●● IRC: #techbytes @ Techrights IRC Network: Sunday, July 04, 2021 ●●
● Jul 04
[00:00] *Techrights-sec has quit (Ping timeout: 2m30s)
[00:00] *libertybox has quit (Ping timeout: 2m30s)
[00:04] *Techrights-sec2 has quit (Quit: http://quassel-irc.org - Chat comfortably. Anywhere.)
[00:05] *Techrights-sec (~quassel@22e8m8t4gqjin.irc) has joined #techbytes
[00:58] *psydruid (~psydruid@jevhxkzmtrbww.irc) has left #techbytes
● Jul 04
[01:15] *rianne_ has quit (Ping timeout: 2m30s)
[01:15] *liberty_box has quit (Ping timeout: 2m30s)
[01:16] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
[01:16] *liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytes
[01:27] *psydruid (~psydruid@jevhxkzmtrbww.irc) has joined #techbytes
[01:54] *psydruid (~psydruid@jevhxkzmtrbww.irc) has left #techbytes
● Jul 04
[02:30] *rianne_ has quit (Ping timeout: 2m30s)
[02:30] *liberty_box has quit (Ping timeout: 2m30s)
[02:33] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
[02:34] *liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytes
● Jul 04
[03:58] *rianne_ has quit (Ping timeout: 2m30s)
[03:58] *liberty_box has quit (Ping timeout: 2m30s)
● Jul 04
[04:06] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
[04:08] *liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytes
[04:12] *psydruid (~psydruid@jevhxkzmtrbww.irc) has joined #techbytes
● Jul 04
[07:20] *DaemonFC has quit (Quit: Leaving)
● Jul 04
[08:24] *rianne_ has quit (Ping timeout: 2m30s)
[08:25] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
● Jul 04
[09:19] schestowitz x https://www.bleepingcomputer.com/forums/t/754269/hacked-via-linux/
[09:19] -TechBytesBot/#techbytes-www.bleepingcomputer.com | Hacked via linux - Virus, Trojan, Spyware, and Malware Removal Help
[09:19] schestowitz # M$ site
[09:50] *liberty_box has quit (Ping timeout: 2m30s)
[09:50] *rianne_ has quit (Ping timeout: 2m30s)
● Jul 04
[10:27] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
[10:28] *liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytes
[10:40] *liberty_box has quit (Ping timeout: 2m30s)
[10:41] *rianne_ has quit (Ping timeout: 2m30s)
[10:42] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
[10:43] *liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytes
● Jul 04
[11:07] *liberty_box has quit (Ping timeout: 2m30s)
[11:07] *rianne_ has quit (Ping timeout: 2m30s)
[11:08] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
[11:08] *liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytes
[11:31] *rianne_ has quit (Ping timeout: 2m30s)
[11:32] *liberty_box has quit (Ping timeout: 2m30s)
[11:45] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
[11:45] *liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytes
[11:56] *psydroid_ (~psydroid@cqggrmwgu7gji.irc) has joined #techbytes
● Jul 04
[13:18] *rianne_ has quit (Ping timeout: 2m30s)
[13:18] *liberty_box has quit (Ping timeout: 2m30s)
[13:30] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
[13:30] *liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytes
[13:48] schestowitz https://twitter.com/LeDave32/status/1411645735364399105
[13:48] -TechBytesBot/#techbytes-@LeDave32: @schestowitz It is like suggesting MSIE7 as alternate browser
[13:49] schestowitz https://twitter.com/crystalshen6/status/1411470278073499652
[13:49] -TechBytesBot/#techbytes-@crystalshen6: "As the first load of prisoners arrived at the new military prison camp at Guantanamo, Cuba, on January 11, 2002, h https://t.co/2NnHArk7v4
[13:49] -TechBytesBot/#techbytes-@crystalshen6: "As the first load of prisoners arrived at the new military prison camp at Guantanamo, Cuba, on January 11, 2002, h https://t.co/2NnHArk7v4
[13:49] schestowitz ""As the first load of prisoners arrived at the new military prison camp at Guantanamo, Cuba, on January 11, 2002, he declared them unlawful combatants who do not have any rights under the Geneva Convention."
[13:49] schestowitz https://twitter.com/jrbrtson/status/1411457673011269634
[13:49] -TechBytesBot/#techbytes-@jrbrtson: @schestowitz Who replaces Microsoft Windows? Microsoft has a strong cult following of tinkerers who don't touch the command line.
