The DHT exists and is already a fully distributed system.

Even without the DHT, there is no centralization in Bittorrent that would lend itself to federation. Anyone with a complete copy of the data can already start their own tracker.

Do you perhaps mean a federated content index that links to torrents or magnet URIs?

Try it again without Ventoy

That doesn’t answer the question.

This is barely an article. What is Open-source malware? Are they talking about libraries that look legit but contain malware? Typo-squatting? Supply chain attacks? Compromised repositories of legit projects? Or is this actually malware that is released as open-source software so that bad actors can enjoy the freedoms of FOSS?

If you’re not cycling a pedal-powered generator to run your system then is it really self-hosted? My servers only use organic transistors grown in my zen garden.

EU is making a new law which makes your IP the same as (something similar to) your social security number and they say piracy is going to receive a huge blow.

Sounds like an April Fools joke.

What desktop environment are you using?

He signs the post with the date. It couldn’t be more obvious.

What’s mandos? I don’t find anything useful when searching for it.

You used an LLM to write this didn’t you?

SMS messages are not encrypted. Theoretically, this allows telecommunications providers to scan for and blacklist spam campaigns at the network level, if they make enough noise. On the other hand, messages sent via RCS or iMessage are encrypted end-to-end. Although an iMessage will route directly through an Apple server, Apple itself cannot read the content in transit. Lucid takes advantage of this by sending phishing texts via iMessage and RCS, turning this otherwise positive security feature on its head.

That’s it. That’s the “fault” that is being “exploited” that they mention multiple times in the lead-in to the article.

Never click links in emails or messages. Open a new tab and type the website address manually to log in.

Most recent episode is 17th Jan. Did they stop?

Substack is Geocities for the Tumblr generation.

The original report: https://www.zimperium.com/blog/catch-me-if-you-can-rooting-tools-vs-the-mobile-security-industry/

This isn’t so much security research as it is marketing for the company’s mobile endpoint security tool.

Their stats on the surface are interesting. According to the data collected by Zimperium:

According to our data, the exposure factor of rooted devices versus stock devices varies from 3x to ~3000x, which suggests that rooted devices are potentially much more vulnerable to threats than stock devices.

But then the paper doesn’t even speculate as to why that might be. The rest of the report is basically a sales pitch for their security software. Rooting is bad and you need to keep these devices off your corporate networks (by buying our software) is the only message they’re sending.

Off the top of my head, here are some hypotheses for the correlation, each of which has different implications for how to best mitigate the risks:

1. rooted devices are more likely to produce false-positive security alerts in the endpoint detection software
2. rooting tools themselves are used as an initial loader in infection chains
3. users of rooted devices are more technical and therefore more likely to install more apps overall, increasing attack surface area
4. users of rooted devices are more technical and therefore more likely to engage in risky software installation (sideloading untrusted software)
5. rooted devices contain more vulnerabilities
6. stock OS security is good at stopping malware from misbehaving, rooting removes those mitigations

The implication of the paper seems to be that (5) or (6) is the case: “rooted devices are potentially much more vulnerable to threats than stock devices.” If the cause is (3) or (4) on the other hand, then there’s not much that can be done outside of user education, since these users are inherently more likely to increase the attack surface of their devices whether the device is rooted or not.

(1) or (2) however would imply that the whole research is bogus, as in the case of (1) the data would be completely unreliable and in the case of (2) the causation is actually the reverse of what the paper implies, which is to say that malware causes rooting of the device, not the other way around.

Interestingly then, the paper includes this illustration:

Figure 4 illustrates this idea, showing a case of a rooted device that ended with a full compromise after sideloading malicious applications.

The infection with malware occurs 10 seconds after the installation of Magisk, the tool used to get root access to the device. It should be obvious to anyone that this was not a coincidental infection caused by the user rooting their device, but actually the malware was using the rooting tool as the first step in compromising the device. So in this case, malware caused rooting of the device, not the reverse.

The linked Hackread article essentially just regurgitates the points from the Zimperium report without any critical analysis of why or how rooted devices pose a threat. For users of rooted devices it would be helpful to know whether they are actually at more risk, and why, so that they can mitigate the risks. But this article is not about security research, it’s just a sales pitch.

Headline is wrong. “Quantum cryptography” does not mean the same thing as post-quantum cryptography (PQC) which is what the UK NCSC is recommending.

Why is Cloudflare monitoring/recording our passwords on the sites they are supposed to be protecting?

It was a while ago that I compared them so this may have changed, but one of the main differences that I saw was that borg had to backup over ssh, while restic had a storage backend for many different storage methods and APIs.

I’m claiming that the article is wrong and you’re quoting the article at me? Yes I know what the article says because I read it, and then researched the vulnerability.

The CVE is: https://nvd.nist.gov/vuln/detail/CVE-2024-27564

Which was described in an issue in GitHub here: https://github.com/dirk1983/chatgpt/issues/114

Which relates to this GitHub repository: https://github.com/dirk1983/chatgpt/

Which is by github user dirk1983, and if you read (translate) the readme, you will see that it’s a ChatGPT front-end written by this user, not anything officially released by OpenAI.

The confusion comes from the fact that his repository (this front-end with the vulnerability) is just called “ChatGPT”, and neither the journalist nor you did this basic search to find that out.

AFAICT this is not the OpenAI web interface, it’s just a third-party web interface for ChatGPT that calls the OpenAI API and the author of this web interface called it just “ChatGPT”.

Presumably the author of this article is incapable of actually doing the 2 minutes of research necessary to identify that this is not an official ChatGPT codebase that contains the vulnerability.

“hackread.com” ? Written by a hack, more like.