Xanza (@Xanza@lemm.ee). Posts: 2. Comments: 1,080. Joined 3 mo. ago.
Binary supply-chain attacks are not “minor security issues”.
Yes they are. The binaries for Ventoy aren't even updated from release to release. It's not even evident how old they are. So crying about an attack that only matters if these binaries are bleeding edge is absolutely a minor issue. I don't even understand how someone of sound mind and body could possibly believe otherwise.
Not having a security first posture on these kinds of attacks is how the xz event happened
No one is making the argument that security doesn't matter. No one is pushing the idea that Ventoy is secure. I'm saying singularly and only that a supply chain attack is just about the dumbest goddamn angle possible to bitch about Ventoy because I could argue that Ventoy would be more vulnerable than it is now to a supply chain attack if the binary blobs are built and updated every time you build a bootable drive. It's just a truly fucking insane argument that shows a lack of understanding of what a supply chain attack is. The built binaries may be vulnerable and it's difficult to prove if they are or not, but if you update the binaries all the time they're more vulnerable (attack surface is larger) than if they're only updated when absolutely necessary...
It's just plain a poor argument and I'm tired of every armchair expert pretending that it's not. People in high security environments aren't using Ventoy. It's just such a ridiculous argument.
I'm not scared of what she would do when in power. But having the opinion matters. It matters. You shouldn't elect people to lead us who don't treat others like humans. Period.
I won't help get her elected for the same reason I won't help get a member of the KKK elected--and if you can't see the parallel there, then I won't help you get elected, either.
"Please stop thinking genocide is bad!"
That's what he's saying.
She's pro-Israel. Worth pointing that out. Not sure the government needs more pro-Israel sycophants.
Lemme know if you end up figuring it out. I'm invested.
That's the beauty of it! You can't! AI can't commit malpractice, because you have to prove professional negligence! /s
The advantage of Ventoy is its ability to work in any environment and handle 99% of ISOs. Compiling the binaries at build time requires a mature development environment to be able to build these utilities.... You're exponentially increasing the size and complexity of the project to solve a relatively minor security issue.
Ventoy is not the only way to create a bootable drive... If you don't trust the blobs then don't run the software.
Forking Ventoy to add the complexity of building these utilities is only going to be available for *nix based environments, so Windows users are pretty much shit out of luck. You're exponentially increasing the size of the project, its complexity, and simultaneously significantly narrowing its usability....
I said it before and I'll say it again: it's such a bad fucking argument. It's not mature software. It's a literal confluence of hacks... And if you're not comfortable with using it then don't use it. It really is a huge security risk. But advocating that nobody use it is such a stupid fucking thing.
Advocate that people understand the risks of using it but to just run around and scream about how nobody should be using it for any reason whatsoever until the maintainer closes the security hole that makes it run is pretty stupid.
Such a great post.
This has always been the key. Amazing to me that not many seem to take it seriously.
There's no way to emote it, but you know when those old Italian ladies spit at people to keep the evil away from themselves? I just did that in your general direction...
I still use my 3a XL without issue. This is very likely a usage issue, settings issue or even a hardware issue. It's not a software issue.
Clear your application cache. If that still doesn't work, try uninstalling Google Chat, then re-install it. If it's built in, uninstall the updates, and then re-update. This resets all the notification settings.
No. But the argument itself is so stupid to me.
Ventoy has never been a secure tool. People are making the argument that it should be, which is just nutty.
If you're one of those people that grab random fuckin' ISOs from all over the internet to test 'em out, then no. You really shouldn't use Ventoy. If you run official ISOs from recognized sources, then realistically the risk is ever present, but minimal.
Like getting in a wreck on the way to the store to pick up milk. It's always a possibility, but not many people would stand around and make the argument that you should stay home forever because you might get into an accident, which is basically the argument against Ventoy. It's "well, it's a crazy useful tool, but you shouldn't use it because something might happen."
It's just such a bad argument. Fact of the matter is that if there were a non-hacky-as-shit way to do what Ventoy does, it would be available right now. But it's not... Because it's really not.
The only way to avoid the issues that Ventoy employs is to not use ISOs and use something like netboot.xyz, which presents its own set of issues. How do you know you're not being MITM'd from the iPXE environment? Like, sure. You can technically verify it, but how do you know for sure on the fly?
Like, if you sit down you can pick apart any software for being an insufferable gaping asshole of security vulnerabilities.
No, because the dollar is about to go the same way as the Pengo. I wonder who they're gonna put on the 100 Quintillion Dollar bill.
Because it has integrations for The Internet Archive: https://x0.at/Wny_.png
It says "local html" but I have a feeling it simply grabs a copy from the Internet Archive. I can't even find where it's storing these copies with it enabled.
Imagine the one guy who can be credited the most (aside from Trump/Musk) with us being where we are, complaining that we're here.
I want to punch him till his face is flat....
So does requiring all users to phone you ahead of time to get a temporary password that's only alive for 20 minutes.... But that's also not done because it's... stupid.
There are dozens of tools and methods (like jumpboxes) which facilitate the authorization and usage of currently available and time-tested tools for use with environments without reinventing the wheel. Stepping away from the Unix philosophy is heresy of the highest degree.
It's not a problem with the tool, only the plumber.
I think rather you missed something. Not once have I said anything about the value of the dollar being China's responsibility.
I answered your direct question while ignoring the rest of the bullshit you made up without even pointing out that you pulled it from nowhere and it's stupid. I think I did a pretty good job.
The same way you do any other project. If you're interested, you go looking. You find my project which has a link to the repo. A link is a link. You're simply fighting over where the link goes to, and I'm pointing out that it's a stupid argument to be had.