Society is only one Android release away from most consumer traffic metadata being tunnelled by default through a new instrument of political policy, thanks to a company who not so long ago wouldn't even let you select…
I can't see into the future, unfortunately, but you're welcome to bookmark the parent comment and set a calendar entry to compare it with reality about once every 6 months. It's possible to speculate, though. Google…
you appear to have jumped to step 2 in the masterplan, and completely skipped step 1. It's not even mandatory yet, but when it is, the choice will be between N<10 providers, most of them almost certainly American…
They can fight it on the basis of censorship, and I'll support them on the basis of a decentralized Internet that does not rely on some folk who leaked private data all over the Internet a few years ago. Fuck DoH. It's…
What I mean is https://i.ibb.co/P6N35qv/Screenshot-from-2019-08-10-10-27-25... does not make it clear whatsoever that 'public' really means public. Before we get into blaming the customer, there should be a bright red…
For EBS, step 1 is reading the docs, step 2 is cutpasting a documentation example. For S3 I'm not sure how people are building their lists. AFAIK the API provides no enumeration. So this is possibly something coming…
> Who on Earth is thinking that it is a good idea to take an EBS snapshot and make it public? Non-marketplace AMIs are built on public EBS snapshots, but that's something they should still fix. Marketplace AMIs already…
Public EBS snapshots are great, and thankfully a design other clouds didn't copy. I've found all kinds of stuff in there, including a 900GB Oracle backup of a publicly traded manufacturer's accounting system. It doesn't…
Google can claim many firsts, but hopping from a baseband to an application processor most certainly isn't one of them. I'm sure you can find presentations from e.g. CCC much older than 2017
It's unusual but certainly not novel. There have been similar attacks against e.g. server network cards >10 years ago, where (IIRC) a magic pattern used for factory testing could put the card into firmware download…
> It makes cross-platform desktop development much easier. That is literally how Adobe Air was billed
Pwn2Own fell out of the spotlight over time because they managed to piss off sponsors and teams alike, not because any material improvement occurred in software security, involving systems that for the most part…
> we all know that it's basically impossible to attack a modern well configured system Where in the world did this fantastic idea come from? https://events.linuxfoundation.org/wp-content/uploads/2017/1...…
I'm curious about how these things are expected to scale.. 1000 subscribers, dedicated support person 5000, ??? 10000, ??? At some point these community efforts must grow back into a company again, right? And the cycle…
Tears of joy.
If SCM_CRED passing were a real problem in _any_ scenario, SELinux should target that instead, not an entire subsystem on which half the system is built
One reason to dislike SELinux is the arbitrary assumptions baked in by default that barely anyone knows how to or cares to change, which makes carefully designed software look broken when the framework itself is broken.…
Don't worry about it, I'm sure it's in the backlog
The western world has sad tendency to believe its ideals are the only ideals, so you're unlikely to attract much productive comment. Fanaticism is found everywhere, it's just common for some cultures to give it another…
Not in civilized parts of the world
They pay a team to embarrass competitors. The technical aspect is a small part of what is happening here.
Project Zero has always been disguised marketing, and IMHO an extremely nasty form of it. I have no doubt they plan coordinated releases like this on a regular basis (these downvotes are confusing. Do you disagree that…
> offset the deploying mechanism and control (probably to varying degrees) to a third party that’s dependent on another third party This sounds exactly like working inside any big company, and all that pre-canned…
I'm no Java ninja, but a few things jump out of https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c... : - at least one heap allocation for every line. After it finds the EOL it first uses 'new String' followed…
You can find much slower machines able to route gigabit, the limitations are mostly on the bus and ability for the driver/chip to efficiently process notifications. We're only talking about 125MB/sec, and if any of that…
Society is only one Android release away from most consumer traffic metadata being tunnelled by default through a new instrument of political policy, thanks to a company who not so long ago wouldn't even let you select…
I can't see into the future, unfortunately, but you're welcome to bookmark the parent comment and set a calendar entry to compare it with reality about once every 6 months. It's possible to speculate, though. Google…
you appear to have jumped to step 2 in the masterplan, and completely skipped step 1. It's not even mandatory yet, but when it is, the choice will be between N<10 providers, most of them almost certainly American…
They can fight it on the basis of censorship, and I'll support them on the basis of a decentralized Internet that does not rely on some folk who leaked private data all over the Internet a few years ago. Fuck DoH. It's…
What I mean is https://i.ibb.co/P6N35qv/Screenshot-from-2019-08-10-10-27-25... does not make it clear whatsoever that 'public' really means public. Before we get into blaming the customer, there should be a bright red…
For EBS, step 1 is reading the docs, step 2 is cutpasting a documentation example. For S3 I'm not sure how people are building their lists. AFAIK the API provides no enumeration. So this is possibly something coming…
> Who on Earth is thinking that it is a good idea to take an EBS snapshot and make it public? Non-marketplace AMIs are built on public EBS snapshots, but that's something they should still fix. Marketplace AMIs already…
Public EBS snapshots are great, and thankfully a design other clouds didn't copy. I've found all kinds of stuff in there, including a 900GB Oracle backup of a publicly traded manufacturer's accounting system. It doesn't…
Google can claim many firsts, but hopping from a baseband to an application processor most certainly isn't one of them. I'm sure you can find presentations from e.g. CCC much older than 2017
It's unusual but certainly not novel. There have been similar attacks against e.g. server network cards >10 years ago, where (IIRC) a magic pattern used for factory testing could put the card into firmware download…
> It makes cross-platform desktop development much easier. That is literally how Adobe Air was billed
Pwn2Own fell out of the spotlight over time because they managed to piss off sponsors and teams alike, not because any material improvement occurred in software security, involving systems that for the most part…
> we all know that it's basically impossible to attack a modern well configured system Where in the world did this fantastic idea come from? https://events.linuxfoundation.org/wp-content/uploads/2017/1...…
I'm curious about how these things are expected to scale.. 1000 subscribers, dedicated support person 5000, ??? 10000, ??? At some point these community efforts must grow back into a company again, right? And the cycle…
Tears of joy.
If SCM_CRED passing were a real problem in _any_ scenario, SELinux should target that instead, not an entire subsystem on which half the system is built
One reason to dislike SELinux is the arbitrary assumptions baked in by default that barely anyone knows how to or cares to change, which makes carefully designed software look broken when the framework itself is broken.…
Don't worry about it, I'm sure it's in the backlog
The western world has sad tendency to believe its ideals are the only ideals, so you're unlikely to attract much productive comment. Fanaticism is found everywhere, it's just common for some cultures to give it another…
Not in civilized parts of the world
They pay a team to embarrass competitors. The technical aspect is a small part of what is happening here.
Project Zero has always been disguised marketing, and IMHO an extremely nasty form of it. I have no doubt they plan coordinated releases like this on a regular basis (these downvotes are confusing. Do you disagree that…
> offset the deploying mechanism and control (probably to varying degrees) to a third party that’s dependent on another third party This sounds exactly like working inside any big company, and all that pre-canned…
I'm no Java ninja, but a few things jump out of https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c... : - at least one heap allocation for every line. After it finds the EOL it first uses 'new String' followed…
You can find much slower machines able to route gigabit, the limitations are mostly on the bus and ability for the driver/chip to efficiently process notifications. We're only talking about 125MB/sec, and if any of that…