Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
Cybernetic Vermin
Apr 18, 2005



til that pippin (a ppc 603) ran 68k boot code

the thing was really such a mess that it is sort of hard to get excited for the crack, it was so half-hearted in every way. the write-up is interesting though, and not like i have a pippin anyway :p

Adbot
ADBOT LOVES YOU

Cybernetic Vermin
Apr 18, 2005



this is definitely more 'lol amd' than 'lol lennart' at any rate

Cybernetic Vermin
Apr 18, 2005



Lysidas posted:

so is this a staged rollout for different models? nothing new available for x1 carbons 3rd and 6th gen afaict

e: or are those not affected?

from what i understand nothing is supposed to be available yet and we only know something exists because that one leaked (that may have changed though, or, as likely, I've misunderstood)

Cybernetic Vermin
Apr 18, 2005



just buy her an account

Cybernetic Vermin
Apr 18, 2005



Soricidus posted:

goon project: let’s make a good encrypted chat app with a full set of forums smileys, native clients for windows, linux console, and amiga, amber/green stylesheets, and a goon-made encryption algorithm that you can actually trust not to have any nsa backdoors

counterpoint, the just post thread is here: https://forums.somethingawful.com/showthread.php?threadid=3885452

Cybernetic Vermin
Apr 18, 2005



jre posted:

Huge amounts of hotel booking websites ultimately fax your card details to the front desk fax machine :shepicide:

The banks are finally making them fix this by hiking the merchant rates if you don't use tokenisation

it is sort of key to credit cards precisely that your liability is limited to leave it up to the merchants and credit card company to fight out how to keep things reasonably balanced ease/safety

Cybernetic Vermin
Apr 18, 2005



Soricidus posted:

i can't decide whether to predict minix or gnu hurd

minix is running on more pc's than linux does by a substantial margin, so it is the more proven choice.

Cybernetic Vermin fucked around with this message at 08:52 on May 29, 2019

Cybernetic Vermin
Apr 18, 2005



that's what microsoft gets for selling out and adding unix line ending support to notepad

Cybernetic Vermin
Apr 18, 2005



Jabor posted:

i mean, notepad does do text layout (break into lines, tab spacing, etc.), and unicode

so i wouldn't be too surprised if it turned out some obscure combination of those things blew a stack buffer

that and microsofts recent updating of it (broader encoding support, different line ending support, long path support, etc.) has indeed replaced a lot of that plumbing. so he is most likely teasing a bug in the newer versions of the components notepad uses.

Cybernetic Vermin
Apr 18, 2005



yeah, in principle there can be malware in the uefi firmware or bios, but as the only way to fix that is to toss the laptop and not get a new one (as the new one may have it too) it is not very helpful info. ideally do a full format and reinstall, but whatever reset-to-factory-image is offered up by hp is *probably* sufficient.

there is a lot of stuff malware *could* do to be incredibly well-hidden and persistent, but as the actual reformat is such a rare event in the life of a piece of consumer-grade malware i don't think many bother to try very hard.

Cybernetic Vermin
Apr 18, 2005



while the general thrust of this argument is true microsoft did in fact crack down on the use of this uefi hook for loading software

Cybernetic Vermin
Apr 18, 2005



besides, the nsa already lives in your intel me install.

Cybernetic Vermin
Apr 18, 2005



i originally found thompsons 'trusting trust' talk (you know the ones, the impossibility of figuring out a backdoor inserted by a compiler by source inspection), but it comes up pretty often in this kind of conversation: yeah, no poo poo, you can't trust anything. your intel-based laptop comes with three operating systems installed, and you can only have an effect on the one that is least trusted and loads last.

Cybernetic Vermin
Apr 18, 2005



weeeell, i don't doubt that local government does indeed struggle with security for reasons not entirely in their control, and in fact agree that the culture around the ongoing security catastrophy we all inhabit is part of the problem.

Cybernetic Vermin
Apr 18, 2005



duz posted:

its purely a cost issue

well, that is one read, but there may need to be a larger shift in approach, it might not be reasonable to expect that "security expertise" should be a funded line item in every budget, while e.g. the local school children go hungry

not to lay the blame at the feet of security professionals, but the framing of the problem is not good.

