In recent times, it has become increasingly common to hype up vulnerabilities and create an air of terror around them. We have seen this happen in the past with vulns such as Heartbleed, Shellshock, Spectre, and Meltdown. Now, In those cases, the extreme hyping and media freakouts about them were rather justified. These were bug vulnerabilities, and the more publicity they got, the better, as more people could be aware of the threat. However, I feel that this could become a very bad trend, and could be used by (((them))) for nefarious purposes. Certain actors with malicious intents could over-hype or fabricate vulnerabilities in an attempt to sway the public's choices and mislead them. Need proof? We've technically already seen it happen twice. First it was CTS-Labs's clear attempt to manipulate the market through their amdflaws.com website, which tried to make people think there was some spectre/meltdown-tier stuff happening with AMD processors, with catchy names like Ryzenfall, Masterkey, Fallout, and Chimera. The vulnerabilities require administrative account access to the machine in order to exploit, and according to some anons at the time, you actually need physical access to the machine, although CTS-Labs would like you to believe otherwise. Another example would be Efail. I'm not really 100% sure on this one, but from what I gather, most of it could be dodged by simply using plaintext email. The EFF on the other hand, decided to tell readers of their blog to STOP USING PGP ENTIRELY!! It was also easy to see in some of those articles that they were shilling hard for Signal: a centralized """private""" messaging app. Suspicious, wouldn't you say? especially as Signal is, as I said, not decentralized.
I really hope this doesn't become a big trend. I can see it being used to try to get people to use less secure or more spying software out of fear of a made up scare. Your thoughts?
Computing has been being steered by memers for years now. It's fashionable now for soyboys to open heartbleed.com or meltdown.asd on their macbook with a coffee and gossip to their coworkers about the issue and make a knee jerk reaction about how to fix it with some ad-hoc crap they only thought of because they read the vulnerability.
correct but I haven't read the new GPG bug yet which could be a real issue, but Exactly. It's been very trendy for years now to be against OpenPGP and use whatever meme system just came out 5 minutes ago instead. While OpenPGP isn't great, I trust these new projects even less.
That said GPG has and always will have huge issues for being a UNIX Way shit. You can't tell what it's trying to tell you because the console could have all kinds of metacharacters, the way of identifying people is broken, and there's no real API so programs will misinterpret what GPG is saying, and it's some huge ass code written in C. But like I said, all the solutions are just ad-hoc crap created by knee jerk reactions as opposed to real engineers, so really there's no good solution to issues like this right now.
Christopher Williams
The gpg bug had nothing to do with gpg security. It had everything to do with HTML in email. You can fix this bug by using the latest version of enigmail on thunderbird
Joseph Brooks
You nailed it. They also love to accompany the exploit with the perfect logo, and then they can call themselves a "security consultant".
Lucas Martinez
It's a good thing that you research further user. Find what's best for yourself, if there is some kind of criticism or crisis, dig deep and long. It's always best to find what is best for you and not what some market tells you.
Asher Taylor
Well, Heartbleed was massive and it was used for 2 years before being fixed.
Anyway, I've long considered EFF a fake privacy organization. They recommend addons that don't do shit (privacy badger...), do not track header (does nothing and actually could worsen your fingerprint). They write dumb articles such as "Facebook Has A Consent Problem—And The Solution Starts With Transparency". The "solution" is not using facebook, because it is a botnet by default. And they recommend suspicious programs like whatsapp.
Kayden Mitchell
I don't really pay attention to them, but is it possible they were once pure but later subverted?
Charles Rodriguez
Vulnerabilities has been a big industry ever since that phrack article in the mid 90's. Before then, it wasn't a big business. Now that doesn't take away from the fact that many of these vulnerabilities are a real problem, especially if you engage in risky activity like running services or using a bigass browser with javascript. The fact that the hardware itself is totally hosed and open for all cianiggers to fuck you doesn't help anything. Security is basically impossible under these conditions.
Adrian Allen
OP here
I think that's likely. Going off of this: in the past, I used to use privacy badger, and it actually did very well. It learned fast and quickly started blocking cookies and denying trackers. It was rather comfy. Recently I just reinstalled it, and it doesn't do jack shit. Eventually it did start blocking some things, but it took way longer than it did when I used it before.
