Is there a good resource for determining how “effective” your donation to any given open source org is? As in how much of it is going to be paid to the actual devs, QA, and other related workers vs higher management?
IIRC that’s a major complaint with Mozilla and a lot of other large open source orgs.
Same with Google allowing literal malware to advertise themselves posing as legitimate apps that show above the actual app’s website.
They even let ads spoof the display domain name to match the official website (and do no checks for whether they actually own the display domain despite literally having the infrastructure to do that in their SEO tools) while redirecting to a different domain when you click the ad.
John Hammond video: https://www.youtube.com/watch?v=Nlnuk8W2A0Y (also a good video to send to anyone who still thinks Macs “can’t” get malware)
Even if this is genuine incompetence and not malice, they’re so disgustingly incompetent that they don’t deserve to exist just the same as if it was malice.
Yeah the malware is called Windows 11
Karl Marx. And never. Marx is immortal.
Run it in a VM? Maybe even one of those fancy ones that make it appear as a normal window in your Linux DE. Doesn’t solve the problem of the spyware existing but at least it’s contained and can’t touch your Linux apps.
“Hey Gemini write me a React app”
Academic tradition requires you to cite works…
Yeah looks to me like scaling artifacts from shrinking the image. AFAIK AI isn’t that consistent especially with high contrast shapes.
If you’re willing (and/or able) to disassemble the phone and solder to the main board, you should be able to replace the battery with a 3.7v DC power supply.
Unless there’s some protocol that communicates with the battery controller to validate it that I’m not aware of which will refuse to accept power input otherwise? I feel like that shouldn’t be the case if the battery is internal and they don’t expect you to replace it anyway?
Definitely helps if it’s like a Fairphone or something with the battery contacts already exposed and easy to access. Actually, someone should 3D print a Fairphone battery dummy that just has wires coming out of it to hook up to your own power supply. Maybe with an ATTiny chip to spoof whatever digital signals it wants from the battery if that’s required.
it sounds like a Linux password is a red herring, and a secure password even more so
Yes and no. A secure password is extremely important against some security threats, but completely useless against others. It’s like vitamin C. If you don’t get enough, that’s a massive problem and opens you up to a ton of serious issues, same as if you don’t have enough complexity in your password. But even if you do, it won’t effectively protect you from, say, cancer or unprivileged malware respectively.
There’s nothing stopping any program from attempting to bruteforce your Linux password, literally running through possibilities hoping to guess it. Modern password implementations usually have some form of bruteforce protection. If you’ve ever entered your password wrong in sudo or KDE’s lock screen, it usually hangs for a few seconds before telling you your password is wrong, even though any modern computer will have determined it was wrong in literally an instant. This is to prevent a malicious program from endlessly trying random guesses until it gets it by making the time it would take to guess a sufficiently unique password too long to be practical. Your phone and optional software available for Linux go a step further, imposing longer and longer delays with each subsequent failed password attempt, and also prevents malicious programs from spawning many threads each independently calling sudo to bruteforce in parallel by completely disabling access until the time penalty elapses. Though you absolutely do need a sufficiently secure password, making it overly long has diminishing returns past a certain point, it doesn’t matter how many millions of years it would take to bruteforce with a 1 second delay for wrong attempts, but the upgrade from millions of seconds with a simple password like “hunter2” to years is the important part.
Also, a password with no encryption is like a padlock on a wooden box. Even if they don’t have the key, they can still just cut the box open. In computer terms this would be like if someone accessed the files in your SSD directly and injected malware with root privileges, since both completely bypass the check that’s “normally” supposed to stop unauthorized users. Encryption can help but like you said, physical access is generally considered game over anyway unless they found your computer while it’s off and it is never returned to you for you to enter your password. A computer with encrypted everything wouldn’t be able to boot. Your EFI partition and especially your BIOS/firmware have to be unencrypted, and anything unencrypted can be tampered with by a sufficiently skilled attacker with physical access to add things like keyloggers and backdoors that sit dormant until you graciously decrypt everything for them.
Your password strength matters a lot more with encryption though. If you’re going to the trouble of full disk encrypting your computer, make the password as long and random as you can practically remember. If someone is trying to decrypt your computer’s drive, they’ve probably imaged it and are using a separate machine with no rate limiting whatsoever, and modern GPUs can do a ton of cryptographic operations in a short time. And don’t use that password for your user account once decrypted.
If SSH is disabled the class of attacks to be prevented are users ‘voluntarily’ running malware pretending to be goodware.
More or less as far as I know, provided you don’t have any other way of remote access (VNC, RDP, Anydesk/Teamviewer and similar, that weird Steam remote desktop app, a server running vulnerable software on an open port that can be hijacked, etc). In computing, the general rule to follow is if you don’t need it, don’t enable it, otherwise it’s ripe for abuse. That being said, your router should be configured to block local port access from the internet anyway, but if you have another infected device on your network, that’s a major threat. If you do want SSH, configure it to only accept the keys of your trusted devices and not just respond with a password prompt to any device that comes knocking.
