papasquat's recent activity

  1. Comment on Nvidia CEO declares AI could start, grow, and run a successful technology company worth more than a billion dollars—excerpt from Lex Fridman Podcast in ~tech

    papasquat

    What a ridiculous statement. If it's "now", then where are the billion dollar companies started by AI agents?

    If the technology is capable of it, the market should be absolutely flooded with AI companies. There's not even a single successful company started by an AI agent, let alone a billion dollar one.

    5 votes
  2. Comment on Android to debut "advanced flow" for sideloading unverified applications in ~tech

    papasquat

    How? Because apps are sandboxed on phones. If they escape the sandbox, it's an issue with the sandboxing and should be rectified promptly.

    Lots of ways. Accessibility services allowing screen scraping, file system access allowing apps to grab local files, OS vulnerabilities allowing sandbox escapes, keyboard access allowing input recording and so on.

    Side loading right now already requires disabling a security control that people are coached through. Having a check to confirm you're not being coached, requiring a device restart to force a hard reauthorization, and then forcing a wait period are all valid speed bumps that make the process more difficult to circumvent.

    Will it stop all malicious sideloaded apps? Obviously no, but no security measure will, aside from the Apple style nuclear option of just completely disallowing third party application installs. They are fairly effective security measures against the specific thing they're trying to stop though.

  3. Comment on US regulator bans imports of new foreign-made routers, citing security concerns in ~tech

    papasquat

    Yes, as an American I'd agree with you. The US has amazing capabilities in hardware design and software development. We no longer have decent manufacturing capabilities though. I'd be very wary of anything actually built in the US, especially electronic components manufactured en masse for a competitive price. We just have no realistic way to do that without putting out complete crap.

    If this ban is something that's actually enforced, it's going to mean a lot of consumers being totally priced out of the market, or a lot of new reliability issues that never existed before. (How often does your home router just straight up die due to a hardware failure now? Probably not often).

    The thing that the Trump admin doesn't seem to understand is that the biggest beneficiary of globalization, and by a long shot, is the US. If we had to manufacture everything domestically, Americans' quality of life would plummet. We managed to have a strong global economy, and a ridiculously strong domestic economy because we allowed countries to specialize in what they could efficiently produce. China creates cheap high quality electronics. Germany produces reliable automobiles, Taiwan fabs advanced chips, the EU produces luxury goods and services, Japan produces high end machine parts, and so on. If everyone has to go back to producing everything themselves, we're all worse off, but the US suffers the most out of everyone. We've built our economy on extremely high end financial services, entertainment, and technology. When no one buys from us because we won't buy from them, we need to go back to building low margin manufactured goods. But I digress.

    5 votes
  4. Comment on US regulator bans imports of new foreign-made routers, citing security concerns in ~tech

    papasquat

    Short answer, yes it does. I'll be honest with you though, much of it comes from executives or laymen who have no real cybersecurity experience, or especially threat modeling experience.

    I would say that the norm these days for most organizations is to assume China=bad. I can't think of a single US company nowadays that would be willing to run Huawei networking equipment, for instance.

    The issue is that the entire IT hardware supply chain is Chinese. Outside of extremely expensive TAA compliant hardware (even then though in some cases) almost all of the base electronic components are either manufactured in China, or by Chinese companies operating elsewhere. High performance CPUs and GPUs are still fabbed in Taiwan, but your average IC or dimm module or transistor or whatever is going to come from China at some point.
    In many cases the hardware is just straight up Chinese.

    People won't buy Huawei because it's on the covered list already and "sounds Chinese", but ZTE? Sure, go right ahead.

    In sober, informed organizations where cybersecurity decisions are left to professionals, the situation is a little different. The risk is dependent on a few different variables.

    One, is your organization a likely target of state level actors? I don't mean ransomware gangs that operate out of China; those types of actors wouldn't get access to the CCP's juicy vault of supply chain compromised hosts (if they exist). I mean does your company operate critical infrastructure like oil and gas production, nuclear fuel enrichment, power generation? Do they operate within the defense industrial base? Do they make up a major platform for financial transactions like banking or securities exchanges?

