
Opisek

@Opisek@lemmy.world


Opisek ,

Wear hearing protection to concerts, kids.

Opisek ,

Apple has the benefit of making everything themselves, down to the secure enclave processors and, as of some time also, the processor as a whole. They get to design their hardware, OS, software, ecosystem, all around security and it all plays together nicely.

If you control everything, you can do whatever you want with it. Android phones being more of a mixed bag of different vendors making different parts of the phone, including the software components, makes this interplay much more difficult. It usually takes Android quite some time before they catch up on the latest security concepts.

Opisek ,

The article does not mention reporting it to the police. I get that 99.99% of the time, nothing will come of it, but that's something I would immediately do. Maybe I just don't get the rich aspect of going out and buying the newest latest model right away and forgetting about the stolen phone, even if it is theoretically still in the reach of police forces.

Opisek ,

I believe your statement might contain a slight imprecision, as a histogram is a bar graph displaying the frequency distribution of some value. Did you perhaps mean to say "homogram"?

Opisek ,

I love it. It's like two cats in one. Reminds me of the mood octopus plushies that you can flip to the other side and then it has a different colour.

Opisek ,

I'm an Arch user flirting with the idea of NixOS. Is it too late to save me?

Opisek ,

I can do it but not to that extent as shown in the picture. I can't get my feet to sit next to one another.

Opisek ,

I'm afraid well-established "standards" are nearly impossible to overturn.

Opisek ,

Just in time for me to finally have completed my Matrix setup a few days ago.

Opisek ,

That computer better be air gapped. Security updates are essential.

Opisek , (edited )

You don't need to click anything suspicious. Remote code execution has in the past been done through images, PDFs, comments on some webpage, or supposedly trustworthy games. Just recently, Minecraft would let an attacker run anything on the victim's computer due to a vulnerability in Log4j.

If your computer is not directly exposed to the internet, you might get away with some security updates that for example fix vulnerabilities that target the system firewall. But the point is, you're constantly exposing yourself to attackers without knowing so.

A few example vectors:

  • Cross-Site Scripting (XSS) allows an attacker to run arbitrary code on the victim's browser. All that's required is a website that doesn't validate its input properly. That is, an attacker can write executable code into a YouTube comment and when you view that comment, your computer will execute that code. Obviously YouTube is secured against that, but there are plenty of websites where this attack can be done. Therefore, modern browsers isolate the code execution to only that "browser tab", so the attacker can't access some sensitive data (unless the browser has some undiscovered vulnerability or for example the page itself contains sensitive information, say your bank account details). While modern browsers should provide sufficient protection against such attacks, the take-away point is that you don't necessarily need to click any "suspicious links". A vulnerability in a well-known website you frequent could be discovered any day.

  • An attacker can easily make your PC go to their website when typing google.com. DNS (how your computer is able to tell which web address is which computer) is not encrypted. It is incredibly easy to tamper with. Why you don't get scammed every day is because of TLS encryption. Your computer is able to tell that the website is not Google, because it doesn't have Google's cryptographic "keys". Assume that we discover a vulnerability in TLS (encryption of webpages) tomorrow and you refuse to update your operating system. Suddenly, an attacker can route any traffic they'd like back to them and you would be none the wiser. Same thing would happen if some vulnerability is discovered in X509 certificates, if ICANN's private keys are leaked, and so on.

There are a lot of things that could go wrong. And they go wrong daily. Security updates fix vulnerabilities that we constantly find. They may be updates for your browser, your games, or indeed your operating system, depending on where that vulnerability is. The examples I gave are exaggerated, because they're meant to be simple to understand. We do not find vulnerabilities in TLS every single day. Still, weak points are being discovered and fixed constantly. One of the bigger exploits was Spectre/Meltdown (attacks on the CPU) that let an attacker read any data they want, provided they can simply run some code on your computer in some way.

Also, obviously, if you expose yourself to the internet directly (e.g. port forwarding) or connect to an insecure WiFi network, you'll be bombarded with automated attacks that exploit holes found in firewalls and the like. If you open a port on your computer right now, you'll get around a few hundred such knocks per day.

There are plenty of videos online that display what happens if you for example use a Windows 95 computer, either directly exposed to the internet or not. Might be worth watching to see just how easy it is for attackers to take over in the case of such an ancient system. Same principles apply to newer systems as well, the attacks are just more complex.
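As an added example (not part of the original comment), the stored-XSS situation described above modelled in plain JavaScript: a comment field rendered into a page without escaping, next to the escaped rendering that keeps the comment as text. The page template, the sample comments and the script-tag check are all constructed for this illustration.

```javascript
// Added example: the "comment on a webpage" case. A site that concatenates
// user input straight into its markup lets that input become part of the page,
// and the viewer's browser runs it. Escaping turns the same input into text.
// No DOM is needed; the rendered page is modelled as an HTML string.

// Constructed sample comments. The third is the kind of input a comment
// field has to be prepared to receive.
const SAMPLE_COMMENTS = [
  "Great video!",
  "Nice <b>work</b>",
  "<script>alert('xss')</script>",
];

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the comment is dropped into the template as-is,
// so any tag it contains is parsed as markup by the viewer's browser.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened rendering: the comment can only ever appear as text.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Crude stand-in for the browser's parser: does the rendered markup contain
// a script element? The template itself never emits one, so any hit came
// from the comment.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Render every sample both ways and report whether a script element
// made it into the page.
function demo() {
  return SAMPLE_COMMENTS.map((c) => ({
    comment: c,
    unsafeExecutes: containsScriptTag(renderCommentUnsafe(c)),
    safeExecutes: containsScriptTag(renderCommentSafe(c)),
  }));
}

console.table(demo());
```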

Opisek ,

Absolute joke of a comment. You are assuming the browser is a holy grail completely isolating the internet from the operating system.

First of all. The browser runs on the operating system's services. In particular, the isolation that you implicitly cite is done entirely by the kernel. (That's for example why you cannot run Chrome in an unprivileged Docker container - the crucial isolation-centered system calls are not available.) The whole network stack is managed by the operating system. Cryptography can also partially be done OS-sided. The simplest example is CSPRNG, which is usually provided by the OS. (Advanced systems may rely on external physical generators, see Cloudflare's lava lamps.)

Secondly. Completely and utterly wrong. The linked video displays the execution of Meltdown/Spectre within a browser. Using JavaScript. This allows the attacker to gain access to any data they want on your computer simply by running some JavaScript code. Easily remotely executed via XSS on a poorly written website. You may read the full article here. Or inform yourself about Meltdown and Spectre here. How is that relevant? Combating this vulnerability was primarily done via critical OS updates. The exploits are inherent to certain CPUs and are therefore not fully fixable. Still, the combination of BIOS, chipset, OS, and browser updates helps prevent very serious attack vectors. (That's the reason why the browser's time measurement is only accurate to about the millisecond.)

So no. Browsers aren't the magic solution to everything (sorry Ubuntu Snap). They very much depend on the OS providing the assumed security guarantees. And even assuming no direct vulnerabilities in the OS, we can never exclude side-channel attacks, like what Meltdown and Spectre were (or still are if you refuse to update your system).

Opisek ,

We can finally parse English with regex?

Netflix Windows app is set to remove its downloads feature, while introducing ads (www.techradar.com)

Netflix has managed to annoy a good number of its users with an announcement about an upcoming update to its Windows 11 (and Windows 10) app: support for adverts and live events will be added, but the ability to download content is being taken away....

Opisek ,

They don't get that their actions lose them money. They will just keep throwing more ads and higher prices at you while their profits continue to spiral down. Who would've thought that people will get pissed and drop Netflix when sharing passwords was cracked down? What do they think will happen this time.

Opisek ,

Is there a Lemmy community for surreal memes? This looks like something that would fit in that category.

Opisek ,

Thanks. Turns out I'm already subscribed but it's just not active.

Self-hosted website for posting web novel/fiction

Hey hello, self-hosting noob here. I just want to know if anyone would know a good way to host my writing. Something akin to those webcomic sites, except for writing. Multiple stories with their own "sections" (?) and a chapter selection for each. Maybe a home page or profile page to just briefly detail myself or whatever, I...

Opisek ,

There are obsidian plugins that export into static pages.

Opisek ,

Yup. I constantly found myself appending !g for important queries that I needed an answer for right then and now. Google has stopped providing that commodity. It's almost never worth it anymore to fall back to Google.

Opisek ,

Better than Google now, but still not better than Google back then. In my experience at least.

Opisek ,

This term makes me imagine people marching in a protest against breasts.

Opisek ,

neofetch proudly displaying 5 months of uptime

Opisek ,

As others said, the initial setup may consume some time, but once it's running, it just works. I dockerize almost everything and have automatic backups set up.

Opisek ,

I do that, but only allow access to private services from local IP addresses, rather than putting auth in front of them. Then I use IPsec to access my local-only things.

Opisek ,

Brother scanner utilities: /opt
Pretty sure I had to change something in /usr once, but I forgot what.
Now, /var would be very unusual.
But most of the time, all the configuration files happen to be somewhere in /etc.

Opisek ,

nginx at the very least, but there's way more

Opisek ,

Yeah I missed the "anything but", sorry

Opisek ,

Because that's their thing. That's the first thing that's right in your face when you open their website. It's like asking why AdGuard or even PiHole block DNS results.

Opisek ,

That sounds stressful. Do you need to check this many or do you just do it because you're fast enough?

Opisek ,

At the moment it's either that or manufacturing huge batteries.

Opisek ,

The original post refers to a Tweet made by BP. They supply cars. Good luck putting thermal or gravity energy storage in cars.

Opisek ,

Can you recommend me where to get started with Star Trek?

Roku explores taking over HDMI feeds with ads (www.lowpass.cc)

Roku is exploring ways to show consumers ads on its TVs even when they are not using its streaming platform: The company has been looking into injecting ads into the video feeds of third-party devices connected to its TVs, according to a recent patent filing.  ...

Opisek ,

That, and you can also decide what (if anything) gets blocked on a per MAC/IP/FQDN basis, so you can explicitly allow ads for specific devices.

Opisek ,

What I despise most is when SMS is not just optional but forced upon me as "backup" to TOTP. "Lost your authenticator app? Send an SMS instead." How about no?

Opisek ,

TLS has become too easy to acquire for it to have any effect, I'm afraid. Didn't Chromium remove the padlock signifying an HTTPS connection due to just that? That it doesn't really mean anything anymore in terms of illegitimate websites (still obviously crucial against MitM)?

Opisek ,

Not sure about that. Phishing scams make sure to hide their identity really well and while something like .com might require your personal information, I can imagine .ru allowing anonymous registration. Once you've got a domain, getting a certificate for it with Let's Encrypt happens in seconds with no personal information iirc. Even if you'd need to disclose something, you could just lie. Let's Encrypt is highly automated and I doubt anyone would check the information for some random domain. Yeah that cert/domain will be taken down quickly, but they're incredibly cheap and easy to create.

Opisek ,

Gawd, not Tizen. Their documentation is horrendous, it's no wonder it never took over if developers were mentally punished for thinking of creating apps for it.

Opisek ,

Love the original Watch Dogs

Opisek ,

The sequel disappointed me greatly. Haven't even played Legion. The original story was so captivating and emotional. Took me by surprise and I was so invested in it.

Opisek ,

Did the same thing for mine. I've got one with ADF scanning, but it's only one-sided. So I simply wrote some script on my scan server that merges the current scan with the last scan if they have the same number of pages and now I can easily scan stacks of paper with both sides. After that it goes through some compression and off to my NAS. Ah, love my pipeline, so glad how simple the printer's Linux drivers made it.

Opisek OP ,

Gotta say, the barrier between you and other people by having a headset obscure most of your face sure feels strange, as far as human interactions go. They really haven't innovated at all in that regard, despite the promises of the virtual eyes at the front. I can't see the technology becoming ubiquitous in daily life until it's nearly seamless.

Opisek OP ,

I wonder how it compares to staring down at one's phone though. At least in an AR scenario, you're looking straight ahead right? I can both see how that could improve your spatial and social awareness, but I can also see how you could tunnel vision on your content just as easily.

Opisek OP ,

Oh yeah, no, I don't think anything virtual will ever make a conversation with a headset on seem natural. The best form factor I can picture is some sort of smart glasses, smart contact lenses, etc. Basically, as little obstruction as possible. Doubt it will happen anytime soon, though it is a shame development was stalled after Google Glass's flop.
