Isn’t Ubuntu Pro basically just an extended support for a set of universe packages for their LTS versions and free for private use?

How is making enterprises pay for extended LTS because of corporate no-update-just-insert-coin mentalities even remotely close to ransomware?

Like I get everyone who doesn’t like Ubuntu for various reasons, but this sounds completely dumb to me.

I’m very interested to hear what went wrong.

We’ll probably never know. Given the impact of this fuck up, the most that crowdstrike will probably publish is a lawyer-corpo-talk how they did an oopsie doopsie, how complicated, unforseen, and absolutely unavoidable this issue has been, and how they are absolutely not responsible for it, but because they are such a great company and such good guys, they will implement measures that this absolutely, never ever again will happen.

If they admit any smallest wrongdoing whatsoever they will be piledrived by more lawyers than even they’d be able to handle. That’s a lot of CEO yachts in compensations if they will be held responsible.

Yes, in your head, and in your second factor, if possible, keeping derived secrets always encrypted at rest, decrypting at the latest possible moment and not storing (decrypted) secrets in-memory for longer than absolutely necessary at use.

Been a few days since using electron, but AFAIK electron can’t be used as a wrapper for android apps, or can it? Or is their android app a web app wrapped into a “native” android app too?

Also, since this seems to be an issue since 2018, 6 years should be plenty to rewrite using a native secure storage…

Kinda expected the SSH key argument. The difference is the average user group.

The average dude with a SSH key that’s used for more than their RPi knows a bit about security, encryption and opsec. They would have a passphrase and/or hardening mechanisms for their system and network in place. They know their risks and potential attack vectors.

The average dude who downloads a desktop app for a messenger that advertises to be secure and E2EE encrypted probably won’t assume that any process might just wire tap their whole “encrypted” communications.

Let’s not forget that the threat model has changed by a lot in the last years, and a lot of effort went into providing additional security measures and best practices. Using a secure credential store, additional encryption and not storing plaintext secrets are a few simple ones of those. And sure, on Linux the SSH key is still a plaintext file. But it’s a deliberate decision of you to keep it as plaintext. You can at least encrypt with a passphrase. You can use the actual working file permission model of Linux and SSH will refuse to use your key with loose permissions. You would do the same on Windows and Mac and use a credential store and an agent to securely store and use your keys.

Just because your SSH key is a plaintext file and the presumption of a secure home dir, you still wouldn’t do a ~/passwords.txt.

How in the fuck are people actually defending signal for this, and with stupid arguments such as windows is compromised out of the box?

You. Don’t. Store. Secrets. In. Plaintext.

There is no circumstance where an app should store its secrets in plaintext, and there is no secret which should be stored in plaintext. Especially since this is not some random dudes random project, but a messenger claiming to be secure.

Edit: “If you got malware then this is a problem anyway and not only for signal” - no, because if secure means to store secrets are used, than they are encrypted or not easily accessible to the malware, and require way more resources to obtain. In this case, someone would only need to start a process on your machine. No further exploits, no malicious signatures, no privilege escalations.

“you need device access to exploit this” - There is no exploiting, just reading a file.

So, the “license to kill” is fine, as long it’s non US citizens?

Your definition of democracy and basic human rights is fucking unhinged.

These were casual, mutual conversations that sometimes leaned too much in the direction of being inappropriate, but nothing more. Nothing illegal happened, no pictures were shared, no crimes were committed, I never even met the individual. […] That’s on me as an adult, a husband and a father.

Jesus fucking christ. If you, as a father, are “leaning too much in the direction of being inappropriate” with a minor, you’re a fucking pedophile. There is nothing to discuss that’s leaning into being inappropriate with a minor, except if you’re a pedophile. Trying to make it sound less of an issue just because there weren’t pictures sent, is a pathetic attempt of an excuse for being a pedophile.

For being so real and no filter, there’s a fucking lot of sugarcoating for admitting the fact that he sexted with a minor.

I specifically don’t get how you can do that as a father, and even being the complete asshole that he is, not even once thinking that the victim could be his own child. I really wonder what he would say about such a tweet in this case.

Absolutely fucking disgusting.

Check your blocklist and keep in mind that YouTube is testing server side ads muxed into the media streams, which will not be blocked by traditional adblocking techniques.

If you can not install anything, your only choice is probably to set up a pihole or something similar on your network.

Edit: Some models seem to have advanced settings, where you can change the DNS - you could try to use adguard dns servers, or any DNS adblocker you want to use.