    If not, you're probably not going to be targeted by Chinese state hackers. China has no interest in potentially blowing the lid off of very valuable vulnerabilities to learn what the burger of the month is at your fast food chain.

    Two, exactly which components are manufactured in countries of concern? If the chassis is made with Chinese steel, but the ICs and SOC are coming from Taiwan, you're probably ok. Same goes for passive electronic components like diodes or resistors or capacitors. (Supply chain compromise is a thing still, but that has other mitigating controls and is a whole other conversation).

    Third, where are the devices going to be deployed, and what's their use case?

    A digital sign that's deployed in an isolated VLAN without internet access? Not a real concern worth considering in most places.

    Your core router? Probably something to look into.

    Fourth, and probably the biggest ones, are regulatory constraints. For many of these organizations, it's already just straight up illegal to use devices from certain manufacturers, or components built in certain countries. This is the biggest actual constraint, because it's no longer a matter of opinion or subjective risk analysis, it's a law that you'll be fined or go to jail if you violate.

    So yes, it does come up, and it probably comes up more often than it should, in my opinion.

    It's a concern in certain situations, yes, but not nearly as much of a concern as the random 10 year old "built in america" firewall that no one knows about anymore running 8 year old firmware that every organization seems to have somewhere in their production network.

    13 votes
  5. Comment on US regulator bans imports of new foreign-made routers, citing security concerns in ~tech

    papasquat

    This doesn't make any fucking sense. I have some expertise in this area, and I can say that the supporting information the administration is citing to justify this is nonsensical.

    There have been major attacks linked to compromised routers used in botnets, yes. Actually quite a lot of them. The reason why is because routers inherently sit on the open internet, listening for traffic to forward to the local network.

    The thing is, foreign routers are no more vulnerable than the theoretical American consumer router that doesn't exist.

    Those routers are exploited because of security vulnerabilities; CVEs. The manufacturers aren't intentionally handing them over to botnet owners. That would make no sense; they'd be screwing their customers over for no reason.

    Usually, a new vulnerability comes out, starts being exploited in the wild, manufacturers come out with a hotfix to address them and... no one applies it. Because who logs into their router to check for updates regularly? Some of them update themselves automatically, but not all of them.

    The thing is US built routers would have the exact same problem. How do I know this? Because enterprise grade routers designed in the US and built to spec are compromised all the time.

    If a US company can't design a $200,000 next gen firewall to never include exploitable CVEs, how in the hell could they do it on a $60 consumer grade router?

    Secondly, we have the exact same problem with any device with a network interface. TVs, thermostats, hot water heaters, garage door openers, security cameras, audio assistants, hell, fucking refrigerators have IP addresses nowadays. They all can, and do get compromised and used in botnets.

    If instead of randomly deciding that routers are what needs to be banned simply because they're built somewhere else, the Trump administration hadn't completely gutted CISA (you know, the agency directly responsible to ensure this kind of stuff doesn't happen), we could get actual supply chain security while not completely fucking over a market and not jeopardizing internet access for millions of Americans. That would be rational and level headed though, and we don't do that sort of thing around here anymore.

    15 votes
  6. Comment on Android to debut "advanced flow" for sideloading unverified applications in ~tech

    papasquat

    Well, those are sort of two separate issues, aren't they? Protection of your data that you willingly hand over to an app developer on the app store is mostly out of Google's control. They've done a decent job making apps ask for more granular permissions, but if an app asks, you allow permissions or fill out personal info, there's not much they can do at that point besides basic due diligence that the app isn't asking for extremely broad permissions. The way to address that is to pass data protection regulations. Those regulations are meaningless for attackers that operate outside of the boundaries of the law though.

    I'll also say that both situations are bad, but there's a pretty big difference between a company selling your demographic data to an advertiser who uses it to enhance your ad profile for more targeted ads, versus an attacker putting an infostealer on your phone and taking your social security number to open credit cards in your name, your credit card numbers to make fraudulent charges, your crypto private keys and bank login information to directly steal your money, and compromising personal information to run extortion schemes on you.

