Pup Biru

saying Microsoft requires that you go out and obtain a signed certificate that proves your identity as a developer

clearly that’s not the case if this was exploitable… again, N++ has an auto update mechanism that they current use. if they used a microsoft signing key to sign a builds hash, this hijack would not be possible

thus they have an update mechanism that works around microsoft signing… how is irrelevant. that is the current state of the software

The update mechanism was successful hijacked because integrity checks and authentication checks were not properly in place

that part we definitely agree on

Notepad++ even said that they moved hosting providers after this happened to them

side note: doesn’t remotely solve the problem… software updates should be immune to this to start with. it’s a problem that the hosting provider was compromised, but honestly we’re talking about a state sponsored hack targeting other states: almost no hosting provider would include this in their risk assessment, let alone shared hosting providers

Can you point out an existing open source application that runs on Windows that only uses GPG signatures?

again, that’s irrelevant… the concept that we’re talking about isn’t even specific to GPG. signing a hash using a private key is basic crypto, and GPG is a specific out of the box implementation

if we remove microsoft signing as an option for whatever reason (which we have) then it’s still very possible, and very easy to implement signed updates into your own custom update mechanism

yes but as you yourself said

I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn’t have to deal with Microsofts method of signing software, but that kind of backfired on them.

the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s

No, because you wouldn’t be able to execute the updated exe without a valid signature. You would essentially brick the install with that method, and probably upset Microsoft’s security software in the process.

this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”

adding signing into that existing process without any 3rd party involvement is both free, and very very easy

which is why this is a solved (for free) problem on linux

Windows and MacOS do not use that method to verify the authenticity of developer’s certificates.

completely irrelevant… software authenticity doesn’t have to be provided by your OS… this is an update mechanism that’s built into the software itself. a GPG signature like this would have prevented the hack

The update mechanism works fine, but you will not be able to execute the binary on a Windows or MacOS system

that’s what we’re saying: this update mechanism already exists, and seems to install unsigned software. that’s the entire point of this hack… the technical how it works is irrelevant

there are more ways to do signing than paying microsoft boat loads of money… just check a gpg sig file ffs (probably using detached signatures: again, it’s already built into existing tools and it’s a well-known, easily solved problem)

what’s irrelevant is the argument about how the auto update mechanism would work because it already exists

that’s all completely irrelevant…, there is already an update mechanism built into NPP: that’s the entire point of the attack… it’s this update mechanism that got hijacked

i’m certain all of us that haven’t bought into any of this will be fine and rich hedge funds won’t buy up property and stock from people with no options forced to sell at prices far less than what they paid

i think it’s certainly possible that it could start down that path, and it’ll become blatantly obvious that trickle down economics, “socialism is evil”, anti-intellectual crap that the red states bow at the alter of is a huge reason for their suffering and they’ll want to join those coalitions, but those coalitions will have years if not decades of policy on their side to make sure they aren’t overrun with the same ideas

could the process then just start over again? perhaps… it could just be a property of the system

but also… they’re arguing for small government. maybe y’all should start pushing in the same direction: make the federal government smaller, keep your blue state tax money, stop giving them as much… it’s what they want after all

and then use that money to form blue state coalitions: form a new, voluntary CDC, FDA, etc between aligned states that are far more robust than what you’ve been able to achieve with republican bad faith tampering

geopolitics is consistently hypocritical… especially when it comes to the US… we absolutely can, and should be telling everyone to stop being imperialist but in lieu of that, we can just tell russia to cut the shit

or the argument holds water and also the US has consistently been in the wrong for the same reasons

i closed reader view and scrolled just to see and wow the POPUPS and 50% of the page length being ads

WHAT

who uses the internet like this and finds it acceptable?!

buys you a little extra time to move to linux

the concept of someone working a 40hr week and not having money relax let alone pay their rent is literally foreign to me

it’s wild that people can work 80hr weeks and still barely scrape by

australia kinda does it like that… our minimum wage is tied to CPI (which covers much more than just food: also entertainment, rent, transport), and afaik was originally based on living standards

a wage that is fair and reasonable… sufficient to meet the normal needs of an average employee, regarded as a human being living in a civilised community.

in fact, australia invented the concept of a “living wage” in 1907

so it should be exactly that today: enough for an average person to live a decent existence (including entertainment, food, housing, etc)

generally people think men are evil by default, and women are good by default

i think this is a misunderstanding of the dynamic

we see this play out pretty regularly with the “not all men” arguments and the like: men getting annoyed by women being careful, and taking “you could hurt me” behaviour as some kind of insult. the statement is true: not all men are evil to women, but any man could be evil to women and thus need to be treated as though it’s possible in order to protect themselves

i mean… fucked up version of do unto others?

also the emdash thing kinda proves that the majority of training data comes properly published works rather than user comments, and that the training methods merge “knowledge” from user stuff like reddit together with books at papers etc

deleted by creator

if every user of the fediverse were to change to this style, it would still be a drop in the ocean

and if you somehow did manage to poison the data then what… the AI company isn’t going to catch it? no they do a find and replace… they don’t even need to do it in the training data (though they would)… they could just filter the output

because the US electoral system is fundamentally broken and if you vote for who you want to vote for you’re likely to get the exact opposite because that’s the spoiler effect for ya!