Cybernetic Vermin
Apr 18, 2005



either way the nsa can no doubt get their primary work done by hacking on a higher level, and may be worried primarily about the black box nature of the preloaded uefi stuff loaded in locations outside nsa control.

Cybernetic Vermin
Apr 18, 2005



Boiled Water posted:

in secfuck of yester-week: the highest danish court of justice ruled on a case of “what happens when you’re defrauded of your digital signature credentials?”

in short, Denmark has a system of digital signatures and logins using 2fa. You use it for things like logging into your bank account or signing for a loan. I did this last year when buying my house. Currently it’s named “NemID”

same issue in sweden, despite the system being slightly more careful using a 2fa app which will display a reason-for-approval-request thing (e.g. "approve transfer of xxx kronor", "sign document xyz"). i think it helps, but getting old people on the phone is of course as always enough for at least some success-rate. i have to think also that android malware will target this stuff a lot harder as time goes on, which will turn into a real shitshow.

Cybernetic Vermin
Apr 18, 2005



Boiled Water posted:

China is at best a police state, the us is not

really loving arguable on a broader level, the us will happily dissappear foreign 'obstacles' at the drop of a hat.

Cybernetic Vermin
Apr 18, 2005



also if you're doing regular videocalls in the office it is worth it picking up a cheap logitech webcam and placing it properly. they vastly outperform whatever you get builtin, for both checking your nostrils and playacting being the smoking man.

Cybernetic Vermin
Apr 18, 2005



didn't know and a bit struck by this info, so still a good post for me

Cybernetic Vermin
Apr 18, 2005



CRIP EATIN BREAD posted:

its amazing that Linus still has control over the kernel even though so many gigantic corporations depend on it's existence.

i'm shocked nobody has tried to wrestle it away from him.

the gigantic corporations don't run a linus-blessed kernel, and have no intent of doing so.

in practical effect redhat controls the kernel that is used.

Cybernetic Vermin
Apr 18, 2005



i presume taviso's point is that they reported before business open day 1 and disclosed after business close on day 90 or some such, but since afaik we don't know that the public snark was pretty uncalled for.

Cybernetic Vermin
Apr 18, 2005



Shaggar posted:

seems like that would be useful in the world of android where no handset is guaranteed to have the same standard underlying system.

yeah, unfortunately this seems a really legitimate and necessary thing to do for a company suffering to make a stable of apps run on every handset in existence.

Cybernetic Vermin
Apr 18, 2005



i can't claim they have the *right*, but i can very easily see myself making the same decision. the metadata is bound to be trash on a non-trivial number of handsets, and if the library doesn't match any fingerprint you've seen before, and your apps are crashing and the users are livid, you'll need to get this stuff out to figure out what the gently caress the platform you're trying to run on even is.

might not be quite right, but i also don't see much of an ethical problem in this. system libraries isn't very private info, and you are grabbing it from users who are agreeing to be fingerprinted in an actually personal way already.

Cybernetic Vermin
Apr 18, 2005



actual crash dumps have way more potential for ethical issues though, messenger and whatsapp crashes may contain plaintext that facebook could not otherwise get at, and in general there may be unposted private things in the memory map. the system libraries just get dumped into the memory space of any dumb application with no checks or questions. if there are secrets to them i think there is some pretty heavy rethinking of platform security needed.

Cybernetic Vermin
Apr 18, 2005



evil_bunnY posted:

it’s not so much the library map uploading as much as knowing fb would use it to assist fingerprint unsuspecting users first chance they got, and doing it silently, in the background, instead of when crashing.

explain how having the entire binary helps with fingerprinting beyond having the, you know, fingerprints?

