If it were that easy to stop, you'd think the crims that spam message boxes on you with a shoddy TTS voice reading "CRITICAL ERROR FROM MICROSOFT: YOUR COMPUTER HAS BEEN HACKED" wouldn't have any catches. Point is people are gullible.
152 posts • joined 17 Jul 2017
Put down the cat, coffee, beer pint, martini, whatever you're holding, and make sure you've updated Chrome (unless you enjoy being hacked)
Re: Solving problems that do not exist anymore
GTK is pretty well updated on BSD, so I don't think there's much to worry about. While Gnome is questionable on how much uproar would be generated if it were to drop everything but mainstream Linux distros, I very much doubt there would be no one rioting if it were to happen to GTK. It drives too much of desktop *nix to not be available on every platform.
Even if it were to go Linux-only, you already know there would be a fork for it, or at least a replacement.
Re: systemd the cancer
Then I'll make my own damn software, init-agnostic. I'm sure there's no shortage and will never be a shortage of creators that don't want to use systemd[icking] and are curmudgeonly enough to develop their own software in defiance, or just want to write clean, portable software with implementation details up to distro maintainers, package creators, and independent end-users.
Tens of millions more web accounts for sale after more sites hacked, Mac malware spreads via Windows.exe, and more
Re: Beards on wheels
It's cheap, hourly pedestrian transportation, requiring little effort from both the rider and the company providing them to create a successful business model. What's the problem?
While you get mad, the companies capitalizing will make mad money, and rest of the world will be using them.
While I question your sanity for bragging here of all places, just goes to show that it is shockingly easy to get info. I even stumbled upon a list of some hundreds of card numbers, names, and CCV's on Pastebin, completely unintentionally—I imagine it would be very easy with their "alert you for posts containing XYZ" premium feature.
After I alerted the company that their info had been jacked, they quietly shuttered their windows and then closed their doors. RIP.
Re: You realize that "Made in America" doesn't actually mean what it says?
Not to mention, despite any laws or implied morals that may speak otherwise, every major country is and has been spying on each other for decades. For the realm of smartmobes for example, no matter which brand or model you have, it's got so many proprietary blobs shoved in its rhetorical sphincter that it would be more likely to have it not spy on you, or at least to have it not have such a capability.
Greedy and Stupid
...and so, as the once-rich slob is hauled away in the back of a paddywagon, glinting gold jewelry jingling and clattering 'round his sweaty neck, he stops staring into the polished reflections and garish frivolity of his accoutrements for one slight moment to jump up in his confines and shout out at the top of his lungs, loud enough for anyone to hear in a ten block radius, even through the thick metal of the armored van as it rumbles out of earshot...
Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints
Also, while this comes from someone who dislikes PS, I'll say that PS is inherently more powerful than the average *nix shell, since a) there is lots of builtin functionality in modern PS that can do everything a modern *nix shell can and more by worming its way into every modicum of Windows functionality, and b) modern versions of Windows ship with .NET and PS can directly utilize its classes, types, methods, et al., giving it even more power. Ever used PS on the latest Server?
I only use PS when it is the best option, but when I do, it puts in work. I utilize it on the job to provision gold images, in deployment, patching workstations, and for remote shell logins... I even replaced our old, crufty, expensive, multi-phase, unmaintained ADToolkit setup with a grand total of 10 lines of PS on the domain controller, running as a scheduled task every hour.
The bottom line is PowerShell has a module for every part of the system; can be extended with scripts, modules, binaries, and .NET classes/methods; and comes preinstalled on every modern Windows in some version or another... Just like Bourne shells, really. Combine that with the fact it's made by Microsoft and is targeted for Windows, and it's suddenly ripe for exploitation and vulnerability automation, so it's a surprise it took until now to finally start getting noticed—by either side.
Addendum: Funnily enough, PS shares a similar issue with *nix shells and unreliable userlands; the latest versions of PS greatly differ from the original incarnation, including changes to syntax and loads of incompatible features. Even the installed .NET version is enough to cause headache.
Burger chain Wendy's serves up settlement, NeverQuest hacker guilty, cloudy payroll users hacked and more
Re: All the best music was written before 1988 anyway
The context of the article and comments was more in the vein of streaming, but actually owning copies is definitely the way to go, digital or otherwise. I have always been hesitant of streaming services, not even that they could just poof away your favorite tunes due to licensing or etc. issues, but they usually sound like hot ass rubbing on a piece of sandpaper, to me at least; ever since I bought my first entry-level studio-grade headphones and played some high quality stuff, I haven't been able to go back. I also can't find most of the artists I like on streaming services, either because they're too old or too underground, or sometimes both.
Unfortunately a lot of classical music is just too formulaic for my tastes; and not that there's anything wrong with that, it's just it's merely "alright" in terms of how formulaic it is, you know? Like the pop of classical. There are of course beautifully arranged and composed pieces that are truly inspiring that manage to take the formula to new levels, and there are songs that ditch the norm entirely and create something unique; those are my kinds of pieces from the period. Renditions and recordings also make a huge difference, e.g. I like Mars, The Bringer of War by one specific US naval band, but I so far don't like any other renditions I've heard. I find the actual sheet music to be not too much to my liking, but the naval band played their own arrangement that sounded a lot better to me.
I'm terrible with names and I don't have my library handy or else I would give some more specific examples. Well, I can at least give you one of my favorite jazz albums of all time. In many a case I prefer Japanese jazz to its American counterpart.
As an aside, a coworker attempted to show me a video where some kid was rapping unintelligibly about weed, cars, and women. His stage name started with "Lil ..." and he had multicolored grills. He repeated some of the lyrics a lot, throughout the whole song. Can anyone tell me his name? (PS: this is facetious, but not satirical or in any way untrue; it just so happens that there are multiple possible answers to this question, even if I am only thinking of one in particular.) (No, I did not like the song.) (If it helps to identify it, a tiger appears in some later scenes and the rapper was clearly afraid of it. It was funny.)
Re: All the best music was written before 1988 anyway
What does caveman music sound like? Is it in FLAC?
I'd call that an unrealistic expectation; there's a lot of good music before 1988, sure, but I can guarantee there's a lot of objectively and subjectively bad stuff, too. So yes there's plenty of music before 1988 I have in my library, but it's not like I automatically love all music, as I have pretty high standards on my own scale; people chastise me for going from Nordic black metal to medieval lute jams to 80's hairband to hurdy gurdy solos to Carpenter Brut and Aphex Twin, but I like each song in my library for a different reason, and each has its own tonal feel to it. I'm open to any genre and any time period, but it has to be good.
And there's the case of having to select the music... Popular stuff will show up more and make it less straightforward to not "listen to the same song twice" if you're using a streaming service for instance, and if you aren't good luck keeping up with the 4 hours a day tide for the next 50 years! That's a lot of downloads!
Re: All the best music was written before 1988 anyway
To all of you: Go find some indie/underground bands and better music services to help you do so. There is plenty of newer and even current-year music that doesn't subscribe to the vapid, autotuning corporate bullshit. Keep in mind the majority of chart-topping music written within the past 10–20 years was written by the same handful of people, usually either Lukasz Gottwald or Max Martin.
Bandcamp has become a rather nice source for off-the-wall and indie music, and I've found plenty of favorites through the service... And you can download your purchases in FLAC on top of streaming them anywhere, for no extra cost. Qobuz has a really odd-in-a-good-way portfolio with plenty of older music, and also has full high-quality album downloads (even hifi 192kHz FLAC, DSD, DXD, MQA) either discounted or included with a subscription. Soundcloud, while not as "professional" a platform as the previously mentioned services, does hold within it the occasional gem that you won't find anywhere else; lots of self-published, single-artist works of wildly varying genres, unfortunately usually in shite quality despite its potential to be better. There are probably even more good services that I haven't located yet.
Limiting yourself to one or a selection of genres or periods of music is something I can't understand. While I'll agree the popular stuff from today's generation is overhyped and engineered (and even from some past generations) that doesn't mean there aren't good artists out there anymore... It just makes them harder to find.
I'm not going to provide any artists or examples of "good music" because the term is incredibly subjective and everyone likes something different, but I absolutely guarantee there is something for everyone in more recent releases, if one looks hard enough.
Unearthed emails could be smoking gun in epic GDPR battle: Google, adtech giants 'know they break Euro privacy law'
Don't just vote me down, tell me why I'm wrong. I've never used Privacy Badger because I already block all third party content by default, meaning Privacy Badger has no trackers to detect and is therefore mostly useless. I already have extensions and userscripts that remove link tracking too, which is a feature available for some first party sites when using Privacy Badger. So I really don't see the benefit, and am legitimately curious why someone would prefer Privacy Badger over a more complete solution.
I only enable what is needed for website functionality if I trust the source, and I never enable third party cookies. I have WebGL disabled, have heavily restricted my fingerprinting sources (which is of course in and of itself a fingerprintable metric but I'm no state level actor so I think I'll be fine), use a VPN most of the time and all the time for untrusted sources, and have good browsing habits.
Allow me to reiterate in a way more obviously asking for advice: What else could Privacy Badger do for me that I don't already have?
I don't understand Privacy Badger when uMatrix exists. Block everything except first party images. If the site is worth it, enable things until it kinda works. Lists already block the majority of nasties to prevent enabling them accidentally.
What is the benefit to throwing a badger in the bag? It'll probably just rip it up.
Re: Solution is clear
Or, hey, and this is a little crazy, a little daft—but what if websites were less about the clickbait and served actual content?
Want to make money? Make good content that keeps people coming back, sell good services that people want. Let's see a return to the free market the Internet used to be, and every corporation not filled with scumbags will benefit. (Or so I hope.)
Of course, if you live under the FCC, you still have to pay a monthly $3.99 subscription to visit that cool new site you just found, since you have a per-site Internet plan, and all you had on it was Twitter and a bunch of low-cost/free clickbait sites to stay up on the news...
Bad news for WannaCry slayer Marcus Hutchins: Judge rules being young, hungover, and in a strange land doesn't obviate evidence
Patch this run(DM)c Docker flaw or you be illin'... Tricky containers can root host boxes. It's like that – and that's the way it is
Such a straightforward exploit. With the majority of the world running on supposedly secure virtualization and containerization, lord knows how many small overlooked attack vectors like this exist.
Regardless of the content of this fine article, let us also agree that our poor vultures are running out of puns for titles.
Our network infrastructure guy that programs the VLANs, configures the ports, installs switches... doesn't know how DNS wildcards work, and keeps one-liners in a constantly-open Notepad window to copy/paste into some proprietary terminal emulator, because he doesn't know how to use anything else...
I don't know how he manages it.
Re: Old skool
I wouldn't even say that is true for the modern person.
IT: Solves common problems through basic knowledge and searching car forums (eg. my steering wheel fell off, my car won't start). Maybe runs a few OEM diagnostics, maybe uses some third-party tools... But usually unpaid for this extra work.
Infrastructure: Builds and maintains the roads the cars drive on.
Programming: Installs custom parts (or prefab/aftermarket parts from CarOverflow) in a car and prays it still runs afterwards.
Designer: Makes the car look pretty and gives guidelines for the engineers.
Engineer: Building the car to spec.
I transferred to a new college and had to take a math placement exam because my math credits were non-transferrable. I suck at tests and I always go over the time limits; this time was no different. I placed in the lowest percentile and would have to take 5 math courses (not credits, courses—specifically those 5 to meet both the credit and course requirements) to meet the PREREQUISITES to get the lowest CS degree they offered. After those 5 prerequisite courses I'd have to take another few math credits to go toward the actual degree.
I said pah to all that and never went back to class, and I now work in a university datacenter. Funny how things work out.
A reminder that I taught myself programming and light trigonometry in my youth, all for the noble goal to create (admittedly very bad) computer games.
Heads up: Debian's package manager is APT for root-level malware injection... Fix out now to thwart MITM hijacks
Re: Don't touch ES File Explorer with a barge pole
v22.214.171.124 was the last non-malware version—but even it suffers from this vulnerability. I am thoroughly spooked, but at least I very rarely connect to public WiFi unless 100% necessary. Constant use of private VPNs also helps :)
Looming EU copyright rules – tackling Google news article scraping, installing upload filters – under fire from all sides
Re: ....unless they can prove its not copyrighted
I was going to upvote both you and the person that you replied to, since both posts posit interesting points, but your pompous use of "Have a think, there's a good chap." absolutely demands a downvote. Being a tool is rather socially self-defeating when you are trying to defend an opinion.
Absolutely not; in fact, just the opposite. You are using the wrong definition of "free."
As the name implies, copyleft was created to counteract the restrictions of copyright, in which the original creator of a work may do whatever they want with it, and no one else may do anything with it outside of explicit allowance; whereas copyleft ensures that the work remains free-as-in-freedom and all users of the work are able to do whatever they want with it, including distribution and sale. More specifically, clauses in copyleft licenses will often prohibit redistribution when it is done in a way that prevents others from doing the same, eg. not including source code with software binary releases.
You can still make money from copyleft works, and it is in fact encouraged to do so. The purpose of copyleft—rather than removing the profits of authors—is to allow others to study and improve upon copyleft works, and to have them give any improvements back to the community even if they don't want to, and even to allow them to profit from it themselves should they give people an incentive to pay them over the original author. For example, there is no problem licensing a work under the GPL, selling it, and not publicly releasing the source code—as long as it is given as part of the sale and with any binary releases, of course. One also does not have to release the source code of a GPL application if it is provided as a service (SaaS) and the binaries are never released. Some licenses may have provisions against the previous use-cases, but it would be possible to argue they are not truly copyleft; see this argument against CC-BY-NC-SA.
Weak copyleft licenses like the MPL, CDDL, or LGPL also exist that play the balance between strong copyleft licenses like the GPL and permissive open-source licenses like the BSD or MIT licenses, where it is possible to create works utilizing free software as part of a larger, potentially proprietary whole, so long as the free software portion of the work remains free and open source. Of course, the intricacies of this vary from license to license, but this is the general idea of weak copyleft.
That's another thing I don't get—compared to the things Google/Alphabet/et al. do in other countries including censorship of search results, are people just blind to how things really work, or seeing what they only want to see? It's no secret China is responsible for lots of bad stuff and censoring it is morally questionable, but other countries demand that of Google all the time.
The problem is the platform. Until Google is challenged and it stops making money, it will never stop.
Great, you've moved your website or app to HTTPS. How do you test it? Here's a tool to make local TLS certs painless
Re: But why is it so complicated?
Alright mister "I can pinch my grandkid's cheeks while simultaneously playing guitar on vacation in the Alps", have at you. Welcome to Certs 101—or How I Learned to Stop Worrying and Love OpenSSH
Certificates are cryptographically secure chains (terminology: the chain of trust) that are able to verify each other through a web of cryptographic keys and signatures. Just like you don't need to know polynomials to know algebra exists and works, you don't need to know the ins and outs of cryptography to use certificates, and it really is quite straightforward.
Firstly, it is necessary to mention that there are usually 3 separate parts to a valid certificate:
1. The private key;
2. The public key;
3. The signature.
There are other varyingly relevant data points (including expiry date) but this is all you need to know to fathom the idea of certificates. What people call a "certificate" or "cert" is usually a file containing the public key and the signature, as well as various related (and cryptographically secure) metadata. On Windows, they appear as *.crt files, and you might have seen them as .pem on *nix. The private key is kept separate, for reasons outlined below.
A cert's signature is generated using a second cert's private key. The private key should never be shared, ensuring the person that originally created the second cert can sign the first. The public key is used to verify signatures created with its sister private key, but cannot be used to sign new signatures. This process makes it easy to verify the validity and trust of a signature, while making it highly improbable to fake one.
Since we need a private key to sign a certificate in the first place, we can create self-signed certs, also known as root certificates. These root certs can be used to sign other certs down the line, creating the chain of trust. But if the certs in the chain all come back to this root certificate, how can we trust the root, thus giving credence to the chain?
A CA, or Certificate Authority, is an entity that is responsible for widely-trusted root certs. They create root certs and provide tools to have other people's certs signed by them. We choose to trust CAs and their root certs because they put their reputation as a company and policies behind the certs they provide. If you look through a certificate viewer eg. in your web browser, you'll see all certificates on your computer trickle back up to root certs provided by Microsoft, Google, Verisign, GoDaddy, Symantec, etc. Every operating system and/or web browser has its own list of root certs that it trusts, and these certs are usually provided along with the software.
That's it, really. Not too complicated right? Now we can get to more practical uses of certificates.
The reason why your browser is giving errors when you try to connect over HTTPS to your control panel is likely because of any of these reasons:
1. The certificate is expired;
2. The certificate is self-signed, and your computer/web browser does not have the cert in its list of trusted root certs;
3. There's no certificate at all.
A solution that would work fine for you is to:
1. Create your own cert;
2. Install it in the server;
3. Install it in your browser/OS's trusted cert store.
You can easily accomplish this with many methods, and I will provide one for OpenSSH (works on any platform). Contrary to popular belief you do not need to pay a CA to get a certificate and can easily self-sign your own. A self-signed cert of your own making is not any less safe than a CA-signed cert, and depending on your viewpoint may be more safe since you probably trust yourself more than some faceless company :)
For the creation of certificates, aside from the private key, there is also the certificate signing request which is a simple file outlining some of the extra metadata that is used to generate an X.509 cert, which is the standardized format for the web. Ever see the company name next to the green padlock in your web browser? That's some of the metadata in the cert that the CSR is used to generate.
You can easily create a private key, CSR, and certificate in order using the following oneliner:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1096
key.pem is the private key that was used to sign the cert. cert.pem is the public key, signature, and metadata, in one file. You will be prompted for various pieces of information to fill out the CSR after running the command. The CSR is consumed in the process here; it's optional to save it since you likely won't need it in this instance.
The only thing you need to worry about in the CSR is the Common Name, which should be the address you are accessing the web service through. The Common Name is how your web browser knows it's using the right cert for the right site. If you access it via IP, since you are only using it locally, it is safe (though not recommended) to use local IPs for the CN, eg. 192.168.50.1.
As for installing the cert in the system/OS's trusted store, if you visit the site with the new cert installed in the web server, on a modern browser it should ask you if you want to allow the cert, and if you want to store the changes permanently. This method should work on all major operating systems and browsers and should be all you need to do. Alternatively, if you don't want to have to repeat this process for all the browsers you may use, while mildly outdated here's the easiest way to install a certificate into Windows' trusted store: https://blogs.technet.microsoft.com/sbs/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista/
I don't know how your software works so I won't comment on how to get the cert in there.
(Most of this came from memory so I apologize if I was wrong or misleading somewhere.)
Finally, yes, it doesn't really matter if you have a valid cert on your local network or not, but denying the information just because it might not be immediately relevant is not a very good practice to keep. Even if you don't go through with setting things up properly, let this at least be a lesson into certs and how really not confusing they are. Things can get crazy with OCSP stapling and other additive technologies, but those are outside of your use-case and you likely will never need to care. The basics, however, are still important. Even knowing the basics can give a lot of insight into what might otherwise be considered ungrokable geekspeak, and with how widespread HTTPS is, that makes it even more important to know.
Certs 201 is next week and I expect to see you there young man.
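The one-liner in the post above is the right shape, but a practitioner setting this up today will want two things it leaves out: a subjectAltName (current browsers match the hostname against the SAN and ignore the Common Name for that purpose) and a way to check that the key and cert actually belong together before loading them into a server. The script below is an added example, not part of the original post; it wraps the same `openssl req -x509` call in a non-interactive form, adds the SAN, and includes the checks. It assumes OpenSSL 1.1.1 or newer (for `-addext` and `-ext`), and the hostname `panel.lan` and address `192.168.50.1` are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): key + self-signed X.509 cert for
# a LAN control panel, with a subjectAltName, plus sanity checks.
# Assumptions: OpenSSL >= 1.1.1; hostname/IP below are illustrative placeholders.
set -eu

# make_selfsigned HOST IP OUTDIR
# Creates OUTDIR/key.pem (private key, mode 600) and OUTDIR/cert.pem
# (self-signed certificate valid for ~3 years). -subj and -addext replace the
# interactive prompts the plain one-liner would show.
make_selfsigned() {
    host=$1; ip=$2; dir=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 1096 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null
    chmod 600 "$dir/key.pem"
}

# cert_has_san CERT NEEDLE
# Succeeds if NEEDLE (e.g. "DNS:panel.lan" or "IP Address:192.168.50.1")
# appears in the certificate's Subject Alternative Name extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q -- "$2"
}

# key_matches_cert KEY CERT
# Compares the public key derived from the private key with the public key
# embedded in the certificate; a mismatch here is the classic "server starts
# but every TLS handshake fails" mistake.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# verify_selfsigned CERT
# A self-signed cert only verifies when it is itself the trust anchor, which is
# exactly what importing it into the OS/browser store achieves.
verify_selfsigned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone usage:  sh selfsign.sh panel.lan 192.168.50.1 ./tls
if [ $# -ge 3 ]; then
    make_selfsigned "$1" "$2" "$3"
    cert_has_san "$3/cert.pem" "DNS:$1"      && echo "SAN ok"
    key_matches_cert "$3/key.pem" "$3/cert.pem" && echo "key/cert pair ok"
    verify_selfsigned "$3/cert.pem"          && echo "self-verify ok"
    openssl x509 -in "$3/cert.pem" -noout -subject -dates
fi
```

After running it, `cert.pem` goes into the web server and into the trusted store as the post describes; `key.pem` stays on the server only. If you later regenerate the cert with a different hostname, re-run `cert_has_san` rather than trusting the Common Name shown in the browser's certificate viewer.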
Re: I use FreeBSD, and for good reason.
Alpine, Slackware/Salix, and Void are the closest you can get to FreeBSD in Linux-land. Debian GNU/kFreeBSD is an interesting experiment but I wouldn't recommend it.
Salix for the most BSD-like experience; very similar tools and philosophy. Uses OpenRC by default last I checked which is similar to FreeBSD rc, though FreeBSD doesn't have an equivalent to runlevels. Package manager spkg is less similar to FreeBSD pkg_ng and more similar to old-style BSD pkg_add and apt/dpkg in my opinion. It's the largest of all the choices I've said but that makes it feel more FreeKitchenSinkBSD eh?
Slackware if you're a masochist, since you aren't used to Linux. Salix just adds some nice user-friendly tools and modifications to Slackware and is backwards-compatible, so you should absolutely use it over vanilla.
Alpine if you like minimalism and/or non-GNU (userland is Busybox). Package manager apk is very straightforward and is closest to FreeBSD pkg_ng. Also uses OpenRC so the points for Salix I mentioned also apply here. I highly recommend it if you're wanting a system that will let you build your own environment while still remaining very user-friendly. I use it everywhere—servers, gateways, desktop, laptop, SoCs... Also it's tiny. Tiiiny.
Void is somewhere between Alpine and Salix; it's quite minimal but is much bigger than Alpine and doesn't have all the out-of-the-box features that Salix does. Feels more like Arch, including its package manager xbps that feels like some kind of Frankenstein mush of pacman and apt/dpkg. I really don't like the package userland tools and they do not feel anywhere close to either pkg_ng or pkg_add. Additionally, it uses runit which while dead simple is nowhere near the robustness of FreeBSD rc or even OpenRC.
Since I'm an Alpine shill I recommend it first, but Salix is probably the "most BSD"; after all, Slackware has always been known for being the "most-Unix Linux" by a lot of people, since it's also the oldest distro still around, and it really hasn't changed much. You should try all of them to see what you like best.
I heard they might be switching to systemd a while ago, though... Hope that never happens.
And if you don't like any of them, install Gentoo.