True, but does anyone operate this way? At that point it becomes an iPad or a Chromebook.
“Trust” in computing is fickle and complicated, just like real life. At the end of the day, you have to make a decison on who and what you personally trust. An iPad or Chromebook would be the least trustworthy computers in my mind because they’re locked down and administered by companies I absolutely do not trust, and though the locked down architecture does prevent other malware from infecting it, there’s probably already malware by any other name on it with proper Google or Apple security signatures that came with the device from the factory.
This is the same as if your distro maintainer is untrustworthy. They could slip in malware into the official package manager or installer ISO and you’d never know. I personally trust a reputable Linux distro over the literal biggest tech corporations in the world, but I’m still putting my faith in an organization I do not control nor personally know the people in control.
Open source is more trustworthy than proprietary software because the source code is available, but even that isn’t completely guaranteed to stop malicious code from making it in. The recent xz backdoor comes to mind. You’re still trusting that the other people looking at the source code actually catch the malicious part, and that’s not guaranteed even with the most trustworthy people when everyone working on it are overworked, stressed, and in the grip of tunnel vision to get their small part of it done like software developers tend to be, and even when that happens, it might be months or years down the line after the damage has already been done. There’s a reason a full security audit of an app can cost anywhere from thousands to millions of dollars depending on how big the codebase is. Also, because the vast majority of software aren’t compiled in a reproducible way, you don’t really have a guarantee that the actual binary executable that’s on your computer exactly matches the source code unless you go through the (usually difficult and frustrating) process of actually compiling it yourself. Sure, you can probably assume that the official binary released by the source code authors and signed with their cryptographic keys matches the source code since both come from the same place, but that’s not guaranteed and you’re still trusting a person or organization.
But wait, there’s more! The compiler you use is itself a program that needed to be compiled by another compiler, and so on and so fourth until you literally reach the stage decades back when someone manually wrote the individual bits for the very first compiler in that chain. A malicious compiler can be made to obfuscate the fact that it’s malicious, and only a manual review and reverse engineering of the raw binary (without reverse engineering software, mind you) can prove or disprove it’s compromised.
Finally, there’s hardware. Even if you audit every single literal bit of software, the processor itself has immense complexity that you can’t audit without, 1, extremely expensive scientific equipment, and 2, destroying it in the process, and that’s only one chip out of the tens of chips in a computer. Your processor could have secret instructions that bypass all security and your only real hope is to bruteforce every possible input to see what happens. And proving existence of a backdoor is intrinsically much easier than proving absence.
I’m not trying to scare you, but I do want to illustrate just how hard it is to have absolute trust in any computer. At the end of the day, you can never have a computer you completely trust unless you manually assembeled it from raw materials (not aided by any existing computer) and hand wrote every bit that goes into it. Like I said, we all need to make a decision to have faith in some person or organization we do not know. You can spend every waking minute auditing every last part of your computer, hardware and software, but then you wouldn’t have time to actually use it for the things you want to do. There’s no solution to this, there’s only higher and lower degrees of trust and security, which only you can determine for yourself.
So no, no one operates that way, because it’s impossible.
It does look like flatpaks or docker containers isolate behavior, so that’s a win.
Generally, yes, but remember there’s always the possibility of a bug that allows containers to break out of containers. This is not unique to Docker, any sandbox or hypervisor can be breached if there’s an exploit, just like any other software. Doesn’t invalidate the value of containerization, but it must be kept in mind that nothing guaranteed to be completely safe and “malware proof.”
I mean, compared to what? Picking your nose on transit? The people sitting across from you is probably a bigger source of “spying” (and judgment) than the cameras in that case. IMO if you’re okay with being spied on in your car you really don’t have much more to worry about on a train or in a station.
I further submit that cars, being your personal space but still very much “in public,” give you much more of an illusion of privacy while in most cases being just as if not more invasive than transit.
Also, if we’re talking only the transit or road system and not the spying at your destination, driving gives much more precise location data than transit. They’ll know which exact house or building you pulled up to compared to which train station or bus stop you get off at. And if you do consider all surveillance, then they can figure out where you’re going even if you walk because there will be cameras at your destination.
OK, edited.
unprivileged programs have limited/no ability to do scary things to your computer. they might be able to read some data, but it’s not going to implant malware in the boot sequence for Windows.
No, but they can still severely harm your computer/data. Unprivileged programs can still delete or encrypt everything in your home directory or inject themselves into other unprivileged programs or a commonly used shortcut file. You’re probably thinking of containerized apps which are much more limited than the default user permissions and access can be given only to what is needed instead of everything your user has access to.
Linux is as susceptible to this as Windows. It’s not that hard to write a proof of concept malware in Python that copies itself to somewhere in your home directory and appends python ~/.some-boring-config-directory-most-people-never-open/some/more/subdirectories/for/obfuscation/persist.py to your bashrc. You can do the same on Windows with Powershell, JScript, or even VBS, all of which can do severe damage even without privilege escalation.