Stick Insect posted:

and on top of that, the facebook app is usually pre-installed on androids with no option to remove it.

really nefarious, cutting a deal with the manufacturer, who picks and installs the system libraries, to get an app installed on the handset which they use to steal info on what system libraries it has installed. the perfect plan.


still, this is absolutely yet another reason to not run any facebook-made app, and it is at minimum a bit shady a thing to do, but i really haven't heard an explanation of the actually shady usecase for it that measures up to "facebook wants to run their testsuite on the apps in each environment they are deployed, but android installs are a shitshow of hacked up esoteric variants impossible to get a hold of, so they try to recreate them based on what actually gets loaded on user systems".

Cybernetic Vermin fucked around with this message at 09:27 on Sep 1, 2019

Cybernetic Vermin
Apr 18, 2005



Subjunctive posted:

(I said “code”, so it’s not much of an italicized stretch to extend my post to indicate that.)

counting the number of projects, as though the GTK IRC clients and billion abandoned React components are as significant as the Linux kernel or postgres, seems uncommonly naive

gets a bit circular talking about "significant" though, as it is most natural to define it economically, which will of course coincide with where companies are very active.

Cybernetic Vermin
Apr 18, 2005



Subjunctive posted:

what attribute would you rather compare?

the argument is that commercial organizations make money off of it and should therefore pay for it, so it seems appropriate to look at the economic impact, but I’m game

i don't care at all about the argument, as it is such a vague idea, just wanted to poke fun at going "most open source code, by a very large margin..." and then throwing in some implicit commercial weighting

Cybernetic Vermin
Apr 18, 2005



hmm, yes, that is indeed some impressive digging uncovering that slack

Cybernetic Vermin
Apr 18, 2005



Shaggar posted:

the amount of user tickets generated from not knowing if it's the password or the token is not worth the added security. especially when you can handle it other ways like brute force detection, unknown location detection, disallowing common passwords, etc...

you could just tell them which was wrong if they got one right though, and it indeed seems more secure that way.

otoh just limiting to three attempts an hour with some logic to fully ban bruteforce attempts is indeed 99.9% of the security with less juggling of responsibilities.

Cybernetic Vermin
Apr 18, 2005



pretty sure apple eol'd it anyway

Cybernetic Vermin
Apr 18, 2005



user-hostile security threatre is just awesome

Cybernetic Vermin
Apr 18, 2005



the late stymies two gimmicks; warning about the dangers of alcoholism, and espousing the inherent immorality of computer touching; were both entirely correct and very effective trolling for yospos. rip~

Cybernetic Vermin
Apr 18, 2005



Pile Of Garbage posted:

getting tired of all these exceptionally esoteric CPU vulns. beep boop it affects everything and you can't mitigate it but also we haven't seen it used in the wild as an attack vector but it could be right?

its also a waste to vaccinate your kids against a bunch of diseases no one i know has had

Cybernetic Vermin
Apr 18, 2005



Shame Boy posted:

if u think about it life is just one big app that requests all your permissions all the time whether or not it needs them or you want to give them

i dare bet that every sovereign citizen nut also micromanages their app permissions.

Cybernetic Vermin
Apr 18, 2005



zoom seems perfectly adequate.

Cybernetic Vermin
Apr 18, 2005



what i look for in a standardized 2fa implementation is developers that change it every minute of every day. just pipe all of npm into my tokens or i will scream.

Cybernetic Vermin
Apr 18, 2005



presumably the longer term plan and expectation is that they'll switch all their electron stuff (and probably electron itself) over to edgium and put in more work to stabilize and fix up that.

Cybernetic Vermin
Apr 18, 2005



Phone posted:

a better approach than the 737 max 8 :v

well, no, precisely the same. it is the nature of the "aborting" people are complaining about.

Adbot
ADBOT LOVES YOU

Cybernetic Vermin
Apr 18, 2005



Dylan16807 posted:

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

qualsys rediscovered some integer overflows from 15 years ago in qmail that were never fixed because they couldn't be exploited on a normal config

oops, now they can be exploited on the default config

the response is "whatever, don't configure it that way"

haha, gently caress you djb for your rear end in a top hat response to those exact same overflows 15 years ago. one of the few old security vulnerabilities i remember precisely because the response was so overbearing.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply