towerful

joined 1 year ago
[–] towerful@programming.dev 1 points 2 months ago* (last edited 2 months ago)

If your windows computer makes an outbound connection to a server that is actively exploiting this, then yes: you will suffer.

But having a windows computer that is chilling behind a network firewall that is only forwarding established ipv6 traffic (like 99.9999% of default routers/firewalls), then you are extremely extremely ultra unlucky to be hit by this (or, you are such a high value target that it's likely government level exploits). Or, you are an idiot visiting dodgy websites or running dodgy software.

Once a device on a local network has been successfully exploited for the RCE to actually gain useful code execution, then yes: the rest of your network is likely compromised.
Classic security in layers. Isolation/layering of risky devices (that's why my homelab is on a different vlan than my home network).
And even if you don't realise your windows desktop has been exploited (I really doubt that this is a clean exploit, you would probably notice a few BSOD before they figure out how to backdoor), it then has to actually exploit your servers.
Even if they turn your desktop into a botnet node, that will very quickly be cleaned out by windows defender.
And I doubt that any attacker will have time to actually turn this into a useful and widespread exploit, except in targeting high value targets (which none of us here are. Any nation state equivalent of the US DoD isn't lurking on Lemmy).

It comes back to: why are you running windows as a server?

ETA:
The possibility that high value targets are exposing windows servers on IPv6 via public addresses is what makes this CVE so high.
Sensible people and sensible companies will be using Linux.
Sensible people and sensible companies will be very closely monitoring what's going on with windows servers exposed by ipv6.
This isn't an "ipv6 exploit". This is a windows exploit. Of which there have been MANY!

[–] towerful@programming.dev 8 points 2 months ago* (last edited 2 months ago) (3 children)

I get what you are saying, but the balance is off.
YT premium costs (edit) more than a streaming service per month.
There are no industry leading movies or series released exclusively on YouTube.
YouTube's benefits of premium is "not being delivered 'skip after 5 seconds' live streams" as an ad that will play indefinitely (or at least for hours).
Also, streaming services provide much better series discovery. Ie, find a show you like and easily discover the start of that series, then binge watch the entire series in order.
YT premium is basically a "play next" queue, 1080p, and no ads.
It doesn't (AFAIK) support creators any more. It's literally just a fee to not-be-inconvenienced, and it's not great at that

[–] towerful@programming.dev 4 points 2 months ago

I remember watching some video, falling asleep for a few hours, then waking up to a livestream of an ad. One of those "skip after 5s" but it was a livestream, so it just kept playing. I couldn't believe it!

[–] towerful@programming.dev 3 points 2 months ago* (last edited 2 months ago) (1 children)

As a recent YT premium-tryer, it's amazing how many ads they put in that aren't obviously adverts - comparing between non-premium and premium browsing.
Not sure I'll keep YT premium beyond the free trial, until I find more decent content producers. Even then, it's skipping those videos' paid promotion segments.
So it's like paying for a streaming platform to not get ads... But still getting ads

[–] towerful@programming.dev 21 points 2 months ago

Even the shitty mobile ads of "someone watching prerecorded gameplay and commenting it".
How obvious can you be?! "Oh wow, these 2 different people playing EXACTLY the same and saying almost the same thing".
That's not an ad.
Never mind that the gameplay in the ad is an extremely minor part of the game. The rest is some sort of city-builder with mtx shortcuts.

It's just whaling

[–] towerful@programming.dev 2 points 2 months ago (2 children)

If the router/gateway/network (IE not local) firewall is blocking forwarding unknown IPv6, then it's a compromised server connected to via IPv6 that has the ability to leverage the exploit (IE your windows client connecting to a compromised server that is actively exploiting this IPv6 CVE).

It's not like having IPv6 enabled on a windows machine automatically makes it instantly exploitable by anyone out there.
Routers/firewalls will only forward IPv6 for established connections, so your windows machine has to connect out.

Unless you are specifically forwarding to a windows machine, at which point you are intending that windows machine to be a server.

Essentially the same as some exploit in some service you are exposing via NAT port forwarding.
Maybe a few more avenues of exploit.

Like I said. Why would a self-hoster or homelabber use windows for a public facing service?!
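
The forwarding policy described in the comment above, written out as an nftables ruleset. This is an added example, not part of the original comment; the table name, the interface names `lan0`/`wan0` and the documentation-prefix address `2001:db8:1::10` are assumptions.

```nftables
# Added illustration: stateful IPv6 forwarding on a home gateway.
# Table name, interface names and addresses are assumptions.
table ip6 gateway {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Drop packets conntrack cannot associate with any flow.
        ct state invalid drop

        # Replies to connections a LAN host opened, plus ICMPv6 errors
        # related to those connections.
        ct state established,related accept

        # LAN hosts may open new outbound connections.
        iifname "lan0" oifname "wan0" ct state new accept

        # ICMPv6 error messages IPv6 depends on (path MTU discovery etc.).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # The exception the comment mentions: deliberately forwarding new
        # inbound connections to one host turns that host into a server.
        # Left commented out; scope it to a single address and port if used.
        # iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 443 ct state new accept

        # Any other new inbound connection from wan0 hits "policy drop".
    }
}
```

With this policy an unsolicited inbound packet never reaches a LAN host's IPv6 stack; only hosts named in an explicit inbound rule, or hosts that connect out to a hostile peer, are reachable.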

[–] towerful@programming.dev 8 points 3 months ago (4 children)

How many people are running public facing windows servers in their homelab/self-hosted environment?

And just because "it's worked so far" isn't a great reason to ignore new technology.
IPv6 is useful for public facing services. You don't need a single proxy that covers all your http/s services.
It's also significantly better for P2P applications, as you no longer need to rely on NAT traversal bodges or insecure UPnP type protocols.

If you are unlucky enough to be on IPv4 CGNAT but have IPv6 available, then you are no longer sharing reputation with everyone else on the same public IPv4 address. Also, IPv6 means you can get public access instead of having to rely on some RPoVPN solution.

[–] towerful@programming.dev 9 points 3 months ago (1 children)

Oh, so if a judge has a vested interest in more than 1 party, then they should recuse themselves from the case.
Good to know where the line is

[–] towerful@programming.dev 5 points 3 months ago

Absolutely.
And casually, that's exactly what I do. To be honest, casually I haven't encountered any (I don't think...).

But for work stuff, sometimes I don't have a choice. I guess I'm just thankful it doesn't require edge IE compat mode, or even IE itself

[–] towerful@programming.dev 24 points 3 months ago (2 children)

Not having control of the core codebase, and branching/tracking based on 1 (declared) legacy feature could lead to huge amounts of work and issues in the future.
Manifest V2 spec is defined, manifest V3 spec is defined... They can be developed against.
JS-whatever-spec is defined, CSS-whatever-spec is defined, HTML-whatever-spec is defined... They have industry standard approved specs (even if they can be vague in areas). They can be developed against.
They have defined spec documents that can be developed against.

Firefox has control and experience of how they implement those specs.
Chrome forks do not have control of how those specs are implemented.
So if chrome changes how things are implemented, forks might not be able to "backport" for manifest V2 compatibility, and might find themselves implementing more and more of the core browser functionality. Browsers are NOT easy to develop for the modern fuckery of the web.
Firefox hopefully does have that knowledge and ability to include V2 manifest backwards compatibility in future development without impacting further spec implementations.... It seems like Google is deprecating V2 to combat ad-blockers (ads being their major funding revenue)

There are already very slight differences in how Firefox and Chrome interpret all these specs. I've noticed a few sites & plugins that just work better (or just work) in Chrome. Which is why I still have (unfortunately) an install of Chrome.

[–] towerful@programming.dev 4 points 3 months ago

Google is just as malicious as Apple. They are just better at hiding it.

I feel like they came from a position where that wasn't immediately transitionable.
Even tho Apple comes from a BSD background, it seems like Google was more core to the internet and open-source background when they first released Android.
Since then, they have slowly transitioned all of their captured market to more closed ecosystems. But they have done it slowly out of fear of shedding their more devoted original followers (I dunno how to phrase that).
These days, I agree that Google is predatory as fuck. In some ways, Google is better than Apple, but Apple is better than Google in others. Neither are clean in regards to user privacy or security.

I really hope the recent rumblings of a lawsuit against Google regarding OS attestation becomes a real thing and goes through. This would allow things like OS projects like GrapheneOS to provide even better user experience. I would hope that this could then be leveraged against iOS.

I can't wait for the plateau where software and hardware is generic enough (well, for phones) that OS and hardware can be actually created by separate projects/companies.

[–] towerful@programming.dev 2 points 3 months ago (1 children)

Uncanny valley?
Googling "creepy valley" does hit https://en.m.wikipedia.org/wiki/Uncanny_valley as the first result
