Note that this is not a vulnerability. You are supposed to be able to extract plaintext secrets with the Data Protection API if you are logged in as the user who the secret belongs to. That is the whole point.
I’m not sure the author knows this. He points out that this is useful for post-exploitation data gathering. That is, you’ve already compromised a machine/account and are looking to gather as much potentially useful information as possible. But he puts “securely” in scare quotes, which is not honest because this is secure storage: if you’re not authenticated, the key can’t be read. The encryption key is derived from the user password, so it can’t be defeated by offline reading either.
Yep. He just manually accessed stuff (de-obfuscated some layers) he had already access to. Try to do it with another user on the same system and then call it a day/vulnerability. If you, as a user, store some secrets, you have to eventually read them (i.e saved credentials)
You are supposed to be able to extract plaintext secrets with the Data Protection API if you are logged in as the user who the secret belongs to.
Yup. It's like saying you're able to read the private key out of ~/.ssh/id_rsa because you're logged in as the user, though with more steps because you need to deserialize the key from the internal representation. If you want this to not be possible even when logged in as the user, then use a hardware token like a smart card or smart-card-capable security key.
Could still be useful for post-exploitation as the OP mentions.
There isn't even a "compromised" situation here: this is literally how it's meant to work.
Admin accounts have access to everything, whether that's the registry, or a subdir in your user profile dir. That's the whole point of admin rights. Whether your private key is in a file in an .ssh dir or stored in the registry, admins can always get to them.
I don't see us as having created a representative democracy to protect democracy from the masses. I like to think we are a representative democracy because the masses are supposed to have better things to do than keep the lights of government on.
It's pretty well documented in the Federalist Papers. I recommend reading them in their entirety, because it's IMO one of the most profound writings of political exposition in written history, even if you disagree with the philosophies being promoted.
Federalist No. 10[1] is probably one of the most highly regarded of the papers, and explicitly lays out these concerns. Selected quotes:
"AMONG the numerous advantages promised by a well-constructed Union, none deserves to be more accurately developed than its tendency to break and control the violence of faction. The friend of popular governments never finds himself so much alarmed for their character and fate, as when he contemplates their propensity to this dangerous vice."
"Complaints are everywhere heard from our most considerate and virtuous citizens, equally the friends of public and private faith, and of public and personal liberty, that our governments are too unstable, that the public good is disregarded in the conflicts of rival parties, and that measures are too often decided, not according to the rules of justice and the rights of the minor party, but by the superior force of an interested and overbearing majority."
"By a faction, I understand a number of citizens, whether amounting to a majority or a minority of the whole, who are united and actuated by some common impulse of passion, or of interest, adversed to the rights of other citizens, or to the permanent and aggregate interests of the community."
"If a faction consists of less than a majority, relief is supplied by the republican principle, which enables the majority to defeat its sinister views by regular vote. It may clog the administration, it may convulse the society; but it will be unable to execute and mask its violence under the forms of the Constitution. When a majority is included in a faction, the form of popular government, on the other hand, enables it to sacrifice to its ruling passion or interest both the public good and the rights of other citizens."
"From this view of the subject it may be concluded that a pure democracy, by which I mean a society consisting of a small number of citizens, who assemble and administer the government in person, can admit of no cure for the mischiefs of faction. A common passion or interest will, in almost every case, be felt by a majority of the whole; a communication and concert result from the form of government itself; and there is nothing to check the inducements to sacrifice the weaker party or an obnoxious individual. Hence it is that such democracies have ever been spectacles of turbulence and contention; have ever been found incompatible with personal security or the rights of property; and have in general been as short in their lives as they have been violent in their deaths."
Hamilton also talks a little bit about this phenomenon in Federalist No. 68, and Federalist No. 62 lays out the impetus for having an equally represented Senate (which is inherently undemocratic), part of which was to check the immediate impulses/passions of the people, as can be the case with the House of Representatives.
The "experts" have destroyed their own credibility. Do you remember the mass protests in every major and minor city a few weeks ago, where the "experts" responded by encouraging the protests, because "racism is a deadly pandemic too" or some equivocating nonsense like that? Doctors and nurses were participating in these mass protests. People were packed shoulder to shoulder for multiple city blocks. This was right after all of the "experts" forcefully condemned tiny anti-lockdown protests. Even the NYT was forced to confront the stunning hypocrisy https://www.nytimes.com/2020/07/06/us/Epidemiologists-corona... . The vast majority of news outlets are still pretending that the protests had nothing to do with the spike in cases.
