HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Worf

no profile record

comments

Worf
·2 เดือนที่ผ่านมา·discuss
I hope the average person will soon understand the importance of security and will be OK with making the necessary sacrifices to achieve it. Almost everyone has something to protect, be it personal information or property (money, IP).

People love new technologies and features that make their lives easier, but so far only a small subset of these people have made a conscious decision to limit their exposure to risk by depriving themselves of benefits provided by some of these features.

It sure is wonderful to have your whole life digitized on a single computer. You can analyze, share, organize, gamify, record and so on every aspect of your life instantly and effortlessly. It's incredible, really. Technology is amazing. Expect for the pesky bad actors that can do the digital equivalent to most physical crime from the other side of the world anonymously without you noticing.

It's like germs - if you don't wash your hands after touching something questionable and you don't experience any negative consequences, you'll learn not to wash them most of the time. It's just a waste of time. Maybe if you've touched something really gross, you'd wash them, but that would be the exception. Security is the same. If you've been using computers the same way for years, you'll learn nothing bad happens so why bother having a hygiene, why bother making any tradeoffs?

Yes, you've heard the news of someone's nudes posted online, of someone's bank account drained or of some company's files ransomed, but you've also heard of something dying from a brain parasite after touching a muddy puddle and rubbing their eyes afterwards. That happens rarely, we shouldn't worry about it. A car can hit you when you cross the street, a lightning can strike you when you're just walking about, an aneurysm can end you at anytime. No one is washing their hands all the time or constantly trying to minimize the streets they cross or anything like that. That would be foolish and impractical, and I agree.

That mindset is carried over to digital security, sadly. The risks are higher, the effort to keep a good hygiene is lower, the ability for bad actors to completely fuck you is much greater than in meat space. The rewards are seemingly greater, too, until we realize that what we get from technology is just marginally better than what we get without it. Tech is amazing, but it doesn't make us transcend time and space. It let's us organize our schedule, tag people and places in photos and summarize chats. All of that is born out of meat space. Without tech we'd still have conversation, we'd still see new places, we'd still have calendars and todo lists. We get maybe 1% more than we would have if we didn't have any tech but we let all our information and property sit unsecured for that 1% gain. That's fucked up, because the risks are big and will get bigger. And the tradeoffs we have to make to secure our digital lives may seem annoying, but are actually quite trivial. Less unnecessary sharing, more isolation and compartmentalization, different computers for different tasks, less proprietary hardware and software, etc.. We could get 90% of that 1% benefit from tech if we spend just a bit of time and energy of securing out digital lives. But fuck it. Let's but the latest flagship, let's use it for ID, banking, communication, file storage, camera, health tracking, everything. Because it's a tiny bit more inconvenient to get multiple computers for different purposes, to not get the latest and newest, to not install a bunch of unnecessary shit, to be careful about the digital realm at all.

Not really on topic, but a rant. I'm tired of people (friends and friends of friends) complaining to me that they got majorly fucked one way or another and acting like the universe owes them not to get fucked while they buy a computer that exposes their asshole to the world.
Worf
·2 เดือนที่ผ่านมา·discuss
It seemed for a second that the top security firm auditing Proton's password manager was Proton.
Worf
·2 เดือนที่ผ่านมา·discuss
In one of the languages I read, journalists do this when quoting someone and it pisses me off. Instead of "said", they'll cycle through the same 6-7 synonyms. Instead of just quoting everything together, they break it up.

So instead of:

> President Jackson said "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.".

They'll do something like:

> President Jackson noted that "Lorem ipsum dolor sit amet". The head of state also remarked that "consectetur adipiscing elit" while emphasizing that "sed do eiusmod tempor incididunt ut labore et dolore magna aliqua".

> "Ut enim ad minim veniam, quis nostrud exercitation", categorically proclaimed the former business tycoon. He concluded that "ullamco laboris nisi ut aliquip ex ea commodo consequat".

I've seen this way before LLMs and how much it's used varies a bit from language to language. But it's so formulaic, I can't help but imagine some brain-dead moron sitting in front of the keyboard, trying to make 5 paragraphs from 2 sentences someone said without adding anything else.
Worf
·2 เดือนที่ผ่านมา·discuss
There's almost nothing written about Haiku's security [0]. Am I missing something?

I also don't understand this:

> Our infrastructure contains sensitive personal user data, and we aggressively keep this information private on a need-to-know basis at all times.

What do they mean by "infrastructure" here? Do they mean each installation or their site, bug tracker and so on (the usual interpretation of "infrastructure")? Why would it contain sensitive personal data?

From the FAQ and about pages I gathered that Haiku is just supposed to be simpler, more uniform in design/vision and less bloated than Linux, but nothing specific about why anyone should choose it. If I'm happy with my Linux DE and so on, why would I choose Haiku?

[0] https://www.haiku-os.org/about/security
Worf
·2 เดือนที่ผ่านมา·discuss
Could a case be made not from a free speech POV but from a antitrust one?
Worf
·2 เดือนที่ผ่านมา·discuss
While the EU currently offers more privacy than the US, the best solution would be to use services which no one could have any meaningful control over, as much as possible, except the user.

