HackerLangs
TopNewTrendsCommentsPastAskShowJobs

Sayrus

1,588 karmajoined 8 lat temu
Personal blog: sayr.us

comments

Sayrus
·przedwczoraj·discuss
Since there have been multiple 0-day in kernels, we should drop all security boundaries in them because you'd only need execution on the machine and a known vulnerability.

Since there have been with bypass on service X, we should remove auth because all you need is the vulnerability.

Address space layout randomization wouldn't exist with this mindset, and yet it does and helps for many exploits.

SGX is not fully secure. But neither are the other part of the stack. Security (or trust in this case) is done through layers because it's a question of when you'll be vulnerable, not ifs.
Sayrus
·4 dni temu·discuss
As much as I love to discuss how expensive AWS is, I find this comparison quite strange:

- Small instances are used, including a burstable instance for AWS, with no indication on where and how much throttling happened. Saying that the instance is burstable but a price-match isn't even true because later it is discussed that $48 is not a match in price due to services around the instance itself

- It seem Hostim doesn't support large instances, the largest dedicated instance offers 100GB / 4 Cores / 8 GB RAM. At that price point, you either go with AWS for prototyping speed or compliance but definitely not for performance.

- Talking about speed, you got performance, but you'll now spend time developing your own backup and restore processes which are a "coming later" feature. What's the impact of backups compared to disk snapshots on those other network-attached disks?

- It mentions only once the network-attached block storage used by RDS and the Hetzner instance compared. Which is weird because you could go for local storage for cheaper and get more performances, but that introduces some trade-offs.

- Instances are configured with different settings.
Sayrus
·4 dni temu·discuss
Peeker's advantage is not directly related to fog of war. The peeker is moving so before the movement is even sent to the server, the client's camera began moving. As such, the peeker will have at least a tick, usually more before that new position is available to the opponent.

"Fixing" this would make movement sluggish: any movement would need to be validated by the server. Meaning delay between pressing keys and actual movement.
Sayrus
·10 dni temu·discuss
Why stop at tracking license plates? Once you've started you should report on pedestrians, bikes, whether people are at-home, which building people are entering, the way they walk and many more. Those are all "alternative revenue streams" that are as valid from the operator/investor point of view and completely unrelated to whether the way of transportation or activity is meant to be untrackable or unrelated to a way of transportation at all.

There is also a factor of scale: a cop can follow you, but a system where everyone is monitored 24/7 is a very different story.
Sayrus
·17 dni temu·discuss
Then surely Europe shares that trends and shows growth in pedestrian death.

But that isn't the case at all, maybe Europeans are immune to smartphones: https://road-safety.transport.ec.europa.eu/document/download...
Sayrus
·17 dni temu·discuss
I've seen VISA cards with several banks in France where there is commission after 1 to 3 monthly ATM so I'd be doubtful about VISA having such as requirement.
Sayrus
·17 dni temu·discuss
At least in France, most of what people call "credit cards" are actually debit cards.
Sayrus
·22 dni temu·discuss
Historically, AWS own infrastructure relies on us-east-1. Loosing us-east-1 usually means loosing many other AWS Global services which are required for services in other regions to be healthy.
Sayrus
·22 dni temu·discuss
> Tokens saved are tokens saved.

Not always. RTK strips flags and other information. Sometimes you spend more tokens getting them back later. Sure your saved 70% tokens on that tool call, but nothing in the metrics says whether you ran 3 tool calls instead of 1.

There is also a question of whether that stripped output requires more thinking tokens or not.
Sayrus
·24 dni temu·discuss
I'm not sure how Garmin works, but for instance with Google Wallet-compatible watches, you need a phone where wallet can run. I've had this setup for a year where I loaded the cards from another phone and used a watch to pay.

However Wallet didn't like this setup. Tokens expired at varying delays, sometimes a day, sometimes a week or payment failed without reasons.

Nowadays, I just use my bank's app which work fine on GOS.
Sayrus
·29 dni temu·discuss
Excluding server costs, having that 100Gbps on egress can cost $50k a day. since it's a very high-margin product, AWS support would probably refund or reduce that to hundreds. Not sure how you get to millions either.
Sayrus
·w zeszłym miesiącu·discuss
The data-sharing surely is for all providers. I think the sentence "When models become available, onboarding details will be shared." hides a lot of things.
Sayrus
·w zeszłym miesiącu·discuss
> Through Google Cloud's Agent Platform: Retention will need to be enabled for your new covered model, and retained data stays in your GCP environment. When models become available, onboarding details will be shared.

From https://support.claude.com/en/articles/15425996-data-retenti...
Sayrus
·w zeszłym miesiącu·discuss
MV3 itself isn't what breaks uBlock Origin, it is the bundled removal of capabilities that Chrome decided to do. Firefox MV3 supports full WebRequest "scopes" while Chrome only supports declarativeNetRequest.
Sayrus
·w zeszłym miesiącu·discuss
Most panels are from China. Panels have a very long lifetime. Over their lifetime they generate way more than their price in oil. Europe is not a huge producer of oil and relies on imports to sustain its usage. Sourcing panels is effectively reducing the amount of money leaving Europe in the long term.
Sayrus
·w zeszłym miesiącu·discuss
> Now that the attack window has changed to 7 days, all new exploits like these will come with time bombs to not trigger until 8 days.

Many automated scanners use static code analysis rather than run the installation script. Not all of them are caught, but a good part of them are and you'd be saved by a delay.
Sayrus
·2 miesiące temu·discuss
You still need criteria to handle reputation: does an account invited years ago and now spamming affects the reputation of the inviter, how much? What about the hacked accounts?

For small platforms it makes a lot of sense, for larger the potential for abuse is still there in different forms.
Sayrus
·2 miesiące temu·discuss
> Gecko doesn't have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox/Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android.

> The sandbox has been gradually improving on the desktop but it isn't happening for their Android browser yet.

Context is definitely interesting to have with your statement (From https://grapheneos.org/usage).
Sayrus
·2 miesiące temu·discuss
Thanks for writing all this, this really shows how the failures you encountered don't overlap with my use of the phone.

I don't use RCS and Android Auto.

I have HeliBoard to replace Stock/Google Keyboard. It is way ahead the stock keyboard experience but far behind Google Keyboard's, especially when writing in two languages.

Tap-to-pay works with my bank apps. But that means I can only use one card unlike with GPay.

I rarely use second account as the latency to switch from one account to the other is a pain. I only have a secondary sending notifications to the first one.

I don't let the phone auto-reboot for installs, I let it install automatically and click reboot when I want it to install.

I am on a physical SIM / different carrier and never encountered network issues so I can't comment on that one.
Sayrus
·2 miesiące temu·discuss
I think parent is talking about Play Integrity being integrated into banking apps. It's a hit or miss depending on the bank, some will be fine without, some with integrate it but not rely on it to directly refuse login, some will require a lower integrity level, and some will actually require the highest integrity level leading to issues on custom ROMs.