    Solving the latter doesn't preclude solving the former either. So it doesn't really make sense to say that Google should do nothing about malicious software because we haven't passed comprehensive data protection laws. The two threats have different solutions and need to be addressed differently.

    1 vote
  7. Comment on Thinking of getting Proton and using it as my day-to-day email, but I have concerns in ~tech

    papasquat

    I agree with you, which is why I didn't go with protonmail.

    Email is not a secure form of communication. It cannot be made into a secure form of communication without jumping through a lot of hoops and fundamentally breaking large portions of how email works, and it shouldn't be used as a secure form of communication.

    As soon as your message leaves Proton's servers, it's cleartext SMTP, just like any other email message. Anyone that intercepts it can read your whole email, including metadata.

    Sure, you can do PGP, but realistically, who are you talking to with PGP?

    If you need secure communications, use something other than email.

    If you want an email provider that just doesn't harvest your inbox, in my opinion, there are other providers that are better alternatives than proton.

    7 votes
  8. Comment on Android to debut "advanced flow" for sideloading unverified applications in ~tech

    papasquat

    Well, most scams may not rely on apps, but some do. There are a massive amount of malicious apks containing infostealers, crypto miners, adware, and all other kinds of nasty stuff you don't want on your phone.

    They rely on people being socially engineered into disabling security controls because they don't know better.

    1 vote
  9. Comment on According to a poll, Finns now trust the US as little as Russia and China and overall social trust is on the decline in ~society

    papasquat

    I'm honestly surprised that the US still ranks higher than China. I know that globally, China dominates manufacturing and uses a lot of state supported unfair trade practices to maintain their edge in that arena, but still, compared to the US, they seem like model partners.

    As an American, the surprising thing about our relationship with Europe right now isn't that they're incredibly wary of the US, it's that there's any support for the US whatsoever remaining.

    In the past year, our country has launched unprompted attacks against a half dozen sovereign nations, many of them not even related to the same conflict, has threatened to attack dozens more, many of them fellow NATO members, has abruptly ended almost all humanitarian aid across the world, has repeatedly destabilized global trade and screwed over every single major US trading partner, and recently is solely responsible for the worst oil crisis in years. If we did all of this because it benefited US interests, you could at least plan for future moves and have a reasonable idea of what the US would do next and account for it, but most of these actions directly shoot the US in the foot, so it's just pure chaos instead.

    If I was in the average European's shoes, I'd want nothing more to do with the US. Even after this president, I'd remain deeply suspicious of any society or government framework that allows someone like him to take the reins and sow that much chaos without any recourse for the majority of the populace that doesn't support him, and even worse, of a society where he still enjoys so much popular support.

    We'd be the biggest threat in the world by far, and the one truly terrifying force that I'd identify as causing the most harm and suffering worldwide. Not only do we have an obscene military budget and dominate the global economy, the last year has shown that we're willing to flex that budget solely to cause chaos and destruction in service to a single man's ego and cult of personality.

    After all of that, what European would still identify China as a country that inspires less confidence?

    For any issues that China has, they're not bombing schools, threatening to annex their allies, and sentencing hundreds of thousands of people to preventable death from AIDS.

    17 votes
  10. Comment on Kill chain - on the automated bureaucratic machinery that killed 175 children in ~society

    papasquat

    Zooming out, efforts to improve targeting and reduce collateral damage are worthwhile, but I think we miss the forest for the trees sometimes when we decide to kill people in other countries.

    This is a war. In every war since the beginning of time, innocent, uninvolved people are violently killed, often at a much higher rate than combatants. No matter how many times you say "surgical strikes" or "precision targeting", it will not change this fact.

    Thus, every time a leader of the country makes the decision to bomb, invade, drone strike, or fire at another country, they, and the people who support them need to ask themselves "is whatever we're trying to do worth us killing hundreds or thousands or more innocent people that are just living their lives as I am".

