neatchee
@neatchee@lemmy.world
- Comment on For security reasons 3 days ago:
Let em figure it out. Wasting their time is a core strategy in reducing their impact and will to continue cheating
I certainly didn’t share it myself but it’s possible my old boss did!
TBH, on my very personal opinion the third party anti-cheat apps are like 50% placebo. Just makes people feel better. They are very protective of their “secret sauce” but I can say none of them are anywhere close to perfect. The thing they’re best at is taking the easy stuff off our plates so we can focus on the more difficult problems of hardening the game itself and analyzing telemetry.
- Comment on For security reasons 4 days ago:
For the sake of checking uniqueness it’s probably fine to just ignore them. Yeah, it sucks if johndoe@obscure.domain and john.doe@obscure.domain can’t sign the same petition but outside of the big email services I imagine that kind of collision is pretty rare
- Comment on For security reasons 4 days ago:
Right I’m saying I always thought that was an optional feature, determined by the person who created the petition. I don’t think it’s a universal requirement for all change.org petitions
- Comment on For security reasons 4 days ago:
My understanding is that signing a petition and creating an account aren’t necessarily linked, and it’s up to the person who created the petition whether verification is required.
- Comment on For security reasons 4 days ago:
Yes! I LITERALLY just set up my stuff there a few days ago for TSA Precheck and CBP because I’m heading to Japan next month. I love what they’re doing.
- Comment on For security reasons 4 days ago:
Oh yeah don’t get me wrong, I think change.org as a product is hot sticky garbage. I don’t take anything they produce seriously lol
- Comment on For security reasons 4 days ago:
As it ever will be, much as it may pain our moral sensibilities.
Re: CoD - I loved it. Laughed my ass off. Absolutely a big fan of creative approaches to getting cheaters to tell on themselves. I proposed something similar to my team when we had a problem with players manipulating the position of objects in the world so they were directly in front of the player: add an object of the same type inside map geometry and attach a “kill volume” to it, so it was like a landmine. Move the object in front of the player and they instantly die :P Wish we’d done it but couldn’t get the level designers’ time to implement it unfortunately
One we did do though: back when the product I worked on was on PS3 one of the big problems was hacked consoles spoofing platform entitlements (the thing that tells the game what purchases they should have access to). So we added an entitlement that couldn’t be acquired in any legitimate way, and gave you a specific item in game. Then we just checked player inventories once a week for anyone with that item and banned their account, their console, and any account that played on that console for a meaningful amount of time. Did the same thing with an item you could only get to by clipping through geometry. Even put the word “intrusion” in the item’s name haha.
The cheats are so technically complicated at this juncture that the creative stuff is often the most effective. I mean, people are literally voluntarily installing hypervisor rootkits to run the cheats, so they can talk to their drivers below even the kernel. It’s so hard to come up with technical solutions to a problem like that that don’t wind up costing massive server processing power to validate every input.
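The weekly inventory sweep described in the comment above, written out as detection logic. This is an added example, not the studio’s code; the item ids, the “meaningful amount of time” threshold (120 minutes) and the telemetry rows are all constructed for illustration. It generalizes the comment slightly by treating both canaries (the unbuyable entitlement item and the inside-the-geometry item) with one rule.

```python
"""Periodic canary-item sweep over player telemetry.

Added example illustrating the approach described in the comment above; it is
not the studio's code.  Item ids, the shared-console threshold and the sample
telemetry are all constructed for the example."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Items that no legitimate play path can grant: one tied to an entitlement that
# cannot be bought, one placed inside map geometry (assumed ids).
CANARY_ITEMS: Set[str] = {"item_intrusion_entitlement", "item_intrusion_geometry"}

# Minimum play time on a flagged console before a second account is treated as
# the same player rather than a guest (assumed threshold).
SHARED_CONSOLE_MINUTES = 120


def sweep(
    inventories: Iterable[Tuple[str, str]],
    sessions: Iterable[Tuple[str, str, int]],
    canary_items: Set[str] = CANARY_ITEMS,
    shared_minutes: int = SHARED_CONSOLE_MINUTES,
) -> Dict[str, object]:
    """Run one sweep.

    inventories: (account_id, item_id) rows
    sessions:    (account_id, console_id, minutes_played) rows
    Returns the accounts and consoles to ban plus a per-account reason list.
    """
    # Direct hits: any account holding a canary item.
    direct: Set[str] = {acct for acct, item in inventories if item in canary_items}

    # Aggregate play time per (account, console) so short visits don't add up
    # across rows into a false positive.
    minutes: Dict[Tuple[str, str], int] = defaultdict(int)
    for acct, console, mins in sessions:
        minutes[(acct, console)] += mins

    # Every console a flagged account has played on is banned too.
    consoles: Set[str] = {console for (acct, console) in minutes if acct in direct}

    # Other accounts with meaningful time on a banned console share the ban.
    shared: Set[str] = {
        acct
        for (acct, console), mins in minutes.items()
        if console in consoles and acct not in direct and mins >= shared_minutes
    }

    reasons: List[Tuple[str, str]] = sorted(
        [(a, "holds canary item") for a in direct]
        + [(a, "played on banned console") for a in shared]
    )
    return {"accounts": direct | shared, "consoles": consoles, "reasons": reasons}


# Constructed sample telemetry.
SAMPLE_INVENTORIES = [
    ("acc_cheater", "item_intrusion_entitlement"),
    ("acc_cheater", "item_sword"),
    ("acc_clipper", "item_intrusion_geometry"),
    ("acc_honest", "item_sword"),
    ("acc_roommate", "item_shield"),
    ("acc_guest", "item_shield"),
]
SAMPLE_SESSIONS = [
    ("acc_cheater", "console_a", 600),
    ("acc_roommate", "console_a", 300),   # long enough to share the ban
    ("acc_guest", "console_a", 20),       # brief visit: not banned
    ("acc_honest", "console_b", 900),
    ("acc_clipper", "console_c", 45),
]

if __name__ == "__main__":
    for account, why in sweep(SAMPLE_INVENTORIES, SAMPLE_SESSIONS)["reasons"]:
        print(f"ban {account}: {why}")
```

The threshold is the part worth tuning: set it too low and a friend who tried a few rounds on a modded console gets caught in the net; set it too high and alt accounts on the same hardware slip through.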
- Comment on For security reasons 4 days ago:
Funny you mention the robocall thing… I’m literally leaving a company that works on that problem (though not as their primary business) Wednesday. It was a short stint - mostly because they are resistant to solving massive technical debt problems and I’m not trying to doom my future self - but what I witnessed was…depressing. Getting anything done was like pulling teeth, and that’s with the recent FTC pivot to taking this stuff more seriously. STIR/SHAKEN is a reasonable start but it still has almost no teeth behind it.
I’m with you on the identity issue. I mean, if we’re being really honest, the only people losing out by not implementing strong personal identification verification are the legitimate end users because the threat actors have gotten so unbelievably good at fingerprinting user behavior. And it’s only going to continue getting worse. With ML growth as unfettered as it is, there is nothing we can do. So I’d much rather take the reins and make identity verification a robust feature instead of a bug we can’t squash.
- Comment on For security reasons 5 days ago:
Good info! Sounds like a nightmare :x
Yeah, I can’t say their solution is the most elegant but it certainly makes a kind of sense when their criterion for success is “maximize participation while satisfying ‘uniqueness’ critics”
- Comment on For security reasons 5 days ago:
You’re not wrong, but this isn’t really a security matter, it’s an “apparent uniqueness” matter. Their goal, I assume, is to satisfy critics enough that a given petition’s participants are sufficiently unique while keeping the barrier to filling out the form as low as possible. So they end up in a situation where neither is perfect, but they’re both “good enough” for what the business needs.
I dealt with this in the anti-cheat space: my goal was never to remove all cheating, because that’s too expensive (insanely so). My goal was to make the public believe they weren’t playing against cheaters too often. If the solution was forcing the cheaters to perform at a level that was just below the most skilled human players, that was actually a success, because if the players can’t differentiate between cheaters and pro players, then they can’t effectively determine how prevalent cheating actually is.
Part of me hated that we had to treat it that way, but another part of me understood that if I pushed too hard on “eliminating cheating” my department would become more costly than it was worth and they’d pivot away from gameplay that needed anti-cheat at all
- Comment on For security reasons 5 days ago:
Requiring SMS validation is a massive barrier to entry and not a viable option for a service like Change.org that relies on a certain level of participation.
- Comment on For security reasons 5 days ago:
I don’t think the reason they’re being used is relevant to their problem though. “Think like an attacker” wins the day here: as an attacker, I don’t care what it’s meant for, only how I can use it to my advantage. If it’s something they observed as a problem, I understand why they would want to stop it.
As for “-”, yeah, I don’t have a particularly good explanation for that one except the assumption that it’s something similar to + addressing on a different service.
- Comment on For security reasons 5 days ago:
I imagine because it can’t be used to add additional junk characters to the address, they probably just strip them out before doing their string comparison
- Comment on For security reasons 5 days ago:
Yeah I agree that one seems silly on the surface but for their specific situation I understand why: services like Gmail allow using a + to create faux-labels. So for example foo@gmail, foo+bar@gmail, and foo+baz@gmail all get delivered to the same account. For change.org that’s a problem because it allows a single email account to fill out the form many times.
Ideally, they would simply truncate everything after and including those symbols but it’s possible other services have different rules (maybe yahoo lets you prepend faux-tags instead of appending them, or something like that) so simply blocking their use altogether could be the more robust solution
- Comment on For security reasons 5 days ago:
Security professional here. This is legit a good call on their part. It’s because those types of addresses won’t bounce emails but aren’t necessarily in your control; it’s very, very easy to spam those petition forms with mail@ for a million real domains without bouncing the emails, making them seem legit.
You own your domain, obviously, so it’s really as simple as creating a forwarding address of “changeorg@domain.tld”. If creating a forwarding address is that much of a problem for you I suggest that you likely shouldn’t be hosting your own email in the first place.
Your laziness isn’t a good reason to be upset with a company taking steps to reduce their security overhead significantly
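The address-handling rules discussed across the comments above (ignoring dots only where the provider does, folding or blocking “+”/“-” tags, and refusing role addresses like mail@) as one worked normalizer. This is an added example, not change.org’s code or anything the commenter wrote; the provider list, the role-account list and the sample signature list are assumptions constructed for illustration. `block_separators=True` models the strict policy the thread attributes to change.org, `False` the truncation alternative the commenter calls ideal.

```python
"""Canonicalising e-mail addresses for a "one signature per mailbox" check.

Added example; not code from the thread or from change.org.  The provider
list, the role-account list and the sample data are assumptions."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Providers known to deliver f.o.o@ to the same mailbox as foo@ (illustrative, not exhaustive).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

# Characters that introduce a sub-address tag: '+' on Gmail and many others,
# '-' on some providers (the thread's guess for why '-' is blocked too).
SUBADDRESS_SEPARATORS = "+-"

# Local parts that exist on nearly every domain but belong to no individual:
# they accept mail without bouncing yet prove nothing about the signer.
ROLE_LOCAL_PARTS = {"mail", "postmaster", "abuse", "info", "admin", "webmaster", "hostmaster"}

_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def split_address(address: str) -> Tuple[str, str]:
    """Return (local_part, lowercase_domain); raise ValueError if malformed."""
    address = address.strip()
    if not _ADDR_RE.match(address):
        raise ValueError(f"malformed address: {address!r}")
    local, domain = address.rsplit("@", 1)
    return local, domain.lower()


def reject_reason(address: str, block_separators: bool = False) -> Optional[str]:
    """Why an address is refused outright, or None if it may be counted.

    block_separators=True refuses any '+' or '-' in the local part rather than
    trying to interpret it; False keeps the address and lets canonical_key()
    fold the tag away.
    """
    local, _domain = split_address(address)
    if local.lower() in ROLE_LOCAL_PARTS:
        return "role-account local part"
    if block_separators and any(c in local for c in SUBADDRESS_SEPARATORS):
        return "sub-address separator in local part"
    return None


def canonical_key(address: str) -> str:
    """Key under which addresses reaching the same mailbox compare equal.

    Lowercases, drops a '+'/'-' tag, and drops dots only for providers known
    to ignore them, so john.doe@obscure.domain stays distinct from
    johndoe@obscure.domain (the rare collision the thread accepts).
    """
    local, domain = split_address(address)
    for sep in SUBADDRESS_SEPARATORS:
        local = local.split(sep, 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local.lower()}@{domain}"


def count_signers(addresses: Iterable[str], block_separators: bool = False) -> Dict[str, object]:
    """Summarise a signature list: unique mailboxes, duplicates and rejections."""
    keys: Counter = Counter()
    rejected: Dict[str, str] = {}
    for addr in addresses:
        reason = reject_reason(addr, block_separators)
        if reason:
            rejected[addr] = reason
            continue
        keys[canonical_key(addr)] += 1
    duplicates = sum(n - 1 for n in keys.values())
    return {"unique": len(keys), "duplicates": duplicates, "rejected": rejected}


# Constructed sample input.
SAMPLE_SIGNATURES = [
    "foo@gmail.com",
    "Foo+bar@gmail.com",
    "f.o.o@gmail.com",
    "john.doe@obscure.domain",
    "johndoe@obscure.domain",
    "mail@example.org",
]

if __name__ == "__main__":
    print(count_signers(SAMPLE_SIGNATURES))
    print(count_signers(SAMPLE_SIGNATURES, block_separators=True))
```

The folding approach counts three Gmail spellings as one signer; the strict approach refuses the “+” one instead, which is simpler to reason about but, as the thread notes, costs participation from people with legitimate dashes in their addresses.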
- Comment on 1000 years from now physics is forgotten and all that remains is the legend of two hobbits, Charm and Spin, and their quest for the Higgyboson. At this point, is physics true? 5 weeks ago:
There is no question that most myths and legends were originally an attempt to convey facts, theories, or guesses into the future.
Humans are built to be pattern matching machines and prediction engines; it’s one of the big survival traits we developed through evolution and we’re better at it than any other species we know of.
BUT objectively speaking we were still really, really bad at it. Yet that doesn’t stop us from trying.
So we tend to do the best we can with the information we have available at the time.
As others have said, “physics” - and science in general - is by definition immutable. It is the thing that can be tested with specific predictions that always turn out to be correct. If I can perform an experiment today, and you can perform the same experiment 100 years from now, and (adjusting for environmental factors and measurement accuracy) we get the same results, and we can repeat that over and over, that’s science.
But our understanding, our knowledge of it, can change as you say. That doesn’t make physics less true, it just makes our knowledge of and ability to describe physics less accurate.
We can trace so many stories - including modern religions - to origins that attempt to explain our limited observations in the past. They were our best effort at matching patterns and predicting outcomes in the world around us. And the inaccuracies, the limitations don’t mean we should stop believing the things we think we understand today.
It just means that we must recognize new information when it arrives as testable data, and incorporate it into our current understanding, relegating the wisdom of the past to history.
- Comment on How does the xz incident impacts the average user ? #xz 1 month ago:
Arbitrary. It could be whatever they wanted at any time
- Comment on How does the xz incident impacts the average user ? #xz 1 month ago:
Here’s how it was intended to work:
- debian, fedora, or another RPM-based distribution updates references to liblzma to 5.6.x in their latest release
- the package repository is updated (usually through automation) by getting the infected tarball and compiling it into an RPM which is added to the repo
- if the package is built using glibc and the gnu linker, and for a system that uses systemd, the exploit is enabled during compilation of the x86-64 version of the package; otherwise the result is normal
- when an application is installed that depends on liblzma, possibly during OS installation itself, the infected RPM package from the package repository is downloaded and installed
- in this particular case, OpenSSH was the primary target; if the attacker wanted to, it could have targeted any web-facing service that uses liblzma such as OpenSSL + Apache/nginx, etc
- when the OpenSSH server is started on an infected system, it loads the infected liblzma binary
- the attacker starts an SSH connection to the infected server, having already known about the server or by scanning the internet for visible ssh servers
- during creation of the SSH connection, one of the steps is to negotiate encryption using an RSA key. The attacker uses a specially formed RSA key only available to the attacker that also contains a chunk of code (the “payload”) that they want executed on the server
- liblzma is utilized to compress data in transit; when the infected liblzma decompresses the RSA key on the server, the exploit recognizes the attacker’s special RSA key and executes the payload on the host system. Otherwise, the ssh session continues as normal
- Comment on How does the xz incident impacts the average user ? #xz 1 month ago:
Quick summary:
- only impacts Debian and Linux distributions that utilize RPM for packages
- only impacts cases where liblzma is compiled from a tarball, rather than cloned source repository or precompiled binary
- only impacts x64 architecture
- introduced in liblzma 5.6.0 which was released in late February so only impacts installs receiving updates to liblzma since then
liblzma is a library for the lzma compression format. Loosely, this means it’s used by various other pieces of software that need this type of compression, rather than being an application itself.
It is very widely used. It comes installed on most major Linux distributions and is used by software like openssh, one of the standard remote connection packages.
However, since it was only in the tarball, you wouldn’t see it widely until debian, fedora, et al release a new version that includes the latest liblzma updates. This version hadn’t been added to any of the stable release channels yet, so the typical user wouldn’t have gotten it yet.
I believe this would have gone out in debian 12.6 next week, and the attacker was actively petitioning fedora maintainers to get it added to fedora 40 & 41
The interesting thing about this situation was how much effort the attacker put in to gain trust just to get to the point where they could do this, and how targeted the vulnerability seems to have been. They tried very hard to reduce the likelihood of being caught by only hitting a limited set of configurations
- Comment on I feel old 1 month ago:
Oh my god Gretchen
- Comment on The Karen of Lemmy 1 month ago:
Because deplatforming works. Because tolerating intolerance eventually results in the tolerant being extinguished.
If I’m hosting a party and there’s a Nazi on my front lawn, I don’t care if I and my guests can mute them, block them, whatever. I’m going to get rid of them. I don’t want new guests seeing them when they arrive. I don’t want every single person to have to be exposed to the Nazis first before they can then block them out. I don’t want the Nazis to exist at all. Nazis don’t deserve to exist. We went to war to kill Nazis and I’d vote to do it again if I could.
It’s our house. Our community. No. Fucking. Nazis. No toxicity. We don’t have to suffer them to exist.
- Comment on The Karen of Lemmy 1 month ago:
Before I block you I’ll be kind and make one genuine attempt to help you learn:
Just like nobody is required to invite you into their home, nobody is required to listen to you either. And nobody is required to let you loiter on their property (the server) and act like a douche to their guests (the users).
You are facing the consequences of your actions. People don’t like you and instead of considering why that might be and adjusting, you simply complain that people are kicking you out of the party.
You are not owed an audience. You do not have a right to be heard.
- Comment on The Karen of Lemmy 1 month ago:
Ok this one made me chuckle
- Comment on The Karen of Lemmy 1 month ago:
Oh look, he willfully distorts things too! Tell me about free speech next so I can complete my bingo card
- Comment on The Karen of Lemmy 1 month ago:
I’ve only ever seen the term “feefees” used by people whining over facing the completely predictable consequences of their actions
- Comment on Please Stop 2 months ago:
I didn’t ask them to do their own research. I asked that, if they are skeptical of a claim I made, either do a simple Google search to check if it’s really verifiable, or ask me directly instead of immediately saying “you’re wrong because I would have heard of it”
- Comment on Please Stop 2 months ago:
Hahaha “niche” is what you call multiple massive financial institutions? And that’s just what I could pull up in 5 minutes off Google.
Your obstinance is genuinely entertaining 🤣
You’re a silly, silly person. Thank you for the laugh. So long, chief
- Comment on Please Stop 2 months ago:
I linked you to my other comment where I provide FIVE links to what you asked for. Excuse me for not retyping the same thing for every single person.
I don’t owe you my time. I provided a one-click path to what you asked for but you couldn’t even be assed to ponder why I linked you that comment.
Done with you now.
- Comment on Please Stop 2 months ago:
You are just simply wrong and I don’t have the energy left to keep digging up the resources to prove it. Go read my other replies elsewhere. There are even people in this thread who have written long comments detailing the same things I’m saying. You do not understand the history of blockchain, only crypto. You do not understand the underlying technology, nor what differentiates the concept of a blockchain from the type of blockchain used in crypto. So I’m done. Too tired of showing people the truth when they refuse to entertain anything but their existing position.