

Notepad++ installed from any package manager was perfectly fine and safe.


I’ve kind of stopped following things up since I left Windows, but maybe you’re remembering when this actually happened a while ago? This is just some in-progress post-mortem report.


Oh, yes, I won. I’ve known for months. Microsoft have nothing to do with it anymore.


Maybe if they keep making it worse and worse it will kind of circle back to good.


Steganography is extremely far from undetectable, unfortunately. And trivial to find out once you know it’s there; if we ever allow a framework to be put in place to intercept communication at a large scale, it will be the inverse of the cat and mouse game we have with encryption: very hard to improve, very easy to detect.
And I’m aware of the many funky things we did. At some point people tunneled DNS queries through HTTPS, to get through a wifi captive portal that only allowed HTTPS traffic until authenticated.
Just to be clear, I’m aware of the issues of detecting stealth data, and even detecting encryption against seemingly random data. It’s kinda fascinating to detect the difference, too; some people have looked into that. But the point is, if you’ve already agreed on “banning encrypted communication that can’t be listened to easily”, you can basically just say “this is gibberish, decrypt it or go to jail”. I also know that this sounds insane and throws away the “innocent until proven guilty” principle, but we’re slowly creeping toward a world where our devices scan all our documents and communication to notify a central authority of issues, where black boxes in large networks are already present, and so on.
It’s been slowly creeping toward that. Finding ways to hide traffic on public networks can only go so far if the listener can just stop you if it detects what looks like encrypted content.
And, since this is kind of a heated discussion, I’ll reiterate: it would be batshit crazy to go this way. But I would have found it batshit crazy to have our own devices spy on us and report suspicious activities to third parties years ago, and yet here we are.


It’s not unsubstantiated. The push for government-sanctioned client-side spyware already happened years ago with the intent to scan all content, and it keeps happening every other year, each time with more support; inefficient laws about age control have been pushed in many countries and others are following suit; there’s constant harassment of tech companies to create backdoors for spying on demand; device manufacturers are threatened for allowing custom software that can be used to circumvent such provisions, etc.
If you haven’t seen any of this, then sure, be surprised that a ban on general public encryption is not unthinkable.


Anyone who thinks a government can ban VPNs without destroying the economy is deluded
Anyone who thinks a government would never do something as utterly stupid as shooting itself repeatedly in the everything out of spite is deluded. Banning all forms of encrypted traffic would be insane. Now tell me, how many insane things have we witnessed in recent years from our collective governments?


Anything encrypted is blocked. Boom, done.
Is it stupid? Yes. Never stopped lawmakers.


It’s E2EE alright. Just, don’t ask what “ends” we’re talking about.


The drunk dude that’s always sitting on the ground near the park entrance and sells weird tissue dolls with curly hair is more trustworthy, I’d say.
The software itself, and the devs, have little to nothing to do with this besides detecting the issue. Which was not obvious, since (it seems) the attack was targeted at specific IPs/hosts/places. It likely worked transparently without alteration for most users, probably including the devs themselves.
It also would only affect updates through the built-in updater; if you disabled that, and/or installed through some package managers, you would not have been affected.
A disturbing situation indeed. I assume some update regarding having adequately digitally signed updates was done (at least, I hope… I don’t really use N++ anymore). But the reality is, some central infrastructure is vulnerable to people with a lot of resources, and actually plugging those holes requires a bit of involvement from the users, depending on how far one would go. Even if everything’s signed, you have to either know the signatory’s public key beforehand or get a certificate that you trust. And that trust is derived from an authority you trust (either automatically through common CA lists, or because you manually added it to your system). And these authorities themselves can become a weak point when a state actor butts in, meaning the only good solution is double-checking those certificates with the actual source, and actually blocking everything when they change, which is somewhat tedious… and so on and so on.
Of course, some people do that; when security matters a LOT. But for most people, basic measures should be enough… usually.
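The "know the signer's key beforehand and block everything when it changes" rule from the last comment, as an added example in Go (this is not Notepad++'s updater code; the keys and update payload are generated and constructed inline): an update whose signature is valid under any key other than the pinned one is refused, as is a tampered payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Both errors mean "do not install"; they are distinct so a client can log why.
var (
	ErrKeyNotPinned = errors.New("signer key does not match pinned fingerprint")
	ErrBadSignature = errors.New("signature does not verify under pinned key")
)

// Fingerprint is the hex SHA-256 of a public key; this is the value a client
// pins at install time (hypothetical scheme, constructed for this example).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyUpdate accepts an update only if the key delivered with it matches the
// pinned fingerprint AND the signature verifies under that key. A swapped key
// carrying a perfectly valid signature is still rejected: a key change blocks
// everything until a human re-pins it from the actual source.
func VerifyUpdate(pinned string, pub ed25519.PublicKey, payload, sig []byte) error {
	if Fingerprint(pub) != pinned {
		return ErrKeyNotPinned
	}
	if !ed25519.Verify(pub, payload, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed demo: the vendor's real signing key and an impostor's key.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	impostorPub, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)
	pinned := Fingerprint(vendorPub) // what the installed client already knows
	update := []byte("constructed update payload v1.2.3")

	fmt.Println("genuine:    ", VerifyUpdate(pinned, vendorPub, update, ed25519.Sign(vendorPriv, update)))
	fmt.Println("swapped key:", VerifyUpdate(pinned, impostorPub, update, ed25519.Sign(impostorPriv, update)))
	fmt.Println("tampered:   ", VerifyUpdate(pinned, vendorPub, append([]byte("x"), update...), ed25519.Sign(vendorPriv, update)))
}
```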