Hacker News | BTeam's comments

They switched their AV1 decoder from libaom to dav1d.


A version freezing attack can be done even if the client tries to connect over TLS, simply by dropping SYN requests to the update server, or by DNS manipulation, etc.


There's a difference between "failed to contact update server" and "no new updates found", though. And DNS manipulation wouldn't work if certificate pinning is used.


That’s not quite the same attack. What you describe can only keep you from updating at all, freezing you at whatever your current version is. The attack described above would let the MITM choose the exact version to update you to.


Absolutely not: the installer blocks downgrade attacks.


I’m not talking about a downgrade attack. I’m talking about upgrading to a known vulnerable version. You are at version X, attacker upgrades you to known vulnerable version X+1, even though the real latest version X+2 has a fix.
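The gap this comment describes, as an added Python example (not from the thread or from VideoLAN's updater): a signature check plus a downgrade check still accepts a replayed, validly signed manifest for X+1, while a signed expiry does not. HMAC stands in for a public-key signature, and the manifest layout, the `expires` field and all values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the vendor's public-key signature.
DEMO_KEY = b"constructed-demo-key"

def sign(manifest):
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()

def check_update(installed, manifest, sig, now, require_fresh):
    """Decide what the updater does with a fetched manifest."""
    if not hmac.compare_digest(sign(manifest), sig):
        return "reject: bad signature"
    # Assumed field: 'expires' is a signed timestamp after which the
    # manifest must no longer be trusted, so old manifests cannot be replayed.
    if require_fresh and now > manifest["expires"]:
        return "reject: stale manifest"
    offered = tuple(manifest["version"])
    if offered < installed:
        return "reject: downgrade"
    return "up to date" if offered == installed else "install"

# Constructed scenario: client runs X, X+1 is known vulnerable, X+2 is the fix.
X, X1, X2 = (1, 0, 0), (1, 0, 1), (1, 0, 2)
NOW = 2_000
old_ok = {"version": list(X1), "expires": 1_000}   # captured when X+1 was latest
current = {"version": list(X2), "expires": 3_000}  # what the real server serves
older = {"version": [0, 9, 0], "expires": 3_000}   # below the installed version

def demo():
    return {
        "downgrade": check_update(X, older, sign(older), NOW, False),
        "replay, version check only": check_update(X, old_ok, sign(old_ok), NOW, False),
        "replay, with freshness": check_update(X, old_ok, sign(old_ok), NOW, True),
        "genuine latest": check_update(X, current, sign(current), NOW, True),
        "tampered": check_update(X, current, sign(old_ok), NOW, True),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```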


They have a network of voluntary mirrors using very different stacks that give them storage and bandwidth for free. Similar to Debian's APT [0].

VideoLAN isn't in a position to force its hosts to serve the files over TLS.

However the cryptography of the signature check will be updated in the future.

[0] https://whydoesaptnotusehttps.com/


The BitTorrent protocol uses UDP only when using a congestion control mechanism on top of it (uTP). In fact uTP is aware when the send buffer is filled and when latency is introduced, so that it automatically backs off and gives interactive traffic some time to be exchanged with priority.

The standard BitTorrent protocol uses TCP by default and is arguably worse: since it uses more TCP connections by nature compared to client-server file delivery, it has more chances of being prioritized.

So BT over UDP with the uTP transport protocol is in fact a clever way to balance heavy traffic and interactive traffic.


It's on the roadmap for VLC 4.0, the new medialibrary (C++11) is in the process of being added as a module. The interface is also being reworked in QML.

This medialibrary is already used in VLC for Android for music album classification in an SQLite database.


SSH is a cryptographic network protocol that doesn't use SSL/TLS.


My bad. I should have said SSL/TLS/SSH.

* SFTP/FTPS (SSH)

* SSH (SSH)

* SMTPS (SSL, TLS)


Still wrong. FTPS is vanilla FTP over TLS.


> Still wrong

You know that thing that gives security practitioners a bad reputation with engineers?

You're doing it.

As opposed to this, why not something more like "it's not uncommon for these two to be confused, but FTPS is FTP over TLS and isn't interchangeable with SFTP"?


Because it's longer? Pardon my foreign mind, but I do not understand why you are offended by a simple, short and valid statement, nor why you are differentiating between "security practitioners" and "engineers".


Netflix and Amazon also already encode in HEVC; they stream it to compatible players/hardware.


Furthermore webm/Matroska AV1 mapping isn't finalized, same situation with MP4.


x264 is an AVC encoding software by VideoLAN.


Damn. How embarrassing! Two major factual mistakes in two sentences while nitpicking at someone else's mistakes on the internet. I of course meant to write h264 ;-)


There is Orgzly, but it's not very practical.

