Unless it's a key that needs to be sortable (e.g. insertion order) or a metric/descriptor of some kind, I'm not sure why UUID would be overused or inappropriate for use.

Random UUIDs are not compressible. They are also frequently stored as 38-character strings.

I always worry about tools like this, maintained by small teams, that are so universal that even if only a small fraction of installs are somehow co-opted by malicious actors, you have a wide open attack surface on most tech companies.

e.g. iTerm, Cyberduck, editors of all shades, various VSCode extensions, etc.


I don’t get it, why don’t you all—absolutely all of you reading—use Little Snitch? [1]

It really doesn’t compute in my head why would any macOS user not use a network firewall like this, or similar, to block unwanted outgoing HTTP(s) requests. You can easily inspect the packet with tools like Wireshark or Burp Suite Professional (or Community) edition, or any other proxy tool, of which there are many in the macOS ecosystem.

And this is not unique to macOS, this is all possible in Windows, Linux and any other OS.

[1] https://www.obdev.at/products/littlesnitch/index.html


It’s a false sense of security, more or less. If an application wants to talk to a C2 they don’t have to make a connection at all, just proxy a connection through something already allowed, or tunnel through DNS. Those juicy cryptocurrency keys? Pop Safari with them in the URL and they’re sent to the malicious actor instantly. If you’re owned Little Snitch does nothing at all for you except give you the impression that you’re not.


Especially in this case where the attackers could've proxied you to their malicious servers through npp's good/trusted servers


This is far too cynical of a take. LittleSnitch might not save you from well-established malware on your machine, but it will certainly hamper attempts to get payloads and exploits on your machine in the first place


I find it difficult to believe that there are levels of cooperation between different companies that would allow this to work.

Source: I have worked for a company for longer than the internet has been alive.


My example is “living off the land”: Safari already has access to everything, open it and use it to communicate. Needs no permissions, bypasses Little Snitch entirely.


Ah. I was thinking of non-web apps.


You have worked for the same company for >55 years? That's wild. Can you share the industry?


IBM, although I consider internet and arpanet different things.

Like saying pstn and fiber are different things.


That's at the very least harder and less likely; security is not all or nothing.


It wouldn't protect against this attack though. The Notepad++ update servers were hijacked. Presumably you would allow Notepad++ updates through Little Snitch so you would be equally as vulnerable.


No you wouldn't allow updates with Notepad++


No, why would you allow automatic updates? It makes no sense. You should audit every update as if each payload could contain malware. It’s a paranoid way to live, but that’s what it takes.

We also need better computer science education in high schools, teaching students how to inspect network packets, verify SSL certificates, and evaluate whether a binary blob might contain malicious code.

People have gotten complacent about the internet, which is why they still get hacked, when it should be the other way around. With everything we’ve learned over the years, why are breaches more common than ever? I don’t understand why people are so careless about online security today, compared to decades ago when we were taught not to share personal information and not to trust anything on the internet.


Do you go by the smell of the executable or just general vibes? Nobody has ever reviewed even a tiny fraction of the software they run, closed source or open source.


So you only run software on an operating system and on hardware that you have personally vetted each line of code for?


Tell me about your auditing workflow and procedures.


You don't understand because you compare a mythical view of the past with the current reality.


Isn't Little Snitch exactly the sort of application they're worried about?


Zing!

The state of the world is such that I have started running everything inside VMs. Baseline OS install + virtual machine management and that is it. Which is still not immune, but makes me feel a lot better, as core OS utilities are probably getting better vetting than nifty-utility-123 on which I depend.


Qubes OS?


No, poor man's Qubes with manually assembled VMs. I keep meaning to take the plunge, but have been too lazy to rebuild my system.


I used to love Zone Alarm's ability to notify me on an application's first attempt to connect to the internet, and allow me to approve or deny it. I really wish there was still such an interface today.

Having said that, I absolutely despised the implementation that stole keyboard focus; if it popped up when I was typing it frequently disappeared before I had a chance to read it and I had to go into settings to try and find what had changed. Nothing should ever steal keyboard focus unless it's urgent, and then it should be designed so that you can't accidentally manipulate it with a keyboard (see the UAC prompt, where it opens in the background if the calling program is in the background, and where once you activate it, you have to hold alt+y/n or tab to a button before it accepts the input; just hitting the y/n key alone won't do anything).


If an application wants to talk to AWS, how am I supposed to know if it's legit or not?


If it began doing it after an update, you know that it's better to check if it's supposed to do it.


Because I don't want to deal with constant whitelist management and I simply don't install applications I don't trust. If there's anything really absolutely essential or damaging if it were to leak, I would not put it on an internet-connected device to begin with.


Now you have to worry about Little Snitch not "snitching" on all your traffic.


There’s an open source alternative: https://objective-see.org/products/lulu.html


Similarly I worry about how these apps automatically update themselves. I know it can be done securely. I also doubt that these companies invest the engineering effort to do so.


If you think large companies are somehow immune to this, you’re gonna have a bad time.


It's not a matter of "immune" - larger organizations generally have more resources to allocate to things like this. That doesn't mean they get it right 100% of the time, but they are at least able to try, while small teams or volunteer projects often simply don't have the hours to spend on things like this.


I've sat in some pretty large orgs and my own experience was the "resources allocated" went to the PR team. I can assure you that they would have had a more boring, corporate sounding announcement with multiple references to their legal team and the actions they would have taken, alongside some useless information about being PCI compliant or something. I'm not convinced the practical output is any better.


lol larger organizations don’t spend money on this, they add some useless ‘secops’ tools to their CI and call it a day. They are certainly not doing things like reproducible builds, lol half of them don’t deploy signature verification.


And unlike GPL software, there is typically an army of lawyers, an express warranty, legal liability, etc.


Terms of use typically disclaim all liability.



Anecdotally, my company has a device driver posted on Windows Update. I inherited the project and was digging through Microsoft’s hardware dashboard trying to find information on the stability of the driver. I ended up finding that our driver was crashing rather frequently. Looking closer, the name of the driver shown was curious as it contained the name of our driver as defined in the inf file, and appended at the end was “(WeTest)”. I looked through all source code looking for a reference to this string, to no avail. Eventually I googled “WeTest” and found out WeTest is something owned by Tencent. I double checked all drivers that were ever posted to the server from our account and found no reference to “WeTest” in any of the driver packages uploaded. I emailed our Microsoft contact and got no answers as to where this driver came from and why it was visible from our account. After a few months, this driver finally was removed from our dashboard and our administrator for the account had to submit government documents to Microsoft to show he worked where he said he did. I won’t give specifics on whos or whats, and anyone is more than welcome to dismiss what I’m saying without evidence. But your comment, “when Microsoft’s update servers get compromised..”, made me want to share this experience. Maybe it was some terrible software bug on Microsoft’s end that managed to combine information from two different entities, but we were never given an explanation as to how this happened.


You're sure that you have a complete log of all the drivers that were ever uploaded?


Are you able to modify and resign locally without uploading?


Hum... We keep pretending the SolarWinds scandal never happened?


That didn’t cause tangible pain for the everyday person, even if it did cause non-tangible long-standing damage. Every Windows PC ransomwaring at the same time worldwide would cause Mr. Robot level chaos.


That wasn't really Microsoft-massive though.


It didn't happen by Microsoft's fault. It reached all of Microsoft... and every other company that sells software or computers to the US government.


The question is, are we storing the state of a chess game, or the state of a chess board?

If a game, you might also include timers or other state as well, including full position history.


You may even need envelope encryption for the currently unrevealed post-adjournment move.


This is great, I've been looking for an easy to use local chat app for me and my kids, and Adium on Bonjour has been flaky with my VLAN setup at home. Will have to give this a try...


Isn't circular funding how the entire economy works?

I can see how you could make an argument that this particular ouroboros has an insufficient loop area to sustain itself, or more significantly, lacks connection to the rest of the economy, but money has to flow in circles/cycles or it doesn't work at all.


Parties in an economy don't normally buy something that they sell at the same time. It's hazier than that here, but still looks like Nvidia is buying GPUs from itself via OpenAI and Oracle.

Btw there are examples involving sanctioned economies. Most US saffron comes from Spain, all of whose saffron comes from Iran. Azerbaijan exports way more gas than they produce, because they also buy from Russia.


Only when using non-aligned interests, like government funding roads.

When interests directly align and parties are largely owned by the same people, it's wash trading.

The point of wash trading is to make activity increase the value of an asset via a net-zero activity. Since nothing is generated from the activity it's circular, e.g., nothing physical changes hands.

Crypto trading is the golden child of wash trading as the primary mode of increasing the value of an asset.

It's unsurprising then that the company that got rich on crypto wash trading is doing its own attempts to drive artificial demand.


> worst case scenario being the flat profile where program time is roughly evenly distributed

It sounds like the “worst case” here is that the program is already optimized.


Author here, kinda sorta. I should've been a bit more specific than that. You can have a profile showing a function taking up 99% of the time, but when you dive into it, there's no clear bottleneck. But just because there's no bottleneck, that doesn't mean it's optimized; vice versa, a well-optimized program can have a bottleneck that's already been cycle-squeezed to hell and back.

What I wanted to say was that a spiky profile provides a clear path to optimizing a piece of code, whereas a flat profile usually means there are more fundamental issues (inefficient memory management, pointer chasing all over the place, convoluted object system, etc.).


It sounds like a flat profile essentially is a local optimum, compared to cases where there's a path "upwards" along a hill to some place more optimal that doesn't require completely changing your strategy.


That's actually a good observation, yeah. It's often the case that you dig deeper and deeper and find some incomprehensible spaghetti and just say "fuck it, I'll just do what I can here, should be enough".


I've seen a few of these in my career, if I understand the author correctly. You have a big ball of mud that can theoretically be 10x or 100x faster, but the costs are diffuse and can't be solved by just finding a hotspot and optimizing it.

It often happens for good reasons. Features get added over time, there are some scars from a mocking framework, simpler (faster) solutions don't quite work because they're supporting X which supports Y which supports Z (dead code, but nobody noticed), people use full datetime handling when they mean to access performance counters, the complexity of the thing means that you blow your branch prediction cache size budget, etc....

The solution is to deeply understand the problem (lots of techniques, but this comment isn't a blog post) and come up with a solution, like a ground-up rewrite of some or all of the offending section.


Not necessarily. It could just be uniformly slow with no particular bottleneck.


This is a narrative commonly heard from profiler skeptics, but I've never seen a real example.


It's ACPI - most laptops ship with half-broken ACPI tables, and provide support for tunables through Windows drivers. It's convenient for laptop manufacturers, because Microsoft makes it very easy to update drivers via Windows Update, and small issues with sleep, performance, etc. can be mostly patched through a driver update.

Linux OTOH can only use the information it has from ACPI to accomplish things like CPU power states, etc. So you end up with issues like "the fans stop working after my laptop wakes from sleep" because of a broken ACPI implementation.

There are a couple of laptops with excellent battery life under Linux though, and if you can find a Lunar Lake laptop with iGPU and IPS screen, you can idle around 3-4W and easily get 12+ hours of battery.


Don't just leave us hanging, what model number laptops have that great of a battery life?


LG Gram laptops have excellent battery life. E.g. https://www.notebookcheck.net/Lightweight-with-power-and-20-...

I have an LG Gram 15 from 2021 and it gets 15+ hours under light usage in Linux.


LG Gram user here with Debian as a daily driver. Can confirm, maybe not 15h, but I don't think about charging. Plus, it's super stable, not a single crash or hang-up over years. It just works. I hope LG will keep this up and not mess up next iterations of the hardware.


I had an LG gram before the battery in it gave out and now it won't boot with the battery plugged in. The battery life was amazing, it always slept properly, etc.

Now I have a Framework. It randomly reboots when I close the lid, the battery life is terrible, etc. I live with it since I like the idea of a repairable laptop.


Which Framework? Let us know what to avoid.


Lunar Lake Lenovo Carbon X1. If you get the IPS screen, you'll get even better than 12 hours.


What's standing in the way of doing something like NDISwrapper but for ACPI? Just that nobody with the required skills has spent the effort? Or something technical?


ACPI has been a problem for Linux for so long now…


It's not a problem with Linux, it's a problem with laptop manufacturers not caring about designing their ACPI tables and firmware correctly.


If the observable behavior is bad Linux performance, it's a Linux problem.

There's a saying in motorcycling: it's better to be alive than right. There's no upside in being correct if it leaves you worse off.

There are ways to make things better leveraging the Linux way. Make more usable tools for fixing ACPI deficiencies with hotloadable patches, ways of validating or verifying the patches for safety, ways of sharing and downloading them, and building a community around it.

Moaning that manufacturers only pay attention to where their profits come from is not a strategy at all.


Decompile your ACPI tables and then do a grep for "Linux". You are likely to find it, meaning the vendor took time to think about Linux on their hardware. Some vendors take the time to write good settings and code for the Linux ACPI paths, some dump you into no-man's land on purpose if your OSI vendor string is "Linux".

It's quite literally a vendor problem created by vendors leading anyone that doesn't run Windows astray in some cases.

If you run Linux, then dare to change your OSI vendor string to "Windows", you've entered into bespoke code land that follows different non-standard implementations for every SKU, where it's coded to work with a unique set of hardware and bespoke drivers/firmware on Windows. You also forgo any Linux forethought and optimizations that went into the "Linux" code paths.
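As an added example (not from this thread), a POSIX shell script that performs the "decompile and grep" check described above on a constructed DSDT fragment. The acpidump/iasl commands are the real ACPICA tools (shown commented out, not run); the function names osi_strings and checks_linux and the sample ASL are my own.

```shell
#!/bin/sh
# Added example: list which operating-system strings a decompiled DSDT tests
# with _OSI(), i.e. the "grep for Linux" step from the comment above.
# Real workflow with the ACPICA tools (not executed here):
#   sudo acpidump -b -t DSDT      # writes dsdt.dat (raw table)
#   iasl -d dsdt.dat              # writes dsdt.dsl (ASL source)
#   osi_strings dsdt.dsl

LC_ALL=C
export LC_ALL

# Print every distinct string the firmware passes to _OSI(), one per line.
# iasl emits the call as  _OSI ("Windows 2015")  or  \_OSI ("Linux").
osi_strings() {
    grep -o '_OSI *("[^"]*")' "$1" | sed 's/.*("\(.*\)")/\1/' | sort -u
}

# Succeeds if the firmware branches on the "Linux" answer at all. Which branch
# a Linux kernel actually takes is governed by its acpi_osi= boot parameter,
# which is the "Linux path" vs "Windows path" distinction discussed above.
checks_linux() {
    osi_strings "$1" | grep -qx 'Linux'
}

# Constructed DSDT fragment in the shape iasl -d produces; the OSYS values
# are hypothetical, not taken from any real vendor table.
SAMPLE_DSL="$(mktemp)"
trap 'rm -f "$SAMPLE_DSL"' EXIT
cat > "$SAMPLE_DSL" <<'EOF'
    Method (_INI, 0, NotSerialized)
    {
        If (_OSI ("Windows 2009"))
        {
            OSYS = 0x07D9
        }

        If (_OSI ("Windows 2015"))
        {
            OSYS = 0x07DF
        }

        If (\_OSI ("Linux"))
        {
            OSYS = 0x03E8
        }
    }
EOF

osi_strings "$SAMPLE_DSL"
checks_linux "$SAMPLE_DSL" && echo "firmware has a dedicated Linux branch"
```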


You seem to have totally ignored his point...


My point is that from the Linux side, you're damned if you do and damned if you don't, no matter how you tackle the issue. If the layer above Linux is going to deliberately malfunction and lie on the Linux happy path, or speak some non-standard per-device driver protocol if you lie to use the Windows path, there's not much that can be done.

It's only a "Linux problem" if you're trying to run Linux on hardware that is actively hostile to it. There are plenty of vendors who supply good Linux happy paths in their firmware, using their hardware is the solution to that self-imposed problem.


I think the correct strategy in this case is to return your laptop to the store if it has Linux compatibility issues, and keep trying until you find one that works.

i.e. don't support vendors whose laptops don't work in Linux.


That sounds like a problem with Linux.


I thought this article would first start with the most essential question: "How to decide what you need on your devboard".

Without that critical piece of design work, you may as well call this "How to build a Raspberry Pi Nano from scratch". Which, to be fair, is also a good article to write.

But step 1 for really building a dev board is answering the question, "What do I need from this that I can't get from a $5 Amazon purchase?"


> What do I need from this that I can't get from a $5 Amazon purchase?

A month of enjoyment tinkering on a hobby just for the hell of it.


I just go the other way - dev boards are so cheap you can just take a scalpel to them and take off the bits you don’t want.


"I built my house without any inspection or licensing and connected to the electric grid"

Where exactly do you live? I'm not saying you're lying, but this smells like a tall tale. You can easily buy solar panels and batteries, and if no government inspectors are coming by anyway, then it doesn't matter.

Maybe what you're saying is, "my power company wouldn't let me use grid-tied solar without it being permitted." ?


Rural AZ

>"my power company wouldn't let me use grid-tied solar without it being permitted." ?

Nah they didn't give a shit what I connected it to. I literally stubbed a 200 amp service entrance on vacant land then just went wild connecting it to whatever I like. I shot the shit with their engineer when they ran secondary off the power pole and that was it, I've never seen them again.

> no government inspectors are coming by anyway, then it doesn't matter.

I don't know for certain but having an unpermitted solar panel visible via satellite would likely trigger a visit.


Great, so it sounds like installing unpermitted solar at your house is about as illegal as jaywalking, and you probably shouldn't worry about it so much.


Just never upset the wrong person that knows they have leverage over you keeping your home.


As long as it's not visible by satellite, yes.


What law governs this? I'm familiar with a lot of restrictions on grid-tie systems, but I've never heard of it being this strict for something that could (presumably) be done without a back feed.

I mean, are you saying that someone sticking up a few panels+batteries to run an electric fence, gate, and camera system has to have permits?

This all seems strange.


For example, here is the one saying that to install certain PV you need a permit with roof and building plan, which is impossible on my house because I have none (literally built my roof off the cuff after thumbing the IRC).

https://www.azleg.gov/ars/11/00323.htm


Just dropping by to say that I appreciate your approach to life lol


Don't people have guns in AZ, especially rural?

I wouldn't want to go to someone's home to hassle them about their DIY solar installation.


People have guns in all of the US. Sure, AZ ownership might be around double that of CA, but that's just going from 1 in 4 to 1 in 2. The odds are high either way.


> The I-team also found six sergeants in the Sheriff's Office who live out of state - in Idaho, Nevada, Texas and Tennessee. Two of them work on the bomb squad where they made almost $600,000 in pay and benefits last year.