It also damages their credibility when they cross the line from "here are the epidemiological facts" to "here are the appropriate tradeoffs between economic stability and acute illness prevention". The latter is not a question that an epidemiologist is any more qualified to speak to than anyone else. Those are political decisions.
They do the same for global warming. The nature and extent of anthropogenic climate change is a question for scientists. But they have all also latched onto the conclusion that global wealth redistribution is the only solution. Again, they are laundering their scientific expertise into political authority. I more or less think that the scientific process moves us to toward better understanding, but the collective political opinions of scientists should not be mistaken for science.
When the experts are abusing their status to pursue political ends, then it's no surprise that the people they seek to politically vanquish put up a resistance by attacking that expertise.
In my opinion this has nothing to do with science and with experts being right or wrong.
It‘s people deciding stopping the spread of COVID-19 isn‘t as important as protesting for their civil rights.
You can‘t dismiss the science just because people have different priorities and decide to act against it because of that.
I also wouldn‘t say it‘s hypocrisy at least not by the protestors and scientist.
Maybe it’s hypocrisy by the media because they didn‘t state that they agree or disagree with protests because they think another issue is more or less important than the pandemic.
People died alone and couldn’t have funerals because epidemiologists said it was too dangerous. A week later, those same epidemiologists were cheering on mass demonstrations.
It’s pretty clear that these “experts” are abusing their status as supposedly objective scientists to advance a political movement. Why should anyone trust anything they say?
You’re disproving your point by noting the Times speaking against this, showing that it was never more than a ridiculous minority opinion.
Additionally, enough time has now passed to assess the danger of these protests. Considering they mostly happened in the large cities of the north, there is absolutely no evidence that they had any major effect in the resurgence of the virus, which is mostly spreading in the south and west. Even there, rural areas are often hit harder than cities.
Their issue is that they're making moral claims without clearly defining their relation to science. Mixing morality and science doesn't have a good track record.
And it's obvious that these claims damage their credibility when people had loved ones die alone - it's suddenly fine for there to be crowds of thousands when gatherings were previously limited to <100.
There's hypocrisy all over the US political spectrum, sure. How about instead of focusing on that we all do our part to get this virus under control for the good of everyone?
Other countries have done so, there's no reason the US can't also.
A quarter today is worth less than a penny in 1900. Maybe this is a good time to get rid of all coins except maybe the quarter. It is frankly ridiculous to be dealing with pennies, nickels, and dimes, worthless coins.
It is right and just for a nation to encourage its young to defend their mothers and fathers, and children and grandchildren not yet born. Any nation that sees this as wrong has lost its will to exist and is living on borrowed time.
> Twitch viewers in the Army’s channel are repeatedly presented with an automated chat prompt that says they could win a Xbox Elite Series 2 controller—an enhanced controller with customizable options and extra paddles for advanced play that costs upward of $200—and a link where they can enter the “giveaway.” It, too, directs them to a recruiting form with no additional mention of a contest, odds, total number of winners, or when a drawing will occur.
If that’s true, it’s wrong. And was it a policy or a few losers trying to pad their numbers? I’ll withhold judgment at least until the official army response.
That whole forum is a dumpster fire. When a search takes me there, I brace myself to read a poorly-written, incorrect, dismissive answer. Nine times out of ten, the questioner is clearly more knowledgeable about the problem than the person answering it.
People making themselves wealthy off of crime is a problem for the whole public. It is grossly unfair to everyone, not just the people they directly defraud.
Only if there's some possible connection to the while public.
It's highly likely that whoever is buying art forgeries is spending money they defrauded from the public, so I'd rather those funds get redistributed to an artist and laborers.
Also, the harm, as a percentage of victims' net worth, is trivial compared to crimes the authorities don't help solve.
>But more importantly, the license doesn’t “infect” things.
[I’m not your lawyer and this is not legal advice.]
It can have that effect. My understanding is that if you include GPL code in your software[1] and distribute it without sharing your source code, you are committing an ongoing contract/copyright violation that can be remedied either by recalling and destroying the offending products, complying with license terms by releasing your source code, or settling with the original copyright owner (effectively, paying a license).
As for a court forcing you to release the code, that is in fact what the GPL contract requires so the court is within its rights to require specific performance instead of monetary damages. Even though common law courts strongly prefer monetary damages, they will turn to specific performance if they think it's appropriate.
All of this is going to turn on some questions about when you can bring copyright infringement vs. contract actions. It's not an area I'm super familiar with, but see my response below about at least one case that suggests you could sustain a contract action for a GPL violation in some circumstances.
