underisk

Pretty on the nose that the Israeli spyware company named their spyware after what we call people who sexually assault children.

It’s true I saw a video of it online and it was horrific. They’re so numb to this they treat it like a tourist attraction.

Didn’t he very publicly advertise he would pay people to vote republican? I seem to remember this happening during the campaigning and nobody did shit about it then. Why would the result be any different now when the only politicians who nominally oppose the “destruction of democracy” didn’t do shit about that either and no longer have any power?

I don’t really care if they’re just interns when their job is to launder the reputation of a murderous immoral multinational corporation. If they had done PR for Nazis that would have made them Nazis.

“Just don’t let my ex know where I am I owe her tons in child support”

Unless you're based in or have some kind of presence in those countries there's no reason to even ban them. Banning by geolocation isn't exactly trivial or reliable. Let them figure out a way to ban you instead.

You can self host stoat.

Carrier pigeons aren’t trained to establish a safe society for humanity. So if they get destroyed they haven’t failed at their primary objective. Governments, though…

I didn't think you were making the post to defend Bitwarden or something. I was just adding the details of one of the exploits the paper found that directly contradicted their claim.

Well, permanent because if it gets destroyed it you can't call it successful, and utopia because you need an ideal to measure success against even if its not realistically achievable.

BW06: Icon URL Item Decryption. Items can include a URL field, which is used to autofill the credentials and display an icon on the client. The client decrypts the URL and fetches the icon from the server, including in its request the domain and top-level domain of the URL. For instance, if the URL is “https://host.tld/path%E2%80%9D, the client request includes “host.tld”. This means that the adversary can learn (part of) the con- tents of URL fields. Using Attack BW05, an adversary can place the ciphertext of sensitive item fields, such as a user- name or a password, in the encrypted URL field. After fetch- ing the item, the client will then decrypt the ciphertext, confus- ing it for a URL. If the plaintext satisfies some conditions (i.e. containing a ‘.’ and no !), it will be leaked to the adversary. A URL checksum feature was deployed in July 2024, mak- ing the clients store a hash of the URL in another encrypted item field, therefore providing a rudimentary integrity check and preventing this attack. Note that old items are never up- dated to add such a checksum: this feature only protects items created after its introduction. Furthermore, URL checksums are only checked if a per-item key is present for the item. As we will see, an adversary can prevent per-item keys from being enabled with Attack BW10.

IMPACT. The adversary can recover selected target ciphertexts in the item, such as the username or the password.

REQUIREMENTS. The user opens a vault containing items that do not use per-item keys (i.e., items created before July 2024, or after Attack BW10 is run). The target plaintext must satisfy some additional conditions, detailed in Appendix

-- from the paper the article is discussing

So you could potentially expose your passwords to a compromised server or some kind of MITM. If they meet the conditions for the validation check, anyway.

A permanent utopia free from geopolitical influence has yet to be established under any system of government, therefore no system of government has ever worked.