brie

joined 1 year ago
[–] [email protected] 3 points 4 months ago

Restricting access to files within a user is why sandboxing is useful. It in theory limits the scope of a vulnerability in an app to only the files it can read (unless there is a sandbox escape). Android instead prevents apps from accessing other apps' files by having each app run as a separate user.

One way to keep the encryption keys encrypted at rest is to require the login password (or another password) to open the app, and use it to encrypt the keys. That said, if an adversary can read Signal's data, they can almost certainly just replace Signal with a password-stealing version.

[–] [email protected] 14 points 4 months ago (2 children)

While I don't disagree, it is possible that Kling picked up the writing style of he/him for unspecified gender. Kling is Swedish, and Swedish only recently made their gender neutral pronoun official. On the English side, it seems he/him for unspecified gender started getting pushed in the 1800s, though I can't find info on when they/them regained usage.

[–] [email protected] 106 points 4 months ago (7 children)

As a reminder, you can always just uninstall OneDrive and call it a day.

Until Microsoft takes that option away as well....

[–] [email protected] 25 points 5 months ago (1 children)
[–] [email protected] 41 points 5 months ago (8 children)

On the one hand, having an AI generated alt-text on the client side would be much better than not having any alt-text at all. On the other hand, the pessemist in me thinks that if it becomes widely available, website makers will feel less of a need to add proper alt-text to their content.

[–] [email protected] 5 points 5 months ago

The original research was regarding supercapacitors, not Lithium-ion. Based on the PNAS preview it seems it has to do with changing the design of a supercapacitor to increase charge rate.

[–] [email protected] 27 points 5 months ago (2 children)

Increasing capacitance (how much charge is stored to reach a certain voltage) or the voltage it is charged to would indeed increase the capacity. Putting several in parallel would work, as would making a bigger capacitor. The main problem as far as I can tell is that the energy density of even supercapacitors is low, so you'd need a much larger volume to have the same capacity (and thus a much thicker phone).

[–] [email protected] 23 points 5 months ago (1 children)

Alexandria and Stract use their own open source crawlers. Brave is also independent, if I recall correctly.

[–] [email protected] 5 points 6 months ago (1 children)

Although it is possible that some messaging apps send completely unencrypted messages, most (reputable) non-E2E apps are probably still using HTTPS. It just means that when the message arrives at the messaging app's servers, they can decrypt the message and store it in plaintext.

[–] [email protected] 15 points 6 months ago (2 children)

DDG's AI chat isn't a search engine. It's just a chat interface for GPT-3.5 Turbo and Claude, without any search access. It's also not very up to date.

GPT-3.5 Turbo:

Who is the PM of the UK?

As of my last update, the Prime Minister of the United Kingdom is Boris Johnson. Please note that political positions can change, so I recommend checking the latest news sources for the most up-to-date information.

Is Queen Elizabeth still alive?

Yes, as of my last update, Queen Elizabeth II is still alive.

The Claude version doesn't fare any better:

Is Queen Elizabeth still alive?

Yes, Queen Elizabeth II is still alive. She is the current and longest-reigning monarch of the United Kingdom, having ascended to the throne in 1952. As of 2023, she is 96 years old.

[–] [email protected] 13 points 6 months ago (2 children)

Are there any search engines other than perplexity that tie the sources to sections rather than just popping them all at the bottom? That always felt like the most practical layout for being able to easily cross-check information against their supposed sources.

 

Fedora 40's Changeset

It's mostly minor changes, but the most noticable one for me was that Gnome 46 now has expandable notifications, no extensions needed. (Making it impossible to read the full notification text was one of the design choices of all time.)

 

Caveat: It isn't available in the app store in the EU, and is instead only available via the developer's marketplace, AltStore¹. As far as I can tell, this genuinely isn't because of greed, but because of a little detail in Apple's EU rules (possibly wrong):

[...] Developers can choose to remain on the App Store’s current business terms or adopt the new business terms for iOS apps in the EU.

Developers operating under the new business terms for EU apps will have the option to distribute their iOS apps in the EU via the App Store, Web Distribution, and/or alternative app marketplaces. [...] Developers who achieve exceptional scale on iOS, with apps that have over one million first annual installs in the past 12 months in the EU, will pay a Core Technology Fee. ²

The problem being, if you're under the old terms, there is no "Core Technology Fee." However, in order to distribute on another marketplace, you must opt into the new terms, meaning you now have to pay the fee even on apps that are distributed on Apple's app store. Thus, if you distribute on the iOS app store in the EU for free, and lets say it gets 2 million installs, you get 1 million installs free... and you now owe Apple half a million dollars.