[1] In the way that requires you to release your own software under the GPL. Of course, there are ways to use GPL software that don't implicate that. I'm not talking about those.
> they will turn to specific performance if they think it's appropriate
Do you know of any cases with the GPL where a court has in fact done so? I'm not aware of any outcomes where code has been forcefully licensed as a penalty. Absent strange outside circumstances (like a signed contract) I'd instinctively (but without legal training) think that that a court would treat the violator as "acting without a license" rather than "had specifically agreed to the terms of a contract and then broken it".
It was a live issue in the Artifex case. The parties ultimately settled so we don't have a final answer, but the district court was going along with the contract theory. The availability of specific performance remains an open question too. But if you can in fact enforce the GPL as a contract, then it's not a big step to some plaintiff getting specific performance, which is going to turn on case-specific things like the adequacy of monetary damages.
Plenty of people are throwing around inflated or manufactured accusations of racism. Or trying to publicly ruin private citizens for sharing forbidden thoughts among friends and even family. There have been a string a highly dubious rape accusations in the press. In many cases, gross exaggeration or outright fabrication of the claims has been proven. The climate we live in now is very similar to these previous purges. That you find yourself politically sympathetic to their cause only makes it easier for unscrupulous elites to use the mob to do their bidding.
You might think you're safe today, but you'd better hope that your moments of candor stay off camera, because no one lives life carefully enough to be immune to this angry mob.
> Plenty of people are throwing around inflated or manufactured accusations of racism
Such as?
> There have been a string a highly dubious rape accusations in the press. In many cases, gross exaggeration or outright fabrication of the claims has been proven
Such as?
Are we back to finding the worst possible examples of a cause on twitter and using it to discredit the whole cause, just like McCarthyism used one or two actual pro-Stalinists to demonise everyone asking for more equality?
There was a recent case of a Karen receiving mob justice to the point people began harassing the law firm her husband runs (granted she also works there), affecting their livelihood. We don’t want to get to a point in society where your character flaws destroy your life.
Just the other day, an out of context video embarrassed a supposed Karen on the front page of Reddit. We later learned the situation was more complex and didn’t have racial undertones. The mob still publicized a woman’s life.
#MeToo had several examples of people’s career being thrown out for offenses that were basically round objects being pushed into a square hole (Aziz Ansari, Al Franken, there were a few more).
I understand the need to use a chainsaw to cut a birthday cake, it highlights the desperation of the lack of tools to do a very basic thing. We now know, and quite frankly, we need to replace the chainsaw with a table knife sooner or later. Someone’s going to get hurt.
To keep the parallel, it’s important to see that the mob becomes the authority figure.
"There was a recent case of a Karen receiving mob justice to the point people began harassing the law firm her husband runs (granted she also works there), affecting their livelihood. We don’t want to get to a point in society where your character flaws destroy your life."
To be clear, this was after it was filmed that the couple was pointing guns at peaceful protestors who were protesting on the street. The woman in particular had her finger on the trigger and was pointing it at black people walking by. (EDIT: I don't know if you're familiar with gun handling, but this is considered extremely poor "trigger discipline", which is a term describing how to handle and hold a gun safely. This is comparable to driving drunk in its reckless endangerment. One should never point their gun at a person unless they intend to shoot that person. One should never put their finger on the trigger of their gun unless they intend to fire that gun. This woman, in violating both, is expressing her intent to shoot people.)
"#MeToo had several examples of people’s career being thrown out for offenses that were basically round objects being pushed into a square hole (Aziz Ansari, Al Franken, there were a few more)."
Aziz Ansari totally, 100% owned up to not recognizing how his fame affected the social dynamics in which he now functioned and how that in turn affects consent. He apologized and his career is ongoing.
Al Fraken took photos of himself groping a female soldier while she slept in her uniform, so there's definitive proof he was doing these things. He was in a position of power where he could access women and he chose to have photos taken of him groping people who are serving their country.
I see no round objects being pushed into square holes, here? What should be done with Al Franken, who groped soldiers in their sleep?
(EDIT: I should also note that character flaws ruin lives all the time. Someone who is more prone to recklessness or thrill seeking can get themselves or others killed. Someone who is more prone to addiction becomes addicted to a life-ruining dependency. Someone who is too arrogant can ruin their professional network. Someone who is too complacent in a setting where stuff can be made out of date quickly can swiftly find themselves out of work. I don't take it to be a large leap that someone with the character flaws of "threatens to kill innocent bystanders" and "gropes women in their sleep" might not also be negative in their lives.)