[13:49] schestowitz https://twitter.com/csolisr/status/1411379761658707969
[13:49] -TechBytesBot/#techbytes-@csolisr: @schestowitz As somebody who programmed his phone to automatically upload all pictures to his NextCloud home server https://t.co/uzzJUnO7Wk
[13:49] -TechBytesBot/#techbytes-@csolisr: @schestowitz As somebody who programmed his phone to automatically upload all pictures to his NextCloud home server https://t.co/uzzJUnO7Wk
[13:49] schestowitz "As somebody who programmed his phone to automatically upload all pictures to his NextCloud home server, it's a very viable alternative"
[13:49] schestowitz https://twitter.com/Rex_Aletheia/status/1411353712656781319
[13:49] -TechBytesBot/#techbytes-@Rex_Aletheia: @schestowitz fear campaign doesn't work. Unvaccinated people know what's up and stop listening to the hype. The mor https://t.co/7jKRRdYF8Y
[13:49] -TechBytesBot/#techbytes-@Rex_Aletheia: @schestowitz fear campaign doesn't work. Unvaccinated people know what's up and stop listening to the hype. The mor https://t.co/7jKRRdYF8Y
[13:49] schestowitz "fear campaign doesn't work. Unvaccinated people know what's up and stop listening to the hype. The more variants we have the more we know its bullshit."
[13:50] schestowitz https://twitter.com/glynmoody/status/1411330192644218885
[13:50] -TechBytesBot/#techbytes-@glynmoody: what a callous, evil person he is https://t.co/SQkp1EzS2i
[13:50] -TechBytesBot/#techbytes-@schestowitz: NEWS #TruthOut #McConnell Wields a Cruelly Narrow Definition of Infrastructure Like a Bludgeon https://t.co/8GtGHxmElV
[13:50] schestowitz https://twitter.com/jvantill/status/1411324040581681152
[13:50] -TechBytesBot/#techbytes-@jvantill: @schestowitz Just like in NL !
[13:50] schestowitz https://twitter.com/ianrobo1/status/1411298110832365568
[13:50] -TechBytesBot/#techbytes-@ianrobo1: How can this be right other than allows certain companies (yes you Apple) to seek rip off service contracts https://t.co/aY4yPdQXvP
[13:50] -TechBytesBot/#techbytes-@schestowitz: NEWS #9to5Mac #Hardware British right to repair law comes into force today, but excludes smartphones and comp https://t.co/qL8asnF6h6
[13:50] schestowitz "How can this be right other than allows certain companies (yes you Apple) to seek rip off service contracts"
[13:52] schestowitz https://twitter.com/xolve/status/1411266292124815361
[13:52] -TechBytesBot/#techbytes-@xolve: Should be all governement software all around the world. https://t.co/EjMmJJpVUk
[13:52] -TechBytesBot/#techbytes-@schestowitz: NEWS #Joinup #Licensing New Estonian law requires administration to make state-owned software publicly availa https://t.co/PTDfTcfEFo
● Jul 04
[14:28] *liberty_box has quit (Ping timeout: 2m30s)
[14:28] *rianne_ has quit (Ping timeout: 2m30s)
[14:30] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
[14:32] *liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytes
[14:54] schestowitz http://ipkitten.blogspot.com/2021/07/when-movie-is-derived-from-literary.html?showComment=1625235399706#c2244879325842589574
[14:54] -TechBytesBot/#techbytes-ipkitten.blogspot.com | When the movie is derived from a literary classicare you an All-In, or a Well, Maybe, viewer? - The IPKat
[14:54] schestowitz "As a member of the All-In" class, it was not my cup of "Emma tea". But as a form of movie take-off, I thought it was quite clever."
[14:54] schestowitz http://ipkitten.blogspot.com/2021/07/when-movie-is-derived-from-literary.html?showComment=1625233449857#c976518856166256952
[14:54] -TechBytesBot/#techbytes-ipkitten.blogspot.com | When the movie is derived from a literary classicare you an All-In, or a Well, Maybe, viewer? - The IPKat
[14:54] schestowitz "Where do Mr. & Mrs. Kat stand on the 1995 film "Clueless", which some pundits have argued is the best Emma adaptation of them all?"
[14:57] schestowitz http://ipkitten.blogspot.com/2021/07/russia-adopts-law-that-shakes-cognac.html?showComment=1625387429079#c1125721314044172895
[14:57] -TechBytesBot/#techbytes-ipkitten.blogspot.com | Russia adopts law that shakes Cognac and Champagne importers - The IPKat
[14:57] schestowitz "
[14:57] schestowitz if the West was not so dependent on Russia for its energy, it would certainly be easier to boycott Russian products.
[14:57] schestowitz It might be difficult to export those Russian beverages in countries accepting DOP.
[14:57] schestowitz "
● Jul 04
[15:26] *rianne_ has quit (Ping timeout: 2m30s)
[15:26] *liberty_box has quit (Ping timeout: 2m30s)
[15:27] *liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytes
[15:27] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
● Jul 04
[16:35] *rianne_ has quit (Ping timeout: 2m30s)
[16:35] *liberty_box has quit (Ping timeout: 2m30s)
[16:40] *rianne_ (~rianne@22e8m8t4gqjin.irc) has joined #techbytes
[16:41] *liberty_box (~liberty@22e8m8t4gqjin.irc) has joined #techbytes
● Jul 04
[19:33] *DaemonFC (~daemonfc@c3u36vcnrkska.irc) has joined #techbytes
● Jul 04
[23:06] schestowitz > Hi Roy,
[23:06] schestowitz >
[23:06] schestowitz > I know it's been quite a while since you published the piece on the
[23:06] schestowitz > vulnerability I disclosed in 2019
[23:06] schestowitz > (http://techrights.org/2019/12/07/fake-linux-news-and-clickbait/), I
[23:06] -TechBytesBot/#techbytes-techrights.org | From Moderate Advice to FUD and Misinformation: The Case of a VPN Vulnerability (CVE-2019-14899) | Techrights
[23:06] schestowitz > just wanted to follow up with you since I enjoy the site and our
[23:06] schestowitz > development has continued since then.
