Swatting only works because of how trigger happy yank cops are.
55 publicly visible posts • joined 3 Dec 2021
CISA boss swatted: 'While my own experience was certainly harrowing, it was unfortunately not unique'
Re: What about the people who can't visualize?
"In addition to the correlation between areas of brain activity, Steel explained there's an "opponent suppression" dynamic, in which the two sensing and memory areas of the brain show lower activity when the other is being used. This, he said, suggests a central role of retinotopic code in translating between neural systems in the brain.
When asked to recall an image, activity in mnemonic areas of the brain showed an inverted spike in visually-evoked "population reception fields" that corresponded to the original sensing areas of the brain, suggesting that "retinotopic coding could serve as a shared substrate to scaffold the interaction between perceptual and mnemonic systems," the report posits."
Would be interesting to explore whether this "opponent suppression" dynamic might be backwards or near-permanently stuck in mnemonic mode for people with aphantasia. I personally can't visualise for toffee when I'm awake and thinking (and my inner dialogue never shuts up so I'm always thinking) but when I'm dozing off or just coming round from sleep I can visualise pretty well.
Re: Notepad++ FTW
Likewise although I recently discovered you can right-click a tab and choose "Rename" to give the tab a name without having to save it which is really helpful for when you want a bunch of tabs open and you want to be able to find a specific one without having to commit to actually saving them explicitly (notepad++ is obv. saving them somewhere).
Re: Sighs are too silent for this
Well maybe you're right but I'm struggling to see the issue. If they are using (F)OSS it's not GPL or the like because those licences would be incompatible with BSL. That only leaves licences like MIT where the author has explicitly decided to make their work available for commercial use. Besides the code does become genuinely (F)OSS after two years, I'm not sure you can really call that spitting on the community.
At the end of the day, developers are not free. If a FOSS alternative exists, by all means use that. If it doesn't then either there's no demand for it (unlikely given Sentry have built it) or nobody is willing to build it for free. Sentry has to at least pay for the developer's time, admin costs etc etc. It's not rational to expect them to just give it away, surely you don't truly believe they should? Except of course they are doing, more or less. You or I are free to build it, host it ourselves, make changes whatever. The only people really getting screwed by this licence are the cloud providers and I'm not exactly shedding tears over that.
Without hyperbole or the sort of emotive language you've used above, please explain what parts of what I've written above you disagree with?
Re: rambling a bit (yes you are :)
RISC-V is just an ISA. The performance of RISC-V chips will mostly come down to how the internals of each chip are implemented and that is up to the chip designers. The ISA just describes the instruction set, registers etc. To quote Wikipedia:
"An ISA specifies the behavior of machine code running on implementations of that ISA in a fashion that does not depend on the characteristics of that implementation, providing binary compatibility between implementations. This enables multiple implementations of an ISA that differ in characteristics such as performance, physical size, and monetary cost (among other things), but that are capable of running the same machine code, so that a lower-performance, lower-cost machine can be replaced with a higher-cost, higher-performance machine without having to replace software."
This is very cool and hopefully something that RISC-V chip designers will incorporate into their design and validation processes. That way more security issues like the ones found so far can be caught before going to silicon.
I'd suggest adapting it to fuzz Arm but I'm sure the researchers in question don't want to deal with the litigation-happy lawyers Arm seem to be employing at the moment.
Re: I'm sure AI has some use somewhere .....
Ah yes, MacBooks where you have to buy a whole new machine because one small part of it broke and the Apple approved repair people tell you it's busted and you just need to replace it. See Louis Rossmann's many videos on the subject for examples of this happening.
Re: Keyboard Sounds
You really needn't bother. Seems they have to train the algorithm anew for each keyboard that it's listening to with samples of audio and the text that was typed i.e. they already have some way to monitor what you're typing. On top of that if you're a proficient touch typist even with said training the accuracy really isn't all that. It might have some success in a rather targeted attack under special circumstances but as previous discussions of this have stated, just infecting the target's machine with malware is more practical 99% of the time.
I really can't wrap my head around why they're so determined to allow untraceable guns. Are they not-so-secretly aligned with criminals? Surely serial numbers on legally owned and operated guns would never be an issue. The whole purpose of these ghost guns is to commit crime with untraceable weapons, no?
For those of you, like me, left scratching their heads about what the actual attack was after reading the article: The attack was that an older version of the npm package pulled binaries from an S3 bucket during installation. The bucket was deleted and the attackers created a bucket of their own with the same name (S3 bucket names are globally unique) and served poisoned binaries from that bucket. Presumably this worked because there are codebases still using the older versions of bignum and CI/CD and new devs working on the codebase are installing the older package and getting the poisoned binaries in the process.
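Added example, not part of the comment above and not code from any project it mentions: a defender-side audit that lists the S3 buckets a set of package manifests would download from at install time, so that each bucket's ownership can be checked. It assumes binaries are located through a node-pre-gyp style `binary.host` field or a URL in a lifecycle script (the comment does not say which mechanism the package used); all package and bucket names are constructed.

```javascript
// Added example; package names, versions and bucket names are constructed.
// Virtual-hosted (bucket.s3[.-region].amazonaws.com) or path-style S3 hosts.
const S3_HOST = /^(?:(.+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$/;
const URL_RE = /https?:\/\/[^\s"'`)]+/g;

// Return the bucket a URL points at, or null if it is not an S3 URL.
function s3Bucket(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  const m = S3_HOST.exec(url.hostname);
  if (!m) return null;
  if (m[1]) return m[1];                          // virtual-hosted style
  return url.pathname.split('/')[1] || null;      // path style: /bucket/key
}

// Assumption: binaries are located via node-pre-gyp's `binary.host`
// or fetched by a URL embedded in an install-time lifecycle script.
function auditManifest(manifest) {
  const fields = { 'binary.host': manifest.binary && manifest.binary.host };
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    fields[`scripts.${hook}`] = manifest.scripts && manifest.scripts[hook];
  }
  const findings = [];
  for (const [field, value] of Object.entries(fields)) {
    for (const u of String(value || '').match(URL_RE) || []) {
      const bucket = s3Bucket(u);
      if (bucket) findings.push({ pkg: `${manifest.name}@${manifest.version}`, field, bucket });
    }
  }
  return findings;
}

const auditAll = (manifests) => manifests.flatMap(auditManifest);

// Constructed manifests standing in for entries resolved from a lockfile.
const SAMPLES = [
  { name: 'example-native', version: '0.12.0',
    binary: { module_name: 'example', host: 'https://example-native-binaries.s3-us-west-2.amazonaws.com' },
    scripts: { install: 'node-pre-gyp install --fallback-to-build' } },
  { name: 'example-tool', version: '2.1.0',
    scripts: { postinstall: 'node fetch.js https://s3.amazonaws.com/example-tool-dist/v2.1.0/tool.node' } },
  { name: 'example-pure', version: '1.0.0', scripts: { test: 'mocha' } },
];

for (const f of auditAll(SAMPLES)) {
  console.log(`${f.pkg}: ${f.field} -> bucket "${f.bucket}" (confirm it still belongs to the publisher)`);
}
```

Each bucket the audit reports is an external dependency of the install step; if it has been deleted, its name can be registered by someone else, which is the situation the comment describes.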
Re: MS have a lot of problems, but that ain't one of 'em.
In what way have I defended Microsoft? If anything I'm criticising their lack of a feature that should be available. Also I'm not talking about blocking applications, the article is very specifically about drivers loaded into the kernel. Also it's not users installing the driver, this is about malware that gets onto a computer, uses local privilege escalation vulnerabilities in other OS components to gain System Admin privileges and then using that to install a driver which has been signed thus Windows will accept which is known to contain vulnerabilities which can be used to run arbitrary code at ring 0. Thus allowing them to bypass kernel-level protections including anti-virus etc software which also operates at ring 0.
Plus how is blocking dangerous drivers any different than anti-virus blocking dangerous executables? Suing a company because they protected your customers from an old version of your driver being used to own their machine? Not unthinkable but fuck any company that did that.
The real issue here seems to be that Microsoft are either incapable or unwilling to block the installation of known-to-be-vulnerable drivers. Surely it would not be particularly challenging from a technical standpoint to just maintain a revocation list. It need not even revoke the entire signing certificate for a merely vulnerable driver (stolen certificates are another matter), since any modification to the driver would invalidate the signature it would only need to keep hashes of the driver's binary.
15% but not really
I assume the 15% quoted in the title is 15% of the members not 15% of all possible votes. IIRC this has been covered before but lest anyone forget. Only 25% of all possible votes are split evenly between members. The remaining 75% are split based on number of registered domains which means a small number of large registrars (GoDaddy etc) account for the vast majority of all castable votes. That's the real reason not many members bother to vote, their vote is worth near enough sod all!
Re: ...allows the user to modify the history
From the Mozilla docs - https://developer.mozilla.org/en-US/docs/Web/API/History/pushState
"The new history entry's URL is given by this parameter. Note that the browser won't attempt to load this URL after a call to pushState(), but it might attempt to load the URL later, for instance after the user restarts the browser. The new URL does not need to be absolute; if it's relative, it's resolved relative to the current URL. The new URL must be of the same origin as the current URL; otherwise, pushState() will throw an exception. If this parameter isn't specified, it's set to the document's current URL."
Note that the URL has to be the same origin, so you can't inject the URL for some illegal site into the history unless the user was already on that site (and then there's no framing required).
Re: Fighting the wrong people in the wrong place
Unfortunately the people creating the devices that need firmware aren't sufficiently incentivised to care. They don't really want a GPL firmware (GPL perhaps not being the best choice since then it's no good for BSD and such) and since the vast majority of Linux users will just install the proprietary firmware blob and get on with things there's very little demand from consumers even within the Linux community.
It's a curious distinction to make
It's a curious distinction to make imo, if the user bought the hardware it seems reasonable to me to assume they trust the vendor. Even as the article states, you have to trust at least the firmware in the BIOS/UEFI for the motherboard.
All machines (PCs, laptops etc) have closed-source firmware running on them. If the device makers suddenly decided to use ROM/EEPROM chips to store firmware again, I can't imagine many users would suddenly just stop buying those devices just because the firmware was baked in.
So to summarise (and I think the article gets at this just in more words), in the case of Debian it's purist thinking whilst ignoring that short of rolling your own hardware (CPU and motherboard included) you can't avoid proprietary closed-source firmware.