  1. https://news.ycombinator.com/item?id=40067556
  2. https://developer.apple.com/support/core-technology-fee/
 

TL;DR: Update immediately, especially if SSH is enabled. xz versions 5.6.0 & 5.6.1 are impacted. The article contains links to each distro's specific instructions of what to do.

https://news.opensuse.org/2024/03/29/xz-backdoor/

Current research indicates that the backdoor is active in the SSH Daemon, allowing malicious actors to access systems where SSH is exposed to the internet.

In summary, the conditions for exploitation seem to be:

  • xz version 5.6.0 or 5.6.1
  • SSH with a patch that causes xz to be loaded
  • SSH daemon enabled

Impact on distros

  • Arch Linux: Backdoor was present, but shouldn't be able to activate. Updating is still strongly recommended.

  • Debian: Testing, Unstable, and Experimental are affected (update to xz-utils version 5.6.1+really5.4.5-1). Stable is not affected.

  • Fedora: 41 is affected and should not be used. Fedora 40 may be affected (check the version of xz). Fedora 39 is not affected.

  • FreeBSD: Not affected.

  • Kali: Affected.

  • NixOS: NixOS unstable has the backdoor, but it should not be able to activate. NixOS stable is not affected.

  • OpenSUSE: Tumbleweed and MicroOS are affected. Update to liblzma5 version 5.6.1.revertto5.4. Leap is not affected.

CVE-2024-3094

 

As far as I can tell this basically means that all apps must be approved by Apple to follow their "platform policies for security and privacy" even if publishing on a third party app store. They will also disable updating apps from third party app stores if you stay outside the EU for too long (even if you are a citizen of an EU country, with an Apple account set to the EU region).

The idea that preventing app updates is in line with their claims of protecting security is utterly absurd. "Never attibute to malice what can be explained with stupidity," but Apple isn't stupid.

 

I used a sentence from the article as the title since I felt it represented the actual issue better, let me know if I should change it.

Essentially, Snap Store has basically no restrictions on publishing new applications, allowing for scammers to impersonate legitimate applications. In this case (and several times in the past) the target was a cryptocurrency wallet, resulting in ~$490,000 worth of bitcoin being stolen.

The "Safe" rating reminds me of this xkcd:

If someone steals my laptop while I'm logged in, they can read my email, take my money, and impersonate me to my friends, but at least they can't install drivers without my permission.

(For comparison, it seems being proprietary is an automatic unsafe rating for any application, which could be considered too extreme in the other direction.)

 

There's also more example videos on the technical report

Personal take: If they didn't say how the videos on the page were created, I genuinely think that several of the AI generated videos could be passed off as being made with a camera or CGI (though there's probably still inconsistencies when looking hard enough).

This failure example is quite amusing.

 

TL;DR: Explanation of why the escape sequence for 256 color and 24 bit color modes are weird and can vary. \E[38:5:​_n_​m is technically the correct form for 256 color, but \E[38;5;​_n_​m is the form terminals more widely support.

I saw this on Hacker News today, and found the article interesting because I'd recently seen a Terminal Guide page on 256 color that mentioned how terminals support different versions of the codes (with semicolons being the most compatible). Semi-relatedly there's XTerm's criticism of Gnome Terminal and VTE (which is talks about compatibility in general).

91
Wine 9.0 released (gitlab.winehq.org)
 

We have collected personal details of most individuals involved in [Tachiyomi] and plan to proceed with strong legal and institutional responses against over 100 forked GitHub pages.¹

It sounds like Kakao Entertainment's "Global Anti-Piracy Task Force" (P.Cok) might plan on directly targetting the developers, rather than just the project itself ¹ ². Tachiyomi has in response removed all of their extensions except for selfhosted services ³.

I'm not too sure how much of a legal leg they have to stand on, but it isn't very surprising since Tachiyomi did have a lot of extensions for... dubious sources. It doesn't seem like they plan on adding back extensions that scrape official sources though.

  1. https://nitter.net/kakaoent_pcok/status/1744889648265175197
  2. https://newsroom.kakaoent.com/news/meet-p-cok-kakao-entertainments-global-anti-piracy-task-force/
  3. https://tachiyomi.org/news/2024-01-09-extensions-removal
 

Fossify Gallery on the official F-Droid repo

The removal isn't directly related to the buyout/fork. Simple Gallery was taken off of F-Droid due to a dependency on the nonfree Google VR being discovered by IzzySoft¹ ². Fossify's fork has removed the dependent features to be compliant³.

  1. https://gitlab.com/fdroid/fdroiddata/-/merge_requests/14284
  2. https://github.com/FossifyOrg/Gallery/issues/36
  3. https://github.com/FossifyOrg/Gallery/issues/36#issuecomment-1873458105
3
submitted 10 months ago* (last edited 10 months ago) by [email protected] to c/[email protected]
view more: next ›