Self-hosting (including object storage, backups, CDNs) is hard, but doable for some companies. For others it's life-and-death due to costs.

Analytics should be kept at a minimum and should always be self-hosted.

Email should die and be replaced with some E2EE solution. Matrix is far from perfect but if I were to make a website now, I would offer the choice of a Matrix address for account creation and comms. It's still federated and, while not offering 100% privacy, is much better than email, which offers none.

Using a service for transactional email is something that shouldn't be required in an ideal world. That it is only shows how email is captured by a few big players who simply won't deliver your message even if you follow the best practices when setting up your server.

Payment services shouldn't be required in an ideal world, either. They're needed because of a bunch of regulations and unnecessary complexities that could've been avoided and aren't needed from a technical POV.

AI use is troublesome when a company is not using their self-hosted models. As a customer, I wouldn't want my data being shared to a US company or an EU one, although if I had to choose, I'd say EU would be the lesser evil.
Worf
·2 เดือนที่ผ่านมา·discuss
Can you elaborate on how that would work exactly? What would the flow be - which party would request what from whom? Would there be technical assurances that no list is stored by the government?
Worf
·2 เดือนที่ผ่านมา·discuss
Sorry for the late reply. Right now I don't use Android (in any form) or iOS. I have a dumb phone for calls and SMS. I'm fortunate enough that I can keep it on mute for days. I don't really need a tiny computer right now. My desktops and laptops are more than enough.
Worf
·2 เดือนที่ผ่านมา·discuss
Sorry for the late reply. While that's a good example of a vuln that's not "owned" by the affected party and mitigation would be hard to create and distribute, IMO we should still make it public relatively quickly because we can't know whether it has already been discovered by someone else. The public as a whole will likely create countermeasures like patches or workarounds more quickly than a small subset comprising of OS developers and CPU vendors. Personally, I might heavily restrict using JS on random sites or downloading random binaries or scripts (even if they're virtualized), virtualize whatever I can (it seems the 2 previous actions are contradictory, but virtualization could help so why not), separate some data and processes on different physical machines or use a different CPU architecture for some things.
Worf
·2 เดือนที่ผ่านมา·discuss
The company can almost always shut down their service until they fix it. They'll lose money and their customers could also lose money if they depend on the service. That's the price they'll have to pay. Otherwise, they should either work frantically 24/7 to fix the vuln or if they can't, they should accept the fact that they've pushed code without any regard for security and bear the consequences.

Why do we need to put up with excuses? If a company has lots of complicated code that would need enormous amount of time to fix, it's on them. They decided to release this code into the wild.

If I publish the vuln publicly, the users would have the option to stop using the software/service until it's patched. If a customer is using a service without caring about security, it's on them. I want to protect the customers who would monitor the news for such vulns and protect themselves.
Worf
·2 เดือนที่ผ่านมา·discuss
> On the other side you have "bugs are bugs" culture. This is especially common in Linux, where the argument is that if the kernel is doing something it shouldn't then someone somewhere may be able to turn it into an attack. Just fix things as quickly as possible, without drawing attention to them. Often people won't notice, with so many changes going past, and there's still time to get machines patched.

The 3rd one is what I practice when giving companies time to fix their issue. Note, I haven't reported anything to FOSS projects, but to several companies I found exploits in. I give them 5 days. If they don't respond at all in the first day, I deduct 1 day - apparently they're either incompetent or don't care. After the 5 days have passed, I make it public. So far they've all fixed the issue on the 3rd or 4th day.

If I were to report something to a FOSS project, I'd give them a bit more, say 8-9 days. Enough time for everyone to wake up, review the vuln, patch it and ship it. Enough time for all the downstream projects to also ship the patch.

90 days is ridiculous, especially for companies. If I report something on Friday 23:30 and they reply Monday 15:00 - what were they doing during the weekend? Did they forget their software is used 24/7? I had one company complain quite a bit, threatening to sue. When they realized there was no one to sue (me being anonymous with my report), they fixed it in less than a day.

Bottom line - if you're a company offering a product or service, you should have a security team 24/7.

If you're a FOSS project - either alert your users to stop using your software or disable the service yourself, if you can.

If it's an extremely important life-or-death service you can't shut off - then fix it quickly. What are you doing with life-or-death stuff when you can't react quickly enough?

Fuck the 90 days standard - it's what companies want us to do because it's easier on them. If security hasn't been your top priority, you have a few days to make it your top priority.

With AI, that makes even more sense now. Bugs won't be able to stay hidden for months. Especially bugs I've reported like IDORs or SQL injections - things everyone tries first.

(and I love Linux, but getting an "Oh noes!" from Anubis at kernel.org because I don't have cookies enabled (I do??) really makes me not want to report anything to the Linux kernel in particular. If I ever did find something, I'd just immediately post it as a HN comment or something like that)
Worf
·2 เดือนที่ผ่านมา·discuss
I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it.

