Slashdot Mirror

I wanted to end up at KDE for Connect alone ...

KDE Connect Indicator lets you use KDE connect with other desktop environments. It works for me on my Raspberry Pi with ArchLinux-Arm and LXDE.

They just do crazy new OS's :) https://github.com/vygr/Chrysa...

Given the plethora of benefits I am sure the incentive is high enough to keep ZFS on Linux going onward. ZFS root file system would be nice but I am more than willing to work around that now.

I regulary use this Debian on ZFS root script.

> Because Linux normally lets you use your choice of file system on top of your choice of volume manager, on top of whichever RAID implementation you choose, with your choice of IO scheduling options, ZFS isn't exactly the best fit. ZFS mashes all those different things into one big blob. That's not really how Linux is designed.

Criticizing ZFS for "rampant layering violation" has been discussed to death before

"Dumb" API's, such as the ones implemented in Linux, have a STRICT layered approach like this:

* Volume Management
* File Management
* Block (RAID)

Problems start when each layer needs information at the layer above it. This is epitomized with the design flaw in hardware RAID via the write-hole. Link to English version

In contradistinction ZFS takes a holistic, unified approach:

* Volument Management <--> File Management <--> Block

e.g.
The original RAIDZ implementation was written in 599 lines of code in vdev_raidz.c -- less code equals less bugs.
https://github.com/illumos/ill...

> That's the same issue as systemd

No it doesn't. You are comparing apples to oranges. ZFS works because it intentionally "Flattened the stack" -- Yes, this runs counter to the layered Unix approach -- but sometimes that is NOT the best design decision.

Meanwhile Oracle keeps flailing about with Btrfs.

Perhaps it's time to explore a more managed form of AI. Neural nets are too difficult to reverse engineer and comprehend for most mortals. Managed AI allows cleaner divisions of labor, source control, debugging/tracing, and transparent and incremental adjustments.

"One does not simply reboot" - Boromir

Sometimes I actually miss the complexity of assembler. Or maybe I just hate the 12 layers of abstraction that encompasses so many things these days. In a way it's not complexity of assembler I miss: it's the simplicity of knowing exactly what the computer is going to do.

[YubiKey] is what I use for Google/Gmail, Facebook, Github

How does that work?

As far as I can tell, U2F on GitHub is incompatible with Mozilla Firefox, incompatible with Edge, and incompatible with Safari. I'm not even sure it works with other Chromium forks, as the page mentions Chrome. In addition, you need to buy a supported smartphone or tablet first because U2F requires working TOTP, and you still need to generate a password for use when pushing.

[YubiKey] is what I use for Google/Gmail, Facebook, Github

How does that work?

As far as I can tell, U2F on GitHub is incompatible with Mozilla Firefox, incompatible with Edge, and incompatible with Safari. I'm not even sure it works with other Chromium forks, as the page mentions Chrome. In addition, you need to buy a supported smartphone or tablet first because U2F requires working TOTP, and you still need to generate a password for use when pushing.

[YubiKey] is what I use for Google/Gmail, Facebook, Github

How does that work?

As far as I can tell, U2F on GitHub is incompatible with Mozilla Firefox, incompatible with Edge, and incompatible with Safari. I'm not even sure it works with other Chromium forks, as the page mentions Chrome. In addition, you need to buy a supported smartphone or tablet first because U2F requires working TOTP, and you still need to generate a password for use when pushing.

How in the actual fuck is this possible? They have an audio an audio signature of every song built in?

Yes. And this is not surprising; the data needed to identify songs is tiny. Essentially it's just vectors (big numerical arrays), they don't need to store the whole mp3.

More and more can be done locally on the devices. For instance, look at what is actually needed to detect English speech using CMU sphinx:
https://github.com/cmusphinx/p...
(look at the hmm model)

This used to require huge computing power and storage, but now it can work on a mobile device.

Another example: once upon a time you needed Google datacenters to do gender and age recognition on photos. Now you can download pre-trained models for that, and the result can fit on a mobile device. Or you can download the entire dataset (500k photos of celebs) and train it yourself on your own servers;
https://data.vision.ee.ethz.ch...

Or you want a model to recognize basically any kind of object in a photo?
https://github.com/tensorflow/...
(there's a model specifically designed to run on mobile devices)

i know it's disturbing but this is where things are today. Just a few years ago, this XKCD comic was true:

https://xkcd.com/1425/

Now you can actually download the code and models to do that completely offline and in a few ms.

How in the actual fuck is this possible? They have an audio an audio signature of every song built in?

