Posts by JessicaRabbit

55 publicly visible posts • joined 3 Dec 2021


CISA boss swatted: 'While my own experience was certainly harrowing, it was unfortunately not unique'

JessicaRabbit

Swatting only works because of how trigger happy yank cops are.

Tech billionaires ask Californians to give new utopian city their blessing

JessicaRabbit

Could very well end up being another Bijlmer https://www.youtube.com/watch?v=sJsu7Tv-fRY

Vast botnet hijacks smart TVs for prime-time cybercrime

JessicaRabbit

Doesn't sound like they're attacking externally facing vulnerabilities in the TV to infect them so much as attacking the vulnerability in the dumb meatware operating the TVs (though once the app is installed it does sound like there's some jailbreaking going on to escape the app sandbox).

Brain boffins think they've found the data format we use to store images as memories

JessicaRabbit

Re: What about the people who can't visualize?

"In addition to the correlation between areas of brain activity, Steel explained there's an "opponent suppression" dynamic, in which the two sensing and memory areas of the brain show lower activity when the other is being used. This, he said, suggests a central role of retinotopic code in translating between neural systems in the brain.

When asked to recall an image, activity in mnemonic areas of the brain showed an inverted spike in visually-evoked "population reception fields" that corresponded to the original sensing areas of the brain, suggesting that "retinotopic coding could serve as a shared substrate to scaffold the interaction between perceptual and mnemonic systems," the report posits."

Would be interesting to explore whether this "opponent suppression" dynamic might be backwards or near-permanently stuck in mnemonic mode for people with aphantasia. I personally can't visualise for toffee when I'm awake and thinking (and my inner dialogue never shuts up so I'm always thinking) but when I'm dozing off or just coming round from sleep I can visualise pretty well.

Britain's Ministry of Defence fined £350K over Afghan interpreter BCC email blunder

JessicaRabbit

Re: So BCC not good anymore ?

There's absolutely no mention of BCC in the linked to BBC article. Maybe someone has been experimenting with Chat-GPT...

Veteran editors Notepad++ and Geany hit milestone versions

JessicaRabbit

Re: Notepad++ FTW

Likewise although I recently discovered you can right-click a tab and choose "Rename" to give the tab a name without having to save it which is really helpful for when you want a bunch of tabs open and you want to be able to find a specific one without having to commit to actually saving them explicitly (notepad++ is obv. saving them somewhere).

Black Basta ransomware operation nets over $100M from victims in less than two years

JessicaRabbit

The name does rather remind me of Billy Connolly's Getifu ya basa bit https://www.youtube.com/watch?v=o8bHsn-3RdQ

Palantir bags £330M NHS data bonanza despite privacy fears

JessicaRabbit

Re: opt out?

I used the NHS app to opt out but see https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/

JessicaRabbit

I opted out of the data sharing yesterday as a result of this and I urge anyone else reading this to do so themselves if they haven't already.

License to thrill BSL refuseniks? Sentry introduces Functional Source License

JessicaRabbit

Re: Sighs are too silent for this

Well maybe you're right but I'm struggling to see the issue. If they are using (F)OSS it's not GPL or the like because those licences would be incompatible with BSL. That only leaves licences like MIT where the author has explicitly decided to make their work available for commercial use. Besides the code does become genuinely (F)OSS after two years, I'm not sure you can really call that spitting on the community.

At the end of the day, developers are not free. If a FOSS alternative exists, by all means use that. If it doesn't then either there's no demand for it (unlikely given Sentry have built it) or nobody is willing to build it for free. Sentry has to at least pay for the developer's time, admin costs etc etc. It's not rational to expect them to just give it away, surely you don't truly believe they should? Except of course they are doing, more or less. You or I are free to build it, host it ourselves, make changes whatever. The only people really getting screwed by this licence are the cloud providers and I'm not exactly shedding tears over that.

Without hyperbole or the sort of emotive language you've used above, please explain what parts of what I've written above you disagree with?

JessicaRabbit

Re: Sighs are too silent for this

Not really, they're paying for the development costs and providing the product for free to end users. They just don't want Amazon, Google, Microsoft et al to take their work, package it up and re-sell it.

Ex-GCHQ software dev jailed for stabbing NSA staffer

JessicaRabbit

Terrible what happened but it never ceases to amaze me that with the level of surveillance these organizations are perpetrating against their own citizens that they can't even figure out when there's a terrorist working for them.

Amazon's $1.4B price-raising 'Project Nessie' algorithm exposed in FTC antitrust fight

JessicaRabbit

I can understand why smaller companies or individuals would and do settle when facing corporations the size of Amazon but this is the US govt. Surely they have incredibly deep pockets and could easily afford to fight this to the end. Why are they so willing to settle?

Google formally gets to work on Android on RISC-V

JessicaRabbit

Re: rambling a bit (yes you are :)

RISC-V is just an ISA. The performance of RISC-V chips will mostly come down to how the internals of each chip are implemented and that is up to the chip designers. The ISA just describes the instruction set, registers etc. To quote Wikipedia:

"An ISA specifies the behavior of machine code running on implementations of that ISA in a fashion that does not depend on the characteristics of that implementation, providing binary compatibility between implementations. This enables multiple implementations of an ISA that differ in characteristics such as performance, physical size, and monetary cost (among other things), but that are capable of running the same machine code, so that a lower-performance, lower-cost machine can be replaced with a higher-cost, higher-performance machine without having to replace software."

Now Russians accused of pwning JFK taxi system to sell top spots to cabbies

JessicaRabbit

I've never understood this pay to skip the line stuff. Shirley if everyone paid nobody would get to go sooner and if only some pay but there's enough of them to satisfy all the jobs/spots/seats etc in a given time window the non-payers are stuck waiting forever.

Stanford schooled in cybersecurity after Akira claims ransomware attack

JessicaRabbit

Just checking to see if I can actually post a comment here seeing as it seems to be broken for "Tech bros still cling to sexist stereotypes, forgetting female pioneers who coded their path".

The battle between open source and 'sort of' open source is as old as software

JessicaRabbit

If these companies would just use the more restrictive licences that they end up with from the beginning there wouldn't be such a fuss being made about it. It's the bait and switch nature of their practices that grates so much.

Your ex isn't the only one stalking your social media posts. The Feds are, too

JessicaRabbit

America wants its own social credit score system it seems.

Hot fuzz: Cascade finds dozens of RISC-V chip bugs using random data storm

JessicaRabbit

This is very cool and hopefully something that RISC-V chip designers will incorporate into their design and validation processes. That way more security issues like the ones found so far can be caught before going to silicon.

I'd suggest adapting it to fuzz Arm but I'm sure the researchers in question don't want to deal with the litigation-happy lawyers Arm seem to be employing at the moment.

Intel stock stumbles on report Nvidia is building an Arm CPU for PC market

JessicaRabbit

Maybe but they might end up in the same situation as Qualcomm then. ARM seem quite fussy about licences not transferring when acquiring a company.

It is 2023 and Excel's reign of date terror might finally be at an end

JessicaRabbit

Now if only they'd get around to not treating things that look like formulas in csv files as formulas so we don't have to worry about CSV exports that contain a value like =cmd|' /C calc'!A1 in them causing Excel to execute arbitrary commands on the victim's computer.
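The CSV formula injection the comment describes is something the exporting application can defend against, regardless of what Excel does. The following is an added example, not code from the original post: a small exporter that neutralises any cell whose first non-whitespace character would make a spreadsheet treat it as a formula (`=`, `+`, `-`, `@`, tab, carriage return) by prefixing it with an apostrophe, which spreadsheets render as literal text. The sample rows, including the `=cmd|' /C calc'!A1` value from the comment, are constructed for the demonstration.

```python
import csv
import io

# Leading characters that Excel and LibreOffice interpret as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Prefix a string cell with an apostrophe if it would otherwise parse as a formula.

    Non-string values (numbers, None) are returned unchanged: the csv module will
    render them as plain numerals, which carry no formula trigger.
    """
    if not isinstance(value, str):
        return value
    stripped = value.lstrip()
    if stripped and stripped[0] in FORMULA_PREFIXES:
        return "'" + value
    return value


def export_csv(rows):
    """Serialise rows to CSV text, neutralising formula-like cells on the way out."""
    buf = io.StringIO()
    # QUOTE_ALL keeps every field quoted so separators inside payloads cannot
    # split a cell; neutralisation still happens on the raw value first.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralise_cell(v) for v in row])
    return buf.getvalue()


# Constructed sample data: one benign row, one carrying the DDE payload from the
# comment, and one phone number whose leading "+" would also be read as a formula.
SAMPLE_ROWS = [
    ["name", "comment"],
    ["alice", "looks good"],
    ["mallory", "=cmd|' /C calc'!A1"],
    ["bob", "+44 1234 567890"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```

The trade-off to be aware of: values that legitimately start with `-` or `+` (phone numbers, negative amounts stored as text) also get the apostrophe, so an exporter that knows a column is numeric should emit it as a number rather than a string and let the spreadsheet parse it.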

Not even the ghost of obsolescence can coerce users onto Windows 11

JessicaRabbit

Re: I'm sure AI has some use somewhere .....

Ah yes, MacBooks where you have to buy a whole new machine because one small part of it broke and the Apple approved repair people tell you it's busted and you just need to replace it. See Louis Rossmann's many videos on the subject for examples of this happening.

Make-me-root 'Looney Tunables' security hole on Linux needs your attention

JessicaRabbit

Re: Environment variable

If it's cross-platform then it doesn't use the ld.so dynamic linker and therefore they haven't imported the vulnerability.

ChattyG takes a college freshman C/C++ programming exam

JessicaRabbit

It doesn't learn from previous attempts. At best it 'learns' from absorbing millions if not trillions of samples from the internet. What is being described as learning here is nothing more than additional prompts that change the weighting of its auto-complete-like predictions.

Mixin suspends deposits and withdrawals after $200m cryptocurrency heist

JessicaRabbit

When will people learn?

CrowView: A clamp-on, portable second laptop display

JessicaRabbit

This actually looks pretty cool. I've not much faith in Kickstarter so I won't be backing it but if it ends up being mass produced and available to buy retail I'd certainly consider picking one up.

Author discovers fake, likely AI-generated books written under her name

JessicaRabbit

Re: Keyboard Sounds

You really needn't bother. Seems they have to train the algorithm anew for each keyboard that it's listening to with samples of audio and the text that was typed i.e. they already have some way to monitor what you're typing. On top of that if you're a proficient touch typist even with said training the accuracy really isn't all that. It might have some success in a rather targeted attack under special circumstances but as previous discussions on this have stated, just infecting the target's machine with malware is more practical 99% of the time.

US Supreme Court allows 'ghost guns' to fall under federal purview

JessicaRabbit

I really can't wrap my head around why they're so determined to allow untraceable guns. Are they not-so-secretly aligned with criminals? Surely serial numbers on legally owned and operated guns would never be an issue. The whole purpose of these ghost guns is to commit crime with untraceable weapons, no?

Techie's quick cure for a curious conflict caused a huge headache

JessicaRabbit

Your point stands and you have my upvote but I should think /u would not have been left world writable by an otherwise competent systems programmer. The scenario you describe should only be possible to the same extent that the user accidentally hit enter after typing the same thing in /bin.

Experiment arrives at the ISS to see if astronauts can keep things cool

JessicaRabbit

Re: Tea for more than two

Very clever. You deserve far more upvotes than you've received (up to now).

EU antitrust team closer to full-blown Microsoft probe, say sources

JessicaRabbit

I'm all in favour of the EU going after MS for their dubious behaviour but I think it's a bit rich that Google are complaining about it when they're just as bad for it with their Ad business!

Hijacked S3 buckets used in attacks on npm packages

JessicaRabbit

For those of you, like me, left scratching their heads about what the actual attack was after reading the article: The attack was that an older version of the npm package pulled binaries from an S3 bucket during installation. The bucket was deleted and the attackers created a bucket of their own with the same name (S3 bucket names are globally unique) and served poisoned binaries from that bucket. Presumably this worked because there are codebases still using the older versions of bignum and CI/CD and new devs working on the codebase are installing the older package and getting the poisoned binaries in the process.
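The mitigation for the bucket takeover described above is for the install script to pin the hash of each prebuilt binary inside the package itself, so that whatever a bucket serves is checked against a value the maintainer fixed at release time. This added example is not the bignum project's code: it models the legitimate and the hijacked bucket as in-memory dictionaries (constructed stand-ins for an HTTP fetch), ships a pinned manifest alongside the package, and refuses to install anything whose SHA-256 does not match. All file names and byte strings are constructed for the demonstration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the prebuilt binary the install script downloads.
ORIGINAL_BINARY = b"\x7fELF original prebuilt binary (constructed sample)"
POISONED_BINARY = b"\x7fELF attacker-served replacement (constructed sample)"
ARTIFACT = "prebuilt-v1.2.3-linux-x64.bin"  # constructed file name

# Two "buckets" with the same name: the maintainer's, and one re-created by an
# attacker after the original was deleted. The install script cannot tell them
# apart by URL alone, which is the whole problem.
LEGIT_BUCKET = {ARTIFACT: ORIGINAL_BINARY}
HIJACKED_BUCKET = {ARTIFACT: POISONED_BINARY}

# The pinned manifest is computed once by the maintainer and shipped inside the
# package (not fetched from the bucket), so a bucket takeover cannot rewrite it.
PINNED_MANIFEST = {ARTIFACT: sha256_hex(ORIGINAL_BINARY)}


class IntegrityError(Exception):
    """Raised when a fetched artifact is unpinned or its hash does not match."""


def fetch_verified(bucket, name, manifest):
    """Fetch `name` from `bucket` and return its bytes only if the hash matches the pin."""
    data = bucket[name]  # stand-in for an HTTP GET of the bucket object
    expected = manifest.get(name)
    if expected is None:
        raise IntegrityError(f"{name}: no pinned hash in manifest, refusing to install")
    actual = sha256_hex(data)
    # constant-time comparison; the hashes are public, but it is the idiomatic check
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{name}: expected {expected[:12]}..., got {actual[:12]}...")
    return data


def install_from(bucket):
    """Simulate the install step. Returns (ok, detail) instead of raising."""
    try:
        data = fetch_verified(bucket, ARTIFACT, PINNED_MANIFEST)
        return True, f"installed {len(data)} bytes"
    except IntegrityError as err:
        return False, str(err)


if __name__ == "__main__":
    print("legit bucket:   ", install_from(LEGIT_BUCKET))
    print("hijacked bucket:", install_from(HIJACKED_BUCKET))
```

Pinning by content hash rather than by bucket name means a re-created bucket, a CDN substitution or a tampered mirror all fail the same way; the remaining job is to keep the manifest in the package's own source control, where it is covered by the package signature and code review.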

GitHub accused of varying Copilot output to avoid copyright allegations

JessicaRabbit

Pretty sure it would be, yes. That's why you have to have things like clean room reverse engineering.

Barracuda tells its ESG owners to 'immediately' junk buggy kit

JessicaRabbit

Quite so and not to mention up to 11,000 devices now headed to landfill.

10 years after Snowden's first leak, what have we learned?

JessicaRabbit

Re: what have we learned?

From what I've read a number of countries wanted to but as usual the US bullied them into retracting their offers or the countries weren't reachable directly and the countries in between would have captured and deported him.

Malwarebytes may not be allowed to label rival's app as 'potentially unwanted'

JessicaRabbit

I'd be interested to hear Malware Bytes' justification for labelling Enigma's software as a PUP.

BOFH: Ah. Company-branded merch. So much better than a bonus

JessicaRabbit

Re: Acronym-Ignorant

It's the phrase the PFY keeps using when referring to the can of petrol.

How fiends abuse an out-of-date Microsoft Windows driver to infect victims

JessicaRabbit

Re: MS have a lot of problems, but that ain't one of 'em.

In what way have I defended Microsoft? If anything I'm criticising their lack of a feature that should be available. Also I'm not talking about blocking applications, the article is very specifically about drivers loaded into the kernel. Also it's not users installing the driver; this is about malware that gets onto a computer, uses local privilege escalation vulnerabilities in other OS components to gain System Admin privileges and then uses that to install a driver which has been signed (thus Windows will accept it) but which is known to contain vulnerabilities that can be used to run arbitrary code at ring 0, allowing them to bypass kernel-level protections including anti-virus etc. software which also operates at ring 0.

Plus how is blocking dangerous drivers any different than anti-virus blocking dangerous executables? Suing a company because they protected your customers from an old version of your driver being used to own their machine? Not unthinkable but fuck any company that did that.

JessicaRabbit

The real issue here seems to be that Microsoft are either incapable or unwilling to block the installation of known-to-be-vulnerable drivers. Surely it would not be particularly challenging from a technical standpoint to just maintain a revocation list. It need not even revoke the entire signing certificate for a merely vulnerable driver (stolen certificates are another matter), since any modification to the driver would invalidate the signature it would only need to keep hashes of the driver's binary.
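The distinction drawn in the comment, revoking a specific binary by hash versus revoking the whole signing certificate, is easy to show in code. This added example is not Microsoft's or any vendor's code and does not parse real PE files or Authenticode signatures: it models two driver builds signed by the same (constructed) vendor as byte strings and compares the two policies. A hash-based blocklist stops the known-vulnerable build while the patched build from the same signer still loads; certificate-level revocation takes out both.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a driver image; any byte change yields a different value."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for two signed driver builds from one vendor.
SIGNER = "Example Vendor Ltd (constructed)"
VULNERABLE_DRIVER = b"MZ vendor driver v1.0 (constructed, known-vulnerable build)"
FIXED_DRIVER = b"MZ vendor driver v1.1 (constructed, patched build)"

# Hash-based revocation list: only the vulnerable build's hash is listed.
BLOCKED_HASHES = {sha256_hex(VULNERABLE_DRIVER)}

# Certificate-based revocation list: the signer as a whole.
REVOKED_SIGNERS = {SIGNER}


def policy_by_hash(image: bytes, signer: str):
    """Block a driver only if this exact binary is on the hash blocklist."""
    digest = sha256_hex(image)
    if digest in BLOCKED_HASHES:
        return "block", f"binary {digest[:12]}... is on the vulnerable-driver list"
    return "allow", f"binary {digest[:12]}... signed by {signer} not listed"


def policy_by_certificate(image: bytes, signer: str):
    """Block every driver whose signing identity has been revoked."""
    if signer in REVOKED_SIGNERS:
        return "block", f"signer {signer!r} is revoked"
    return "allow", f"signer {signer!r} is trusted"


def compare_policies():
    """Return each policy's decision for the vulnerable and the patched build."""
    return {
        "hash": {
            "vulnerable": policy_by_hash(VULNERABLE_DRIVER, SIGNER)[0],
            "fixed": policy_by_hash(FIXED_DRIVER, SIGNER)[0],
        },
        "certificate": {
            "vulnerable": policy_by_certificate(VULNERABLE_DRIVER, SIGNER)[0],
            "fixed": policy_by_certificate(FIXED_DRIVER, SIGNER)[0],
        },
    }


if __name__ == "__main__":
    for policy, decisions in compare_policies().items():
        print(f"{policy:12s} vulnerable={decisions['vulnerable']:5s} fixed={decisions['fixed']}")
```

The hash list is the right tool for a driver that is merely buggy, exactly as the comment says; a stolen or abused certificate is a different failure and does warrant revoking the signer, because the attacker can then produce fresh binaries with fresh hashes at will.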

Microsoft begs you not to ditch Edge on Google's own Chrome download page

JessicaRabbit

Re: Cease and desist

I'm not sure they would and I'm not sure we'd want them to because do you know what else 'hijacks' webpages? Ad blockers and screw browsing the web without one of those installed.

FTC floats rule to ban imposed non-compete agreements in US

JessicaRabbit

Will be interesting to see how lobbyists and corrupt officials fuck this one up just like with the right to repair bill in NYC - https://www.youtube.com/watch?v=7xGBB-717AI

He's only gone and done it. Ex-Register vulture elected to board of .uk registry

JessicaRabbit

15% but not really

I assume the 15% quoted in the title is 15% of the members not 15% of all possible votes. IIRC this has been covered before but lest anyone forget. Only 25% of all possible votes are split evenly between members. The remaining 75% are split based on number of registered domains which means a small number of large registrars godaddy etc account for the vast majority of all castable votes. That's the real reason not many members bother to vote, their vote is worth near enough sod all!

There can be only one... Microsoft Excel Champion

JessicaRabbit

Amazing

and I thought this KRAZAM video was just a joke... https://www.youtube.com/watch?v=xubbVvKbUfY

Old-school editor Vim hits version 9 with faster scripting language

JessicaRabbit

If only Vi could be relied upon to be installed. Most Debian based systems these days seem to come with nano installed but not Vim :(

How refactoring code in Safari's WebKit resurrected 'zombie' security bug

JessicaRabbit

Re: ...allows the user to modify the history

Yes

From the Mozilla docs - https://developer.mozilla.org/en-US/docs/Web/API/History/pushState

"The new history entry's URL is given by this parameter. Note that the browser won't attempt to load this URL after a call to pushState(), but it might attempt to load the URL later, for instance after the user restarts the browser. The new URL does not need to be absolute; if it's relative, it's resolved relative to the current URL. The new URL must be of the same origin as the current URL; otherwise, pushState() will throw an exception. If this parameter isn't specified, it's set to the document's current URL."

Note that the URL has to be the same origin, so you can't inject the URL for some illegal site into the history unless the user was already on that site (and then there's no framing required).

Debian faces firmware furore from FOSS freedom fighters

JessicaRabbit

Re: Fighting the wrong people in the wrong place

Unfortunately the people creating the devices that need firmware aren't sufficiently incentivised to care. They don't really want a GPL firmware (GPL perhaps not being the best choice since then it's no good for BSD and such) and since the vast majority of Linux users will just install the proprietary firmware blob and get on with things there's very little demand from consumers even within the Linux community.

JessicaRabbit

It's a curious distinction to make

It's a curious distinction to make imo, if the user bought the hardware it seems reasonable to me to assume they trust the vendor. Even as the article states, you have to trust at least the firmware in the BIOS/UEFI for the motherboard.

All machines (PCs, laptops etc) have closed-source firmware running on them. If the device makers suddenly decided to use ROM/EEPROM chips to store firmware again, I can't imagine many users would suddenly just stop buying those devices just because the firmware was baked in.

So to summarise (and I think the article gets at this just in more words), in the case of Debian it's purist thinking whilst ignoring that short of rolling your own hardware (CPU and motherboard included) you can't avoid proprietary closed-source firmware.

Rolling Rhino: A rolling-release remix of Ubuntu

JessicaRabbit

Re: YALD

I upvoted you because I largely agree with your point but to answer your question, the reason I think people want Linux to go mainstream is because then it becomes a platform that more hardware and software developers will consider writing drivers/software for.

Microsoft proposes type syntax for JavaScript

JessicaRabbit

Waste of time. If people are clamouring for static typing it's for compile-time and run-time guarantees, something TS can't give you because JS doesn't support it and this won't change that.

Linux kernel edges closer to dropping ReiserFS

JessicaRabbit

Not sure 'just' has anything to do with it (and nor should it). It's clear that the proposal is for entirely technical reasons and the suggestion to mark it as deprecated for a few years before actually removing it makes good sense to me at least.
