
henfredemars

@henfredemars@infosec.pub

This is a secondary account. My main account is listed below. The main will have a list of all the accounts that I use.

henfredemars@lemmy.world

Personal website:

henfred.me


henfredemars ,

How stupid. You don’t think criminal organizations won’t be smart enough to just do the illegal math that you’re trying to ban? Looks to me that it’s just monitoring and controlling regular people.

This isn’t much different from banning encryption. You’d have to get seriously draconian to ban the use of numbers in unapproved ways.

henfredemars , (edited)

You do it because it makes an attacker’s life harder because now I have to find two bugs instead of one.

The entire boot chain of the phone up to the apps you run are verified successively by the component that loads it. A digital signature helps ensure that only trustworthy code ever runs. A bug must be found to bypass these checks to load malware code. For example, a bug in the image code in a web browser might cause loading of code that isn’t checked. This way the malware gets smuggled onto the phone.

This means that if you get hacked via one bug and malware is loaded, the attacker has to work harder to solve the problem of how do I convince the phone to load it again at boot because the code it’s made of isn’t going to be approved code. When you reboot, you are effectively forcing a validation that all the code you have running is authentic, which would exclude the malware. Trick me once sure, can you survive a full pat down? Probably not. It’ll get caught.

Unless I have a second bug to fool the normal code loading systems too, the malware can’t run. You have to go back and trigger the first bug again somehow, which places more strain on the attacker.
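A toy model of the verified boot chain described in the comments above, added here as an illustration and not the commenter's own code: each stage pins a SHA-256 digest of the stage it loads (a real device uses digital signatures, which is the assumption simplified away here), so code injected at runtime through a bug does not survive the validation forced by a reboot.

```python
import hashlib
from typing import List, Optional, Tuple

DIGEST_LEN = 32  # SHA-256 output size


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(stage_code: List[bytes]) -> Tuple[bytes, List[bytes]]:
    """Build images back-to-front: image = code || sha256(next image).

    Returns the root digest (what a fused ROM would pin) and the images.
    The digest stands in for a signature in this simplified model.
    """
    images: List[bytes] = []
    next_image: Optional[bytes] = None
    for code in reversed(stage_code):
        tail = digest(next_image) if next_image else b"\x00" * DIGEST_LEN
        image = code + tail
        images.insert(0, image)
        next_image = image
    return digest(images[0]), images


def boot(root_digest: bytes, images: List[bytes]) -> Tuple[bool, int]:
    """Walk the chain from the root of trust; return (ok, stages_loaded).

    A stage is loaded only if its digest matches what its loader pinned,
    so the first tampered stage stops the boot there.
    """
    expected = root_digest
    loaded = 0
    for image in images:
        if digest(image) != expected:
            return False, loaded
        loaded += 1
        expected = image[-DIGEST_LEN:]
    return True, loaded


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int]]:
    # Constructed sample chain: bootloader -> kernel -> app launcher.
    root, images = build_chain([b"bootloader-v1", b"kernel-v1", b"launcher-v1"])
    clean = boot(root, images)  # all three stages verify
    # Code that got in through a runtime bug has replaced the launcher
    # image on disk; it keeps the old trailer but its own body differs.
    tampered = images[:2] + [b"payload-sample" + images[2][-DIGEST_LEN:]]
    after_reboot = boot(root, tampered)  # stops before loading stage 2
    return clean, after_reboot
```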

henfredemars ,

I love to talk about computer security. I don’t get the chance often enough.

henfredemars ,

I remember this feature, and I wish it was a standard Android feature. It sounds like it would be trivial to implement and could be completely optional.

henfredemars ,

I don’t think applications can reboot the phone.

henfredemars , (edited)

I don't really consider a malicious app to be an exploit. In this case, the software is doing exactly what it was designed to do -- malicious activity. It's not being manipulated to perform unintended operations through the exploitation of a software bug. Code signing and secure boot are not effective in the face of intentionally shipping malicious code to end users. It's designed to frustrate actual hackers.

For malicious-by-design apps, we rely on a central app store that hopefully reduces the number of bad apps in circulation. If you publish malware, eventually you get caught and we know who you are. Sandboxing with a permissions system helps prevent apps from performing actions contrary to the user's interests. E.g. why is my flashlight app asking for my contacts when I pressed 'change color?'

If you directly exploit your way in, it's harder to know who did this and why because you didn't go through any central vetting or accountability system, and you're not so easily bound by the permissions system. It depends on what your bad guy's goals are, what they want, whom they're targeting. Force your way in the back entrance, crawl through an open window (like a weak security setting), or lie your way in the front door (trojan)? It depends.

None of it is perfect, but I'm sure OS design experts would love to hear about better solutions if any exist.

henfredemars ,

Personally, I restart mine maybe once a week. No need to go crazy with it, but it helps make life harder for bad actors and might make your phone run better.

henfredemars ,

Nothing wrong with that. I don’t think it’s a mistake to not reboot your phone until you need to. It’s your phone. It’s not like rebooting your phone will save lives or the planet.

My wife doesn’t even use a lock screen password. I’m interested in the nuances of such things.

henfredemars ,

You’d have to grant the app permission to access your photos. At this point, I would say the problem is more the person in the driver’s seat. You can’t really protect the user from themselves. If you had a legitimate reason to grant access to your photos, then we definitely have a problem.

You can think of this as a kind of exploit if you prefer. However, this becomes a permissions and ecosystem and reputation issue and not really a technical software one. Because you’re looking at a totally different set of tools, I think it’s useful to restrict exploit to refer only to bugs.

You could take that argument one step further and ask what if my new phone comes with preinstalled malware? The system collapses if you can’t have some level of trust the software you’re running.

henfredemars ,

Aww, thank you!

henfredemars ,

I can’t blatantly associate this account with other identities but I’ll say that I’ll be at DEFCON32 sniffing the air and shaking hands on the Wild Wild West of the open LAN.

I insert a lie or two about real life details every now and then to mitigate profiling. But the gist of what I write is always me.

henfredemars ,

Nope! From Kaspersky:

Reboot Daily: According to research from Amnesty International and Citizen Lab, Pegasus often relies on zero-click 0-days with no persistence. Regular daily reboots can help clean the device, making it necessary for attackers to repeatedly reinfect, thereby increasing the chances of detection over time.

For a case with persistence, Lookout notes another bug was required and details the extra work.

henfredemars ,

I know what you mean, but if it’s any consolation, you are in space.

henfredemars ,

How do you know you aren’t alone?

henfredemars ,

My dog barks at walls and is constantly reminding me of the inevitability of our ultimate demise.

I’m sure she hears things.

henfredemars ,

Last week, on two different days, I drove one hour each way for my boss to tell me that the meeting room is full so just go home and he'll email out the meeting minutes after.

Mind you, I knew how many people were going, and I messaged him the night before, twice, that I should probably skip out so our guests don't feel too packed together, and he never answered.

Killing the environment because people suck. I hope he felt like a big man.

henfredemars ,

No quarter for traitors.

Now, we should be mindful. Some of these people are misguided or misinformed, but there’s also people who are acting in bad faith. For these, you can’t convince them. They fundamentally disagree with human rights, rights in general, and democracy.

I’m A-OK with making fun of modern day Nazis.

henfredemars ,

What else are we supposed to buy? Have you tried to buy a small, basic town car lately? Dealers don't have stock in my area and they push you to the SUVs.

I'm going to keep driving my current car until the wheels fall off.

PayPal Is Planning an Ad Business Using Data on Its Millions of Shoppers (www.wsj.com)

Wall Street Journal (paywalled) The digital payments company plans to build an ad sales business around the reams of data it generates from tracking the purchases as well as the broader spending behaviors of millions of consumers who use its services, which include the more socially-enabled Venmo app....

henfredemars ,

Friends don’t let friends use PayPal. If something goes wrong and eventually something will, you will find zero customer support. Add exploitation to the list of reasons.

henfredemars ,

I’m pretty sure I’ve seen this book cover.

henfredemars ,

I’m sure the leadership will have cashed out by then. In fact, disgusting wealth has already been generated.

henfredemars ,

There will always be bots on the Internet. I do not believe this is a solvable problem. Instead, we focus on mitigation.

However, Reddit has little incentive to fight the bots because it increases engagement metrics. In fact, it costs money and reduces profits to reduce bot activity. Hence, so many bots.

Right here on Lemmy, because nobody financially benefits from turning a blind eye to the problem, I think we have a head start. This platform is created by users for users. For that reason, I think we should never have the problem quite to the same extent as they do.

henfredemars ,

Dead Internet theory in full effect.

henfredemars ,

Cool username btw.

henfredemars ,

He’s cute!

My wife and I do not enjoy kissing. It’s not very common but I’ve met a few that feel the same.

henfredemars ,

I still have difficulty accepting this concept from time to time. It’s a real relationship issue, I’m talking in the bedroom. I’m trying to be a gentleman and my wife is telling me please just be straightforward and boring. Be literal. Do not be suggestive. Do not imply. I don’t want to imagine I don’t want creativity. Now, every relationship is different, but I can’t help but feel it unceremonious when she uses the example of ordering at a drive-through as her ideal vision for how the evening should go.

Makes me a bit paranoid but does genuinely seem to be what makes her happy in our case.

henfredemars ,

I’m guessing the sign is not included.

henfredemars , (edited)

Ah yes, the nuclear solution. Very reasonable.

With that said, we only have one side of the story.

henfredemars ,

Oh, I am in an engineering field. I guess that makes me an exception to the chart.

henfredemars , (edited)

Reminds me of my core engineering classes. Oh, you got half the points? Quite a success!

henfredemars ,

Is that even legal? How far could this go? Could I overnight a pallet of bricks? I don’t think I need to provide a return address.

henfredemars ,

Ah but then they know who mailed it.

henfredemars ,

Right. Signing off for the day. That will do.

Microsoft starts bundling Windows 11 with its 'PC optimizer' app in some regions (www.neowin.net)

PC optimizers are not a new concept, and they have been around for quite a while. Nowadays, many consider them unnecessary, but having an official program made by Microsoft that is capable of (allegedly) speeding up your PC may sound quite appealing....

henfredemars , (edited)

Cool idea MS. If only you had access to the OS itself to prevent it from gradually slowing down and littering the system with junk. Since we can't fix Windows (Only the maker of Windows can do that!), let's make a dedicated band-aid app to fix Windows.

Maybe whoever is working on Windows will get the message and fix those problems that your tool was built to fix.

Funny thing that my Android phone and Linux desktop don't need antivirus, don't accumulate junk in registries or system folders, and don't require dedicated optimization tools.

henfredemars ,

To remove all the crap from your OS, first install the crap, then install more crap to remove the crap that you installed. Except it doesn't actually remove it, it just becomes part of the crap mass that users never wanted in the first place.

henfredemars ,

I see it more as a distribution problem. It’s unrealistic to expect users to download software and verify that the sources are trustworthy. Having some kind of store with developer accountability goes a long way to preventing malware. That, and sandboxing.

It’s always possible to write malware for any platform. It’s not entirely a fair comparison.

henfredemars ,

Microsoft tries to offer one, but there’s not a lot of incentive for developers to use it.

henfredemars ,

Forever in our hearts. Paragon of a time when the Internet had fewer walled corporate gardens and more power to its users.

henfredemars ,

You’re in for a scare. I personally find those dinosaurs terrifying.

henfredemars ,

Capitalism is fundamentally, ideologically opposed to a good quality of life for virtually all human beings.

henfredemars ,

That’s just the thing. It’s bad for the sociopaths also because we’re feeding into their delusions. Their hoarding is also an illness.

Even if we argue that the sociopaths benefit, billionaires are a vanishingly small slice of humanity.

henfredemars ,

I’m open to learning. How does capitalism avoid the infinite concentration of wealth into the hands of one eventually?

henfredemars ,

I appreciate the thoughtful and intelligent response.

I will not move the goalposts and change 1 to some arbitrary small number. I will instead ask how do we prevent capitalism from concentrating wealth so much that, like a black hole, it overcomes degeneracy pressure and collapses, changing its own rules to benefit those at the very top and prevent the possibility of actual competition? This is the bastardization that we have today in the USA, and to me, this seems like the inevitable conclusion. It tends to concentrate wealth and power and to not be capitalism anymore. This extreme consolidation eventually warps its own mechanisms, becoming not very different from top-down, planned economy -- just a badly-designed, ad-hoc, self-serving one.

The reality is that economic systems aren't black and white. I don't think we have true unregulated capitalism anywhere, and you admit there are areas (like healthcare) where capitalism is truly stupid or easily reaches critical mass to prevent competition (like oil).

henfredemars ,

Indeed. I like the idea of capitalism, but it rapidly becomes something else, something more sinister and harmful to all. It doesn't just stay capitalism. It concentrates wealth and then the wealth makes the bottom fall out.

henfredemars ,

I wonder if the lack of such cable is related to the high Internet prices there.
