0 Posts · 66 Comments · Joined 2 months ago · Cake day: February 5th, 2025

  • Xanza@lemm.ee to linuxmemes@lemmy.world · Ventoy my beloved. · 1 upvote · 4 days ago

    > Binary supply-chain attacks are not “minor security issues”.

    Yes they are. The binaries for Ventoy aren’t even updated from release to release. It’s not even evident how old they are. So crying about an attack that only matters if these binaries are bleeding edge is absolutely a minor issue. I don’t even understand how someone of sound mind and body could possibly believe otherwise.

    > Not having a security first posture on these kinds of attacks is how the xz event happened.

    No one is making the argument that security doesn’t matter. No one is pushing the idea that Ventoy is secure. I’m saying singularly and only that a supply chain attack is just about the dumbest goddamn angle possible to bitch about Ventoy, because I could argue that Ventoy would be more vulnerable than it is now to a supply chain attack if the binary blobs are built and updated every time you build a bootable drive. It’s just a truly fucking insane argument that shows a lack of understanding of what a supply chain attack is. The built binaries may be vulnerable and it’s difficult to prove if they are or not, but if you update the binaries all the time they’re more vulnerable (attack surface is larger) than if they’re only updated when absolutely necessary…

    It’s just plain a poor argument and I’m tired of every armchair expert pretending that it’s not. People in high security environments aren’t using Ventoy. It’s just such a ridiculous argument.


  • Xanza@lemm.ee to linuxmemes@lemmy.world · Ventoy my beloved. · 4 upvotes · 5 days ago

    The advantage of Ventoy is its ability to work in any environment and handle 99% of ISOs. Compiling the binaries at build time requires a mature development environment to be able to build these utilities… You’re exponentially increasing the size and complexity of the project to solve a relatively minor security issue.

    Ventoy is not the only way to create a bootable drive… If you don’t trust the blobs then don’t run the software.

    Forking Ventoy to add the complexity of building these utilities is only going to be available for *nix based environments, so Windows users are pretty much shit out of luck. You’re exponentially increasing the size of the project, its complexity, and simultaneously significantly narrowing its usability…

    I said it before and I’ll say it again: it’s such a bad fucking argument. It’s not mature software. It’s a literal confluence of hacks… And if you’re not comfortable with using it then don’t use it. It really is a huge security risk. But advocating that nobody use it is such a stupid fucking thing.

    Advocate that people understand the risks of using it but to just run around and scream about how nobody should be using it for any reason whatsoever until the maintainer closes the security hole that makes it run is pretty stupid.


  • Xanza@lemm.ee to linuxmemes@lemmy.world · Ventoy my beloved. · 40 upvotes · edited · 5 days ago

    No. But the argument itself is so stupid to me.

    Ventoy has never been a secure tool. People are making the argument that it should be, which is just nutty.

    If you’re one of those people that grab random fuckin’ ISOs from all over the internet to test ’em out, then no. You really shouldn’t use Ventoy. If you run official ISOs from recognized sources, then realistically the risk is ever present, but minimal.

    Like getting in a wreck on the way to the store to pick up milk. It’s always a possibility, but not many people would stand around and make the argument that you should stay home forever because you might get into an accident, which is basically the argument against Ventoy. It’s “well, it’s a crazy useful tool, but you shouldn’t use it because something might happen.”

    It’s just such a bad argument. Fact of the matter is that if there were a non-hacky-as-shit way to do what Ventoy does, it would be available right now. But it’s not… Because it’s really not.

    The only way to avoid the issues that Ventoy employs is to not use ISOs and use something like netboot.xyz, which presents its own set of issues. How do you know you’re not being MITM’d from the iPXE environment? Like, sure. You can technically verify it, but how do you know for sure on the fly?

    Like, if you sit down you can pick apart any software for being an insufferable gaping asshole of security vulnerabilities.


  • > Github is an important resource.

    And there are dozens and dozens of replacements available. The issue you’re speaking of isn’t an issue with Github at all. It’s an issue with developers.

    If Github going off the map borks your development because PROGRAMMERS can’t use anything but Github, you have much bigger problems than you think.


  • > There is no such mention by OP about the legal definition.

    It’s contextual. It doesn’t have to be pointed out. If you’re talking about censorship, specifically censorship when dealing with your rights or government in general, then you’re speaking about the legal definition. Speaking about your job censoring you? The noun.


  • Xanza@lemm.ee to Privacy@lemmy.ml · Is blocking TLD count as censorship ? · 2 upvotes · edited · 10 days ago

    The discrepancy is because you looked up the noun, censorship. The censorship being referred to here is a legally defined term, which is when the Government censors information:

    > The term censorship derives from the official duties of the Roman censor who, beginning in 443 b.c., conducted the census by counting, assessing, and evaluating the populace. Originally neutral in tone, the term has come to mean the suppression of ideas or images by the government or others with authority.

    Look up censorship in a law dictionary and you’ll see the difference.

    The only type of censorship that you have protection from is from the government. For example, your employer can censor you completely legally. They can tell you that you’re not allowed to say certain things and if you do you can lose your job. All of that is perfectly legal. If the government does the same thing it’s illegal.

    That’s the difference. Casual censorship versus Governmental censorship.


  • > Thank you for being intelligent.

    Censorship, in most people’s contextual usage of it, is Government censorship or protection from Government censorship, which is the only protection we have afforded to us by the Constitution.

    For example, you can be censored by your employer completely legally. They can tell you that you’re not allowed to say certain things and if you do you can be fired for those things completely legally. You still have the right to say them but you’re not free of consequence if you do.

    The Government does not have the same right unless it deals with non-protected speech, like hate speech.


  • Decisions have consequences. Unfortunately some bad actors prefer certain TLDs because they’re easy to get and inexpensive. If you choose to also pursue one of those TLDs it’s lamentable but you’re kind of throwing your head into the same ring.

    Censorship is blocking TLDs because you don’t like what they’re saying. Blocking TLDs because they’re mostly used by bad actors is just good threat assessment.



  • Xanza@lemm.ee to Privacy@lemmy.ml · Key Fobs and Privacy · 4 upvotes · 11 days ago

    > Does this key fob log every entry/exit?

    Entirely depends on how the reader system is set up and configured. It’s likely, but not a guarantee.

    > He’s cautious with cell phones and leaves them at home, but wonders if the key fob could potentially cause problems.

    They’re a passive, no-power system. They require energy from the reader to function. They’re not exactly GPS trackers, but maybe someone somewhere has figured out a way to track them.