[23:06] schestowitz >
[23:06] schestowitz > I appreciate that you acknowledged our disclosure was "calm and
[23:06] schestowitz > rational" - many other bloggers and podcasters called us "alarmists" and
[23:06] schestowitz > "so-called researchers" (Steve Gibson), likely because they reported on
[23:06] schestowitz > the reporting of our disclosure and didn't bother to read it. The
[23:06] schestowitz > discovery of the vulnerability was in no way an attack on Linux and
[23:06] schestowitz > Unix, quite the opposite. The reasons we didn't examine was 1. because
[23:06] schestowitz > we didn't care about Windows enough to bother with it at the time, and
[23:06] schestowitz > 2. it isn't open source. Nevertheless, it seems that our report was used
[23:06] schestowitz > as ammunition against Linux by a great number of tech boomers on the
[23:06] schestowitz > internet.
[23:06] schestowitz >
[23:06] schestowitz > Since our disclosure, we have created a way to exploit the vulnerability
[23:06] schestowitz > server-side, i.e. from any router in-path between the user and the VPN
[23:06] schestowitz > server. This attack, we can confirm, does affect Windows, as well as
[23:06] schestowitz > Android, Apple, and every Linux and BSD we tested.
[23:06] schestowitz >
[23:07] schestowitz > We produced a paper on this vulnerability, which will appear in Usenix
[23:07] schestowitz > '21, and included an artifact with demos, PCAPs, and a virtual
[23:07] schestowitz > environment to test the attack, if you are interested:
[23:07] schestowitz >
[23:07] schestowitz > https://breakpointingbad.com/papers/Blind-in-path-attacks-VPN-USENIX21.pdf
[23:07] schestowitz >
[23:07] schestowitz > https://git.breakpointingbad.com/Breakpointing-Bad-Public/vpn-attacks
[23:07] -TechBytesBot/#techbytes-git.breakpointingbad.com | Breakpointing-Bad-Public/vpn-attacks - vpn-attacks - Gitea: Git with a cup of tea
[23:07] schestowitz >
[23:07] schestowitz > I think in your initial analysis, you may have been too quick to shrug
[23:07] schestowitz > this off as a small issue and hope that I can convince you otherwise.
[23:07] schestowitz >
[23:07] schestowitz > The main point is that while this was an easy fix for Linux and BSD
[23:07] schestowitz > users, this was not a fix that Android or Apple users could make to
[23:07] schestowitz > their devices, leaving them to wait until a patch was released. This
[23:07] schestowitz > took Apple until July 2020 to patch
[23:07] schestowitz > (https://support.apple.com/en-us/HT211288), while it was reported in
[23:07] -TechBytesBot/#techbytes-support.apple.com | About the security content of iOS 13.6 and iPadOS 13.6 - Apple Support
[23:07] schestowitz > November 2018. Android was reported on the same day, and issued a patch
[23:07] schestowitz > earlier, yet after testing last night, it appears they haven't fixed it.
[23:07] schestowitz > I haven't tested iOS again, but I'm not optimistic.
[23:07] schestowitz >
[23:07] schestowitz > To the severity of the attack, there are a few things to consider. For
[23:07] schestowitz > your average person in the West using a VPN to hide their torrenting and
[23:07] schestowitz > pornography habits, the risks are minimal, but for the vulnerable
[23:07] schestowitz > populations we are concerned about for our research and outreach
[23:07] schestowitz > projects, it can be devastating. Testing to see if a user has an active
[23:07] schestowitz > connection to an entire list of banned websites takes seconds and can be
[23:07] schestowitz > performed in parallel, and in some nations with especially egregious
[23:07] schestowitz > surveillance and censorship information controls, this alone is a crime.
[23:07] schestowitz >
[23:07] schestowitz > The initial attack required the attacker to control a malicious access
[23:07] schestowitz > point, such as a coffee shop or perhaps an ISP with control of your
[23:07] schestowitz > modem/router. The server-side attack covers any hop after this.
[23:07] schestowitz > The key difference in the new attack is that the packets are
[23:07] schestowitz > indistinguishable from legitimate traffic, so there is no apparent
[23:07] schestowitz > mitigation.
[23:07] schestowitz >
[23:07] schestowitz > Thanks again for acknowledging the FUD created by all those bullshit
[23:07] schestowitz > websites. This was my first disclosure and really did not anticipate the
[23:07] schestowitz > response we got to what people thought we said. What a mess.
[23:07] schestowitz >
[23:08] schestowitz > Take care,
[23:08] schestowitz >
[23:08] schestowitz > Wm.
[23:08] schestowitz Thanks, I shall take a look.
[23:35] *psydroid_ has quit (connection closed)