homura1650

joined 10 months ago
[–] [email protected] 8 points 7 months ago

I'm one of those security specialists (although not on mastodon). To be clear, if a vulnerable version of libxz were included in a distribution that we actually use, this would be an all-hands-on-deck, drop-everything-until-it-is-fixed emergency.

Having said that, for an average user, it probably doesn't matter. First, many users just don't have the vulnerable version installed. All things considered, it was found very quickly, so only rolling release distros would have it. Additionally, it appears that only .deb or .rpm based distributions would have it. Not because they are particularly vulnerable; the attack explicitly tests for it.

However, let's set all of this aside and assume a typical user is running a vulnerable system. In my assessment, the risk to them is still quite low. With most vulnerabilities, the hard part is discovering it. Once that happens, the barrier to exploiting it is relatively low, so you get a bunch of unrelated hackers trying to exploit any system they can find. This case is different; exploiting it requires the attacker's private key. Even though the attack is now widely known, there is still only 1 organization capable of using it.

Further, this attack was sophisticated. I'm not going to go as far as others in saying that only a state actor could do it. However, it is hard to think of anyone other than a state actor who would do it. Maybe a group of college kids doing it for the ~~lolz~~ research? But, if the motivation is lolz, I don't see them pivoting to do anything damaging with it. And even if they wanted to, there would still only be a handful of them. In short, this is one of those cases where obscurity works. Whoever did this attack does not know or care about Joe the Linux user, and they were probably never going to risk burning it by exploiting it on a large scale.

However, setting all of that aside, suppose you were using vulnerable software, and someone with the private key is interested in your home system. First, you would need to be running OpenSSH on a remotely accessible interface [0]. Second, you would need your firewall to allow remote SSH traffic. Third, you would need your router to have port forwarding enabled, and explicitly configured to forward traffic to your OpenSSH server [1].

If all of that happens; then yes, you would be at risk.

[0] Even though the attack itself is in the libxz library, it appears to specifically target OpenSSH.

[1] Or, the attacker would need some other mechanism to get on the same network as you.

[–] [email protected] -1 points 7 months ago (5 children)

"Treat others the way you want to be treated".

[–] [email protected] 13 points 7 months ago* (last edited 7 months ago) (2 children)

Out of all the sovereign citizen nonsense I have seen, this is probably the most likely to work. Not in a "that is the way the law works" kind of way, but in the "the other party might actually get duped" way.

Essentially, it is a variant of the fake invoice scam. In a fake invoice scam, you send a bill to a company you never worked for. Normally, the company will look at it and ask "what is this about?". However, occasionally the bill will land on top of a pile of paperwork. Then a parent who was up all night with a sick kid will come in in the morning, see an unpaid bill, and write the check before having their morning coffee.

Essentially the same thing happened here. The bank got paperwork from the IRS saying that the bank forgave the loan (point 1 to the scammer for having this come through the IRS). Of course, most of the time, the bank's response is going to be "no we didn't", at which point the scammer loses. But occasionally an employee at the bank is going to mess up, and do something that might result in the loan actually being forgiven.

[–] [email protected] 7 points 7 months ago

And the police did stop traffic from getting onto the bridge. Listening to the police audio [0], it sounds like they were in position almost immediately after the request came in. Having said that, I don't think they were quite fast enough for the traffic already on the bridge to get off.

If they had responded faster, they might have made it in time for the one officer to be on the bridge evacuating the workers when it collapsed. With the benefit of hindsight, that would have accomplished nothing except 1 more death.

I'm often pretty critical of police, but I see absolutely nothing they could have done better in this case.

[0] https://www.washingtonpost.com/dc-md-va/2024/03/26/baltimore-key-bridge-collapse-maryland/#link-SG74QTQZKNCI7CT3KCUCWYEZYQ

[–] [email protected] 38 points 7 months ago

Police audio from the event:

https://www.washingtonpost.com/dc-md-va/2024/03/26/baltimore-key-bridge-collapse-maryland/#link-SG74QTQZKNCI7CT3KCUCWYEZYQ

It sounds like police got there just in time to stop traffic. One of the officers says that as soon as backup arrives to take over stopping traffic he would go and evacuate the workers, when we get the report that the bridge is gone.

If you watch the stream of the crash, you can see that traffic was flowing just moments before it fell.

[–] [email protected] 11 points 7 months ago (1 children)

Around 2 years ago, I got an email from a products team asking me for urgent help extending a program in time to make a sale.

I looked over the program and wrote back something along the lines of "this program was written almost a decade ago by an unsupervised high school intern. Why TF are we still using it?".

Of course, I ended up helping them, because that high school intern was me, and I ended up helping because no one else could figure out what high school me was thinking.

[–] [email protected] 4 points 7 months ago

Java did have a Security Manager that could be used to prevent this sort of thing. The original thinking was that the Java runtime would essentially be an OS, and you could have different applets running within the runtime. This required a permission system where you could confine the permissions of parts of a Java program without confining the entire thing, which led to the Java Security Manager.

Having said that, the Java Security Manager, while an interesting idea, has never been good. The only place it has ever seen significant use was in webapps, where it earned Java the reputation for being insecure. Nowadays, Java webapps are ancient history due to the success of Javascript.

The Security Manager was deprecated in Java 17, and I believe removed entirely in Java 21.

[–] [email protected] 9 points 8 months ago* (last edited 8 months ago) (1 children)

But he can be held responsible for the US's actions.

The extent to which treaties carry weight under US law is untested. Congress tried going to court over this in Goldwater v. Carter over Carter's withdrawal from the Sino-American mutual defense treaty. However, the Supreme Court dismissed the case as "unfit for judicial review".

Biden is also arguably violating the Foreign Assistance Act, which provides that:

Except under circumstances specified in this section, no security assistance may be provided to any country the government of which engages in a consistent pattern of gross violations of internationally recognized human rights.

However, the Senate voted 72-11 against attempting to enforce the relevant provisions in this case.

[–] [email protected] 3 points 8 months ago (3 children)

And Hamas is never going to agree to terms that require it to stop existing; making that a condition is a non-starter for any negotiation.

[–] [email protected] 6 points 8 months ago (1 children)

This is not a privacy bill. Anyone referring to it as a privacy bill is lying. Not even the bill title claims to be about privacy. It is the "Protecting Americans' Data from Foreign Adversaries Act of 2024".

[–] [email protected] 32 points 8 months ago (1 children)

I'd just like to interject for a moment. What you're referring to as Linux, is in fact, GNU/Linux, or as I've recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.

Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called "Linux", and many of its users are not aware that it is basically the GNU system, developed by the GNU Project.

There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine's resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called "Linux" distributions are really distributions of GNU/Linux.
