Don't have to do anything too complicated. Here's the knocker code in a short Bash script, produced by GPT4:

~ % gpt4 'write a very short bash script that takes the number stored in ~/.ssh/knock_seq, increments it by 1 and saves it to the file. It then takes the new number and concatenates it with the value stored in the file ~/.ssh/secret. It pipes the resulting string to sha1sum, spitting out binary. It then takes both the resulting sha1sum and the number used and pipes their concatenation to "nc -u $host $(cat ~/.ssh/knocking_port)". be brief'

  knock_seq=$(cat ~/.ssh/knock_seq)
  let knock_seq++
  echo $knock_seq > ~/.ssh/knock_seq
  concat_seq_secret=$(echo -n "${knock_seq}$(cat ~/.ssh/secret)")
  sha1_output=$(echo -n $concat_seq_secret | sha1sum -b | awk '{print $1}')
  final_output="${sha1_output}${knock_seq}"
  host=localhost
  knocking_port=$(cat ~/.ssh/knocking_port)
  echo -n $final_output | nc -u $host $knocking_port

The knockee PoC should also be straightforward, can use socat + udp-listen + fork with a script that checks that input matches `sha1sum(secret||num)||num` and `num>previously_seen_num`, and if so, adds an iptables rule.

This should prevent against replays. Throw in some rate limits somewhere maybe to not get DDoSed, especially if you let socat `fork`.

> At the point an attacker has remote code execution

The attacker doesn't have remote code execution in the xz case unless they can speak to your port 22. Port knocking prevents them from doing so, provided they don't know how to knock.

Assuming they have injected code into the sshd executable, couldn't that code just do the exploit without a connection? What I'm saying is that the structure of this payload is the way it is because sshd is accessible. Had it not been accessible, the payload just wouldn't have required an external connection.

I mean, this is the twisting logic. xy hack put's a backdoor in sshd. You need to access sshd port to go through the back door and get RCE. Hacker could have put something even more nefarious that could phone home somewhere. We would like to think that would have been a little easier to spot, but who knows.

To me, that is what makes this hack so noteworthy. Hacker got access, and then kept playing the long game. Very spooky. And yes, someone capable of this probably has a plan for gaining network access if they had a target in mind. Even with best security practice, this rabbit hole goes pretty deep.

Except it's not used correctly here. "A iff B" means "A implies B and B implies A".

"I'd be willing to entertain, or even support, this way of them making money iff they spelled out honestly what they're doing and why" implies both of these:

- "If they spelled out honestly what they're doing and why, I'd be willing to entertain [...]"

- "If I'd be willing to entertain [..] then they will honestly spell what they're doing and why".

The second of which doesn't make sense to me, unless I'm missing something? He should have used "only if" rather than "iff" here.

I believe the bidirectional implication in iff is logical implication, not causal implication. If the GP is willing to entertain ... then you can conclude Mozilla will honestly spell what they're doing. Iff in general use does not introduce a causal relationship, just a bidirectional set of conclusions. In other words, iff sets up necessary and sufficient conditions.

A iff B doesn't mean that B is because of A. It simply means that if A is true then B must be as well.

> - "If I'd be willing to entertain [..] then they will honestly spell what they're doing and why".

This is true, because if they won't, then you wouldn't be willing to entertain [..]

You're right, I guess it depends on what you choose A and B to be. For:

A = OP supports Mozilla making money from address bar ads

B = Mozilla is honest about making money from address bar ads

"B -> A" (OP supports Mozilla if Mozilla acts a certain way) makes sense. "A -> B" sounds confusing in a sentence, but its contrapositive, "!B -> !A", also makes sense.

However, for:

B = Mozilla decides to make money from address bar ads and is honest about reasons

"A -> B" no longer makes sense, since OP can support Mozilla having the address bar ads with an honest justification, but Mozilla can still decide to not have the address bar ads.

(1) IFF is shorthand for "if and only if". Try to read the original sentence, it makes perfect sense and is used correctly.

(2) Logically, iff, equivalence and double implication are themselves equivalent, the expression in question is (necessarily) logically correct even in those forms, though it is irrelevant as of (1) and a confusing way to express the relationship, as the causality clearly flows in one direction.

