• 0 Posts
  • 108 Comments
Joined 1 year ago
cake
Cake day: July 24th, 2023

help-circle
  • Perfect example of a (part of a) security vulnerability being fixed in a commit that doesn’t immediately seem security related and would never be back ported to a stablestale distro

    The code which parses the binary MaxMind database after decompression is well guarded as of 2024 but used to look different, potentially providing more attack surface. There is also an interesting commit where a contributor makes adjustments to the gzip::decompress() function which hints at a stack overflow, as the destination buffer was changed from static allocation on the stack to dynamic allocation on the heap, though it was not exploitable due to checks before it is written to







  • Huh weird that it would be removed, that’s a fair comment.

    For Web scraping and other activities by so-called “legitimate” companies to varying degrees, this may be the case. But for general bots, they are generally attempting to scan and probe the entire IPv4 range, since it can be exhaustively checked in a reasonable amount of time and the majority of IPs have hosts on them. Enumerating the entire IPv6 space is quite literally impossible without some external list of hosts known to exist, due to the number of hosts. This happens, but it’s a much higher hanging fruit for an attacker so far fewer will bother. So you generally see few to no continuous probes on things like sshd over IPv6 unless you have a domain name. I’m guessing a lot of bots (in botnets) are dumb old technology that doesn’t even have IPv6.

    NAT was always a hacky workaround. And although it effectively ends up functioning as a firewall under normal usage when combined with a typical “drop invalid incoming packets” rule, it was not designed to be a firewall and shouldn’t be assumed to always function as one. A simple accept established, default drop firewall rule should do the trick and should be used on both v4 and v6 regardless of NAT (and probably is on your router already).

    If your goal is privacy in the sense of blending in, you can still use NATv6 and this is a good use case for it. This is what VPNs like Mullvad use. If your goal is privacy in the sense of being more difficult to track across sessions, you can enable IPv6 privacy extensions which essentially generates a new IPv6 address for every connection your device makes. So in this sense it’s more private than IPv4










  • I think there’s a bit more to it than that.

    It’s very unfortunate that this came as a result of a baseless tantrum from Elon. And his arguments are contrary to free speech.

    That said… GARM is actually bad, and the world is a better place without it in my opinion. They are frequently involved in censoring legitimate journalism of violent events, anything that’s inappropriate from children, etc. You know how so many YouTubers have to carefully tiptoe around mention of controversial topics, even in non-controversial contexts, for fear of getting demonetized? I understand the POV of avoiding advertising near hate, but the fallout has real consequences when legitimate content is inevitably caught up.

    https://www.techdirt.com/2024/08/09/jim-jordan-celebrates-successful-speech-suppression-as-a-claimed-win-for-free-speech/

    Another way to see it is that GARM is simply a trade organization by advertisers for advertisers, with one single goal: to maximize profits for the advertising industry. No corporation actually cares about ethics; it’s just that appearing to be ethical is often profitable, and in this case, advertisers believe that avoiding advertising near controversial content is better for their bottom line. If one believes that advertising is one of the most abusive industries in our modern society, it could be seen that anything to make it a little harder for advertisers to extract more profits is a win.