floof.org
(scene: the USB implementers forum. the room is dark and full of smoke. the industry representitives are lit from below, their faces hidden)
"OK folks! Now it's time to write the spec for USB C extension cables and USB C to A adapters. Thoughts?"
"What if we just don't standardise those? We just say in the spec that they're disallowed."
"But extension cables are pretty essential, sometimes there's no alternative. People are going to make them whether they're allowed by the spec or not. So won't every company that makes one do it a bit differently, and they'll all be broken in slightly different ways?"
"Yes, exactly."
"Great, done. What's next?"
re-upping this one again
so many forms of writing are rendered nearly useless if they have no info on *when* they were written
https://infosec.exchange/@0xabad1dea/109768393609628133
to quote an old tweet of mine: Put the date in your paper. Put the date in your pastebin. Put the date in your blogpost. Please, the date, put it.Infosec Exchange
X is training Grok AI on your dataโhereโs how to stop it
Some users were outraged to learn this was opt-out, not opt-in.
Referring to distances and weights in kibimeters and kibigrams just to confuse everyone
POSTSCRIPT: After typing this, I suddenly wondered if anyone had ever had this thought before. I searched on Google for "kibigram" to see if I could find an example of someone using the word. I did. It was @foone
A very rad cat, spreading joy especially for those who may recognize him.
Fanart inspired after visiting Czechia, such a beautiful country!
Digital. Procreate
You can see the short time lapse process video on the first comment of this submission on my Telegram channel: https://t.me/panda_paco
Or get access to the full time lapse video, full resolution and newer submissions before anyone else at supporting me on Patreon: https://www.patreon.com/pandapaco
If anyone is curious just how long the lessons of #CrowdStrike will last, US Navy research suggests everyone will be cautious for about 6 months before going back to the way things were before.
https://navalsafetycommand.navy.mil/Portals/29/LL%2019-13%20The%20Half-Life%20of%20Scared.pdf
Btw - for folks that still have Twitter account (active or not):
They sneakily snuck in an option to siphon user data to train their LLM (opt out, not in, ofc)
You should go turn that right the heck off. You can find and disable it under: Settings > Privacy & Safety > Grok
The direct link to the setting is:
https://x.com/settings/grok_settings
*There is no option to opt out on the mobile app* - you will need to open the site on browser to opt out.
Aside: ublock still works on Firefox mobile and blocks Twitter ads - it's a better way to use the site if you are still using it, tbh.
Tomorrow I will be at Tails in Wales which is an awesome and cosy furmeet in Bangor! And they'll be celebrating their two year anniversary!
๐ท Nauta Sinneau
๐ชก @selkiesuits
#FursuitFriday
I hope this is common knowledge, but just in case not: Authorized Fetch does not protect media attachments. Only post contents and (some) user profiles are authenticated.
Likewise, uploaded media is always public. Even if sent as a DM, anyone with the link can access the files without authentication. That includes blocked users / instances, so be careful what you upload!
lol
https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
You can access data from deleted forks, deleted repositories and even private repositories on GitHub. And it is available forever. This is known by GitHub, and intentionally designed that way.trufflesecurity.com
Campfire Stories ๐ฅ
Commission for Kaiyoht from Jack-Jackal! :3 Higher res version, time lapse video, and drawing stage snapshots are up on my Patreon!: https://www.patreon.com/posts/campfire-stories-108754627
#Furry #FurryArt #FurryArtist #MastoArt #Commission #ArtCommission
Everytime I look up advice/details of how to do something on Linux and the project/guide doesn't explain what to do, but instead has a docker image, my resolve to never use docker increases a little bit more.
I get why docker exists and I'm not saying that it's not useful but wow I really do not want the question "How do I do x" to be answered with "Use this docker image"
Honestly if you like docker then that's great but here me out:
Docker on enterprise servers? โ
Yep
Docker instead of VMs? โ
Sure why not?
Docker because you want to? โ
Of course!
Docker on a single board computer for one job? โ Nonononono please just tell me the steps involved so I can learn how the system works!
