HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Sayrus

1,588 karmajoined 8 yıl önce
Personal blog: sayr.us

comments

Sayrus
·evvelsi gün·discuss
Since there have been multiple 0-day in kernels, we should drop all security boundaries in them because you'd only need execution on the machine and a known vulnerability.

Since there have been with bypass on service X, we should remove auth because all you need is the vulnerability.

Address space layout randomization wouldn't exist with this mindset, and yet it does and helps for many exploits.

SGX is not fully secure. But neither are the other part of the stack. Security (or trust in this case) is done through layers because it's a question of when you'll be vulnerable, not ifs.
Sayrus
·4 gün önce·discuss
As much as I love to discuss how expensive AWS is, I find this comparison quite strange:

- Small instances are used, including a burstable instance for AWS, with no indication on where and how much throttling happened. Saying that the instance is burstable but a price-match isn't even true because later it is discussed that $48 is not a match in price due to services around the instance itself

- It seem Hostim doesn't support large instances, the largest dedicated instance offers 100GB / 4 Cores / 8 GB RAM. At that price point, you either go with AWS for prototyping speed or compliance but definitely not for performance.

- Talking about speed, you got performance, but you'll now spend time developing your own backup and restore processes which are a "coming later" feature. What's the impact of backups compared to disk snapshots on those other network-attached disks?

- It mentions only once the network-attached block storage used by RDS and the Hetzner instance compared. Which is weird because you could go for local storage for cheaper and get more performances, but that introduces some trade-offs.

- Instances are configured with different settings.
Sayrus
·5 gün önce·discuss
Peeker's advantage is not directly related to fog of war. The peeker is moving so before the movement is even sent to the server, the client's camera began moving. As such, the peeker will have at least a tick, usually more before that new position is available to the opponent.

"Fixing" this would make movement sluggish: any movement would need to be validated by the server. Meaning delay between pressing keys and actual movement.
Sayrus
·10 gün önce·discuss
Why stop at tracking license plates? Once you've started you should report on pedestrians, bikes, whether people are at-home, which building people are entering, the way they walk and many more. Those are all "alternative revenue streams" that are as valid from the operator/investor point of view and completely unrelated to whether the way of transportation or activity is meant to be untrackable or unrelated to a way of transportation at all.

There is also a factor of scale: a cop can follow you, but a system where everyone is monitored 24/7 is a very different story.
Sayrus
·18 gün önce·discuss
Then surely Europe shares that trends and shows growth in pedestrian death.

But that isn't the case at all, maybe Europeans are immune to smartphones: https://road-safety.transport.ec.europa.eu/document/download...
Sayrus
·18 gün önce·discuss
I've seen VISA cards with several banks in France where there is commission after 1 to 3 monthly ATM so I'd be doubtful about VISA having such as requirement.
Sayrus
·18 gün önce·discuss
At least in France, most of what people call "credit cards" are actually debit cards.
Sayrus
·22 gün önce·discuss
Historically, AWS own infrastructure relies on us-east-1. Loosing us-east-1 usually means loosing many other AWS Global services which are required for services in other regions to be healthy.
Sayrus
·22 gün önce·discuss
> Tokens saved are tokens saved.

Not always. RTK strips flags and other information. Sometimes you spend more tokens getting them back later. Sure your saved 70% tokens on that tool call, but nothing in the metrics says whether you ran 3 tool calls instead of 1.

There is also a question of whether that stripped output requires more thinking tokens or not.
Sayrus
·24 gün önce·discuss
I'm not sure how Garmin works, but for instance with Google Wallet-compatible watches, you need a phone where wallet can run. I've had this setup for a year where I loaded the cards from another phone and used a watch to pay.

However Wallet didn't like this setup. Tokens expired at varying delays, sometimes a day, sometimes a week or payment failed without reasons.

Nowadays, I just use my bank's app which work fine on GOS.
Sayrus
·29 gün önce·discuss
Excluding server costs, having that 100Gbps on egress can cost $50k a day. since it's a very high-margin product, AWS support would probably refund or reduce that to hundreds. Not sure how you get to millions either.
Sayrus
·geçen ay·discuss
The data-sharing surely is for all providers. I think the sentence "When models become available, onboarding details will be shared." hides a lot of things.
Sayrus
·geçen ay·discuss
> Through Google Cloud's Agent Platform: Retention will need to be enabled for your new covered model, and retained data stays in your GCP environment. When models become available, onboarding details will be shared.

From https://support.claude.com/en/articles/15425996-data-retenti...
Sayrus
·geçen ay·discuss
MV3 itself isn't what breaks uBlock Origin, it is the bundled removal of capabilities that Chrome decided to do. Firefox MV3 supports full WebRequest "scopes" while Chrome only supports declarativeNetRequest.
Sayrus
·geçen ay·discuss
Most panels are from China. Panels have a very long lifetime. Over their lifetime they generate way more than their price in oil. Europe is not a huge producer of oil and relies on imports to sustain its usage. Sourcing panels is effectively reducing the amount of money leaving Europe in the long term.
Sayrus
·geçen ay·discuss
> Now that the attack window has changed to 7 days, all new exploits like these will come with time bombs to not trigger until 8 days.

Many automated scanners use static code analysis rather than run the installation script. Not all of them are caught, but a good part of them are and you'd be saved by a delay.
Sayrus
·2 ay önce·discuss
You still need criteria to handle reputation: does an account invited years ago and now spamming affects the reputation of the inviter, how much? What about the hacked accounts?

For small platforms it makes a lot of sense, for larger the potential for abuse is still there in different forms.
Sayrus
·2 ay önce·discuss
> Gecko doesn't have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox/Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android.

> The sandbox has been gradually improving on the desktop but it isn't happening for their Android browser yet.

Context is definitely interesting to have with your statement (From https://grapheneos.org/usage).
Sayrus
·2 ay önce·discuss
Thanks for writing all this, this really shows how the failures you encountered don't overlap with my use of the phone.

I don't use RCS and Android Auto.

I have HeliBoard to replace Stock/Google Keyboard. It is way ahead the stock keyboard experience but far behind Google Keyboard's, especially when writing in two languages.

Tap-to-pay works with my bank apps. But that means I can only use one card unlike with GPay.

I rarely use second account as the latency to switch from one account to the other is a pain. I only have a secondary sending notifications to the first one.

I don't let the phone auto-reboot for installs, I let it install automatically and click reboot when I want it to install.

I am on a physical SIM / different carrier and never encountered network issues so I can't comment on that one.
Sayrus
·2 ay önce·discuss
I think parent is talking about Play Integrity being integrated into banking apps. It's a hit or miss depending on the bank, some will be fine without, some with integrate it but not rely on it to directly refuse login, some will require a lower integrity level, and some will actually require the highest integrity level leading to issues on custom ROMs.