I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
Worf
·2 เดือนที่ผ่านมา·discuss
From what I've seen no such solution guarantees privacy to the user if the signing body (or the government) and the website collude to deanonymize the user.
Worf
·2 เดือนที่ผ่านมา·discuss
3) micropayments

There are many issues with those, like the wildly different standards of living across the globe. OTOH anyone can acquire Monero if they want to. But someone from a rich country will likely be able to pay for more fake accounts/visits than someone from a poor country. With the ad market the difference between where the visitor is from is very important. Some ad clicks may cost a dollar if they're coming from a rich country and 0.01 cents if they're coming from a poor country.

I'm not suggesting cryptocurrency micropayments for accessing the web but it's on par with PoW in that it only requires money, not privacy.

Perhaps the way forward is for people to wake up and stop visiting sites that infringe on their privacy.
Worf
·2 เดือนที่ผ่านมา·discuss
I absolutely want to increase or decrease the font while keeping the whole width unchanged. This is not possible with PDF. Or maybe it is, but I've never seen a PDF file that supports it. I may be reading on a tiny phone or on a FULL HD monitor. Or I may want to put the file on the left side of the monitor and something else on the right. If I'm on a huge monitor, I might not be OK with tiny fonts. I actually like tiny fonts sometimes, but other times I want to zoom everything. I think at night, where my eyes are more tired and when I have shut off the lighting in the room, I prefer bigger fonts.

I don't particularly care about increasing fonts ONLY. I've mainly done that on Firefox for Android years ago. The standard browser zoom (with CTRL++, CTRL+- or CTRL+WHEEL_UP, CTRL+WHEEL_DOWN) increases everything proportionally. The exceptions are newer websites that try to cram too much logic about what should be zoomed or hidden at a given level of zoom, but I'm not talking about 5 MB SPAs, but normal HTML sites.

I have read vast amounts of docs and I prefer HTML. So OK, I agree that some people want something unresponsive that looks like a printed page. But I think the issue is with how unpolished most EPUB readers are, not in the format itself.

For "underetministic" rendering, it's usually a PDF that had 2 columns, placed an image on the bottom of column 2 and referred to it from the top of column 1. If you automatically make an EPUB from that, the image would be far from where it's referred to. But nothing's stopping you from putting an image right after the paragraph that refers to it.
Worf
·2 เดือนที่ผ่านมา·discuss
I get "Keine Leseprobe verfügbar" which is "no sample available" according to DDG.

I'm downloading a 101 MB EPUB from Anna’s Archive. I'm not sure if it's an official EPUB or someone converted it from something else. There's no PDF available there. In a few hours I'll try to report how several readers handled it.
Worf
·2 เดือนที่ผ่านมา·discuss
I understand your point that you want a fixed presentation layout and pagination. I prefer to be able to responsively resize the document and to follow the ToC instead of pages. I've yet to see documentation that's thousands of pages long that doesn't include a very detailed ToC. For me remembering "section 8.3.16.2" is better and makes more sense than remembering "page 1292". I've had to read scanned math books years ago and I remember using some PDF reader to put bookmarks that correspond to the ToC, so I'd put "2.5.1.2 - Theorem about X" in the sidebar. That's how I was able to actually go back and forth easily. With just pages it would've taken me tens of seconds to locate a theorem (or lemma, proof, definition, whatever). And it was a dense book, so I had to constantly go back and reread stuff. But I agree that PDFs can, and often do, have ToCs, too.

> the size ratios between various elements may be inappropriate

I can't recall having this issue on websites or on EPUBs. What kinds of elements are we talking about? HTML and CSS are pretty good at keeping sizes from what I've seen. I agree that there are many EPUB readers, most of them very unpolished. And perhaps there aren't EPUB readers that are good at everything, yet.

For formulas, MathML and other tech has been satisfactory. I was able to find this basic math paper arXiv uses as a demo for their HTML papers:

https://ar5iv.labs.arxiv.org/html/1910.06709

It doesn't have figures, but the math is rendered perfectly. I can easily remove the "justify" style and increase and decrease the letters. If it was a long paper, it would've been nice to have a clickable ToC, but most EPUBs have one.

I think that right now most EPUB readers and some HTML renderings are bad, but I believe they'll get better.
Worf
·2 เดือนที่ผ่านมา·discuss
My issue with EPUB readers is about features a PDF reader wouldn't even have. Small and annoying things like how much freedom I get when changing fonts and whatnot.

I haven't had a need to use annotations. I guess that could be solved by EPUB editors, but I haven't tested any, apart from any text editors after unzipping the EPUB.
Worf
·2 เดือนที่ผ่านมา·discuss
But you can actually edit PDFs if you're into pain. For immutability there are hashes, signatures and so on.

I've seen rendering differences on different readers over the years. Rarely, but it happens. Probably not for basic documents or scanned papers. At least with HTML or Markdown you can read the source.
Worf
·2 เดือนที่ผ่านมา·discuss
> correct behavior on windows size change

Except the PDF is not responsive at all and you can't increase or decrease the font size without increasing the whole width of page.

> Some vendors have switched to online-only for some documents and it always annoys me.

HTML shouldn't mean online-only. If the vendor isn't trying to make it hard to download, you should always be able to convert to PDF. But PDF to HTML is very hard or impossible.