@garrwolfdog Sorry I didn't mean to come across as "never use docker at all" but that I dislike that answers have in some cases become "use this docker image"
For example I want a SBC to monitor the temperature of my hot water tank. The first guide I found said that I should use multiple docker images to provide Prometheus and Grafana, and other guides were similar.
In the end Darac pointed me to Munin and that's exactly what I want. :)
@garrwolfdog Like in your case if you're already au fait with docker and it fits into your network then it makes sense, but for me who's still running servers with multiple services for an internal home network I'd prefer to have the details of how to configure it myself :)
It wouldn't be an issue if it was "here's how to do it from scratch but also there's a docker image if you want" but I keep seeing guides that are "you must use docker"
@garrwolfdog Sorry let me clarify; I know nothing about docker and the first time I tried to follow one of these guides I ran into a problem with no way of being able to troubleshoot the fault. I couldn't find an easy answer of how to look at the logs or files within the docker so I had no idea what was going on.
That one did have all the code/scripts/etc not in a docker image and the first time I ran all that I found the fault straight away just by looking at the system logs.
@garrwolfdog That's how I've seen a lot of people using it for small projects, hence my aversion to it in small projects.
I've always seen it as one of those things that you have to know/be invested in learning before you use it in a production environment but some people are treating it like FlatPak/AppImage
@pippin part of the point of the containers is to avoid the very issue it sounds like you're worried they cause. There are potential Escape Routes (usually if run with too many permissions) but the idea is almost more "I don't trust this to _not_ get compromised so I'm isolating this with limited connections for networking/data out of it" with the added benefit of "I also don't have to worry about package collisions or it fucking with local packages".
Outside of official containers I tend not to trust ones where I can't see the Dockerfile, and can read to see how the container image was built and what it'll do inside itself. Useful sometimes for writing my own Dockerfile stuff like for the mastodon image I use.
But yeah the dual purpose is definitely "contain" first, hence the name, with the benefit of "isolate libraries" second meaning if your container ever goes sideways you can just tear it down, and not have to worry about "alright what files got fucked up by building or package management?" And kinda making the data a little more portable. Definitely makes migrating/moving stuff a lot less painful.
@Kay Ohtie @Epoxy / Renby ๐๐ณ๏ธโโง๏ธ I don't drive recklessly just because I'm wearing a seatbelt, though. ๐คทโโ๏ธ
I'm just very dubious about the benefits, haven't had the time and motivation to spend to learn this whole new thing, and haven't had any problems doing it the way I've always done it.
(I'm probably in the "anything invented after you turn 30 is newfangled trash" phase, too.)
I'm the same with snap/flatpak/appimages, for local desktop use I want a bloody package I can keep up to date with standard utilities.
Docker is for remote systems IMO.
"You! Explain what this world is about!"
Seems this sabre has been transported in time to the modern day, and is grumpy about it!
๐ธ @silverfoxwolf
๐ฏ @tungro as Seritus the Sabretooth Tiger
โ๏ธ @madebymercury
๐ 2024-07-20
๐ LondonFurs, London, UK
"IT'S A SWORD, IT'S NOT MEANT TO BE SAFE." My favourite scene from The Hogfather. ___ See how this comic was made here.adi-fitri (Tumblr)
In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.
To this day, key players in securityโamong them Microsoft and the US National Security Agencyโregard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.
On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published whatโs known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it.
The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.
โItโs a big problem,โ said Martin Smolรกr, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. โItโs basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basicallyโฆ execute any malware or untrusted code during system boot. Of course, privileged access is required, but thatโs not a problem in many cases.โ
Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway.Ars Technica
โImagine a house where the drywall, flooring, fireplace, and light fixtures are all made by companies that need continuous access and whose failures would cause the house to collapse. Youโd never set foot in such a structure, yet thatโs how software systems are built.
โItโs not that 100 percent of the system relies on each company all the time, but 100 percent of the system can fail if any one of them fails.โ https://hachyderm.io/@wka/112849901858780783
brittleness is profitable only when everything is working โ Barath Raghavan and Bruce Schneier, โThe CrowdStrike Outage and Market-Driven Brittlenessโ https://www.schneier.Hachyderm.io
