Volmarias posted: What the actual gently caress

I think the lawyers for the plaintiffs in a class action like this don't really have to give a poo poo if they're understanding the documents they get in discovery correctly or not, though. They can just fish for stuff that looks bad out of context and then apply pressure by going to the media, like what is happening here.

mystes fucked around with this message at 23:38 on Mar 28, 2024
Mar 28, 2024 23:35

Subjunctive posted: is that read access or write access? the inbox API I remember was just for sending messages to people directly (vs the messenger-for-business-pages stuff), which is why it was called that, but it might have changed, no idea

well, if there’s any meat to these claims then we’ll see Facebook’s rebuttal sooner rather than later
Mar 29, 2024 00:48

only if they decide that it’s material to their defense. they’ll respond on as few of the claims as they need to in order to get the suit not certified, I suspect
Mar 29, 2024 00:53

Based on what some facebook employees are saying on hn, the inbox api thing is the same as what is discussed here https://about.fb.com/news/2018/12/facebooks-messaging-partnerships/ and was so that people could choose to grant netflix permission to send messages, so that they could specifically choose to send messages about shows on netflix from within the netflix app.

I guess once netflix had that permission they could do anything theoretically, but it's the same as when you choose to give a third party app full access to your google drive account or something.
Mar 29, 2024 03:36

can you imagine having a friends list in netflix

except for a pandemic-style remote watch party function, I can’t see a single reason why I would ever want anyone to be on a netflix enabled friends list. I don’t want people to know when I’m watching, what I’ve watched, what my opinions are on what I watched, or what I plan on watching. Just ask me like a human being and don’t stalk me

I guess this is why I’m never logged into facebook or linked in
Mar 29, 2024 07:15

sb hermit posted: https://arstechnica.com/gadgets/2024/03/netflix-ad-spend-led-to-facebook-dm-access-end-of-facebook-streaming-biz-lawsuit/

whatsapp is actually encrypted tho, and fb seem to be super scared of loving with it because they haven’t even tried to put ads in it yet. facebook messages have never even pretended to be secure.
Mar 29, 2024 10:49

Soricidus posted: facebook messages have never even pretended to be secure.

FB has started to roll out E2EE for Messenger as default now, and it’s been an available option since I think 2015
Mar 29, 2024 12:31

Subjunctive posted: FB has started to roll out E2EE for Messenger as default now, and it’s been an available option since I think 2015

mystes posted: Based on what some facebook employees are saying on hn
Mar 29, 2024 12:53

Soricidus posted: whatsapp is actually encrypted tho, and fb seem to be super scared of loving with it because they haven’t even tried to put ads in it yet.

technically if E2EE is configured properly they shouldn't be able to gently caress with it even if they wanted to
Mar 29, 2024 13:00

Pile Of Garbage posted: technically if E2EE is configured properly they shouldn't be able to gently caress with it even if they wanted to

they control the software at both of the Es, of course they could gently caress with it if they chose to. I remain somewhat surprised that they apparently haven’t tried to do this yet. the reputational damage would be severe but that doesn’t usually stop capitalism

Subjunctive posted: FB has started to roll out E2EE for Messenger as default now, and it’s been an available option since I think 2015

oh cool, I knew they’d discussed it a bunch but I thought it always got put off, glad they saw sense
Mar 29, 2024 13:34

Soricidus posted: oh cool, I knew they’d discussed it a bunch but I thought it always got put off, glad they saw sense

the UX stuff is still pretty hard, since they want people to be able to keep using the web interfaces, and they have to go back and encrypt past stuff and get the keys in the right place to do that securely. it’s bumpy, lots of people being asked for a PIN they don’t understand so far
Mar 29, 2024 14:47

Wiggly Wayne DDS posted: yea we all talked about it itt as it was getting considered for rollout too
Mar 29, 2024 14:52

FB messenger just did a really nice talk about the E2EE rollout at Real World Crypto. https://iacr.org/submit/files/slides/2024/rwc/rwc2024/71/slides.pdf

IACR should have the video up any century now
Mar 29, 2024 15:05

Ross Anderson's died apparently
Mar 29, 2024 16:13

Rufus Ping posted: Ross Anderson's died apparently

hmm, which one, man?
Mar 29, 2024 17:05

JAnon posted: hmm, which one, man?

j, the one from the uk who wrote security engineering.
Mar 29, 2024 17:11

Soricidus posted: whatsapp is actually encrypted tho, and fb seem to be super scared of loving with it because they haven’t even tried to put ads in it yet.

kinda weird they haven't, I mean they'd have to be non-targeted ads but ads nonetheless
Mar 29, 2024 17:17

Just in: https://www.openwall.com/lists/oss-security/2024/03/29/4

The upstream xz repository and the xz tarballs have been backdoored.
Mar 29, 2024 17:22

Carbon dioxide posted: Just in:
Mar 29, 2024 17:28

Carbon dioxide posted: Just in:

yee fuckin haw
Mar 29, 2024 17:30

Carbon dioxide posted: Just in:
Mar 29, 2024 17:32

Midjack posted: j, the one from the uk who wrote security engineering.

oh drat. sorry for your loss
Mar 29, 2024 17:33

Carbon dioxide posted: Just in:
Mar 29, 2024 17:35

TO CHECK IF YOUR DEVICES MAY BE AFFECTED

The problem is in liblzma, a library used by xz. Run xz --version. If it shows liblzma version 5.6.0 or 5.6.1, those are the ones with the backdoor. My understanding right now is that you ALSO need ssh server (the sshd binary) for it to be abused.

This version got pushed to Debian/testing; over there they just released a rollback of liblzma to a version without the backdoor, called 5.6.1+really5.4.5-1. That weird name causes apt to see it as a higher version so it'll automatically update. I guess for other distros and systems, updates will also come available soon.
Mar 29, 2024 17:41

Carbon dioxide posted: Just in:

why does this poo poo always happen on fridays lol
Mar 29, 2024 17:42

Carbon dioxide posted: TO CHECK IF YOUR DEVICES MAY BE AFFECTED

being on ancient rear end centos 7 until the bitter end stays winning
Mar 29, 2024 17:43

my debian gamebox got patched this morning, thankfully i'm not insane enough to run non-stable poo poo for real things

good to have a headsup when i inevitably see broken boxes in the future from people who do tho
Mar 29, 2024 17:49

Also note, there's a detect script attached to that message in the mailing list. It does basically the same as my instructions, except it checks specifically which version of liblzma is used by sshd. If for some weird reason you have a different version of the lib installed for xz than you have for sshd, my detection would not work, but the script would.
Mar 29, 2024 17:53
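The two checks from the posts above (the xz --version check, and the mailing-list script's sshd-specific check) written out as one small POSIX sh script. This is an added example, not the poster's instructions or the oss-security detect script; it assumes xz and ldd are on the PATH and sshd is on the PATH or at /usr/sbin/sshd, and the sample outputs at the bottom are constructed rather than captured from a real host.

```sh
#!/bin/sh
# Return 0 (affected) if the "liblzma X.Y.Z" line of `xz --version` output
# ($1) names 5.6.0 or 5.6.1. Debian's 5.6.1+really5.4.5-1 package reports
# "liblzma 5.4.5", so it is correctly treated as clean.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | awk '/^liblzma/ { print $2; exit }')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 and print the resolved library path if ldd output ($1) shows
# sshd links liblzma at all; return 1 otherwise. This mirrors what the
# thread says the mailing-list script does: look at sshd's liblzma, which
# may differ from the one the xz CLI uses.
sshd_links_liblzma() {
    path=$(printf '%s\n' "$1" | awk '/liblzma/ { print $3; exit }')
    [ -n "$path" ] || return 1
    printf '%s\n' "$path"
}

# Live check for this host; prints a verdict for each of the two checks.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        out=$(xz --version 2>/dev/null)
        if xz_version_affected "$out"; then
            echo "WARNING: backdoored liblzma release installed:"; echo "$out"
        else
            echo "xz reports a liblzma version other than 5.6.0/5.6.1"
        fi
    else
        echo "xz is not installed"
    fi
    sshd=/usr/sbin/sshd
    command -v sshd >/dev/null 2>&1 && sshd=$(command -v sshd)
    if [ -x "$sshd" ] && lib=$(sshd_links_liblzma "$(ldd "$sshd" 2>/dev/null)"); then
        echo "sshd links $lib; check that library's version as well"
    else
        echo "sshd not found, or not linked against liblzma"
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
SAMPLE_LDD='	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a1c200000)'
check_host
```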

ssh doesn't depend on lzma, but systemd does and systemd handles login now

e: i only mention this because there'll be a bunch of people moaning about systemd again lol

Truga fucked around with this message at 18:00 on Mar 29, 2024
Mar 29, 2024 17:57

lzma tarballs

post hole digger posted: why does this poo poo always happen on fridays lol

sounds like a tuesday problem
Mar 29, 2024 18:05

https://news.ycombinator.com/item?id=39866275

orange site posted: Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its "great new features". We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). We had to race last night to fix the problem after an inadvertent break of the embargo.

Fedora also affected: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Mar 29, 2024 18:09

lol homebrew got got

Upgrading xz 5.6.1 -> 5.4.6
Mar 29, 2024 18:13

on debian testing it's liblzma5:amd64 5.6.1+really5.4.5-1 lmao
Mar 29, 2024 18:15

flakeloaf posted: lzma tarballs
Mar 29, 2024 18:41

Pretty colors for https://www.openwall.com/lists/oss-security/2024/03/29/4:

quote: This injects an obfuscated script to be executed at the end of configure. This

FlapYoJacks fucked around with this message at 18:53 on Mar 29, 2024
Mar 29, 2024 18:49

yeah that was in the first link and what we were talking about
Mar 29, 2024 18:52

ok, pretend I'm an idiot: what exactly is the downstream impact here? compromising sshd for the ability to log in without being authorized?
Mar 29, 2024 18:55

post hole digger posted: being on ancient rear end centos 7 until the bitter end stays winning
Mar 29, 2024 19:00

post hole digger posted: being on ancient rear end centos 7 until the bitter end stays winning
Mar 29, 2024 19:01

https://xeiaso.net/notes/2024/xz-vuln/
Mar 29, 2024 19:02