(safe) Unsecure security


(un) Security - Who will guard the guards?

founded 3 years ago
Selection of quotes:

This is despite the fact that it has been well-established law for almost 60 years that U.S. people have a First Amendment right to receive foreign propaganda.

The law limits liability to intermediaries—entities that “provide services to distribute, maintain, or update” TikTok by means of a marketplace, or that provide internet hosting services to enable the app’s distribution, maintenance, or updating. The law also makes intermediaries responsible for its implementation.

The law explicitly denies to the Attorney General the authority to enforce it against an individual user of a foreign adversary controlled application, so users themselves cannot be held liable for continuing to use the application, if they can access it.

Enacting this legislation has undermined this long-standing democratic principle. It has also undermined the U.S. government’s moral authority to call out other nations when they shut down internet access or ban social media apps and other online communications tools.

Our lawmakers should work to protect data privacy, but this was the wrong approach. They should prevent any company—regardless of where it is based—from collecting massive amounts of our detailed personal data, which is then made available to data brokers, U.S. government agencies, and even foreign adversaries.

Thoughts?

Wait... what about ..chain?

A quick post on Chen’s algorithm (blog.cryptographyengineering.com)
submitted 9 months ago by [email protected] to c/[email protected]

But there is a saying in our field that attacks only get better.


ECDSA NIST-P521 keys used with any vulnerable product / component should be considered compromised and consequently revoked by removing them from authorized_keys, GitHub, ...


Although the vulnerability was addressed in August 2018, the maintainers of Lighttpd patched it silently in version 1.4.51 without assigning a tracking ID (CVE).

This led the developers of AMI MegaRAC BMC to miss the fix and fail to integrate it into the product. The vulnerability thus trickled down the supply chain to system vendors and their customers.

BMCs are microcontrollers embedded on server-grade motherboards, including systems used in data centers and cloud environments, that enable remote management, rebooting, monitoring, and firmware updating on the device.

In short - it is a BIOS/virtual keyboard and mouse accessible via the internet, and if you can access it - you are controlling the computer. Of course, having such devices exposed without adequate protection is an interesting idea by itself, but there are quite a few dedicated server providers that do it for various reasons (less work).


Probably web runs on PHP - upgrade!


This is quite important, but there is still hope - to be fully exploited it seems that one needs to have malware already present on the computer, and if that is the case - there are more problems to solve.


The little known “manufacturer” or “manager” reset codes could let third parties—such as spies or criminals—bypass locks without the owner’s consent and are sometimes not disclosed to customers.

The fact the DoD protected its own interests while not warning the public gives a stark demonstration of what could happen if a backdoor was inserted into a consumer electronics device or similar.

The documentation also explicitly says that sometimes the existence of a manager code may not be sent to an actual user of the device. “In some instances the Manager Code and associated Operating Instructions are not issued to the End User,” it reads, meaning that people may be using these locks without understanding that they can include a backdoor code.


"Khurana was handsomely compensated," Meta continued in its complaint. "But ... that was not enough." Despite that fat pay package and VP title, Khurana may have failed to consider the level of monitoring or logging that goes on inside Meta's networks, if the lawsuit's allegations are correct.
