@tal@lemmy.today avatar

tal

@tal@lemmy.today


tal ,

I mean, if the Threadiverse has enough volume to be useful, someone -- probably many people -- are going to be logging and training things off it too.

tal ,

I can believe that it won't happen in 2024.

I am pretty confident that in the long run, pretty much everyone is gonna wind up there, though. Like, part of the time spent searching is identifying information on the page and combining from multiple sources. Having the computer do that is gonna be faster than a human.

There are gonna be problems, like attributability of the original source, poisoning AIs via getting malicious information into their training data, citing the material yourself, and so forth. But I don't think that those are gonna be insurmountable.

It's actually kind of interesting how much using something like an LLM looks like Project Babel in the cyberpunk novel Snow Crash. The AI there was very explicit that it didn't have reasoning capability, could just take natural-language queries, find information, combine it, and produce a human-format answer. But it couldn't make judgement calls or do independent reasoning, and regularly rejected queries that required that.

Though that was intended as an academic tool, not something for the masses, and it was excellent at citing sources, which the existing LLM-based systems are awful at.

tal , (edited )

but LLMs, a very specific and especially inscrutable class of AI which has been designed for "sounding convincing", without care for correctness or truthfulness.

I think that I'd put it in a slightly less-loaded way, and say that an LLM just produces content that has similar properties to its training content.

The problem is real. Frankly, while I think that there are a lot of things that existing LLM systems are surprisingly good at, I am not at all sure that replacing search engines will be it (though I am confident that in the long run, some form of AI system will be).

What you can't do with systems like the ones today is to take one data source and another data source that have conflicting information and then have the LLM-using AI create a "deep understanding" of each and then evaluate which is more-likely truthful in the context of other things that have been accepted as true. Humans do something like that (and the human approach isn't infallible either, though I'd call it a lot more capable).

But that doesn't mean that you can't use heuristics for estimating the accuracy of data and that might be enough to solve a lot of problems. Like, I might decide that 4Chan should maybe have less-weight as a solution, or text that ranks highly on a "sarcastic" sentiment analysis program should have less weight. And I can train the AI to learn such weightings based on human scoring of the text that it generates.

Also, I'm pretty sure that an LLM-based system could attach a "confidence rating" to text it outputs, and that might also solve a lot of issues.

tal , (edited )

That can be used as a heuristic, and that may be good-enough to disrupt widespread use of VPN protocols.

But it's going to be hard to create an ironclad mechanism against steganographic methods, because any protocol that contains random data or data that can't be externally validated can be used as a VPN tunnel.

I can create "VPN over FTP", where I have a piece of software that takes in a binary stream and generates a comma-separated-value file that looks something like this:

employee,id,position
John Smith,54891,Recruiter
Anne Johnson,93712,Receptionist

etc.

Then at the other end, I convert back.

So I have an FTP connection that's transmitting a file that looks like this.

That's human-readable, but the problem is that it's hard to identify that maybe all of those fields are actually encoding data which might well be an encrypted VPN connection.

You can do traffic analysis, look for bursty traffic, but the problem is that as long as the VPN user is willing to blow bandwidth on it, that's easy to counter by just filling in the gaps with padding data.

You can maybe detect one format, but I'd wager that it's not that hard to (a) produce these manually with a lot less effort than it is to detect new ones, and (b) probably to automatically train one that can "learn" to generate similar-looking data by just being fed a bunch of files to emulate.

A censor can definitely raise the bar to do a VPN. They don't need a 100% solution. And they can augment automated, firewall blocks with severe legal penalties aimed at people who go out of their way to bypass blocks. They can reduce the reliability of VPNs, make it hard to pay for VPN service, and increase the bandwidth requirements or latency of VPNs.

But on the flip side, steganography is going to be probably impossible to fully counter if one intends to blacklist rather than whitelist traffic. And if you whitelist traffic, you give up the benefits of full access to the Internet. Some countries have chosen to do that -- North Korea, for example. But that is a very costly trade to make.

EDIT: Probably an even-more-obnoxious "host file" for steganographic data would be a file format that intrinsically encrypts data, like a password-protected ZIP file. For protocols protected by X.509 certificates, like TLS, China can mandate that everyone trust a CA that they run so that they can conduct man-in-the-middle attacks on connections. But ZIP doesn't do that -- it only uses a password. Users cannot trivially backdoor their ZIP encryption so as to let the Great Firewall see inside. So if someone starts using an encrypted ZIP file format to use as an encrypted VPN tunnel, China would be looking at blocking transfers of encrypted ZIP files. And there's gonna be less bandwidth overhead to an encrypted ZIP file in terms of encoding than my above CSV file.

And even if China, after a long, arduous effort, transitions people off encrypted ZIP, all one needs is a new file format in use that uses encryption.
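As an added example (this is not code from the comment above, just an illustration of the idea), here is a toy version of the "VPN over FTP" carrier in Python. It packs an arbitrary byte stream into rows of the employee,id,position shape shown in the comment and recovers it at the other end. The name tables, the 50000..50255 id range and the two-bytes-per-row layout are my own choices and both ends must share them; the position column carries no data and is filled from a seeded RNG so the cover looks varied. The min_rows parameter implements the padding countermeasure mentioned above: filler rows are appended and the decoder ignores them because the payload length travels in the first row.

```python
"""Toy 'VPN over FTP' carrier: hides arbitrary bytes in an innocuous-looking
employee CSV and recovers them. Added example, not from the original comment."""
import csv
import io
import random
import struct

# Shared codebook (assumed): 16 first and 16 last names give one byte per name.
FIRST = ["John", "Anne", "Mark", "Lisa", "Paul", "Sara", "Omar", "Mei",
         "Luis", "Nina", "Ivan", "Rosa", "Kwame", "Elena", "Raj", "Tom"]
LAST = ["Smith", "Johnson", "Lee", "Garcia", "Brown", "Khan", "Silva", "Chen",
        "Novak", "Okafor", "Meyer", "Rossi", "Tanaka", "Dubois", "Patel", "Cohen"]
POSITIONS = ["Recruiter", "Receptionist", "Analyst", "Engineer", "Accountant", "Manager"]

HEADER = ("employee", "id", "position")
ID_BASE = 50000          # id column carries one byte as ID_BASE + byte
BYTES_PER_ROW = 2


def _row(b0, b1, rng):
    """One CSV row carrying two payload bytes; the position is cover only."""
    name = f"{FIRST[b0 >> 4]} {LAST[b0 & 0x0F]}"
    return (name, str(ID_BASE + b1), rng.choice(POSITIONS))


def encode(payload: bytes, min_rows: int = 0, seed: int = 0) -> str:
    """Return CSV text carrying payload, padded with filler rows to min_rows."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for 16-bit length header")
    rng = random.Random(seed)  # deterministic cover choices for reproducibility
    body = struct.pack(">H", len(payload)) + payload   # length header first
    if len(body) % BYTES_PER_ROW:
        body += b"\x00"                                 # pad to whole rows
    rows = [_row(body[i], body[i + 1], rng) for i in range(0, len(body), BYTES_PER_ROW)]
    while len(rows) < min_rows:                         # traffic-shaping padding
        rows.append(_row(rng.randrange(256), rng.randrange(256), rng))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(rows)
    return out.getvalue()


def decode(text: str) -> bytes:
    """Recover the payload from carrier CSV text produced by encode()."""
    reader = csv.reader(io.StringIO(text))
    if tuple(next(reader)) != HEADER:
        raise ValueError("not a carrier file")
    buf = bytearray()
    for name, emp_id, _position in reader:
        first, last = name.split(" ", 1)
        b0 = (FIRST.index(first) << 4) | LAST.index(last)
        b1 = int(emp_id) - ID_BASE
        if not 0 <= b1 <= 255:
            raise ValueError("id column outside carrier range")
        buf += bytes((b0, b1))
    (length,) = struct.unpack(">H", buf[:2])
    return bytes(buf[2:2 + length])


if __name__ == "__main__":
    carrier = encode(b"GET / HTTP/1.1\r\n", min_rows=8)
    print(carrier)
    print(decode(carrier))
```

The tell here is exactly the kind a censor's classifier would learn: sixteen recurring surnames and ids clustered in one range. A serious implementation would spread values across natural-looking distributions and, as the comment notes, could be trained on real files to do so; the round-trip structure stays the same.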

tal ,

In light of the announcement of Mastodon’s US-based 501c3 Non-Profit, and the reveal of that organization’s board members, there has been backlash from members of the Mastodon community. Some people are even saying that this is the last straw, it’s time for a hard fork of the project!

I feel like there's context missing. What's the objection to the board of the nonprofit?

https://wedistribute.org/2024/04/mastodon-us-nonprofit/

The announcement also establishes an interesting board of directors: Esra’a Al Shafei of Majal.org, Karien Bezuidenhout from The Shuttleworth Foundation, Amir Ghavi of Fried Frank, Felix Hlatky of SOLARYS, and former Twitter cofounder Biz Stone.

There are two links in the article to content that talks about forking, but it's from people who seem to be arguing about the dev team, not the board of a nonprofit set up to handle contributions.

tal , (edited )

https://shop.mntre.com/products/mnt-reform

The CPU features 8 cores: 4x fast Cortex-A76 and 4x efficient Cortex-A55.

Yes.

I think arm architecture are only going to become more prevalent with the success of the M line macs

I dunno. They have a long battery life (though somebody that is just having a large battery in the laptop). But...

This comes running Debian. If you're just running open-source software, like stuff out of a Linux distro, then you can use Debian's ARM build of everything. But if you're gonna run Steam on it, then you're gonna be running x86 code, and that emulation is gonna cut into battery lifetime.

EDIT: Cool, the trackpad is modular, and they even have a trackball option with mechanical buttons. Haven't seen those in ages.

EDIT2: Oh, that's also hot -- they just use standard 18650 batteries. You can just pick up more off Amazon or whatever and replace 'em.

8x owner-serviceable 18650 cells totalling 12 Ah/3.2 V. 5 h approximate battery life

Not huge battery capacity in total, but they say that the hardware is open-source. I wonder if there's some mod to stick more cells in somehow and clue the battery controller into the fact?

EDIT3: Oh, that's cool as hell. The firmware has its own little tiny display right above the keyboard independent of the main display. I'm kind of surprised that no other laptop manufacturer I've seen has thought of doing that.

EDIT4: Hah, awesome. It defaults to having swapcaps (caps lock and control swapped). I have to go through and do this on every computer that I buy.

EDIT5: The reviewer says that he likes their keyboard more than anything else he's used on a laptop -- they made the thing thick, so they've got space for it. goes looking Apparently they not only tell you the mechanical keyswitch type on the store page (Kailh Choc) but give you a choice of either of keyswitches (Brown or White). I'm not familiar with Kailh. Looking at Kailh's store, it looks like the whites are clicky, and the browns quieter -- looks like they have color conventions that follow Cherry's conventions.

EDIT6: Yeah, the reviewer liked mechanical buttons, but not the trackball. I wish they could put a Synaptics trackpad on there, but it sounds like they're only using open hardware, which might constrain them.

EDIT7: Hah, the reviewer swapped in his own Pi compute module, so I guess it's compatible with the Pis. listens further Yeah, the reviewer says that it should be possible to stick in a future Raspberry Pi 5 compute module.

tal , (edited )

Messing with 18650s is rather risky, I’m not sure if exposing them as individual cells is a good idea.

I mean, there are plenty of devices with them out there. !flashlight seems to only really be interested in lithium-battery-driven flashlights. I don't think that an 18650 is intrinsically unsafe.

My understanding is that you can get (slightly cheaper) unregulated cells, but that normally, for end users, one uses regulated cells. The electronics on each cell aren't smart enough to do things like measure and report charged capacity, but they should be adequate to avoid fires if the battery is shorted.

And there's no standard for a "smarter" battery pack that would do things like report more information.

The native code of the game will be running translated, but the expensive calls to 3D engines and such will all be caught and replaced by native ARM libraries.

Yeah, that's true -- some games are going to be GPU-constrained, and the instruction set isn't gonna be a factor there.

A significant chunk of what I'm getting at, though, is battery life. Like, my understanding is that Apple's got somewhat-better compute-per-watt-hour ratings on their ARM laptops than x86 laptops do. But having that is contingent on one running native ARM software, not running emulated x86 software. Apple can say "we're just gonna break compatibility", and put down enormous pressure on app vendors to do so because they own the whole ecosystem. They have done multiple instruction set switches across architectures (680x0 to PowerPC to x86 to ARM) and that ability to force switches is something that they clearly feel is important to leverage.

For people who are only gonna run open-source Linux software -- and this thing is shipping with Debian, which has a native ARM distribution -- then it is possible that you can do this, because for open-source software, you can recompile against a new target architecture.

But Windows can't do this, because there's a huge amount of binary software that will never be retargeted for ARM. You're going to be burning up your battery life in translation overhead. And you can't do it with Linux if you want to run binary-only software -- often Windows software -- which is what Steam distributes. That library of software is just never gonna be translated; some of it probably doesn't even have the source around anywhere. I don't even know if Steam in 2024 has a native way to distribute ARM binaries (though I assume that one could have the game handle the target and running appropriate code).

tal ,

I don’t know about M4, but with the M3 Apple’s compute-per-watt was already behind some AMD and Intel chips (if you buy hardware from the same business segment, no budget i3 is beating a Macbook any time soon). The problem with AMD and Intel is that they deliver better performance, at the cost of a higher minimum power draw. Apple’s chips can go down to something ridiculous like 1W power consumption, while the competition is at a multiple of that unless you put the chips to sleep. When it comes to amd64 software, their chips are fast enough for most use cases, but they’re nowhere close to native.

Oh, that's interesting, thanks. I may be a year or two out-of-date. I believe I was looking at M2 hardware.

HDD spins but OS doesnt see mountable disk

The primary OS for this disk was Unraid. It's formatted in BTRFS. I don't think either of those matter. The disk spins and worked before the reboot. But now, no matter what machine, port or cable I use, it's not mountable. Is there anything I can try? I was going to attempt Spinrite on it, however it doesn't see anything either....

tal , (edited )

If you have a Linux machine, look in /sys/class/block and see if it shows up there. That'll give you a list of devices at the block device level. There should be an entry there, regardless of what you've done with partitioning or filesystems on those partitions.

If it doesn't show up there, the drive is probably having trouble at a hardware level. There are various tactics that people have tried to get a rotational drive functioning, like different temperatures, having the drive in different orientations, etc. Those might work, but if the drive is having physical problems, it might also continue to degrade.

If that's the case, your best bet, if the information is sufficiently worthwhile to you, is probably to send the drive to a data recovery company. What they'll do is use a drive with the same hardware, and in a clean room, swap the platters, and as long as it's still functional, they can image the drive at that point. IIRC you're talking something in the neighborhood of $500, though I've never needed to do this myself (backups!).

If it does show up, then you can look at whether you're getting kernel log errors when attempting to read from the drive (journalctl -k -b). If so, it might be recoverable, at least in part.

If there aren't any errors, then whatever your issue is might only be in terms of the data on the drive. My first step -- knowing nothing about how Unraid sets things up -- would probably be to look at the partition table on the drive (sudo parted <drive-device-name>). You can manually mount a partition with (mount <partition-name> <mount-point>).

EDIT: Oh, one last note. You might try swapping the cable before throwing in the towel, if you haven't already. While I doubt that this is it, and I don't think I've ever had a problem with a hard drive, a few times in my life, I've run into puzzling problems where a device isn't visible that came down to a faulty data cable. Can't hurt to try, at any rate.
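An added example (not from the comment above) that scripts its first two checks in Python: enumerate /sys/class/block to see whether the kernel has a block device at all, then scan the output of journalctl -k -b for the error signatures a failing rotational drive typically leaves. The SAMPLE_KLOG lines are constructed for illustration, not captured from a real machine, and the regex set is a starting point rather than an exhaustive list.

```python
"""Block-device visibility and kernel-log triage for a disk that spins but
will not mount. Added example, not from the original comment."""
import os
import re
import subprocess

SYS_BLOCK = "/sys/class/block"
SECTOR = 512   # /sys reports 'size' in 512-byte units regardless of physical sector size

# Constructed kernel-log lines of the kind `journalctl -k -b` shows for a
# SATA drive with media problems (illustrative only).
SAMPLE_KLOG = """\
[  12.3] ata3.00: exception Emask 0x0 SAct 0x1 SErr 0x0 action 0x0
[  12.3] ata3.00: failed command: READ FPDMA QUEUED
[  12.3] sd 2:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[  12.3] blk_update_request: I/O error, dev sdb, sector 2048 op 0x0:(READ)
[  12.4] sd 2:0:0:0: [sdb] Attached SCSI disk
[  15.0] ata3: link is slow to respond, please be patient (ready=0)
[  15.1] ata3: hard resetting link
"""

# (pattern, label); group(1) is the device or ATA port the line is about.
ERROR_PATTERNS = [
    (re.compile(r"I/O error, dev (\w+), sector (\d+)"), "io_error"),
    (re.compile(r"ata(\d+)(?:\.\d+)?: failed command"), "ata_failed_command"),
    (re.compile(r"ata(\d+): hard resetting link"), "link_reset"),
    (re.compile(r"\[(\w+)\] tag#\d+ FAILED"), "scsi_failed"),
]


def list_block_devices(root=SYS_BLOCK):
    """Every block device the kernel knows about, with size and whether it is a partition."""
    try:
        names = sorted(os.listdir(root))
    except OSError:
        return []            # not Linux, or sysfs not mounted
    devices = []
    for name in names:
        try:
            with open(os.path.join(root, name, "size")) as f:
                sectors = int(f.read().strip())
        except (OSError, ValueError):
            continue
        devices.append({
            "name": name,
            "bytes": sectors * SECTOR,
            "partition": os.path.exists(os.path.join(root, name, "partition")),
        })
    return devices


def scan_kernel_log(text, device=None):
    """Return error findings from kernel-log text, optionally only lines naming `device`."""
    findings = []
    for line in text.splitlines():
        for pattern, kind in ERROR_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"kind": kind, "match": m.group(1), "line": line.strip()})
    if device:
        findings = [f for f in findings if device in f["line"]]
    return findings


def current_kernel_log():
    """Kernel messages for this boot; needs journald and usually root or the systemd-journal group."""
    result = subprocess.run(["journalctl", "-k", "-b", "--no-pager"],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for dev in list_block_devices():
        kind = "part" if dev["partition"] else "disk"
        print(f"{dev['name']:8} {kind:4} {dev['bytes'] / 2**30:10.2f} GiB")
    for finding in scan_kernel_log(current_kernel_log()):
        print(f"{finding['kind']:20} {finding['line']}")
```

If the disk is absent from the first list, no amount of filesystem work will help and the hardware is the problem; if it is present but the second list shows I/O errors or link resets against it, image what you can (ddrescue is the usual tool) before trying anything that writes.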

tal , (edited )

Okay, it looks like you posted this prior to me posting my comment above. I'm not familiar with this graphical utility, but I'm assuming that it means that your disk is visible (like, if you run ls /dev/sda, you see your disk).

So what you've probably got is a functioning hard drive, with a functioning partition table, and on the first partition (/dev/sda1), a LUKS layer.

I haven't used LUKS, but it's a block-level encryption layer for Linux. It'll have some command to expose an unencrypted layer, and you can mount that.

Let's try walking through this in a terminal.

From https://superuser.com/questions/1702871/how-to-do-cryptsetup-luksopen-and-mount-in-a-single-command, it looks like the way this works is that one runs:

$ sudo cryptsetup luksOpen <encrypted-device-name> <unencrypted-block-device-name>

Your encrypted partition name is presently at /dev/sda1. So try running:

$ sudo cryptsetup luksOpen /dev/sda1 my-unencrypted

That should prompt you for a password. If it can decrypt it, it looks like it creates a block device at /dev/mapper/my-unencrypted.

You can then create a directory to use as a mountpoint:

 $ sudo mkdir -p /mnt/my-mount-point

And try mounting it (assuming that it's just a filesystem):

$ sudo mount /dev/mapper/my-unencrypted /mnt/my-mount-point
tal ,

considers

I think that the mount(1) command is probably calling the mount(2) system call, and it's returning ENOENT, error 2. The mount(2) man page says "ENOENT A pathname was empty or had a nonexistent component.".

Hmm. So, I expect from the cyan color there that that "luks-d8..." thing is a symlink that points at some device file that LUKS creates when that luksOpen command runs.

Maybe ls -l /dev/mapper/luks-d8... and see what it points at and whether that exists as a first step? It's probably gonna be some device file somewhere in /dev.
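An added example, not from either comment above, that performs the luksOpen and mount sequence from the earlier comment and first classifies the /dev/mapper node, so the ENOENT case discussed here is reported as a dangling symlink rather than left as a bare mount(2) error. The device path, mapping name and mount point passed to open_and_mount are placeholders; cryptsetup will prompt for the passphrase on the terminal, and the whole thing has to run as root. The filesystem callables on diagnose_mapper_path default to the real os functions and are injectable only so the logic can be exercised without a LUKS device.

```python
"""Open a LUKS container and mount it, checking the /dev/mapper node first so a
mount(2) ENOENT gets explained. Added example, not from the original comments."""
import os
import subprocess


def diagnose_mapper_path(path, *, lexists=os.path.lexists, islink=os.path.islink,
                         readlink=os.readlink, exists=os.path.exists):
    """Classify a /dev/mapper entry as missing, dangling (symlink to nothing) or ok."""
    if not lexists(path):
        return {"status": "missing", "path": path,
                "hint": "mapping not created; run cryptsetup luksOpen first"}
    if islink(path):
        target = readlink(path)
        if not os.path.isabs(target):       # udev links are usually relative, e.g. ../dm-0
            target = os.path.join(os.path.dirname(path), target)
        target = os.path.normpath(target)
        if not exists(target):
            return {"status": "dangling", "path": path, "target": target,
                    "hint": "symlink target is gone; mount(2) will fail with ENOENT"}
        return {"status": "ok", "path": path, "target": target}
    return {"status": "ok", "path": path, "target": path}


def run(cmd):
    """Run a command, raising with its stderr on failure."""
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError(f"{' '.join(cmd)} failed ({result.returncode}): {result.stderr.strip()}")
    return result.stdout


def open_and_mount(encrypted_dev, mapping, mount_point):
    """luksOpen encrypted_dev as /dev/mapper/<mapping> (if not already) and mount it."""
    mapper = f"/dev/mapper/{mapping}"
    if diagnose_mapper_path(mapper)["status"] == "missing":
        run(["cryptsetup", "luksOpen", encrypted_dev, mapping])   # prompts for passphrase on the tty
    diag = diagnose_mapper_path(mapper)
    if diag["status"] != "ok":
        raise RuntimeError(f"{mapper}: {diag['status']}: {diag['hint']}")
    os.makedirs(mount_point, exist_ok=True)
    run(["mount", diag["target"], mount_point])
    return diag["target"]


if __name__ == "__main__":
    # Placeholders: adjust to the real partition, a mapping name and a mount point.
    print(open_and_mount("/dev/sda1", "my-unencrypted", "/mnt/my-mount-point"))
```

Mounting the resolved target rather than the /dev/mapper name sidesteps a stale symlink, but a stale link usually means the mapping was torn down (cryptsetup luksClose, or a reboot), in which case the right fix is to run luksOpen again rather than to mount whatever /dev/dm-N now points at.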

tal ,

I'd say that in my experience, retro games or games with a retro design philosophy tend to be more enjoyable and replayable.

I don't like chiptune music, where music is designed to sound like it's being played on an old console's frequency synthesizer.

I think that there are some good arguments for low-resolution pixel art in terms of reducing asset cost while still having a playable game -- the brain is good at filling details in. But I don't think that that applies to music, don't think that there are good cost trade-offs.

And while I don't have a problem with low-resolution pixel art graphics, I do have to say that for some of the successful games that I've played with it, I'd really like to be able to buy an HD graphics pack. I'm kind of surprised by how infrequently it is that I've seen game devs do that. Cave Story did it. I'd like to see some games like Caves of Qud have HD DLC.

tal ,

As a person with no horse in the grinder, why is requiring ID a good thing in England/EU, but bad in the USA?

There is no national ID in the UK

True, but it also isn't really answering the parent comment's question, as there is also no national ID in the US.

tal , (edited )

Did you only read the middle paragraph?

I read that. I also read the first sentence in the parent's question. He was asking why there was a difference between the US and the UK.

The comment I responded to was saying that not everyone does see it as a good thing, but that doesn't mean that the fact that there is no national ID explains a difference.

tal ,

The open source version (released next week) will also allow (toggleable on or off) NSFW content, which is not possible in the Google Play version.

Huh.

Is that due to some sort of Google Play Store restriction?

googles

Apparently so.

https://www.androidauthority.com/best-porn-games-android-nsfw-781438/

Please note this is NSFW. Additionally, the Google Play Store doesn’t allow these types of games as a matter of policy. All of our recommendations are sources for downloading third-party games. You’ll have to sideload most of these, so make sure to check out our guide on installing third-party apps that aren’t on the Google Play Store.

I'm kind of surprised that there isn't some alternate app repo that people have converged on that permits it, just be an F-Droid alternate repo or something.

thinks

Maybe you need to be in the Google Play Store to use Google Play Services and that's required for DRM or something like that. That'd discourage commercial vendors.

tal ,

I have no idea what that GUI thing is you're using to do the mount, but I note that the CLI and the GUI are not using the same mountpoint. Is it possibly the case that the directory /mnt/storage2 exists but /run/media/void/2TB does not?

tal ,

Also, someone may want a snapshot of Wikipedia, but not need to run a full copy -- like, they don't need article history and such. You can get that too.

http://xowa.org/

https://en.wikipedia.org/wiki/Kiwix

Note that I suspect you actually want the third one, in which case I suggest you avoid MediaWiki. Not because it's bad, but because it's almost certainly overkill for your use-case and there's way simpler, easier-to-setup-and-maintain systems with fewer moving parts out there.

I kind of regret that, because I don't like the proliferation of wiki syntaxes. Like, I'd rather have just one syntax that everyone could learn.

tal ,

I mean, okay. But it's not really the ESA's responsibility to archive art and cultural works for posterity. They're going to care about whether it's going to affect their bottom line and if the answer is "yes", then they probably aren't going to support it. Why ask them?

There was a point in time in the US when a work was only protected by copyright if one deposited such a work with the Library of Congress. That might be excessive, but it could theoretically be done with video games. Maybe only ones that sell more than N copies.

https://en.wikipedia.org/wiki/Legal_deposit

Legal deposit is a legal requirement that a person or group submit copies of their publications to a repository, usually a library. The number of copies required varies from country to country. Typically, the national library is the primary repository of these copies. In some countries there is also a legal deposit requirement placed on the government, and it is required to send copies of documents to publicly accessible libraries.

tal ,

It's still circular. The ESA doesn't run the Library of Congress. They can argue that the LoC shouldn't do that, but they don't have decision-making authority in that.

tal ,

I'm just curious why a new designation hasn't sprouted up for one or the other to make things less confusing.

There is for one of them: you mentioned it.

https://en.wikipedia.org/wiki/Soulslike

Soulslike (also spelled Souls-like) is a subgenre of action role-playing games known for high levels of difficulty and emphasis on environmental storytelling, typically in a dark fantasy setting. It had its origin in Demon's Souls and the Dark Souls series by FromSoftware, the themes and mechanics of which directly inspired several other games. Soulslike games developed by FromSoftware themselves have been specifically referred to as Soulsborne games, a portmanteau of Souls and Bloodborne.

Apple pulls WhatsApp, Threads and Signal from app store in China ( www.washingtonpost.com )

Apple has complied with the Chinese government's request to remove several popular communication apps from its app store, including WhatsApp, Threads, Signal, and Telegram, due to national security concerns. This action was taken following a directive from the Cyberspace Administration of China. These apps have been crucial for...

tal , (edited )

I'm guessing that the US is gonna do the TikTok ban too, then.

https://en.wikipedia.org/wiki/Splinternet

The splinternet (also referred to as cyber-balkanization or internet balkanization) is a characterization of the Internet as splintering and dividing due to various factors, such as technology, commerce, politics, nationalism, religion, and divergent national interests. "Powerful forces are threatening to balkanise it", wrote the Economist weekly in 2010, arguing it could soon splinter along geographic and commercial boundaries. 

tal ,

As best I can tell, on Android, while there is scheduling, there isn't a way to trivially say "enter do-not-disturb mode for the next N minutes/hours on a one-off basis", which is normally what I want. I don't want to set up a schedule; I just want to silence the thing without having to worry about forgetting to re-enable the mode. It seems like an odd omission.

tal ,

Hmm. Thanks. Mine (Android 14, OnePlus) doesn't appear to provide that, though holding DnD does take me to the schedule settings.

tal , (edited )

I think that SSH, hidden or no, is fine. It's intended to be Internet-facing and secure.

All that being said, we did just infamously have the Jia Tan/xz attack, an attempt to stick a backdoor spanning many Linux distros.

Also, I would treat the public hostname like any other secret, as only I need access to it.

If you're worried about someone malicious having access to your network connection, ssh is going to do a DNS lookup to map the hostname to an IP for the client.

Other than setting up secure configs for SSH and Tor themselves, is it worth doing other hardening like running Wireguard over Tor? I know that extra layers of security can’t hurt, but I want this backup connection to be as reliable as possible so I want to avoid unneeded complexity.

If you're going to be running multiple layers of software, keep in mind that compromising the outer layer -- whether it's a port-knocking system, a VPN like Wireguard, some sort of intrusion detection system that inspects packets prior to them hitting the rest of the system, etc -- can be equivalent to compromising the inner. And attackers have aimed to exploit things like buffer overflows in IDSes before -- this is a real thing. So if, for example, there is a Wireguard exploit, it may permit the same sort of compromise that a compromise of sshd does if gaining control of the Wireguard software is as severe as gaining control of the sshd software. So if you're wanting to add another layer and your goal is that compromise of the first layer still leaves another layer to get through, you may want to structure things such that compromise of the VPN software doesn't compromise anything further.

tal , (edited )

using a non-standard port

It's really not that hard to find SSH servers running on a non-standard port.

nmap or a similar port-scanning software package can find ports listening for TCP connections. There are software packages -- don't recall names off-the-cuff, but I'm sure that you could go dig one up -- that connect to ports and then aim to identify the protocol from a fingerprint out of a database that they have. The SSH protocol has a very readily-identifiable fingerprint, don't even need specialized software.

Let me just bounce to a machine as an example:

$ telnet tals-host.tals-domain.com 22
Trying tals-IP...
Connected to tals-host.tals-domain.com
Escape character is '^]'.
SSH-2.0-OpenSSH_9.6p1 Debian-4
^]
telnet> q
Connection closed.
$

That being said, I don't disagree with your broader point that I wouldn't personally bother with trying to add more layers on top of ssh, as long as you're keeping current on updates.
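An added example, not from the comment above, that does programmatically what the telnet session shows: connect to candidate ports, read the identification string an SSH server sends before the client says anything (RFC 4253, section 4.2, the "SSH-protoversion-softwareversion SP comments" line), and parse it. parse_ssh_banner and identify_from_text work offline on captured text; grab_banner and find_ssh actually open connections, and the host and port list in the main block are placeholders.

```python
"""Spot SSH listeners on arbitrary ports from the server's own identification
string. Added example, not from the original comment."""
import re
import socket

# RFC 4253 s4.2: SSH-protoversion-softwareversion SP comments CR LF
BANNER_RE = re.compile(r"^SSH-(\d\.\d+)-(\S+)(?: (.*))?$")


def parse_ssh_banner(line):
    """Return (protoversion, softwareversion, comments) for one line, or None if not SSH."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3) or ""


def identify_from_text(text):
    """First SSH identification line in text, if any. Servers may send other
    lines first, so every complete line is checked."""
    for line in text.splitlines():
        parsed = parse_ssh_banner(line)
        if parsed:
            return parsed
    return None


def grab_banner(host, port, timeout=3.0, limit=4096):
    """Connect and read until a complete line starting with SSH- arrives, the
    peer closes, or `limit` bytes have been read. Sends nothing."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        while len(data) < limit:
            chunk = s.recv(512)
            if not chunk:
                break
            data += chunk
            complete = data.split(b"\n")[:-1]
            if any(line.startswith(b"SSH-") for line in complete):
                break
    return data.decode("ascii", errors="replace")


def find_ssh(host, ports, timeout=3.0):
    """Map port -> parsed banner for every port on host that speaks SSH."""
    hits = {}
    for port in ports:
        try:
            text = grab_banner(host, port, timeout)
        except OSError:
            continue        # refused, filtered, or silent until the timeout
        parsed = identify_from_text(text)
        if parsed:
            hits[port] = parsed
    return hits


if __name__ == "__main__":
    # Placeholders: a host you are allowed to probe and a handful of common "hidden" ports.
    for port, (proto, software, comments) in find_ssh("tals-host.tals-domain.com",
                                                       [22, 222, 2222, 22022, 8022]).items():
        print(f"{port}: SSH {proto} {software} {comments}".rstrip())
```

Because the server volunteers the string before any client data, this works with nothing but a TCP connect, which is exactly why a non-standard port buys so little: a scanner like nmap with its default version probes, or even the loop above over all 65535 ports, finds the daemon in minutes, and the software version in the banner is what it will use to pick exploits against. Keeping sshd patched matters far more than where it listens.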

tal ,

Yeah, I've had a couple Kobos. If you just want to put arbitrary documents on it to display, they work well.

I think that the problem is, though, that while eInk ebook readers are really good ebook readers, they're a specialized device in a world with a lot of general-purpose portable devices that people are already carrying.

They have extremely long battery life compared to an LCD or OLED display, and they work fine in brightly-lit environments like outside on a sunny day. And even if you want to use them in the dark, they have a soft backlight that can use very little power. And they're really light and thin.

But...I carry a smartphone. And a tablet. And a laptop. Maybe not everyone carries all three, but they probably have at least one of those. And so you gotta ask yourself whether you want a really good ebook reader that's only really good at reading ebooks (and can run a web browser or similar slowly and poorly), or whether you can tolerate using a device that can read ebooks and can also do things like browse the Web and play videos.

I'd only really suggest that someone consider a dedicated ebook reader if they're regularly carrying paper books around with them because they want to use those books outside or the like. I do that and I still don't think I'd get another ebook reader. It just doesn't buy me enough extra functionality.

I often want to use a non-ebook-reader device to refer to the Web or something to look up something related to a book that I'm reading, and if I'm doing that, I'm using a general-purpose device anyway.

By the same token, MP3 players can be really good MP3 players. Like, they can have really long battery lifetime, and be really small, have physical buttons, etc. But very few people carry dedicated MP3 players today, because they already have a general-purpose smartphone with them that can act as an MP3 player...and even if it isn't quite as good as a dedicated hardware device, it's still good enough. They still exist, but there's enough overlap that for most people, they probably aren't worth getting. Same thing for audio recorders. And I think that ebook readers are in that camp too, albeit maybe not to quite the same degree.

tal , (edited )

I'm getting the picture that Debian for the bbb is kind of bare bones, no pun intended. Is that right?

I mean, I wouldn't say that.

Debian has various "sets" of packages that you can install, and you can omit things like a desktop environment if you want. It doesn't have a particularly small package repository.

There are "small" distros out there. OpenWRT targets consumer broadband routers, which have limited memory and storage capacity, for example.

If you want a way to characterize Debian...hmm.

Well, I'd say that they've got more of an ideological free-software bent than most distros, require users to enable non-free repos.

Debian is notable for being, in 2024, the biggest "parent" distro. Most Linux distros are derived from some other distros. Today, there are two particularly large "family trees", Red Hat and Debian, with Debian being at the root of the largest tree.

https://upload.wikimedia.org/wikipedia/commons/1/1b/Linux_Distribution_Timeline.svg

So a large chunk of Linux distros out there take Debian and then modify it in some way to make their own.

It's been around for a very long time, as Linux distros go.

It doesn't have a company running it the way Ubuntu or Red Hat do.

It does major releases of stable about every two years, which is less frequent than most distros I've used, more comparable to, say, Ubuntu Long Term Support releases.

Maybe less of a focus on ease-of-use for new users.

tal ,

I mean, I'd like games to be available, but I don't see archive.org's legal basis for providing it. I mean, the stuff is copyrighted. Lack of commercial availability doesn't change that.

Yeah, some abandonware sites might try to just fly under the radar, and some rightsholders might just not care, might not be much value there. But once you're in a situation where a publisher is fighting a legal battle with you, you're clearly not trying that route.

You can argue that copyright law should be revised. Maybe copyright on video games should be shorter or something. Maybe there should be some provision that if a product isn't offered for sale for longer than a certain period of time, copyright goes away. But I don't think that this is the route to get that done.

tal ,

Cars have cell radios now and transfer data about you using those.

I would imagine that as long as it can generate enough of a return for it to make financial sense, manufacturers of other devices might start doing so at some point.

tal ,

This particular idea probably has technical limitations.

A device can only monitor and analyze and modify what a user is viewing if it's being used as a pass-through device in a daisy chain of devices.

As long as there is any device out there that can take multiple video signals from different inputs, let the user choose which they want to use, they can just not daisy-chain them, have them connected in parallel to different inputs. And even if one could try to get manufacturers colluding on creating a world where daisy-chaining is the only option, they have no incentive to do so on this point -- in doing this, they're trying to steal eyeball time from each other.

Now, that being said, I suppose that device manufacturers may not care, if 95% of users are going to just daisy-chain their devices. If it's only a few privacy nuts out there who are constantly keeping on top of the latest shenanigans and figuring out how to avoid them, if the Roku manual says "daisy chain" and most users just follow the pictures there...shrugs

tal ,
@tal@lemmy.today avatar

Ads have funded a lot of content in the past. I don't mean just in the Internet era, but in the TV era and the radio era and the newspaper era. We're talking centuries.

Unless you're gonna get people to pay for your content, which can create difficulties, attaching it to ads can be a way to pay for that content.

Now, all that being said, that isn't to say that one needs to want to choose ads or needs to want to choose ads in all contexts or can want unlimited ads. I'd generally rather pay for something up front. Let's say that it takes $10 to produce a piece of content. For ads to make sense, it has to make the average user ultimately spend at least $10 more on some advertised product than they otherwise would have, or it wouldn't make sense for the advertiser to give the content creator $10. I'd just as soon spend $10 on the content directly instead and not watch the ads. Ultimately, the average user has to pay at least as much under an ad regime as if they just paid for the content up front, and doesn't have to deal with the overhead of me staring at ads.

But for that to work, the content provider has to be able to actually get people to pay for whatever content they're putting out. If it gets pirated, or people disproportionately weight the cost of that up-front payment, or people are worried about the security of their transaction, or what-have-you, then the content provider is gonna fall back to being paid in ads.

tal , (edited )
@tal@lemmy.today avatar

Looking forward, I'm still more-worried about the fact that state-backed threat actors are targeting open source projects via this social engineering route than the technical issues.

I think that the technical issues that the attacker used can be addressed to at least some degree.

  • If autoconf is a good place to hide stuff, maybe shift away from distributing autoconf-generated files in the source tarball; I don't know all of the problems that come up with that, but I understand that at least some of them were backwards-compatibility-breaking issues across autoconf versions in the past.

  • If maintainers are putting up bogus tarballs that differ from what's in git, have github disallow this, and for projects that are currently doing it, have github figure out how to address their needs otherwise. If this can't be done, at the very least, highlight the differences.

  • The ifunc hooks can probably have some kind of automated auditing added, if they're a favored vector to hide things.

  • If, in a project takeover, attackers try to embargo any reporting of security holes and ask that nobody but them be notified, it'd be possible to have some trusted third-party notified.

  • If threat actors try to inject attacks right before freeze -- I understand that Ubuntu may have been a target -- then apply greater scrutiny to those changes.

  • If distros linking code into sshd with distro patches is exposing sshd to security threats that the opensshd team isn't looking at, disallow that practice in distro policy for some set of security-sensitive projects.

  • Systemd may be too ready to link libraries into things that don't require it.

Maybe it makes sense to have a small number of projects that are considered "security-critical" and then require that they only rely on other projects that are also security-critical. That's not a magic fix, but it maybe tamps down on the damage a supply-chain attack could cause. Still...my suspicion is that if an attacker could get code into something like xz, they could probably ultimately, even with only user-level privileges, figure out ways to escalate to control of a system. I mean, all you need is a user with admin privileges to run something as a user anywhere with their account. Maybe Linux and some other software projects just fundamentally don't have enough isolation. That is, maybe the typical software package should be expected to run in a sandbox, kind of the way smartphone software or video game console software does. That doesn't solve everything, but it at least reduces the attack surface.

But the social side of this is a pain. We don't want to break down the system of trust that lets open-source work well more than is necessary...but clearly, there are people being attacked by people who have a lot of time to spend on putting together tactics to attack them. I'm not sure that your typical open-source maintainer -- health issues or no -- can realistically constantly be on their guard against coordinated social engineering attacks.

The attacker came via a VPN (well, unless they messed up) and had no history. The (probable) sockpuppets also had no history. It might be a good idea to look for people entering open source projects who have no history and are only visible from a VPN...but my guess is that if we rely on reputation more, attackers will just seek to subvert that as well. In this case, they probably committed non-malicious commits for the purpose of building reputation for years. If you're willing to put three years into building reputation on a given project, I imagine that you can do something similar to have an account lying in wait for the next open source project to attack. And realistically, my guess is that if we trust non-VPN machines, a state-backed attacker could get ahold of one...it's maybe more convenient for them to bounce through a VPN. It's not something that they absolutely have to do.

But without some way to help flag potential attackers, it just seems really problematic from a social standpoint. I mean, it's a lot harder to run an open-source project if one is constantly having to think "okay, has this person just spent the past three years just building reputation so that they can go bad on me, along with a supporting host of bogus other accounts?" I'm not sure that it's possible, even for really paranoid people.

tal ,
@tal@lemmy.today avatar

That’s also how the most damaging attacks on proprietary software work.

Yeah, supply chain attacks can happen. There was that infamous SolarWinds supply chain attack recently. But I think that there are some important mitigating factors there.

  • Proprietary software companies -- unless they're using something open-source like xz upstream in their supply chain, as it's not just a "proprietary software world" and "open-source software world" -- tend to have someone's personal information if they're employed by them. They're not gonna hire and pay some random name who they know only as a GitHub account through a VPN, certainly not make them maintainer of their software.

  • Many -- not all -- proprietary software companies mandate that employees work locally. It's likely that if I'm working for a US company, a person is also subject to US law enforcement. In contrast, if you have a state-backed group, they're probably targeting people elsewhere. Whoever the people from the Jia Tan group are, my guess is that it's good odds that they will probably aim to avoid being in a country that they are targeting. Even if we expose their identities, they probably aren't going to be directly-impacted by law enforcement. Open source projects hypothetically could do that, I suppose, but normally they're pretty border-agnostic.

That is, I think that this is going to be especially a challenge for the open-source world, as the attacks are targeting some things that the open-source community is notable for -- border-agnosticism, a relatively-low bar to join a project, and often not a lot of personal identity validation.

At some point all organizations need to trust their members and co-workers need to trust each other - I can’t think of a way to be more miserable at work than having to second guess everyone around you.

Yeah, that's kinda what I was thinking, but you put it more-frankly.

It seems like there's a lot of potential for this to be corrosive to the community.

tal , (edited )
@tal@lemmy.today avatar

desktop

Some of it is that a lot of desktop software paradigms weren't built to operate in that kind of environment, and you can't just break backwards compatibility without enormous costs.

Wayland's been banging on that, but there's a lot to change.

Like, in a traditional desktop environment, the clipboard is designed so that software packages can query its contents, rather than having the contents pushed to it. That lets software snoop on the clipboard.

What's on the screen and a lot of system state like keys that are down and where the mouse pointer is and so forth wasn't treated as information that needed to be kept private from an application.

Access to input hardware like controllers isn't linked to any concept of "focus" or "visibility" in a windowing system. That may-or-may-not matter much for a traditional game controller (well, unless you're using some system where one inputs a password using a controller), but modern ones have things like microphones. Hell, access to microphones and cameras in general on laptops isn't normally restricted on a per-app basis for desktop software. From microphone access alone, you can extract keystrokes.

I don't think that there's a great way to run isolated game-level 3d graphics in a VM unless you're gonna have separate hardware.

Something that I've wondered about is potential vulnerability via Steam. None of the software there is isolated in a "this might be malicious" sense -- not from the rest of the system, not from other software sold via Steam. And Steam is used to distribute free software...I haven't looked into it, but I don't think that the bar to get something into Steam is likely super high. And then consider that there are free-to-play games that have to make money however they can, and some of that is going to be selling data, and some of how they do that may be to just offer to run whatever libraries with their game the highest bidder offers. How secure are those supply chains? And on Steam, most of the software is closed source, which makes inspecting what's going on harder. And that's before we even get to mods and stuff like that, which are from all over the place.

I mean, let's say that random library from ad company used by a free-to-play game is sending up the identity of the user on the computer. It has some functionality that slurps in a payload from the network telling it to grab credentials off the existing system, and does so for ten critical users. Would anyone notice? I have a really hard time believing that there'd be any way to pick up on that. Even if you wanted to, you can't isolate many of these games from the network without breaking their functionality, and there's no mechanism in place today isolating them from the user's storage or other identity information.

I own IL-2 Sturmovik: 1946. It's published and developed out of Russia, and the publisher, 1C, has apparently even been sanctioned as part of general sanctions against Russia. Russia is at war with Ukraine, and we in the US are supplying Ukraine. 1C runs a lot of software on user computers and can push updates to it. If the Russian authorities come knocking on 1C's door and want a change made to some library, keeping in mind 1C's position, are they going to say "no"? Keep in mind that what they say may determine whether the company survives an already-difficult environment, and that they may have no idea the full extent of what the state has going on. Now, okay, sure, probably -- hopefully -- there aren't US military people or defense contractors running IL-2 Sturmovik directly on critical systems. But...let's say that they run it at home. How carefully do they isolate their credentials and home information on that system? Does their home machine ever VPN in to work? Is there personal information -- such as access to personal email accounts -- that could be used for kompromat on such systems?

I've managed to get some Ren'Py software (no 3d requirements, normally limited access to input hardware required, one common codebase for most functionality, can generally use one's local Ren'Py engine running games instead of using the binaries provided, all favorable characteristics for sandbox) running in firejail (and in the process, discovered that one of the games I had was talking to a chat channel...this was described in the source as reporting numbers of users, and the game is a noncommercial effort, but chat channels have been used for commanding botnets before, and even if it's not malicious, if it can do that without attracting attention, I'd very much expect that malicious software could do so). That is about the extent of my attempts to really sandbox games, and even with that very limited and superficial effort, I already ran into something that I'd have some security concerns about. My guess is that there are a lot of holes out there, even if unintentional.

As things stand, Valve and similar app store operators have no incentive to isolate what they distribute, so if they do so, it's out of some kind of general sense of responsibility to users. Users generally don't have the technical expertise to understand what the security implications of Valve's decisions are, so they can't take that into account in purchasing decisions. We could mandate something like strict liability to Valve and other app store vendors or maybe OS vendors in the event of compromise -- that'd probably make them introduce isolation for software that they distribute. But there'd be some real costs to that. It'd make games more expensive. It might make it harder for smaller "app stores" like gog.com, itch.io, or Lutris to operate. I use Debian. Debian doesn't cost anything, and if you put the Debian project in the position where it may be legally liable, they're gonna have to charge for their OS to cover those costs. With charging probably comes DRM. With DRM probably comes restrictions on what one can do with software, which smashes into problems with open-source software. It's definitely a problem.

tal ,
@tal@lemmy.today avatar

If MS would sell me a license to own my computer, I would buy it, but they don’t offer that. Instead it’s ads and spam and data collection. And I want nothing to do with that.

I kind of feel like that about Google's services (to a lesser extent). Like, Google produces some really outstanding services. YouTube is great, and I'd have no problem with paying for it. But I have no idea whether, if I buy YouTube Premium or whatever Google calls it, I can buy privacy or whether it's just going to mean that they can link my data to my financial information and carry on data-mining.

tal ,
@tal@lemmy.today avatar

with no reason to regret removing Windows.

I've been using Linux on my desktop since the 1990s. I'm certainly not opposed to people using Linux on their desktop. But I can definitely think of things, even in 2024, that someone might want Windows for.

  • If you go and buy a piece of hardware from a vendor, even really obscure stuff, there will almost certainly be a Windows driver. These days, Linux support is pretty common, and stuff like USB device classes providing a standard interface for a lot of hardware deals with a lot of that. But if I were getting something weird like, oh, one of those projectors that displays 3D images on mist, I'd be more-cautious. VR headsets are probably one of the more-prominent recent examples. Yeah, you can get a VR headset for Linux, but not all of the VR headsets out there are Linux-compatible.

  • Maybe a more-prominent issue -- while it's rare for hardware to not work, it's more-common for some functionality not to be available. tries to think of an example Okay, here's one. I have a flightstick and throttle from CH from some years back. These are standard ol' USB Human Interface Devices. Their axes and buttons are detected, and I can use them just fine. But they also have a little button on both their throttle and joystick that -- besides acting as a button -- cycles a series of one illuminated LED through three LEDs, green, yellow, red. I believe that it's intended to switch between different "profiles" -- so, like, say you're just flying along, you have one set of controls, but then you enter into combat in some flight system, you can toggle to the "yellow" profile by tapping a button. Whatever software CH ships to handle that on Windows isn't shipped for Linux. Okay, you could probably set something similar up for Linux if you've the time and technical chops, and maybe there's a way to do it for Steam games using Steam Input. But there isn't gonna be software provided to do it out-of-the-box on Linux, whereas there is on Windows.

  • There are still a few pieces of software that you can't run. If you specifically need or really want to run something, that may be a problem. There are very few games on Steam that I can't run, but one happens to be Command: Modern Operations, which suffers from both relying on 3d hardware -- so not being VM-friendly -- and not having anyone manage to get it working. There are other military simulation games, but no real direct alternatives. Now, I can live without that software package, though I sure would like to run it, but there may be users that don't have that kind of flexibility.

  • There's also some software that you can make use of on a machine running Linux, but need to run in a Windows VM. That...works, but is also kind of annoying. A good example might be something like Solidworks, which doesn't support Linux. There are engineers out there who are going to need to use Solidworks to do their work. I understand that you can run it in a VM -- and there's sufficient demand that apparently the company certifies VM environments with a dedicated GPU for pass-through use with the VM but that's kind of annoying, if you're someone whose work revolves around the package.

tal ,
@tal@lemmy.today avatar

we know about the singapore VPN because they connected to IRC on libera chat with it.

Hmm.

I don't know if the VPN provider is willing to provide any information, but I wonder if it's possible to pierce the veil of VPN in at least approximate terms?

If you have a tcpdump of packets coming out of a VPN -- probably not something that anyone has from the Jia Tan group -- you have timings on packets.

The most immediate thing you can do there -- with a nod to Cliff Stoll's own estimate to locate the other end of a connection -- is put at least an upper bound and likely a rough distance that the packets are traveling, by looking at the minimum latency.

But...I bet that you can do more. If you're logging congestion on major Internet arteries, I'd imagine that it shouldn't take too many instances of latency spikes before you have a signature giving the very rough location of someone.

Some other people pointed out that if they used a browser, it may have exposed some information that might have been logged, like encodings.
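The minimum-latency bound described above, as an added example that is not part of the original comment. It assumes a trace of our own probes to the VPN exit (the constructed `SAMPLE_TRACE` below stands in for a tcpdump), pairs each outgoing packet with the next reply, and turns the smallest round-trip time into an upper bound on the fibre distance to the far end. Speed of light in fibre is taken as roughly 200 km per millisecond; every hop's processing delay only makes the true path shorter than the bound.

```shell
#!/bin/sh
# Added example (not from the original post): bound how far away the other end of a
# connection can be, given the minimum round-trip time seen in a packet trace.
set -eu

# Constructed sample trace, one packet per line: "<seconds> <out|in>", where "out" is
# a packet we sent toward the VPN exit and "in" is the reply that came back.
SAMPLE_TRACE='0.000 out
0.091 in
1.000 out
1.084 in
2.000 out
2.230 in'

# Pair each outgoing packet with the next incoming one and print the smallest RTT in
# seconds. Queueing only ever adds delay, so the minimum is the best estimate of pure
# propagation time; one quiet sample is worth more than many congested ones.
min_rtt_seconds() {
  printf '%s\n' "$1" | awk '
    $2 == "out" { sent = $1; have = 1; next }
    $2 == "in" && have { rtt = $1 - sent; have = 0; if (min == "" || rtt < min) min = rtt }
    END { if (min == "") exit 1; printf "%.3f\n", min }'
}

# Upper bound on the one-way path length in km. Light in fibre covers about 200 km per
# millisecond (200000 km/s, roughly 2/3 of c), and half the RTT is the one-way time.
distance_bound_km() {
  awk -v rtt="$1" 'BEGIN { printf "%.0f\n", (rtt / 2) * 200000 }'
}

rtt=$(min_rtt_seconds "$SAMPLE_TRACE")
printf 'min RTT %s s -> far end is at most %s km of fibre away\n' "$rtt" "$(distance_bound_km "$rtt")"
```

On the sample trace the bound is 8400 km, which rules out a whole hemisphere but says nothing finer; the congestion-signature idea in the comment would be needed to narrow it further.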

How should I do backups?

I have a server running Debian with 24 TB of storage. I would ideally like to back up all of it, though much of it is torrents, so only the ones with low seeders really need backed up. I know about the 321 rule but it sounds like it would be expensive. What do you do for backups? Also if anyone uses tape drives for backups I am...

tal ,
@tal@lemmy.today avatar

Yeah...I've never totally lost my main storage and had to recover from backups. But on a number of occasions, I have been able to recover something that was inadvertently wiped. RAID doesn't provide that.

Also, depending upon the structure of your backup system, if someone compromises your system, they may not be able to compromise your backups.

If you need continuous uptime in the event of a drive failure, RAID is an entirely reasonable thing to have. It's just...not a replacement for backups.

tal ,
@tal@lemmy.today avatar

Synology Nas(12TB raid 1)

I have to say that I was really surprised that apparently there isn't a general solution for gluing together different-sized drives in an array reasonably-efficiently other than Synology's Hybrid RAID. I mean, you can build something that works similarly on a Linux machine, but there apparently isn't an out-of-the-box software package that does that. It seems like the kind of thing that'd be useful, but...shrugs

tal ,
@tal@lemmy.today avatar

"Threadiverse" isn't a reference to Meta's "Threads".

It's referring to the lemmy/kbin/similar portion of the Fediverse, the threaded-forum "Reddit-alikes", as opposed to, say, Mastodon or Funkwhale.

tal ,
@tal@lemmy.today avatar

So, the problem is that:

  • Saying "Fediverse" is too broad, like talking about "the Internet" when one is talking about Reddit.

  • Saying "lemmy" -- currently the most-widely-used software package to do a Threadiverse instance -- is too narrow, and excludes kbin and some other software packages.

  • "Reddit-alike" doesn't seem ideal, as I'd imagine that the Threadiverse will evolve past whatever Reddit has been and already differs in some ways. I'm also not really enthralled in terms of branding the thing in terms of Reddit.

I don't intrinsically feel that "Threadiverse" has to be the term for that, but I do think that there's a need for a term for that. It's the only term I've seen used so far for it.

It does rely on punning on "Fediverse" and sounds similar, which I regret a bit -- I think that it might be nicer if it sounded more different, so that one couldn't perhaps mistake one term for the other. But I'm generally okay with it, myself.

tal , (edited )
@tal@lemmy.today avatar

I agree 100%. I don’t need someone else overriding my existing right to decide whether I want to block or not (where is that going to stop).

To some extent, most instances already do that on some instances, whether they do it for Threads or not.

So, you're @danie10.

Your home instance is lemmy.ml. Its federation list is at:

https://lemmy.ml/instances

It includes in its Blocked Instances list, has defederated with, 181 instances.

Now, you might well agree with some of those being blocked. Like, maybe they're spammers or harassing people or God knows what. They might host speech that might be illegal in some jurisdictions, be classified as hate speech there. They might contain content that's socially-unacceptable in some countries -- one of my first experiences on the Threadiverse was being sent by a random kbin.social sidebar comment recommendation into a conversation that Ada, the lemmy.blahaj.zone instance admin, was having with some guy in the Middle East, whose country had apparently blocked that instance at the national firewall level due to it having LGBT content or something like that. There's pornography on lemmynsfw.com. Consensual-nonconsensual and synthetic child pornography on burggit.moe. Piracy material on lemmy.dbzer0.com. Some instances won't approve of that being accessible from their instances, and in those cases, the instance admin is already blocking things.

I chose my home instance -- lemmy.today -- specifically because it was an instance policy to try to avoid defederating with instances, and it presently has an empty blocklist. But as best I can tell, most instances have some level of content or user behavior or whatever on other instances that they consider unacceptable and will defederate over. Maybe it's not Threads, but they're aiming to block something.

tal ,
@tal@lemmy.today avatar

Are you going to explain what UGC means?

I would guess he's talking about "user-generated content", given context ("they need us for content").

tal ,
@tal@lemmy.today avatar

Honestly, while the way they deployed the exploit helped hide it, I'm not sure that they couldn't have figured out some similar way to hide it in autoconf stuff and commit it.

Remember that the attacker had commit privileges to the repository, was a co-maintainer, and the primary maintainer was apparently away on a month-long vacation. How many parties other than the maintainer are going to go review a lot of complicated autoconf stuff?

I'm not saying that your point's invalid. Making sure that what comes out of the git repository is what goes to upstream is probably a good security practice. But I'm not sure that it really avoids this.

Probably a lot of good lessons that could be learned.

  • It sounds like social engineering, including maybe use of sockpuppets, was used to target the maintainer, to get him to cede maintainer status.

  • Social engineering was used to pressure package maintainers to commit.

  • Apparently automated software testing software did trip on the changes, like some fuzz-testing software at Google, but the attacker managed to get changes committed to avoid it. This was one point where a light really did get aimed at the changes. That being said, the attacker here was also a maintainer, and I don't think that the fuzzer guys consider themselves responsible for identifying security holes. And while it did highlight the use of ifunc, it sounds like it was legitimately a bug. But, still, it might be possible to have some kind of security examination taking place when fuzzing software trips, especially if the fuzzing software isn't under control of a project's maintainer (as it was not, here).

  • The changes were apparently aimed at getting in shortly before Ubuntu freeze; the attacker was apparently recorded asking and ensuring that Ubuntu fed off Debian testing. Maybe there needs to be more-attention paid to things that go in shortly before freeze.

  • Part of the attack was hidden in autoconf scripts. Autoconf, especially with generated data going out the door, is hard to audit.

  • As you point out, using a chain that ensures that a backdoor that goes into downstream also goes into git would be a good idea.

  • Distros should probably be more careful about linking stuff to security-critical binaries like sshd. Apparently this was very much not necessary to achieve what they wanted to do in this case; it was possible to have a very small amount of code that performed the functionality that was actually needed.

  • Unless the systemd-notifier changes themselves were done by an attacker, it's a good bet that the Jia Tan group and similar are monitoring software, looking for dependencies like the systemd-notifier introduction. Looking for similar problems that might affect similar remotely-accessible servers might be a good idea.

  • It might be a good idea to have servers run their auth component in an isolated module. I'd guess that it'd be possible to have a portion of sshd that accepts incoming connections (and is exposed to the outside, unauthenticated world) as an isolated process. That'd be kind of inetd-like functionality. The portion that performed authentication (and is also running exposed to the outside) as an isolated process, and the code that runs only after authentication succeeds run separately, with only the latter bringing in most libraries.

  • I've seen some arguments that systemd itself is large and complicated enough that it lends itself to attacks like this. I think that maybe there's an argument that some sort of distinction should be made between more- or less-security-critical software, and different policies applied. Systemd alone is a pretty important piece of software to be able to compromise. Maybe there are ways to rearchitect things to be somewhat more-resilient and auditable.

  • I'm not familiar with the ifunc mechanism, but it sounds like attackers consider it to be a useful route to hide injected code. Maybe have some kind of auditing system to look for that.

  • The attacker modified the "in the event of an identified security hole" directions to discourage disclosure to anyone except the project for a 90-day embargo period, and made himself the contact point. That would have provided time to continue to use the exploit. In practice, perhaps software projects should not be the only contact point -- perhaps it should be the norm to both notify software projects and a separate, unrelated-to-a-project security point. That increases the risk of the exploit leaking, but protects against compromise of the project maintainership.
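The tarball-versus-git check suggested in the earlier list (disallow, or at least highlight, release tarballs that differ from what's in git) and again in the bullet above, as an added example that is not code from the xz project or from any distro. It exports a git tag, unpacks the release tarball, and reports every file that only exists in the tarball, only exists in git, or differs, so a packager can see exactly which generated autoconf output nobody reviewed in git. Paths, tag and tarball names are whatever the caller passes; the `git archive` helper assumes git is installed and is not exercised by the test.

```shell
#!/bin/sh
# Added example, not xz or distro tooling: check that a release tarball matches the git
# tag it claims to be built from, and list exactly what differs. The lines to look at
# are TARBALL_ONLY and DIFFERS: content shipped to downstream that has no commit behind it.
set -eu

# Export the tree at git tag $2 from repository $1 into directory $3.
export_git_tag() {
  repo=$1; tag=$2; dest=$3
  mkdir -p "$dest"
  git -C "$repo" archive --format=tar "$tag" | tar -xf - -C "$dest"
}

# Unpack release tarball $1 into directory $2 and print the top-level directory it created.
extract_release() {
  tarball=$1; dest=$2
  mkdir -p "$dest"
  tar -xf "$tarball" -C "$dest"
  set -- "$dest"/*
  printf '%s\n' "$1"
}

# Compare git export $1 with unpacked release $2. Prints one line per discrepancy,
# tagged GIT_ONLY, TARBALL_ONLY or DIFFERS, and returns 1 if there was any, 0 if the
# trees match, so it can gate a packaging pipeline.
diff_release_against_git() {
  git_tree=$1; release_tree=$2
  report=$(diff -rq "$git_tree" "$release_tree" || true)
  [ -n "$report" ] || return 0
  printf '%s\n' "$report" | awk -v g="$git_tree" '
    # diff -rq writes "Only in <dir>: <name>" for files present on one side only.
    /^Only in / {
      split($0, parts, ": "); dir = substr(parts[1], 9); name = parts[2]
      in_git = (substr(dir, 1, length(g)) == g && \
                (length(dir) == length(g) || substr(dir, length(g) + 1, 1) == "/"))
      tag = in_git ? "GIT_ONLY" : "TARBALL_ONLY"
      print tag "\t" dir "/" name; next
    }
    # ... and "Files <a> and <b> differ" for files present on both sides with different content.
    /^Files .* differ$/ { print "DIFFERS\t" $2; next }
    { print "OTHER\t" $0 }'
  return 1
}

# Typical use (constructed paths): export the tag, unpack the tarball, compare, and fail
# the build on any difference.
#   export_git_tag ./xz v1.2.3 ./work/git
#   rel=$(extract_release ./xz-1.2.3.tar.gz ./work/rel)
#   diff_release_against_git ./work/git "$rel"
```

A clean run prints nothing and exits 0. Projects that legitimately ship generated files will always produce TARBALL_ONLY lines; the point is that those lines are a fixed, reviewable list, so a new entry or a DIFFERS line on a file that should be byte-identical to git is what gets a human to look.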

tal ,
@tal@lemmy.today avatar

Also, even aside from the attack code here having unknown implications, the attacker made extensive commits to liblzma over quite a period of time, and added a lot of binary test files to the xz repo that were similar to the one that hid the exploit code here. He also was signing releases for some time prior to this, and could have released a signed tarball that differed from the git repository, as he did here. The 0.6.0 and 0.6.1 releases were contained to this backdoor aimed at sshd, but it's not impossible that he could have added vulnerabilities prior to this. Xz is used during the Debian packaging process, so code he could change is active during some kind of sensitive points on a lot of systems.

It is entirely possible that this is the first vulnerability that the attacker added, and that all the prior work was to build trust. But...it's not impossible that there were prior attacks.

tal ,
@tal@lemmy.today avatar

Apparently the backdoor reverts back to regular operation if the payload is malformed or the signature from the attacker's key doesn't verify. Unfortunately, this means that unless a bug is found, we can't write a reliable/reusable over-the-network scanner.

Maybe not. But it does mean that you can write a crawler that slams the door shut for the attacker on any vulnerable systems.

EDIT: Oh, maybe he just means that it reverts for that single invocation.