(3) It was not meant nor interpreted as a bare logical proposition, hence it is improper to blindly apply logical transformations and reinterpret in a different system.

I do think the second implication makes sense, if you take out the tenses, i.e.:

If I am willing to entertain then they honestly spell what they're doing and why.

It means that if you know that I am entertaining the idea you can infer from that they were honest.

I think the 'if' is the first point you list, and the 'only if' is saying that if Mozilla doesn't spell it out honestly then they'd not be willing to entertain which is a bit strange but logically equivalent to the second point you have.

Implication is not causation. "If I'd be willing to entertain [...] then they will honestly spell what they're doing and why", as if they wouldn't honestly spell it, there's no way I'd be willing to entertain the idea.

I agree with all the other responses here that it is used correctly. First off, they are using it informally, and it's perfectly clear what they are trying to say, so even if it was formally wrong, exercises like these would still be tedious and beside the point.

But even playing the game of treating informal language by the rules of strict logical formalisms, it still makes sense. The two elements implying one another would be (1) trusting mozilla and entertaining this new program, and (2) mozilla communicating clearly about their ads. You trust them if they communicate honestly, and communicating honestly garners trust. Makes sense to me.

the fact that my first instinct was to mock you with "ummm ahhhctuallly" is telling that maybe your comment wasn't really needed.

We understand the intent and thought behind the use of iff in the original comment, regardless of what it may be interpreted to mean outside of a _very informal_ setting.

Could you point what you believe to be the issues in the thread?

If nothing else, it significantly reduces the entropy of your IP when websites are fingerprinting you, especially if your ISP assigns you a static IP.

Even if you don't have a static IP, I suspect the entropy of your /24 (IPv4) is also a lot smaller when over VPN.

There are plenty of homeless people in London.

Being homeless in Britain is essentially a choice. It might be surprising to you but people do actually make that choice.

If that's how you're reading it, it is because you want to.

Loneliness isn't fixed easily and it requires a lot of effort on your part to fix it. Until you hit the point that you're determined to fix it, it won't get fixed.

It's not a virus that just has to run its course. You have to purposefully have the resolve to change it and over time, being lonely for long enough will make you hit a point where you say "Enough is enough. I'm not going to spend my life lonely."

Step 1 might be hitting the gym or joining a workout group like F3 or cross fit. Looking for a club like Toastmasters to help make you more comfortable stepping out of your shell. Invite people to lunch.

Start following a sports team and find other people who do too to talk about it with and get together with to watch / attend the games. Hockey games are a blast in person once you figure out what's going on.

None of it is going to make a difference unless you, personally, are determined to fix it.

> (Hint: go ahead and start interviewing and have semi-serious job leads before this talk)

I think this bit of advice is at odds with OP's statement: "I don’t think I’d come across very well (or as sharp as I usually) in interviews at the moment without a break."

I was quite burned out at my previous job, as well, and decided (against most people's advice) to quit without an offer. I had similar "I'd rather give it a shot at being a bartender than write more code" thoughts. I was unemployed for a few months, but ultimately ended up with a few good offers. Leaving without a backup was definitely the right choice in my case.

Yeah, i don't think its good idea to move during burnout straight to another job, with high expectations for seemingly senior position, tons of stuff to learn, integrate with new teams/culture/etc.

Just stating a looming burnout and serious will to rather NOT work at all than continue working at that company under current situation should let them realize how grave the situation is. Don't leave them room for interpreting this as 'he just needs a pat on his back and some sweet talk and he is back on track'. Polite and honest, but firm stance.

People are so freaking afraid to be on their own without job for few months. Unless OP's finances are very tight, it sounds like this kind of break is exactly what he needs. Too much at stake, and after proper breakdown, there might not be a way back.

When the job is actively hurting you, that may well be the best thing to do. A middle road might be to take some vacation. (Though assuming this is even an option might be very European of me.) Or call in sick. (But again, European.)

Makes me think of the gradual increase of identity politics in mainstream media, politics and liberal circles, to the point it's driving me insane. Most people around me seem undisturbed by it though.