The 90 minutes are per week I take it

🐐

The last campfire, disco Elysium, hue

Sounds like a porn box set

Bridging a gap for your team mates 😄

Tails and another for storing random stuff, like a copy of documents when travelling.

They must have something to hide 🤨

Welcome to the party pal

You’re wholesome OP 🤗

Imagine paying for an OS to have ads in it. 🐃💩

Thankfully we have Linux/BSD

It doesn’t matter that you can disable it, this stuff shouldn’t be in the OS in the first place

Now if ubisoft could go under too. I’m still pissed the splinter cell games are such a shit show on PC and they have the neck to ask for full price with the bugs and multiplayer being disabled. They can get fucked

Kdeconnect works great too if you are using linux and android

Ive thought about using it for bank apps so I dont have hassle if I lose the phone or it gets robbed. Has anyone tried this ?

Same

Boycott this shit company

You are right, as you note this requires a set of skills that many don’t possess.

I have been looking for ways I can help going forward too where time permits. I was just thinking having a list of possible targets would be helpful as we could crowdsource the effort on gitlab or something.

I know the folks in the lists are up to their necks going through this and they will communicate to us in good time when the investigations have concluded.

I think going forward we need to look at packages with a single or few maintainers as target candidates. Especially if they are as widespread as this one was.

In addition I think security needs to be a higher priority too, no more patching fuzzers to allow that one program to compile. Fix the program.

I’d also love to see systems hardened by default.

I’m curious to know about the distro maintainers that were running bleeding edge with this exploit present. How do we know the bad actors didn’t compromise their systems in the interim ?

The potential of this would have been catastrophic had it made its way into the stable versions, they could have for example accessed the build server for tor or tails or signal and targeted the build processes . not to mention banks and governments and who knows what else… Scary.

I’m hoping things change and we start looking at improving processes in the whole chain. I’d be interested to see discussions in this area.

I think the fact they targeted this package means that other similar packages will be attacked. A good first step would be identifying those packages used by many projects and with one or very few devs even more so if it has root access. More Devs means chances of scrutiny so they would likely go for packages with one or few devs to improve the odds of success.

I also think there needs to be an audit of every package shipped in the distros. A huge undertaking , perhaps it can be crowdsourced and the big companies FAAGMN etc should heavily step up here and set up a fund for audits .

What do you think could be done to mitigate or prevent this in future ?

Your distro should havê a security mailing list you van subscribe to

I like it but I would prefer it to be more restrictive out of the box. Such as have apps declare a list of urls the are permitted to contact , a browser could have * .

I’d like a more granular filesystem list too more akin to apparmors were each file path needed is explicitly defined, in some cases you would need a wildcard or a directory but for most apps this could be done.