What she did was indefensible, but her husband and his business is also having to reconcile this.
I believe Al Franken took a juvenile photo of a reporter friend. I don’t think he was a senator at the time, I could be wrong.
I think we will enter ‘full blinders on’ mode if we accept that the axe being wielded is not a catch all. We have to accept that the axe came out of desperation, but we need to find the solution where the axe is no longer necessary.
If there’s anything to debate, it’s only how long the guillotine should be necessary. Certainly we can’t have the guillotine forever. The guillotine was used to make it pretty freaking clear things have changed, and don’t even try to think things will go backward. I understand and accept it as a necessary strategy.
You still have to create the post-guillotine society.
In poetic terms, Robespierre was given the guillotine he created. Things go too far, often.
There's no guillotine. Aziz Ansari's career is totally fine. The statute of limitations on rape and other sexual assault ranges from 3 to 30 years. It seems completely reasonable to me that Al Franken should continue to have consequences on whose lives he harmed via sexual assault years after doing it. The effects of trauma last a lifetime. I don't understand why we should be sympathetic to one man having his life ruined for credibly also ruining the lives of multiple others.
Regarding the Tamara Harrians situation I don't know anything about it, could you link to another media besides NYPost?
30 seconds of googling can get you the Tamara Harrrians link.
Look, patterns are important. The same way we failed in jailing people for modest drug possession, is the same way we are going to fail in measuring reciprocity, or more clearly, exact legal justice on sexual harassment, racial discrimination.
I’m interested in fixing patterns.
I’m not going to die on the Al Franken hill. Frat boy behavior in professional context is unacceptable, it will get you over time. In his particular case, I didn’t see any escalation into rape or abuse of power (fuck me or you won’t get this job or promotion - Harvey Weinstein).
We will be accurate in our words, accusation, and judgement, henceforth. We will cut cleanly and carefully, no more chainsaws, we will visit all crime sites, and assess. No more games.
It’s not reasonable to me for someone to suffer outsized social justice beyond the price paid at the moment of sentencing. You take someone like Louis CK, he paid the public shame, and career loss (financial loss). If the transgressions were beyond, such as underage sex (for example), I expect the law to quantify the retribution. Beyond that, I expect him to pay nothing more on a social level.
Name your price, I guess, and nothing more. Let it be paid, and move on. We are not gods that dole out eternal shame.
I don't think there's eternal shame to dole out. I think it's perfectly equivalent to say if you give someone lifelong trauma that the result should be lifelong consequences, including that people don't want to affiliate with you.
Restoration is a consequence. But additionally, I don't think anyone should be morally obliged to befriend someone who did something against their moral code. For example, if I had a friend who I understood to have committed CSA there is no timeline of which I would be okay with continuing to be their friend.
Again, if the regular legal system would get in gear and e.g. prosecute the police who killed Breonna Taylor, or routinely take sexual assault allegations seriously, we wouldn't be needing any of this.
The dysfunctionality of regular politics creates its own escalation. People are used to being given a sticky door, or a button that doesn't work. They're used to shoulder-charging the door of power being completely ineffective. So when it actually gives way it's a surprise to everyone.
The author has plenty of good ideological arguments but doesn't really seem interested in what the effect of eliminating single-family zoning will be on day to day life for people and communities. People like living in single-family zoned neighborhoods. People don't want high-density development in their neighborhoods. People leave behind exciting city lives and move to the suburbs because they want to live somewhere peaceful, boring, low-crime. Now someone wants to transform their neighborhood and make it look like those places they decided not to live in.
As for this guy calling himself a conservative, somewhere along the way, libertarians in America began calling themselves conservatives and forgot what the term really means. Conservatism isn't knee-jerk ideological opposition to any rules.
There are countless people who live happily in areas that don't have single-family zoning. So I don't know what effects you would expect, other than an increased availability of housing. Low-rise zoning makes sense - some people just don't like having a skyscraper next door - but I don't see any reason that a 6-unit apartment building would infringe on the day to day life of people in the 2 story house next door.
I’m not sure the author knows this. He points out that this is useful for post-exploitation data gathering. That is, you’ve already compromised a machine/account and are looking to gather as much potentially useful information as possible. But he puts “securely” in scare quotes, which is not honest because this is secure storage: if you’re not authenticated, the key can’t be read. The encryption key is derived from the user password, so it can’t be defeated by offline reading either.