    Convincing yourself that this time, only the "bad guys" will die is just gross willful self delusion to soothe one's own cognitive dissonance.

    5 votes
  11. Comment on Zachtronics returns from retirement to release an add-on for Opus Magnum in ~games

    papasquat

    Opus Magnum is such an interesting, fun game. I sunk some hours into it, but like all Zachtronics games, I eventually got deep enough into it that every time I played it, it made me feel like a complete dumbass so I dropped it.

    That's not any knock on Zachtronics games, I have the same problem with all games that have a slow level of gradually increasing complexity to a point where it gets nuts. Factorio is one of my favorite games of all time but loading one of my old save files fills me with an innate sense of dread.

    I wonder if there's a word for that yet?

    7 votes
  12. Comment on Android to debut "advanced flow" for sideloading unverified applications in ~tech

    papasquat

    I'm not sure how it's a legal problem.

    All of this activity is already illegal. I guess you could frame it as an enforcement problem, but that seems extremely difficult to solve. Most of the countries that launch these attacks are not willing to work with US or EU law enforcement.

    They're places like North Korea, Russia, and Iran, where there's not even a slight chance that their government would cooperate with an investigation or extradite their citizens for cyber crime, if you can even determine who they are. It takes an absolutely massive investigative apparatus to even get that far, and once you do, there's not much you can do to deter or punish the people doing it.

    If you're talking about pressuring companies whose platforms are being used for scams... isn't that what this is?

    I think Google is doing this at least in part because of anticipated legal pressure. They're one of the companies you've identified as enabling these scams, and this is a solution they're putting in place to help solve it.

    4 votes
  13. Comment on Android to debut "advanced flow" for sideloading unverified applications in ~tech

    papasquat

    In this case, they simply don't want you to be able to install newpipe on your friend's devices.

    Maybe that's part of it, but let's not pretend that there isn't also a very real security concern here.

    Modern phone OSes are very secure compared to even modern desktop OSes, and especially desktop OSes from 20+ years ago when downloading software from random websites and trusting they were what they said it was was the every day norm for most people.

    The issue is that everyone in the developed world has a computer in their pocket they use every day now, and trust for extremely sensitive tasks like banking, medical care, mental healthcare, cryptocurrency and so on. The financial motivation to compromise those computers has gone through the roof, and the average technical skillset of those computers' users has gone into the toilet.

    As a result, way more phones get compromised than computers ever did a couple of decades ago. There are way, way way more of them for starters, and the financial motivation exists today in a way that it didn't 20 years ago.

    Because of that, the only meaningful way to enhance security on smartphones is by protecting users from themselves.

    So probably a little from column a a little from column b.

    6 votes
  14. Comment on Android to debut "advanced flow" for sideloading unverified applications in ~tech

    papasquat

    That's the EU, and is only very recent. Android has always allowed side loading though. iOS only started allowing it a couple years ago, and only when they were mandated to in the EU.

    Apple still doesn't allow you to side load anywhere else.

    Other markets seem very unlikely to require them to enable it, so Google doesn't really have a regulatory concern there.

    1 vote
  15. Comment on Robert Mueller, who investigated allegations of Russian election meddling, dies at 81 in ~society

    papasquat

    That excuse would make sense if he hadn't been saying vile things publicly for 50+ years.

    4 votes
  16. Comment on BYD claims five-minute electric vehicle charging with new battery tech in ~transport

    papasquat

    It's not a great solution, because the bigger the battery is, the exponentially more expensive it is to build machinery to swap it.

    Modern EVs have battery packs that are extremely integrated into the chassis, which makes sense, because they make up a significant amount of mass of the vehicle. Making the batteries hot swappable means the vehicle has to be completely redesigned around that capability, which will always impact things like price, range, performance, durability and so on.
    Vehicles would be much more constrained because they'd have to be built around a single hot swap form factor. Heavy and light duty trucks would have to use the same batteries as passenger sedans, performance sports cars, SUVs and so on, which would result in a lot of bad tradeoffs.

