chameleon

To add to that, even the original paper written with 1999-2007 era SDRAM/DDR/DDR2 is not optimistic about the scenario of a machine that was already powered down at regular operating temperatures:

with the fastest exhibiting complete data loss in approximately 2.5 seconds and the slowest taking an average of 35 seconds

And that only got worse with more advanced RAM, not to mention that they lost almost all of the data far quicker than that with only a couple % of bits surviving that long. For all practical intents and purposes, cold boot against an already-powered-down machine is a myth, the cooling has to be applied while it’s on.

One example: https://aur.archlinux.org/cgit/aur.git/commit/?h=oracle-bin&id=eceeb808ef933a66285ea68cefd72c1b5f4374c9 . It seems the AUR team forcepushed the malicious commits out of the repo branches, likely to prevent being accidentally reused by git-bisect in the future, but the URLs still seem to work until they run garbage collection. The author/committer information on each affected commit impersonated a previous maintainer of that particular repository and isn’t real.

The whole thing essentially just boils down to adding a cd /tmp; npm install [random crap] post-install hook to every abandoned repository they easily got access to, which itself had a post-install hook to set up malware things. npm has nulled the affected packages, though it took them somewhere around 24 hours to do so. atomic-lockfile was one of them.

I ended up wanting an online pseudonymous identity as well as an offline real-life identity, which leads to needing multiple phone numbers when things are tied to said number. That’s extremely annoying to manage, especially with Signal’s current activity and update policies that essentially require you to keep a phone in a drawer, charge it and log into it every so often or risk losing your entire account due to inactivity, as only the mobile device counts for that purpose (this might supposedly be changing).

In that particular scenario, I don’t really care if my least-favorite three-letter-agency or law enforcement can link my identities. It’s a nice bonus if they can’t, but not an absolutely required feature. The main worry is the person on the other end trivially learning it. But the person on the other end might have a different set of worries that makes Signal one of the few available options for them.

That said, Telegram also requires a phone number and has exactly the same issue, so this is a rather weird thread to bring that up.

Not sure, but I can reproduce it on my end. The actual download pages on get.videolan.org have ads, the main site does not.