On a side note though, I will be getting POWER9 for my next PC, and likely purism for my next laptop unless some actually decent non-x86 laptop comes out between now and then.
Jaxson Richardson
>However, I feel that this could become a very bad trend, and could be used by (((them))) for nefarious purposes. Certain actors with malicious intents could over-hype or fabricate vulnerabilities in an attempt to sway the public's choices and mislead them.
Joseph Allen
There's ANOTHER GPG exploit now that let's you spoof headers even on PGP encrypted emails.
Benjamin Nelson
I didn't say forget about them, in fact they are more important than ever. But it's a loser's game to constantly play with patches and various kludges when the foundations themselves are fucked. The fact that you want to move to antoher architecture tells me you realize that x86 is fubar.
Ethan James
It's not a single bit better than it was then. The "i'm not clicking that" mindset still exists, and now other retarded shit like "I wont use teamspeak instead of Discord because someone will get my IP address"?
Aaron Torres
whew. At least you're sane unlike some other anons i've seen Yeah it pretty much is. There's still a possibility that things could improve, but i'm not holding my breath. btw, what happened to MIPS? I know that shitty netbook stallman liked was MIPS, as were a lot of the old SGI workstations, but nowadays it's like it disappeared off the face of the earth.
Hudson Nguyen
(((you))) Nice try cointelpro Good attempt at obscurity department of homeland security.
Comes to mind BadUSB, which was hyped as the ultimate physical access vulnerability due to the fact that it affected all operating systems and was "LITERALLY UNPATCHABLE LOL", just to discover the worst it can do is type stuff in your machine. Good luck trying to open a command prompt in my i3 with your shitty "cross platform" USB macros, tho.
Colton Edwards
true
Oliver Lopez
just stab them a couple times, youll get x
you dont, anybody who even talks about stabbing me a couple times, im going to give them x
James Taylor
Back in the day normies had a "lmao nerds" mentality and didn't care about tech. So the only audience for exploits were other technical people. So if you wanted to be somebody the best exploits to find and talk about were the legitimately dangerous, non-trivial ones. There was no incentive to make mountains out of molehills because most people would easily see through the hype and ignore you.
Over the past 2 decades, as internet and computers became mainstream among progressively stupider consumers, they brought their shitty attitude of quasi-religious magical thinking: They identify some talking head "expert" (probably propped by corporate media) who is designed to give off just the right hip&cool vibe to the normie. The normie accepts these characters because they seem cool, and also because their other authority figures and friends meme them as such. Remember, the normie does not want to learn or understand. He wants just to be told what to do, what to think. When normies accepted tech, they brought this attitude with them, and suddenly there was demand for meme tech experts. Now the determinant of value shifted from relevance of the exploit, to how authoritatively you can hype it. This is what you are describing, OP: Non-issues, blown up into real issues, by wannabe (((experts))) trying to make a name for themselves, and (((tech media))) propping them up in a quest to secure their own name as the place to hear about the latest and coolest expert.
The vulns are at least technically real, since if they were completely fake it would be to easy for real experts to come out of the woodwork and discredit them. But if the hype is confined to magnitude of impact, which is ultimately a subjective thing, fake experts can fully leverage their media support to meme irrelevant vulns while distracting from real issues and real solutions.
Unfortunately I think it will only continue to grow. Isn't it something like only 2 billion people have internet? Imagine what happens when all the africans and indians get connected. Imagine what will happen when kids today who grow up with youtube become the main demographic. You thought the "TV generation", Hollywood telling people who to vote for was bad? Wait till society defaults to always doing what their twitter, instagram and youtube "influencers" say.
Our only hope is to somehow segregate ourselves into a parallel platform, that is both technically difficult and also inherently uncool to normies, where we can get back to being able to have sane discussions in peace. At least until someone popularizes it, and the cycle has to repeat...
Joshua Mitchell
I forgot to say, there is also a sort of race to the bottom among these meme experts. Since the meme tech expert does not have to actually be an expert on tech, the only required skill is to market yourself, as such there are countless upstarts trying to dethrone an established one. If other experts start talking about whatever latest trendy exploit and you don't, you rapidly lose cool status in the eyes of your normie audience, and they will instead go to those competitors that do talk about it. So shitty commentators who will latch on to literally every single overhyped meme, and then amplify it even more, naturally rise to the top and become prominent. And that's how we got to where we are today.
