Admiral Patrick

I’m surprisingly level-headed for being a walking knot of anxiety.

Ask me anything.

I also develop Tesseract UI for Lemmy/Sublinks

Avatar by @SatyrSack@feddit.org

  • 2 Posts
  • 33 Comments
Joined 2 years ago
cake
Cake day: June 6th, 2023

help-circle


  • If they expected you to read the install script, they’d tell you to download and run it. It’s presented here for lazy people in a “trust me, bro, nothing could ever go wrong” form.

    • There are SHA256 checksums of each binary file available in each release on Github. You can confirm the binary was not tampered with by comparing a locally computed checksum to the value in the release’s checksums file.

    • Binaries can also be signed (not that signing keys have never leaked, but it’s still one step in the chain of trust)

    • The install script is not hosted on Github. A misconfigured / compromised server can allow a bad actor to tamper with the install script that gets piped directly into your shell. The domain could also lapse and be re-registered by a bad actor to point to a malicious script. Really, there’s lots of things that can go wrong with that.


    1. That’s been the way to acquire software since shortly after the dawn of time. You already know what you’re getting yourself into.
    2. There are SHA256 checksums of each binary file available in each release on Github. You can confirm the binary was not tampered with by comparing a locally computed checksum to the value in the release’s checksums file.
    3. Binaries can also be signed (not that signing keys have never leaked, but it’s still one step in the chain of trust)
    4. The install script is not hosted on Github. A misconfigured / compromised server can allow a bad actor to tamper with the install script that gets piped directly into your shell. The domain could also lapse and be re-registered by a bad actor to point to a malicious script. Really, there’s lots of things that can go wrong with that.

    The point is that it is bad practice to just pipe a script to be directly executed in your shell. Developers should not normalize that bad practice





  • It’s not like they are a secret.

    They’re also not public info, either. Typically they’re combined with name, address, etc for fraud protection, but those details are even easier to acquire than account numbers. The routing numbers are public information, though. In the result of a data breach, a bad actor has everything they need.

    What are any potential hackers going to to with my bank account numbers?

    Just about anything they want since they’ll likely have your personal details too. When adding a bank account to any of my utility payment accounts, there is no verification whatsoever; enter details, authorize payment.

    I don’t use CashApp and the like, but in the past, PayPal would deposit a few cents into the account, and you had to verify ownership of the account by entering those random amounts into the signup form to complete the process. That’s also trivially defeated if enough of your data was breached and in the hands of an attacker (e.g. call the bank, pretend to be you, and ask for the info).

    Not to mention, why would attackers in phishing/scam emails ask for bank details if they’re not secret or are useless?







  • Is it still possible to interact with the communities (post, vote, etc.)?

    Yes, but only locally.

    If your instance already knows about the community, people on your instance can still post and interact with the community. However, anything submitted to it will not federate to other instances, so it’s analogous to a local-only community.

    Unless the LW admins removed them already, there were some Beehaw communities that were still showing activity on Lemmy World from local LW users despite Beehaw not federating with LW. (Those communities were resolved prior to Beehaw defederating). The one I recall seeing no longer comes up, so they probably did remove them (admins were aware).

    is it still possible to delete them if the ownership of the community (aka the top mod) belongs to an user from another instance

    I don’t think so, at least not in 0.19.3. There are some operations that, if using a remote mod account (even if it’s top mod), throw a “not a moderator” error.