New content is clearly not a requirement for posting old links on hn :). This was a little experiment to see how it compares to the overthewire links which show up every few months.
Interesting difference in reactions, the actual hacker content gets a yawn :).
If the last time HN looked at phrack was 2021, you are welcome for me bringing this gem back for anyone who hasn't seen it, and hey maybe we will get some papers for the next issue
Any time I'm in Barnes and Noble (in the US) I find the latest copy of 2600 magazine, which is in the same vein as phrack.
With 2600 at least, I can never find anything that interesting to read. Articles are usually about a) the hacker ethos, b) some ancient system and its exploit or c) a current system that's incredibly niche and its exploit, all with wildly varying article quality.
It has immense security implications. Without transport encryption, an adversary performing a MITM attack can, in certain circumstances, completely rewrite the entire HTTP response from the server. That includes everything from adding a tracking pixel to, at the extreme, serving some webasm exploit for your browser, plus a sandbox escape, to get code execution in (your) userland... where they could quickly and easily dump and exfil saved passwords from all browsers, crypto wallets, etc.
Extreme example, but code execution is code execution.
I'd hope that PHRACK readers would be among those better prepared for such attacks, but case in point, lack of transport encryption for web traffic is ABSOLUTELY a security issue too, not just a privacy issue.
Every site does. HTTPS should be the default, that increases security even if you're just looking at cat pictures in a given context.
> It matters not at all if some government sees me checking the weather, or reading about the best seeds to plant this time of year.
Absolutely does. Much can be deduced from your activity, like whether you're home, what your interests are, who you talk to, what skills you have. If somebody gets poisoned, then your interest in botany might suddenly make you of interest.
For the most part nobody really wants to read your boring emails. But that you regularly talk to some controversial person, or spend a lot of time in their proximity, that's juicy information that may well paint a target on your back in the wrong circumstances.
> And 99 44/100% of the MITM hype is pure theoretical hysteria. There is a very long distance between "could" and "will" and "can" and "did."
Good news: it absolutely happens. MITM has been used for injecting ads in content, which of course can be used to nefarious effect. From just unethical, like replacing a site's original ads with your own and robbing them of the income, to actually malicious payloads.
Holy shit man, ISPs are notorious for injecting ads and other garbage into web pages. Back when I had Comcast (Xfinity) they'd inject giant pop-up windows in web pages served over HTTP if I was approaching the asinine bandwidth limits. I also noticed an uptick in tracking ads on pages served over HTTP.
Your ISP and mobile carriers are not trustworthy neutral carriers of data. Encrypted transports are the only way for end users to avoid their snooping and injection.
Fine and well until someone injects code to exploit some 0day in lynx. Correct me if I'm wrong, but lynx doesn't even have sandboxing the way Chrome & FF do, right? Sure, it's a much smaller attack surface than those presented by traditional browsers, but if I had to hazard a guess, I'd assume it's been far less targeted, and considerably less hardened over the years.
Note: this is NOT an endorsement of Chrome, FF, Webkit, Blink, Gecko, nor is it a suggestion to NOT use Lynx - just a reminder that there are no silver bullets in security.
So you use lynx so therefore MITM injection isn't a problem? I'm having trouble even imagining this is a good faith response because it is so painfully obtuse.
Do you trust certificate authorities? Do you trust the Chinese govt? Russian?
While I agree in principal, in practice https is not very resilient to the attacks you mentioned because CAs are demonstrably [1,2,3] not trustworthy despite being baked into your browser.
