Literally illegal. Discussing crimes doesn’t equal crime, so there’s no reason for them to request IPs. And at least in the EU you aren’t even allowed to disclose information related to your person.
Well in theory you are right. And if you have evidence like in the case of the 2pac murder (he literally wrote about handing the gun over so they could kill him with it), then sure. But to get a subpoena, and let’s use me as an example, you would need to prove that I talked about specifics on how I would or will pirate a stream, and then you would need to find writing of me saying something to the effect of “I did this yesterday” or “I will do this next week” or something very specific like that.
And this is only to get the information. Then they still need to tie you to it and get enough evidence to start suing, otherwise they might not be able to prove their prima facie case.
I know it’s scary, but the truth is we have laws to protect us from government overreach and at the same time those keep companies in check as well. Let’s not make it more dramatic than it is.
Let’s also acknowledge that conspiracy is easy to say in theory and hard to prove in practice, specifically because you need to make sure you can inextricably link 2 defendants together and they are linked in the context of the same instance of a crime. And at that point no one would waste the resources for such a charge. They would rather chase the piracy websites to shut down a whole network for a bit, that’s more efficient. It’s easier to just serve the server providers a cease and desist and have it be over with.
Not unless you talk about how you will commit or have committed a specific instance of piracy. E.g. “I downloaded back to the future last night from (insert website)”. Then they have reasonable suspicion and can start to subpoena.
Obligatory IANAL. Always do research and ask a lawyer if you wanna talk specifics.
“Man, you know how easy it would be to get away with insider trading/misreporting earnings/reselling seized fentanyl/asking for a key piece of evidence to go missing? I have a friend/family member/employee/business contact/perp I let go that owes me a favor.”
They don’t care. It’s the film industry equivalent to the Microsoft support scammers. Get a bunch of targets, spam out hundreds of thousands of threatening emails, profit off the small percent of people who fall for it.
Yes they do. They are boxed in neatly in the current laws and unless you are discussing specifics about doing a crime in the past or future, they will not get that subpoena and thus they are in a catch 22.
Now if you are actively torrenting, chances are you could run into one of those fake peers that will grab your IP and they can start suing you. But other than that they would need real good evidence to subpoena.
Subpoenas are tools the government uses to compel a private entity to provide information. This isn’t that though, this is one private entity asking another private entity to just give them data. It’s not a legal case, and because of our non-existent privacy regulations in the US, Reddit is free to just hand over this information, or not if they want. No crime has to even be alleged, Reddit can just hand that information out.
Ok yes sorry I should have specified, what you’re saying might apply to the US.
What I said applies to the EU.
Thing is, companies need to know beforehand if they are dealing with a user from US or EU because they don’t wanna break laws when they have to deal with the court system anyway on stuff like this. So technically they could transmit information about US citizens, but in practice this is super tricky and risky.
Let’s say you got an IP. Alright, you can pinpoint the location. Problem: you don’t know whether you just grabbed the target IP or an IP from a VPN or a proxy. There’s ways to obscure this so you might not even be able to find out. Now if you turn this over, there’s a small risk you just did a crime because they are spoofing their location. And if you just captured a VPN or proxy, you are now pursuing the wrong person and in EU law this won’t go over well.
So in practice there’s basically no way to do this and be sure you didn’t make a mistake, and mistakes in law are risky and costly. No company would ever take such a risk.
Now I could go into detail about all the technical details on why things work like that but it would make this twice as long.
TL;DR in theory you are right for US users, in practice there’s no way to tell and it gets risky pretty fast.
Also obligatory IANAL and always check in with a lawyer if you need specific legal advice.
That’s a really interesting point, has it been tested in court? The article is about US companies and US websites so I figured EU law was irrelevant, but I am curious to see if the EU can claim jurisdiction for actions foreign companies take outside the EU, regardless of if they have any official EU presence.
Well I can not give you a specific case for that, but it is widely accepted that online actions against users from the EU that violate laws in the EU can get pursued.
Do you remember seeing some US websites saying “we don’t service EU users at the moment”? That’s because they didn’t want to get a lawyer so they can comply with the EU GDPR back then. I assume this is because they knew there was some precedent.
If you are keen on it I can go digging for case law though.
Note that one of the headings literally says “Why US companies must comply with the GDPR” and the answer is “because it is extra-territorial in scope”.
On that page you linked, they say “So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.” So it hasn’t really been tested yet it seems. It’s true that there are extradition treaties and interpol that aid in cross-border prosecution, but that tends to be used primarily when the alleged crime happened in the prosecuting country’s jurisdiction, or the alleged crime is handled similarly in both countries. A GDPR violation by a US company wouldn’t be considered a crime at all in the US, so it’s entirely possible that they might decline to assist in prosecution.
Ok you wound me up now so I had a little scouring of the internet.
Yes, I can not find case law of extradition of US based companies through US entities.
What I can find is a couple of cases against bigger companies that also act in the realm of the EU. Google has been fined in the Netherlands for global violations if I understand correctly. Meta has been fined even a few times for global violations, enforced in Ireland.
So yes, technically enforcement in the US is not guaranteed, but they basically can’t build up their company in the EU anymore unless they deal with it. It’s not perfect, but violations can still suck for business expansion, and that is good. And then I do have to look into the new EU data privacy laws if they changed enforcement or anything else important.
That makes sense. Companies with no presence in the EU can likely skirt the rules, but any large company with an EU presence will be compelled to follow them.
I had a Microsoft support scammer once… I let him into my system too… well not really.
I quickly spun up a fresh install of Slackware Linux in a virtual machine that didn’t even have X11, never mind Wine, installed. When it was up I told him a friend uses something called tellynet (aka telnet, but I was playing dumb) to help me on the computer.
He telnetted in and could not understand why any of his malware wasn’t working…
I could give you a full breakdown of how it works in the EU, but basically there needs to be indisputable evidence that a crime occurred for any party to subpoena any ISP or service provider company. Otherwise those companies will be in huge trouble. The one doing the subpoena because they wouldn’t have an order for that, and if they fuck around right before suing, courts will not take kindly to that. And the other receiving the subpoena for disclosing personal information (although they’d maybe win a defense to that, because if they did their due diligence they are not supposed to tank the damages).
What I’m saying is, considering current laws in the EU, I think we’re good. Of course IANAL so ask one if you need specific advice.
More corporations with zero responsibility and way too much fucking power. We need regulators with teeth and we need to remove the legal hand of business from the pockets of our legislatures. I can’t believe someone actually burned down Studio Ghibli HQ before Citizens United was. Wtf.
It was Kyoto Animation that was attacked. They have quite a few similarities in art style and themes to Ghibli, and you could maybe call them a spiritual successor. But neither is owned by, or a part of, the other.
Ghibli recently released How Do You Live, probably their last film. With the last surviving founders retiring, Nippon TV will manage the studio and the museum.
I get your point that the exploit existed before it was identified, but an unmitigated exploit that people are aware of is worse than an unmitigated exploit people aren't aware of. Security through obscurity isn't security, of course, but exploiting a vulnerability is easier than finding, then exploiting a vulnerability. There is a reason that notifying the company before publicizing an exploit is the standard for security researchers.
You're right that it's never an OK title, because fuck clickbait, but until it's patched and said patch propagates into the real world, more people being aware of the hole does increase the risk (though it doesn't sound like it's actually a huge show stopper, either).
Weakness and risk are distinct things, though—and while security-through-obscurity is dubious, “strength-through-obscurity” is outright false.
Conflating the two implies that software weaknesses are caused by attackers instead of just exploited by them, and suggests they can be addressed by restricting the external environment rather than by better software audits.
In my opinion Dan Goodin always reports as an alarmist and rarely gives mitigation much focus, or, in one case I recall, he didn't even mention that the vulnerable code never made it to the release branch since they found the vulnerability during testing, until the second to last paragraph (and pretended that paragraph didn't exist in the last paragraph). I can't say in that one case it wasn't strategic, but it sure seemed that way.
For example, he failed to note that the openssh 9.6 patch was released Monday to fix this attack. It would have gone perfectly in the section called "Risk assessment", or perhaps "So what now?" could have mentioned that people should, I don't know, apply the patch that fixes it.
Another example is where he tries to scare the reader, stating that "researchers found that 77 percent of SSH servers exposed to the Internet support at least one of the vulnerable encryption modes, while 57 percent of them list a vulnerable encryption mode as the preferred choice." which is fine to show how prevalently the algorithms are used, but does not mention that the attack would have to be complicated and at both end points to be effective on the Internet, or that the attack is defeated with a secure tunnel (IPSec or IKE for example) if still supporting the vulnerable key exchange methods.
He also seems to love to bash FOSS anything as hard as possible, in what to me, feels like a quest to prove proprietary software is more secure than FOSS. When I see his name as an author, I immediately take it with a grain of salt and look for another source of the same information.
Yeah, the sole reason I don’t have linux on my old laptop is that lenovo has completely proprietary video drivers for it. I’m talking “manufacturer’s installers don’t think there’s a video card there” proprietary.
Edit. By software I’m talking about in game features.
Like FSR and such? That’s available on Linux (FSR 1.x is integrated into SteamOS for compositor-level upscaling). AFAIK AMD does not officially support FSR on Linux but it’s written in a way that it should work with minor integration work. It’s written with cross-platform support in mind, given that it’s targeting PlayStation etc. as well.
There are several ways to exploit LogoFAIL. Remote attacks work by first exploiting an unpatched vulnerability in a browser, media player, or other app and using the administrative control gained to replace the legitimate logo image processed early in the boot process with an identical-looking one that exploits a parser flaw. The other way is to gain brief access to a vulnerable device while it’s unlocked and replace the legitimate image file with a malicious one.
In short, the adversary requires elevated access to replace a file on the EFI partition. In this case, you should consider the machine compromised with or without this flaw.
You weren’t hoping that Secure Boot saves your ass, were you?
Ah, so the next Air Bud movie will be what, Hack Bud?
“There’s nothing in the specifications that says that a dog can’t have admin access.”
“Nothing but 'net!”
Doesn’t this mean that secure boot would save your ass? If you verify that the boot files are signed (secure boot) then you can’t boot these modified files or am I missing something?
If it can execute in RAM (as far as I understand, they’ve been talking about fileless attacks, so… possible?), it can just inject whatever.
Addit: also, secure boot on most systems, well, sucks, unless you remove m$ keys and flash yours, at least. The thing is, they signed shim and whatever was the alternative chainable bootloader (mako or smth?), effectively rendering the whole thing useless; also there was a GRUB binary distributed as part of some Kaspersky live CDs with unlocked config, so, yet again, load whatever tf you want.
Last time I enabled secure boot it was with a unified kernel image, there was nothing on the EFI partition that was unsigned.
Idk about the default shim setup but using dracut with uki, rolled keys and luks it’d be secure.
After this you’re protected from offline attacks only though. Unless you sign the UKI on a different device, any program with root could still sign the modified images itself, but no one could do an Evil Maid Attack or similar.
The point with m$ keys was that you should delete them as they’re used to sign stuff that loads literally anything given your maid is insistent enough.
[note: it was mentioned in the arch wiki that sometimes removing m$ keys bricks some (which exactly wasn’t mentioned) devices]
Well, not an expert. We learned now that logos are not signed. I’m not sure the boot menu config file is not either. So on a typical linux setup you can inject a command there.
In many of these cases, however, it’s still possible to run a software tool freely available from the IBV or device vendor website that reflashes the firmware from the OS. To pass security checks, the tool installs the same cryptographically signed UEFI firmware already in use, with only the logo image, which doesn’t require a valid digital signature, changed.
“develop a technological standard that might turn a user’s electronic device into the proof of age necessary to access restricted online content.”
Can we not? Can parents just take care of their kids like they have for thousands of years instead of futility trying to babyproof the internet for a minority of people? Jesus.
Can parents just take care of their kids like they have for thousands of years
Okay, so let’s be certain that kids do not have a direct connection with every intelligence agency, mafia and terrorist organization in the world right in their pocket, just as they did not for thousands of years. Now, to be clear, I really don’t like the approach they’ve chosen here (I think we need to go much deeper into the fundamental design of the Internet), but I would hope it’s not a controversial statement to assert that our society has taken a very sharp turn for the worse ever since the Internet became ubiquitous in children’s development, and I think that really ought to prompt discussion about how it’s being used.
Controversially, I think the Internet has made society better. We’re still in the growing years of the age of information, so plenty of challenges to overcome for sure, but it largely has made for a more informed society and really empowered the average person despite the resurgence of authoritarianism.
Basically PH and other xxx sites need you to verify your identity by uploading your ID. It’s what should be unconstitutional and a violation of privacy.
I believe the responsibility should be on the parents to keep their children from viewing porn before they’re 18. Not the government. I also believe there should be at least some control over what minors have access to. Will it ever be 100%? Nope. All we can do is the best we can do
The difference is that the people involved there are adults and there is no equivalent to the parent responsible for their behaviour so a technical solution makes more sense there.
or a real example that most newer cars have a “check rear seat for occupant” alert because some people forget their babies in the backseat and they die…
This is a world for everyone in it. We shouldn’t actively make it hostile to children, but we also shouldn’t be prioritizing forcing every aspect of it to fit their needs.
Our need to keep it alive isn’t just for children, it’s for everyone, which is also completely unrelated to censorship of sexual content
Especially since parenting is the only thing that’s going to actually work. Do you think kids won’t figure out a VPN? If they heard enough to type “pornhub”, they’ll hear about the one extra step.
And there are worse things on the Internet than porn. Some likely on Roblox.
You’re just going to have to parent your kid with or without this nanny state blocking scheme.
I for one want to be in compliance. Here is my IP, I checked it in Microsoft windows so it is correct. 192.168.0.1
Text me at that IP if I need to pay a fine or if I need to go to my local jail. Thanks guys, I’m sorry I pirated and I will re upload all the movie films that I downloaded to try to make this right.
Do we really have to go through this shit again? As long as you refuse to make watching movies convenient and reasonably priced, people will pirate. You were already so close, but then you got greedy and fucked it all up again so here we are.
They really had achieved the dream. They made a streaming account affordable and more convenient than pirating, so they had tons of customers, with piracy a long lost pastime for people like me. Then they got greedy like you said, and annoying, and many of us dusted off our sailing gear.
The arrs are amazing. I had been out for a while. It’s more fun than streaming. Random stuff shows up that I wasn’t expecting when it downloads a new show or movies that I like.
Radarr, Sonarr, Prowlarr and others. Apps that monitor your library, your preferred shows and movies, and download them automatically for better quality or just new releases. Particularly good for TV shows.
Don’t misunderstand what a server means, however. Just because something is called a server doesn’t mean it’s not made for the desktop. It’s a technical term that doesn’t necessarily relate to networking, it might just relate to stuff like inter-process communication.
However, Wayland is designed for the desktop environment. It’s like the main reason why it replaces X11, which was designed for terminals.
My comment was mostly meant as a joke. I’m aware most of them use their networking capabilities for IPC and being able to use them remotely is just a cool feature resulting from that (except X11).
Linux is an everything OS with whatever features you want/need. Do you need a hardened enterprise server? Linux got you. Do you need a user friendly OS for even non-technical people? Linux got you. Do you need something that can do a little of everything? Believe it or not, Linux got you.
I know this is a joke comment but Linux is for sure an enterprise kernel first and foremost. It did not start that way but that is how it has been developed and managed for many years now. Maybe the most incorrect thing anybody has ever said on record in the computer industry is when Linus said Linux was “not going to be anything big and professional”.
Linux distributions, which are conceived and managed totally independently from the kernel, are available for every niche. Many of them are desktop and “consumer” oriented. With many Linux distributions, I would say that it is more accurate that they are hobbyist oriented more than what Microsoft would mean by “consumer”.
Embedded Windows in the Japanese arcade scene has been working fine so far. For example, most of Bandai's arcade machines in the past 7 years or so basically run embedded Windows.
It was a benefit to non-arcade users because a majority of games that were on those machines eventually got PC versions, or a new game on PC for the first time (e.g. Tekken 7, Taiko No Tatsujin), where historically they've basically never been on PC officially.
So let me get this straight – your defense of Microsoft, in this instance, is Japanese cabinet makers, making arcade machines, where the user doesn’t interact with the operating system in the slightest bit? A Japan that still faxes even in modernity? That’s your defense of MS? I bet they aren’t even using a special build of windows — just the desktop schlock with some shitty 3rd party app on top.
I'm not defending Microsoft as a whole, I'm just saying Windows Embedded isn't as bad as you actually think it is, and consumers benefitted from it more than not.
A Japan that still faxes even in modernity?
What a country does has barely anything to do with this context. That's like saying the U.S. is shit because they didn't have tap to pay until Covid happened, which other countries have been using for a decade before, or having terrible public transportation and internet infrastructure, and in the latter case, basically invented it.
That’s your defense of MS? I bet they aren’t even using a special build of windows — just the desktop schlock with some shitty 3rd party app on top.
That shows how ignorant you are with it, because all of the games aren't directly ported. Look into the efforts required to port Gundam Extreme Versus 2 on TeknoParrot. If it was a native game, then they wouldn't have to jump through as many hoops, as the game doesn't have a PC port (nor have any of its predecessors ever had one).
I don’t know that Microsoft has any business trying to make Windows support these devices better…
Windows is entirely built around two pillars:
Enterprise support for corporations, and team machine management
Entirely open compatibility so they can run almost any hardware you put into it, plug into it, and backwards compatibility for all that for as long as possible.
Portable game machines are not an enterprise product. Nor do you care about broad hardware support or upgradability. Nor do you care about plugging in your parallel port printer from 1985. Nor do you care about running your ancient vb6 code to run your production machines over some random firewire card.
Windows’ goal is entirely oppositional to portable gaming devices. It makes almost no sense for them to try to support it, as it’d go against their entire model. For things like these, you want a thin, optimized-over-flexible, purpose built OS that does one thing: play games. Linux is already built to solve this problem way better than Windows.
But, Microsoft will probably be stupid enough to try anyway.
Most fastboot options don't show the logo until the Windows bootloader comes along.
Though I am not sure how or why the logo is displayed when Windows loads? Is that the same image? Loaded and displayed again, or just didn't clear the display?
Did anyone really think that making UEFI systems the equivalent of a mini OS was a good idea? Or having them be accessible to the proper OS? Was there really no pushback, when UEFI was being standardized, to say “images that an OS can write to are not critical to initializing hardware functionality, don’t include that”? Was that question not asked for every single piece of functionality in the standard?
It breaks the cardinal rule of executing privileged code: only code that absolutely needs to be privileged should be privileged.
If they really wanted to have their logo in the boot screen, why can’t they just provide the image to the OS and request through some API that they display it? The UEFI and OS do a ton of back and forth communication at boot, so why can’t this be a part of that? (It’s not because then the OS, and by extension the user, can much more easily refuse to display what is essentially an ad for the hardware vendor, right? They’d never put “features” in privileged code just to stop the user from doing anything about it… right?)
Did anyone really think that making UEFI systems the equivalent of a mini OS was a good idea
UEFI and Secure Boot were pushed forcibly by MS. That’s why FAT32 is the ESP filesystem.
If I had to guess, a brief was drafted at MS to improve on BIOS, which is pretty shit, it has to be said. It was probably engineering led and not an embrace, extinguish thing. A budget and dev team and a crack team of lawyers would have been whistled up and given a couple of years to deliver. The other usual suspects (Intel and co) would be strong armed in to take whatever was produced and off we trot. No doubt the best and brightest would have been employed but they only had a couple of years and they were only a few people.
UEFI and its flaws are testament to the sheer arrogance of a huge company that thinks it can put a man on the moon with a Clapham omnibus style budget and approach. Management identify a snag and say “fiat” (let it be). Well it was and is and it has a few problems.
The fundamental problem with UEFI is it was largely designed by one team. The wikipedia page: en.wikipedia.org/wiki/UEFI is hilarious in describing it as open. Yes it is open … per se … provided you decide that FAT32 (patent encumbered) is a suitable file system for the foundations of an open standard.
You may be surprised to learn that they didn’t all run out until 2013. UEFI had been around for 7 years by this time, and Microsoft was doing patent enforcement actions against Tom Tom during this time period.
Sure, they’re expired now, but not at the time. It was supposed to be an open standard at the time.
Just checked my own sshd configs and I don’t use CBC in them. I’ve based the KEX/cipher/MAC configs off of cipherlist.eu and the Mozilla docs current standards. Guess it pays to never use default configs for sshd if it’s ever exposed to the Internet.
Edit: I read it wrong. It’s chacha20 OR CBC. I rely heavily on the former with none of the latter.
Even the researcher who reported this doesn’t go as far as this headline.
“I am an admin, should I drop everything and fix this?”
Probably not.
The attack requires an active Man-in-the-Middle attacker that can intercept and modify the connection’s traffic at the TCP/IP layer. Additionally, we require the negotiation of either ChaCha20-Poly1305, or any CBC cipher in combination with Encrypt-then-MAC as the connection’s encryption mode.
[…]
“So how practical is the attack?”
The Terrapin attack requires an active Man-in-the-Middle attacker, that means some way for an attacker to intercept and modify the data sent from the client or server to the remote peer. This is difficult on the Internet, but can be a plausible attacker model on the local network.
It definitely receives more clicks. I’ve posted this link here a day ago, but Ars Technica's title is more engaging. My first thought was whether there’s been another vulnerability found.
That said, this headline isn’t as bad as it could’ve been.
Yeah, if the attacker is in a position to do a MitM attack you have much larger problems than an SSH vulnerability that so far can at most downgrade the encryption of your connection in nearly all cases.
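To make the "checked my sshd configs" exercise above concrete, here is an added script (written for this thread, not from the Terrapin researchers, OpenSSH, or any commenter) that evaluates an sshd_config against the two conditions the quoted FAQ names: ChaCha20-Poly1305 negotiated, or a CBC cipher together with an Encrypt-then-MAC MAC. The default algorithm lists are an assumption for a recent OpenSSH build and the sample configs are constructed; compare with `sshd -T` on a real host.

```python
"""Flag sshd_config cipher/MAC settings that match the Terrapin conditions.

Added example for this discussion; not the researchers' or OpenSSH's own tool.
It resolves OpenSSH's `+` (append), `-` (remove, wildcards allowed) and
`^` (prepend) list prefixes against assumed defaults, then reports whether the
resulting lists still allow chacha20-poly1305 or a CBC cipher with an EtM MAC.
Only global settings are considered; Match blocks are ignored.
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# ASSUMPTION: defaults of a recent OpenSSH (8.x/9.x); verify with `sshd -T`.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com",
    "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]


def resolve_algo_list(spec, defaults):
    """Turn a Ciphers/MACs value into the effective ordered list."""
    items = [s for s in spec.lstrip("+-^").split(",") if s]
    if spec.startswith("+"):           # append to the defaults
        return defaults + [i for i in items if i not in defaults]
    if spec.startswith("-"):           # remove matching entries (globs allowed)
        return [d for d in defaults if not any(fnmatch(d, p) for p in items)]
    if spec.startswith("^"):           # move/prepend to the front
        return items + [d for d in defaults if d not in items]
    return items                        # plain list replaces the defaults


@dataclass
class Assessment:
    ciphers: list
    macs: list
    chacha20: bool      # chacha20-poly1305@openssh.com still offered
    cbc_with_etm: bool  # some *-cbc cipher AND some *-etm MAC offered

    @property
    def affected(self):
        return self.chacha20 or self.cbc_with_etm


def assess(config_text):
    """Parse sshd_config text; first occurrence of a keyword wins, as in sshd."""
    ciphers = macs = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":                       # global section ends here
            break
        if key == "ciphers" and ciphers is None:
            ciphers = resolve_algo_list(value, DEFAULT_CIPHERS)
        elif key == "macs" and macs is None:
            macs = resolve_algo_list(value, DEFAULT_MACS)
    ciphers = list(DEFAULT_CIPHERS) if ciphers is None else ciphers
    macs = list(DEFAULT_MACS) if macs is None else macs
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc = any(c.endswith("-cbc") for c in ciphers)
    etm = any(m.endswith("-etm@openssh.com") for m in macs)
    return Assessment(ciphers, macs, chacha, cbc and etm)


# Constructed sample configs (not from any real host).
DEFAULT_CONFIG = "# nothing set: sshd falls back to its built-in lists\n"
HARDENED_CONFIG = (
    "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr\n"
    "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com\n"
)
LEGACY_CONFIG = "Ciphers aes256-cbc,aes256-ctr\nMACs hmac-sha2-256-etm@openssh.com\n"
REMOVAL_CONFIG = "Ciphers -chacha20-poly1305@openssh.com\n"

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("legacy", LEGACY_CONFIG), ("removal", REMOVAL_CONFIG)]:
        a = assess(cfg)
        print(f"{name:9s} affected={a.affected} chacha20={a.chacha20} cbc+etm={a.cbc_with_etm}")
```

Note that this only tells you whether the vulnerable modes are still offered; applying the OpenSSH 9.6 update the thread mentions is the actual fix, and a server with these modes removed is still fine only if its clients also negotiate something else.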