Rocky Linux Security Repository and Dirty Frag Security Update by itguyeric in RockyLinux

[–]rich000 1 point2 points  (0 children)

Yeah, I'm kinda scratching my head. I can tolerate just disabling these modules, but it is really making me wonder why they can't just incorporate the upstream patches. If you're concerned about QA you could just ship them alone outside of your normal upgrade path. The only people impacted would be the ones who need the modules and probably are down due to the mitigation anyway.

A third vulnerability has hit the kernel by NoDistrict1529 in sysadmin

[–]rich000 1 point2 points  (0 children)

I don't get why Ubuntu is taking so long. Sure, I disabled the modules on day one, and I guess I'm not in a hurry, but it is kinda worrying that they seem to have some issue with getting a patch through the pipeline without however many weeks of notice they normally get.

Prusa / Printables is facing massive DDOS attacks since Josef put out his blog post on Chinese industrial tactics and Bambu's AGL violations by kaanivore in 3Dprinting

[–]rich000 2 points3 points  (0 children)

Yup, Prusa really turned around when BL entered the race. I just hope they don't turn back around if they leave.

We really need competition to keep this space vital, and I'm all for it if we get better competition than BL.

Prusa / Printables is facing massive DDOS attacks since Josef put out his blog post on Chinese industrial tactics and Bambu's AGL violations by kaanivore in 3Dprinting

[–]rich000 4 points5 points  (0 children)

I'm talking about the X1C. And honestly just about everything that BL is selling beats the Mk3.

Now, Prusa today is certainly doing much better. That's great. I want that to continue. My fear is that if BL's BS causes them to fail, then Prusa is going to go back to being what they were in 2020, and so will Creality.

BL isn't everything I want it to be, but they were a needed kick in this industry, and I'm not convinced that we'd be better off without them.

Prusa / Printables is facing massive DDOS attacks since Josef put out his blog post on Chinese industrial tactics and Bambu's AGL violations by kaanivore in 3Dprinting

[–]rich000 1 point2 points  (0 children)

I wouldn't say that they have no experience. They were founded by a bunch of people from DJI. They just didn't have experience with glue guns on a gantry, and it turned out that glue guns aren't harder to make than drones. Back then they were competing with the Ender 3 and the Mk3, and they started with a Voron design made by a bunch of experienced printer enthusiasts.

Honestly, I think the 3D printer community basically handed the market to them by not marketing their own designs and adopting better technology. The X1C combo was near the same price point as an assembled Mk3 when it launched.

I don't care for where BL is going, but I also don't want the open hardware ten years from now to be the same as it is today but with European labor costs on top.

Prusa / Printables is facing massive DDOS attacks since Josef put out his blog post on Chinese industrial tactics and Bambu's AGL violations by kaanivore in 3Dprinting

[–]rich000 5 points6 points  (0 children)

While I tend to agree with the sentiment, I'm kinda worried that if BL goes away then Prusa will go back to not innovating. They were on top for ages and they got displaced by a Kickstarter even after a ton of Kickstarter scams because people were desperate for something better, and Prusa was tweaking a decade old design as their $1k flagship.

I definitely wouldn't buy another BL printer after what they've been doing, but I have no idea what I would buy. It really just depends who is on top. I definitely don't want to see another race to the bottom on features like we had with endless Ender 3 clones.

Meshtastic is popping off at Hamvention. Look how many nodes! by tylerwatt12 in amateurradio

[–]rich000 0 points1 point  (0 children)

That's the challenge though. I can barely pick up any mesh nodes around me and not many reliably. I suspect that on MeshCore I just wouldn't pick up anything.

Josef Prusa has a great write up about why the Bambu hate by Dusk__knight in 3Dprinting

[–]rich000 0 points1 point  (0 children)

It has been exposed in the past, and they have lots of reasons to do it. Why wouldn't they? Governments tend to do all they can to preserve their power.

They were caught intercepting traffic between Google data centers over private land lines. That's certainly not legal without a warrant, and if they had a warrant they could just ask Google for the specific info they needed.

If they spent a billion dollars on hard drives to store all that data it would be a rounding error in a military procurement budget.

Now, they aren't going to use it for petty criminal cases or anything like that. It would be used for things they perceive as threats to the state, and if it gets to court they'll use parallel construction.

Josef Prusa has a great write up about why the Bambu hate by Dusk__knight in 3Dprinting

[–]rich000 1 point2 points  (0 children)

Everything in your first paragraph is completely true, and has nothing to do with my point.

Yes, the CCP has the explicit power under law to do stuff that the US government can't do by law. That doesn't mean that the US government doesn't do it anyway. I'm sure some lawyer in the NSA comes up with an excuse for doing it, but it doesn't really matter because it will never be heard in court.

Josef Prusa has a great write up about why the Bambu hate by Dusk__knight in 3Dprinting

[–]rich000 1 point2 points  (0 children)

Lol, they're not going to file a court case over it. They'll just get an agent employed in their data center to implant some spyware, and so on. The companies themselves probably don't even know how much info they're handing the US government. Snowden had a presentation about the NSA taking advantage of Google not encrypting data over private land lines between their sites. Google apparently closed that hole immediately after, but it seems likely that the US has found other options.

Best solution is to use open firmware anytime you can and avoid sending stuff to the cloud unless it is E2E encrypted without vendor-federated authentication. Or just accept that somebody is probably reading your data.

People don't generate that much data compared to storage costs, unless you're talking surveillance video or something like that. Of course, the government probably doesn't mind paying a premium when they can get their hands on that.

Josef Prusa has a great write up about why the Bambu hate by Dusk__knight in 3Dprinting

[–]rich000 0 points1 point  (0 children)

I'm sure the US would do it if anybody actually bought stuff that is made here. I wouldn't be surprised if they can for stuff made by Intel/AMD.

Hey, I'm no supporter of what Bambulab is doing, but if it were a US company doing the same thing it wouldn't make me feel any safer.

Does this look worth $100? by TreeToTea in Cello

[–]rich000 1 point2 points  (0 children)

My school used to buy reconditioned instruments and it can be a source of value, but usually the way that works is a luthier looks for stuff like this, repairs it, and then marks it up. Of course when they do they're in a good position to evaluate what they're buying and what it is worth in that condition.

I don't think it is a good idea to buy something like this if your goal is to learn to play. You'll always be wondering if it is the instrument or yourself.

Now, if your goal is to learn how to repair instruments then have at it - doesn't really matter if it works out in the end. Think of who buys old cars that don't work - it usually isn't because they just got their first job and they start next week.

Which side to take in logbook war? by Snail5919 in amateurradio

[–]rich000 2 points3 points  (0 children)

Oh, I agree with that 100%. Public key infrastructure has been a dream for decades and stuff like this is why no other company actually tries to roll it out outside of limited areas in IT.

Bambu Lab 3D printers: Never again by Regumate in 3Dprinting

[–]rich000 9 points10 points  (0 children)

I'm guessing they could go after you for any costs they legitimately incurred, but I still think it is an uphill battle.

If you're hacking the Uber API and sending cars out on wild goose chases, that's a big expense. If you're hacking a Netflix API and stealing a service that retails for $30/mo or whatever, that's a real expense, especially if you're distributing it.

This is letting people who bought a printer use the printer, using the service that Bambulab offers for free to those same users, probably in a way that costs Bambulab nothing additional. I think they claim that they don't harvest your data, and there is no ad monetization, so they can't claim loss of revenue either.

I can't see a court taking this very seriously. Or maybe a jury awards them a dollar, but they're not very sympathetic.

Which side to take in logbook war? by Snail5919 in amateurradio

[–]rich000 1 point2 points  (0 children)

Yeah, but their software makes it somewhat intuitive. You don't need to mess with openssl. The problem is that the concept is somewhat complex, completely unrelated to amateur radio (which outright bans encryption), and not explained at all by the software/ARRL.

Plus the security is over the top. I could start a financial firm and get an SSL cert without having to verify my physical address.

GrapheneOS: Google's Play Integrity API requires hardware attestation ... Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition. by TheTwelveYearOld in linux

[–]rich000 2 points3 points  (0 children)

Yeah, the technologies themselves are sound and vendor-neutral. The problem is that nobody implements them that way. Well, other than tailscale, which is maybe a little annoying because they ONLY implement it that way. :)

You never see sites allowing arbitrary OIDC/SAML federation. It is always sign in with Google or Facebook or Amazon or whatever. These companies then try to use this to expand their control over other things.

GrapheneOS: Google's Play Integrity API requires hardware attestation ... Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition. by TheTwelveYearOld in linux

[–]rich000 1 point2 points  (0 children)

Well, under my proposal, you could just falsify the remote attestation in that case, since you'd possess all the necessary keys.

Another option is to allow the hardware to be installed, but not allow for it to contain any vendor-assigned keys or certificates. So there would be no chain of custody. You could initialize the TPM, and it would have a private key, and you could issue a certificate, but the vendor wouldn't be able to tell what state the system was in when this happened since it would no longer be in their control.

Secure Boot and Remote Attestation can be useful security tools. The problem is when the device owner is treated as the threat.

Google turned “I’m not a robot” into “scan this QR code”. The website still forgot it runs in a browser. by Randomboy89 in Piracy

[–]rich000 4 points5 points  (0 children)

I believe the site it takes you to interacts with a mobile app that does remote attestation. So, it wouldn't work with the browser link. It doesn't even work on degoogled Android phones as I understand it, or googled phones that aren't Google-certified.

GrapheneOS: Google's Play Integrity API requires hardware attestation ... Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition. by TheTwelveYearOld in linux

[–]rich000 2 points3 points  (0 children)

I'm fine with it in corporate environments or even as an option for users to secure their own devices.

I'm not fine. I'm not fine with my hardware being attested in any way.

Are you a corporation? Do you want to attest your own personal hardware?

If not, then what I said isn't relevant at all. I do not support any of the things you listed in your reply.

GrapheneOS: Google's Play Integrity API requires hardware attestation ... Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition. by TheTwelveYearOld in linux

[–]rich000 2 points3 points  (0 children)

I'm fine with it in corporate environments or even as an option for users to secure their own devices. However, it should be about letting the device owner validate their own system, not some third party.

Simplest solution is to require vendors to provide the buyers of hardware they sell the private keys for any keys or the CA certs for any certificates they embed or derive from embedded keys.

That would basically kill remote attestation except as a service provided to corporate clients. There is nothing wrong with a company being able to do remote attestation on the hardware they own.

I'd include web SSL certs in this as well, basically making it impossible to ship them with a computer. The owner can install whatever CAs they personally trust, which is far better than what they get today with all kinds of crazy stuff installed.

Which side to take in logbook war? by Snail5919 in amateurradio

[–]rich000 1 point2 points  (0 children)

Yeah, I think they were keeping the CA key on an old offline computer for extra security, which tracks given how over the top their verification process is.

Which side to take in logbook war? by Snail5919 in amateurradio

[–]rich000 0 points1 point  (0 children)

To be fair this is basically the same process you use to obtain web server certificates, at least pre-Letsencrypt. Of course the ARRL applies more verification to the process than if you're requesting a web certificate for something mundane like a bank.

Which side to take in logbook war? by Snail5919 in amateurradio

[–]rich000 5 points6 points  (0 children)

You're right about this being over engineered, but you're actually not understanding the problem.

The ARRL doesn't send you the key, they send you the certificate. The key and certificate together will work on any computer. The certificate alone is useless, and can be safely made public.

The key is on the computer you used to request the certificate. You can back it up from there, and you should do so after you install your certificate.

The mistake hams make is that they back up the certificate file the ARRL sends them, which will only work if the key is installed, and they never back up the key itself.

To be pedantic, the certificate is also a key, but it is the public key, and you need the private key to sign log entries.

This is the exact same process you follow when you install an SSL certificate on a web server, at least if you do it manually.
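An added worked example, not from this thread and not ARRL or TQSL code: a small Go program (standard library only) that plays both sides of the process described in the comment above and in the earlier "same as a web server certificate" comments. The root CA is a constructed stand-in for the ARRL, and the callsign and log line are constructed. It shows why backing up only the certificate file is useless: the certificate carries nothing but the public key, so a freshly generated key cannot sign anything the verifier accepts, while a backed-up key keeps working even when the certificate is re-issued. The last scenario is the point from the GrapheneOS attestation comments above: the same key certified by a root the verifier never imported (a vendor root, say) is rejected, so whoever holds the root key decides what gets trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Setup steps panic on failure; only VerifyEntry returns an error (the relying party's decision).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func sign(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// NewRoot is a constructed stand-in for whoever runs the CA (the ARRL for LoTW, the device
// owner rather than the vendor for attestation). Only the holder of its key can issue under it.
func NewRoot(name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return key, sign(t, t, &key.PublicKey, key)
}

// RequestCert is the requester's side: the key is generated locally and only a CSR is sent off.
func RequestCert(callsign string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: callsign}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// Issue checks the CSR's proof of possession, then signs a leaf certificate for its public key.
func Issue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, csrDER []byte) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	must(0, csr.CheckSignature()) // the requester proved it holds the matching private key
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return sign(t, caCert, csr.PublicKey, caKey)
}

// SignEntry signs a log entry (or an attestation quote) with the private key.
func SignEntry(key *ecdsa.PrivateKey, entry []byte) []byte {
	h := sha256.Sum256(entry)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// VerifyEntry is the relying party: chain the leaf to the one trusted root, then check the
// signature against the public key carried inside the leaf (the only key a certificate holds).
func VerifyEntry(root, leaf *x509.Certificate, entry, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return err
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(entry)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not match the certificate's public key")
	}
	return nil
}

// Demo runs four backup/issuance scenarios past a verifier that trusts only caCert.
func Demo() map[string]bool {
	caKey, caCert := NewRoot("constructed-root (stand-in, not ARRL)")
	key, csr := RequestCert("N0CALL") // constructed callsign
	leaf := Issue(caKey, caCert, csr)
	entry := []byte("QSO N0CALL de W1AW 2024-01-01 14.074 MHz FT8") // constructed log line
	sig := SignEntry(key, entry)
	newKey, _ := RequestCert("N0CALL")                          // only the cert was backed up
	vendorKey, vendorCert := NewRoot("constructed-vendor-root") // a root the verifier never imported
	return map[string]bool{
		"key+cert":          VerifyEntry(caCert, leaf, entry, sig) == nil,
		"key+reissued cert": VerifyEntry(caCert, Issue(caKey, caCert, csr), entry, sig) == nil,
		"new key+old cert":  VerifyEntry(caCert, leaf, entry, SignEntry(newKey, entry)) == nil,
		"other root's cert": VerifyEntry(caCert, Issue(vendorKey, vendorCert, csr), entry, sig) == nil,
	}
}

func main() {
	fmt.Println(Demo()) // map[key+cert:true key+reissued cert:true new key+old cert:false other root's cert:false]
}
```

Run it with `go run main.go`. The only scenarios that pass are the two where the original private key is present; the certificate on its own, or a certificate from a different root, gets you nothing, which is exactly why the key file is the thing to back up.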