For example, there was that fake captcha scam a while back which social engineered people into pasting Powershell scripts into their run window, and is able to persist even without UAC permissions. A well known equivalent attack on Linux are those bash shell tutorial sites with the handy copy button next to the listed commands, which can control what is pasted into your clipboard and might not actually give you the command it appears to give you. Even on a user space bash terminal, something like rm -rf /* can delete all your data, ironically not the system and application files that can be replaced (since those require root) but it can delete your personal files that you actually care about just fine. They can also persist on your system by appending stuff into your bashrc with >, because that file is owned by your user and therefore doesn’t need extra permissions.
Any modern operating system is so complex and has so many parts interacting with each other that it’s always possible to hide something malicious somewhere in the Rube Goldberg machine which most people will never notice. Real malware don’t use the typical persistence methods normal programs do because they are well documented and easy to defend against. Linux can be said to be better than Windows in this regard due to being open source and auditable and therefore doesn’t have nearly as many undocumented hiding places (and Linux is generally less Rube Goldbergy), but it is definitely not immune. Never ever run any untrusted program or script, not even unprivileged. The biggest thing Linux has over Windows in this regard is the package manager, which is actively moderated by your distro maintainers, so you don’t have to download random installers from the internet like on Windows.
So do roads, and your metal cage literally has a code on a plaque tied directly to your government ID, with a retroreflective background and each character carefully engineered to be machine readable from any angle and lighting. Hell, a good number of the cars you pass have 360 degree camera arrays pointed directly in your windows, or if you spring for a higher end model with all the features, you get the privilege of a camera pointed straight at your face and at your passengers’ faces.
Also, you can cover your face on transit with something like a medical mask and sunglasses. If you try covering your license plate you’ll literally get arrested.
Specific info, and I’m guessing really specific:
One of the closest allies of the U.S., the U.K. has reportedly suspended sharing some intelligence with the Pentagon due to concern over the boat strikes in the Caribbean, according to CNN.
[…]
In response to a request for comment from TIME, a U.K. government spokesperson said on Wednesday: “It is our longstanding policy to not comment on intelligence matters.”
They went on to say that the “U.S. is our closest ally on security and intelligence. We continue to work together to uphold global peace and security, defend freedom of navigation, and respond to emerging threats.”
Which makes me think they haven’t actually stopped sharing all that much
how can I improve my privacy when buying a modern car?
Buy a train ticket with cash? Not guaranteed to be fully “private” in the cyberpunk shithole we live in but presumably more private than a car.
On that note, fuck every transit agency (including TransLink in Vancouver) who make it more expensive to buy tickets with cash compared to a transit card. And especially fuck you if your transit card system is a P3 with the data handled by a private company (again, including TransLink). You’re probably paying the money they thought they could have made selling your commute data to advertisers.
Bonus non privacy related rant: TransLink, the Earth and our decedents also say fuck you for using plastic RFID cards even for single journey tickets that will get promptly thrown in the trash when they expire in 90 minutes instead of a simple piece of paper that can biodegrade. They even waste more resources to wrap the plastic in paper to give the illusion of the ticket being made of paper when it absolutely is not. Yeah make single use microcomputers and antennas why don’t you? Can’t have transit being too eco friendly after all. They’re not futuristic, future generations will curse us for being so barbarically wasteful of precious resources while digging those RFID tickets out of landfills to extract silicon and metal from. Just print QR codes on normal paper tickets for god sake since the RFID cards probably only store a single unique ID that needs to be looked up against a database anyway, or better yet, just have coin slots on the fare gates and skip giving you a ticket altogether. Oh wait, but then they wouldn’t able to know which station you get off at and refuse to let you out until you’ve paid the upcharge for having the audacity to ride a fully automated train system even one station outside your home city.
“DUHH, IT’S BECAUSE SPEECH IN CHINA IS CENSORED AND YOU’LL LITERALLY GET SENT TO A XINJIANG CONCENTRATION CAMP IF YOU TRIED BEING A VLOGGER”
The winner of the Dynamite “Peace” Prize likes war, what a surprise.
Yeah, someone who actively supports genocide with not only a gun and license to kill, but in charge of all the other state thugs. As a famous bobcat once said, what could possibly go wrong?
As a general rule of thumb, any in-store prepared food in a large grocery store (the ones that come in the store’s own packaging) was probably raw food that had been sitting for ages and they couldn’t sell in time. They’ll literally cut mold out of fruits and slice up the rest for those plastic platters. Every time they re-print a label, it resets the expiry date and you have no idea how many times they’ve done that and just shuffled food around by turning it into different forms.
CBC Marketplace video: https://www.youtube.com/watch?v=ZxCT_D6HBd8
KDE has a built in RDP server you can enable!
If you’re using X server and not Wayland, xrdp is also good.
Remmina is a good RDP client.
GNOME Boxes might be what you’re looking for? KVM if you need a full blown hypervisor.