[-] BaumGeist@lemmy.ml 20 points 2 weeks ago

I live in a constant state of fear and misery

Do ya miss me anymore?

[-] BaumGeist@lemmy.ml 20 points 3 weeks ago

To the feature creep: that's kind of the point. Why have a million little configs, when I could have one big one? Don't answer that, it's rhetorical. I get that there are use cases, but the average user doesn't like having to tweak every component of the OS separately before getting to doom-scrolling.

And that feature creep and large-scale adoption inevitably has led to a wider attack surface with more targets, so ofc there will be more CVEs, which—by the way—is a terrible metric of relative security.

You know what has 0 CVEs? DVWA.

You know what has more CVEs and a higher level of privilege than systemd? The linux kernel.

And don't get me started on how bughunters can abuse CVEs for a quick buck. Seriously: these people's job is seeing how they can abuse systems to get unintended outcomes that benefit them, why would we expect CVEs to be special?

TL;DR: That point is akin to Trump's argument that COVID testing was bad because it led to more active cases (implied: being discovered).

[-] BaumGeist@lemmy.ml 20 points 1 month ago

And that's assuming they even have a support staff. Most of the time I see this bullshit, it's small dev teams maintaining niche software with less than the bare minimum of documentation.

The only problem I have with your stance is that it's not petty, pointless nor pedantic. It's a plague on the world of software. Discord is terrible for the use-case it's intended for (group chats), why the fuck are people using it for their community forums????

[-] BaumGeist@lemmy.ml 20 points 4 months ago

You really have to be an asshole to live in Texas at this point

Terrible take. A lot of us can't "just move elsewhere." All the surrounding states are still pretty conservative and shitty, moving isn't free, and you can't just sell all your shit and hitchhike and expect to be welcomed with open arms.

It took all of my measly life savings just to move, I still struggled with housing and finding a job for months, healthcare is a removed, CoL is higher, and I have to live in the city long enough to find my footing when I was raised to be accustomed to smalltown life. Don't get me started on the weather and day/night cycle and difference in climate, nature, environment. There's a bit of culture shock there.

And if all the non-fascists left, where are they supposed to go en masse? Somewhere that's slightly better? Overwhelm blue states that aren't prepared infrastructurally? A lot of the time, this kind of mass migration overwrites local culture and just ends up recreating the problems of the homeland. You're telling me California can handle an influx of 12,000,000 psychologically damaged texans who need to be deprogrammed and integrated?

Those are my comrades that are stuck in that hellhole, not some faceless NPCs who love trump and wholeheartedly support the decline towards theocratic fascism. That's our home as much as it is the fuckin nazis', and it sucks shit to be lumped in with them just because we're not gung ho about completely starting over when we barely scraped by to begin with.

Fuck you.

[-] BaumGeist@lemmy.ml 22 points 8 months ago

so it got me wondering what the privacy implications would be if I hypothetically were to use it. I imagine it would be terrible!

I don't see why. Dial-Up just describes how the modem connects to a remote server, not what security protocols are possible once the connection is established

[-] BaumGeist@lemmy.ml 20 points 8 months ago* (last edited 8 months ago)

For the record I agree with @fernandofig@reddthat.com, but I also want to add that a DoS is not necessarily a security risk. If it can be leveraged to expose sensitive information, then yes, that's a vulnerability; this isn't that.

Digging into the CVEs:

CVE-2024-24989:

# Security Advisory Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. (CVE-2024-24989)

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3.

# Impact

Traffic is disrupted while the NGINX process restarts. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) on the NGINX system. There is no control plane exposure; this is a data plane issue only.

CVE-2024-24990 basically says the same.

Some choice clauses:

undisclosed requests can cause NGINX worker processes to terminate

Traffic is disrupted while the NGINX process restarts.

So it doesn't take down the server nor the parent process, it kills some threads which then... restart.

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental

I was able to find that the affected versions:

NGINX Plus R30 P2 and R31 P1
Open source subscription R5 P2 and R6 P1
Open source mainline version 1.25.4

but most importantly:

The latest NGINX Open source stable version 1.24.0 is not affected.

And saving me the hassle of linking and quoting all 5 of the version history pages for the affected products, the uniting factor is: they're all based on Open Source versions 1.25.*

None of them are using the latest stable version.

It's not even going to affect most sites, and definitely not ones for whom downtime is a major issue: they would not be using the non-stable version, much less enabling experimental features in a non-stable version.

But the part that irks me the most is the dilution of what a CVE is. Back in the day, it meant "something that can lead to security breaches," now it just seems to mean "hey guys, I found a bug." And that's bad because now you have one of two outcomes: 1. unnecessarily panicking users by leading them to believe their software is a security risk when it isn't, or 2. compromising the integrity and usability of CVE reports by drowning the important ones in waves of "look guys, the program crashes when I can leverage root privileges to send it SIGKILL!"

If this was just a bug hunter trying to get paid, that's one thing, but these were internally assigned and disclosed. This was an inside job. And they either ignored or never consulted the actual experts, the ones they have within their own staff: the devs.

Why? To what end? Did they feel left out, what with not having any CVEs since 2022? Does this play some internal political struggle chess move? Do they just hate the idea of clear and unambiguous communication of major security holes to the general public? Are they trying to disrupt their own users' faith in their paid products? Does someone actually think a DoS is the worst thing that can happen? Is there an upper level manager running their own 1.25 instance that needs this fixed out-of-band?

It's just all so asinine.
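As an added example (not part of the comment above, and not NGINX's own tooling), here is the exposure check the comment's reasoning implies: parse `nginx -V` output and an nginx config and report whether a host is actually in the CVE-2024-24989 / CVE-2024-24990 footprint, i.e. a 1.25.x build compiled with `--with-http_v3_module` and a `listen ... quic` directive. The sample strings are constructed; treating 1.25.0 through 1.25.4 as the affected range (the advisory quotes mainline 1.25.4 as affected and 1.24.0 as not) is an assumption taken from the list quoted above.

```python
import re

# Constructed sample of what `nginx -V` prints (it writes to stderr).
SAMPLE_NGINX_V = """nginx version: nginx/1.25.4
built by gcc 13.2.0 (Debian 13.2.0-6)
built with OpenSSL 3.1.4 24 Oct 2023
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module
"""

# Constructed config fragment with the experimental HTTP/3 listener enabled.
SAMPLE_CONF_QUIC = """
server {
    listen 443 quic reuseport;
    listen 443 ssl;
    http3 on;
}
"""

SAMPLE_CONF_TCP_ONLY = "server {\n    listen 443 ssl;\n}\n"

def parse_version(nginx_v: str) -> tuple:
    """Return the version tuple, e.g. (1, 25, 4), from `nginx -V` output."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v)
    if not m:
        raise ValueError("no nginx version line found")
    return tuple(int(x) for x in m.groups())

def built_with_http3(nginx_v: str) -> bool:
    """True if the binary was compiled with the HTTP/3 (QUIC) module."""
    return "--with-http_v3_module" in nginx_v

def config_enables_quic(conf: str) -> bool:
    """True if any listen directive enables QUIC (comments are ignored)."""
    stripped = re.sub(r"#.*", "", conf)
    return re.search(r"^\s*listen\s+[^;]*\bquic\b", stripped, re.M) is not None

def exposure(nginx_v: str, conf: str) -> str:
    """Classify a host against the advisory's preconditions."""
    ver = parse_version(nginx_v)
    # Assumption: affected builds are 1.25.0-1.25.4; stable 1.24.0 is not affected.
    in_affected_branch = ver[:2] == (1, 25) and ver[2] <= 4
    if not in_affected_branch:
        return "not affected: version not in 1.25.0-1.25.4"
    if not built_with_http3(nginx_v):
        return "not affected: no HTTP/3 module compiled in"
    if not config_enables_quic(conf):
        return "not exposed: HTTP/3 module present but no quic listener configured"
    return "exposed: 1.25.x with a quic listener, worker-process crash (DoS) possible"
```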

[-] BaumGeist@lemmy.ml 20 points 8 months ago

It's terrible for secure/private communications, it requires hacks that violate the TOS and EULA to modify the client to get rid of ads and change themes, it's not FOSS, and it locks features behind a paywall...

But it does what skype already did, so I'm glad we all have to migrate to the new fad site that strips even more of our dignity and privacy every 10 years that'll die anyway because it offers nothing and has a terrible business model.

[-] BaumGeist@lemmy.ml 22 points 8 months ago

The big takeaway is that you do not own this computer. It is not yours, it is being lent to them for a very specific purpose. And what you want to do, hell what you're already doing, is way outside of that purpose.

How would you feel if you lent a friend your computer to check their email and found out they had bypassed a lot of your security mechanisms (passwords) to set up their own admin account?

What about when you begrudgingly get a MFA app on your personal phone because your employer's too cheap to shell out for a yubikey or hardware token? How would you feel if their app also rooted your phone just for shits and giggles?

What you're proposing is not only dangerous to your career, it's also potentially illegal. And also just downright unethical.

[-] BaumGeist@lemmy.ml 23 points 9 months ago

Kids' online safety doesn't require massive online censorship and surveillance...

It's just that the alternative is active parenting, and that's unrealistic or infeasible for the average wage slave

[-] BaumGeist@lemmy.ml 21 points 1 year ago* (last edited 1 year ago)

Thousands of selfless individuals contribute to FOSS
Tech journos: 🥱
Some profit-driven business contributes to FOSS
Tech journos: ✊🍆💦💦💦😩

[-] BaumGeist@lemmy.ml 21 points 1 year ago

I love how you can tell this was edited by the first dude to pat themself on the back for disliking something benign, and then OP's comments prove that's the case

[-] BaumGeist@lemmy.ml 20 points 1 year ago

No home internet connection. I only use public wifi.

Please never do anything important online. It's way too easy for someone to have their Access Point broadcast the same SSID as starbucks (or whatever network) and then just sit and watch people connect, and MITM everything.


BaumGeist

joined 2 years ago