    On the hot swap station side, you need to install high performance motors or actuators to lift and store extremely heavy batteries quickly.

    Anything with that many heavy duty, high performance moving parts is always going to be massively expensive compared to a simple high voltage charger.

    Finally, one of the huge advantages of electricity as a power source, and the main reason it was adopted as the way to deliver energy to people around the developed world is because it's so easy to transport.

    It's the one form of energy we have widely deployed that doesn't require any physical movement, which makes it extremely cheap and efficient to deliver. You just attach some conductors and pump electrons into whatever you want to power.

    Battery swapping kind of negates a lot of that advantage. You suddenly have physical objects that are responsible for delivering power, meaning you need to track them and manage stock of them, depreciate them and so on.

    If some new battery tech comes out that can't fit the hot swap form factor for some reason, you're just fucked. You have to come up with a new form factor and retrofit every single hot swap station to accept it.

    I don't think it's a very good solution for vehicles larger than a small scooter or motorcycle where the battery can be carried by a single person because of all of those things.

    6 votes
  17. Comment on Android to debut "advanced flow" for sideloading unverified applications in ~tech

    papasquat

    Well, those are two completely different threat landscapes. If most of your family rarely needed to use that room, and it was also extremely common for random people to show up and successfully trick them into giving them the key to the room every day, and someone gaining access to that room who shouldn't have been there would result in your life savings being stolen, it might make sense to put some speed bumps in place for the rare case that someone needs to get in there.

    5 votes
  18. Comment on Android to debut "advanced flow" for sideloading unverified applications in ~tech

    papasquat

    It does provide improved security.

    Phone OSes on a technical basis are already extremely secure. The amount of phones compromised by zero days and unpatched vulnerabilities on fully updated phones is so minuscule that they're barely worth considering.

    The number one way by a gargantuan margin that phones get compromised is by socially engineering users to disable built in security protections. That's because by and large, smartphone users are not technically savvy. The only way to meaningfully improve security on smart phones then, is to protect users from their own technical ignorance.

    6 votes
  19. Comment on Android to debut "advanced flow" for sideloading unverified applications in ~tech

    papasquat

    They very much don't. What I don't understand though, is why they still let you do it.

    I'm not complaining. It would really piss me off and drive me to seek a more open alternative.

    It does seem directly antithetical to Google's bottom line though. It enables alternative app stores, apps like smart tube that directly cut off some of Google's most lucrative revenue streams (YouTube ads), enables piracy apps that I'm sure their partners are not too happy about, and all kinds of other useful tools that negatively impact Google's revenue.

    The question for me isn't "why are they trying to make this harder". It's "why do they allow it at all?".

    It may be Google's engineer driven culture, it may be Google trying to preserve good will, it may be because of legacy use cases for Android that would blow a lot of stuff up, but none of these reasons satisfactorily explain it for me.

    That kinda makes me worried for the future of side loading.

    6 votes
  20. Comment on I hope you don't use generative AI - an essay about my experience offering an open-source tool in ~tech

    papasquat

    The patron has a hand, sure, but if that patron claimed to be an artist or to have created the art

    That's because there was someone else who had vastly more impact in the art; the actual artist.

    No different than someone contacted to design a single window in an office of the Empire State Building pointing to the building and going "I designed that!".

    This isn't really uncommon or new either. Large art installations have dozens or even hundreds of people that assist the artist in doing the grunt work of laying the tile, painting pieces, moving heavy equipment, installing stuff. The artist still gets recognized as the artist though.

    The only difference here is that an LLM is a tool, not a person, and thus is no more an artist than a paintbrush, or a camera, or a piano, or Adobe Photoshop is. The human using it is the person who made all the artistic decisions, so they're the artist, even if that role is extremely minimal.

    And as @Drynyn noted, LLMs don't have experiences. They can't, because experience requires consciousness. It can, at best, parrot written accounts of experiences that people have had, but it has none of its own.

    4 votes