schestowitz> Jul 04 23:06
schestowitz> Since our disclosure, we have created a way to exploit the vulnerabilityJul 04 23:06
schestowitz> server-side, i.e. from any router in-path between the user and the VPNJul 04 23:06
schestowitz> server. This attack, we can confirm, does affect Windows, as well asJul 04 23:06
schestowitz> Android, Apple, and every Linux and BSD we tested.Jul 04 23:06
schestowitz> Jul 04 23:06
schestowitz> We produced a paper on this vulnerability, which will appear in UsenixJul 04 23:07
schestowitz> '21, and included an artifact with demos, PCAPs, and a virtualJul 04 23:07
schestowitz> environment to test the attack, if you are interested:Jul 04 23:07
schestowitz> Jul 04 23:07
schestowitz> https://breakpointingbad.com/papers/Blind-in-path-attacks-VPN-USENIX21.pdfJul 04 23:07
schestowitz> Jul 04 23:07
schestowitz> https://git.breakpointingbad.com/Breakpointing-Bad-Public/vpn-attacksJul 04 23:07
-TechBytesBot/#techbytes-git.breakpointingbad.com | Breakpointing-Bad-Public/vpn-attacks - vpn-attacks - Gitea: Git with a cup of teaJul 04 23:07
schestowitz> Jul 04 23:07
schestowitz> I think in your initial analysis, you may have been too quick to shrugJul 04 23:07
schestowitz> this off as a small issue and hope that I can convince you otherwise.Jul 04 23:07
schestowitz> Jul 04 23:07
schestowitz> The main point is that while this was an easy fix for Linux and BSDJul 04 23:07
schestowitz> users, this was not a fix that Android or Apple users could make toJul 04 23:07
schestowitz> their devices, leaving them to wait until a patch was released. ThisJul 04 23:07
schestowitz> took Apple until July 2020 to patchJul 04 23:07
schestowitz> (https://support.apple.com/en-us/HT211288), while it was reported inJul 04 23:07
-TechBytesBot/#techbytes-support.apple.com | About the security content of iOS 13.6 and iPadOS 13.6 - Apple SupportJul 04 23:07
schestowitz> November 2018. Android was reported on the same day, and issued a patchJul 04 23:07
schestowitz> earlier, yet after testing last night, it appears they haven't fixed it.Jul 04 23:07
schestowitz> I haven't tested iOS again, but I'm not optimistic.Jul 04 23:07
schestowitz> Jul 04 23:07
schestowitz> To the severity of the attack, there are a few things to consider. ForJul 04 23:07
schestowitz> your average person in the West using a VPN to hide their torrenting andJul 04 23:07
schestowitz> pornography habits, the risks are minimal, but for the vulnerableJul 04 23:07
schestowitz> populations we are concerned about for our research and outreachJul 04 23:07
schestowitz> projects, it can be devastating. Testing to see if a user has an activeJul 04 23:07
schestowitz> connection to an entire list of banned websites takes seconds and can beJul 04 23:07
schestowitz> performed in parellel, and in some nations with especially egregiousJul 04 23:07
schestowitz> surveillance and censorship information controls, this alone is a crime.Jul 04 23:07
schestowitz> Jul 04 23:07
schestowitz> The initial attack required the attack to control a malicious accessJul 04 23:07
schestowitz> point, such as a coffee shop or perhaps an ISP with control of yourJul 04 23:07
schestowitz> modem/router. The server-side attack attack covers any hop after this.Jul 04 23:07
schestowitz> The key difference in the new attack is that the packets areJul 04 23:07
schestowitz> indistinguishable from legitimate traffic, so there is no apparentJul 04 23:07
schestowitz> mitigation.Jul 04 23:07
schestowitz> Jul 04 23:07
schestowitz> Thanks again for acknowledging the FUD created by all those bullshitJul 04 23:07
schestowitz> websites. This was my first disclosure and really did not anticipate theJul 04 23:07
schestowitz> response we got to what people thought we said. What a mess.Jul 04 23:07
schestowitz> Jul 04 23:07
schestowitz> Take care,Jul 04 23:08
schestowitz> Jul 04 23:08
schestowitz> Wm.Jul 04 23:08
schestowitzThanks, I shall take a look.Jul 04 23:08
*psydroid_ has quit (connection closed)Jul 04 23:35

Generated by irclog2html.py 2.6 | ䷉ find the plain text version at this address.