Jack Hall
You missed the point. BadUSB is not about keyboard emulation at all, and your shitty threat model considers security through obscurity. The biggest threat about BadUSB is that a malicious flash drive can pretend to be any device such as network card and sniff your network traffic if your OS is configured to accept it by default, but also it could exploit a USB driver and execute malicious code at kernel level without the need for command prompt and root password.
You come up with a bunch of boogey-strawmen and debunk them in the next sentence. "Normies", "meme". What exactly do you want to say? Stop watching Linux Foreskin Tips and read actual bug reports/descriptions. The exploits are real, people who talk about them first-hand, the real kernel/software developers usually make explanation websites with colored pictures to attract journalists and spread the word to less-inclined folks so those people would not forget to update their puters. Not everyone is a computer technology wizard, it is impossible for every human to be well-versed in all directions, I highly doubt you'd understand what those "normies" do for their living even after a brief introductory article in a subject-related publication, like construction methods, company management or surgery. But I agree with you on some points, today technological literacy is becoming the new literacy in "ability to read, write and do arithmetic calculations", as if it already hasn't become. remember when big-corp CEOs said things like "teach you children how to program, it'll help them a lot in their life". Guess, that wasn't of a bad advice innit?
Chase Clark
You missed the point. BadUSB is not about a malicious flash drive pretending to be any device. The idea behind BadUSB is that you exploit a regular flashdrive and install custom firmware in order for it to do malicous things.
Michael Martinez
That's what it means to charge a mass-storage USB disquette with malicious firmware.
Angel Williams
You have to hype vulnerabilities as otherwise no one cares. Everyone shit themselves over heartbleed and shellshock and buried my company in emails even though we don't have a webserver on our product. Meanwhile, glibc had a resolver bug so severe that it could have led to a worm taking down the internet and there were many puckered assholes behind closed doors in networking yet no one noticed as it wasn't hyped.
Christian Johnson
But it is. It was explicitly listed as a usecase, when it came out. No, my "shitty" threat model considers that, given the infinite combinations of input states your computer could be in and keybindings, it would be impractical or even impossible to program the macros for all possible keybindings, specially considering USB have no idea about that, and so the macro should find a common way to exploit all computers in all possible states, so a mass infection scenario is unlikely, a server infection scenario is unlikely because more often than not they run without any users sessions open, and thus would require for the attackers to already know the password, and basically, only personal desktops and laptops would be vulnerable if you are being specifically targeted. If I recall correctly, USB network adapter imitations could only attempt to make the OS or the user download bad and potentially malicious data when connecting to the Internet. There was a proof of concept attack for that shit, which was pretty clever, but required having an open browser making unencrypted connections to a site, and then hacing your cache enabled, which you shouldn't have in any secured setup. That, and the default behaviours of Windows and OS X, that apparently are dumb enough to send user credentials to the USB in the case of OS X, I think it outright gave the USB the credentials to access the computer, whereas Windows sent the hashed password No shit. That's far from "literally unfixable", though.
As far as vulnerabilities go, it's pretty shit, even though it was hyped to hell and back.
Grayson Moore
nobody cares about networking except sysadmins, cisco pajeets and reebsd users
Samuel Hall
USB can be used for DMA attack also. Then you don't even care about the CPU or OS, you can just directly crawl the entire memory.
Dominic Jackson
That's what it means to charge a mass-storage USB do you know what it means to charge a usb with large amount of capacitance?
If you can't even understand basic imageboard terminology, r/technology might be more your speed. They are very welcoming to newbies as well so you can wallow in a cesspool of credulous retards to your heart's content.
Chase Price
Ebin cuckchan and reddit menes and exaggerated straw-man mental gymnastics with wild urge to label things you don't like with trendy words are now considered imageboard terminology. okay, c00l kid, you owned me, totally got trolololled xD Stop talking like a teenager and get to the facts. This cryptic language doesn't indulge it's users to productive conversation which is problematic for a technology forum.
Gavin Bell
How are you even not funposting, sheesh. I'm afraid I'll have to dock another one of your (You)'s!