Yes. And this is not surprising; the data needed to identify songs is tiny. Essentially it's just vectors (big numerical arrays), they don't need to store the whole mp3.

More and more can be done locally on the devices. For instance, look at what is actually needed to detect English speech using CMU sphinx:
https://github.com/cmusphinx/p...
(look at the hmm model)

This used to require huge computing power and storage, but now it can work on a mobile device.

Another example: once upon a time you needed Google datacenters to do gender and age recognition on photos. Now you can download pre-trained models for that, and the result can fit on a mobile device. Or you can download the entire dataset (500k photos of celebs) and train it yourself on your own servers;
https://data.vision.ee.ethz.ch...

Or you want a model to recognize basically any kind of object in a photo?
https://github.com/tensorflow/...
(there's a model specifically designed to run on mobile devices)

i know it's disturbing but this is where things are today. Just a few years ago, this XKCD comic was true:

https://xkcd.com/1425/

Now you can actually download the code and models to do that completely offline and in a few ms.

More like Ubuntu? No Thanks. What a train wreck. They're still creating login problems and crap like that. Now I'm running Debian without systemd and life is good.

Consider switching to Devuan when Devuan Ascii is released.

Debian is going to make it harder and harder to stay away from systemd as new releases come out.

For example, the Debian packaging for redis dropped support for non-systemd init systems in Debian Buster (testing).

Note: Upstream redis still ships with support for SysV.

More like Ubuntu? No Thanks. What a train wreck. They're still creating login problems and crap like that. Now I'm running Debian without systemd and life is good.

Consider switching to Devuan when Devuan Ascii is released.

Debian is going to make it harder and harder to stay away from systemd as new releases come out.

For example, the Debian packaging for redis dropped support for non-systemd init systems in Debian Buster (testing).

Note: Upstream redis still ships with support for SysV.

You're welcome.

If you're genuinely interested in running macOS on a Dell XPS (and you don't already own the laptop), I recommend the XPS 15 9550. The primary reason is that you can find a better deal on a used 9550, but there are some other tradeoffs between the 9550 and the 9560. The 9550 gets you working WiFi out of the box, but not Optimus graphics support. The 9560 comes with a Killer NIC, which will need to be replaced. The Dell XPS 13 line suffers from coil whine, which is bad enough that most reviewers recommend against that model.

I dual boot Windows and Sierra on mine, but Windows is always updating when I try to use it. So, I tend to prefer the macOS side.

Almost everything works for me except the SD Card reader. I'm a student, not a video editor, so that isn't a big deal for me. But, it is something to be aware of.

The rest of it works nearly flawlessly. It is one of the nicest laptops I've ever owned, and I highly recommend it as a MacBook replacement.

The best place to start would be over at InsanelyMac, although wmchris' guide is the one to actually follow.

How difficult was it to install Mac OS X on it?

I have a Dell XPS and installing OS X on it is relatively easy. I've installed OS X on the Surface Pro 1, SP3, and Surface Book. The XPS was the most compatible and easiest to set up of the four.

I'm not the OP and technically, it would be the JavaScript engine that is exploited, rather than the JavaScript language per se. But that's a trivial distinction in this context, given that every browser uses some JavaScript engine to execute it.

Anyhow, it's was really easy for me to find a repo of CVEs for JavaScript engine bugs containing the code to reproduce them with that might interest you. As you can see from this list, there are good reasons not to run untrusted code, sandbox or no sandbox.

Someone was nice enough to collect a list of JavaScript vulnerabilities. And I also found a list of Proof of Concepts and many of them are for JavaScript and browser. And includes a nice paragraph description for each.

I can't prove the earlier post's claim that "[the problem of JavaScript security is] one that's very commonly exploited."
But it does seem that there are many well known security issues with popular implementations of JavaScript.

Someone was nice enough to collect a list of JavaScript vulnerabilities. And I also found a list of Proof of Concepts and many of them are for JavaScript and browser. And includes a nice paragraph description for each.

I can't prove the earlier post's claim that "[the problem of JavaScript security is] one that's very commonly exploited."
But it does seem that there are many well known security issues with popular implementations of JavaScript.

UBlock has a bug that hurts security they refuse to fix http://www.theregister.co.uk/2017/10/17/ublock_origin_csp_reports/

You are using the words "hurts security" in a different way than the reader is likely to interpret them.

Most people will read those and think, "Hurts security of uBlock, so my browser is unprotected?"

However, this is not the case, at all.

See the GitHub Issue.

uBlock is blocking CSP reports for the privacy of the user.

Insecure websites, using insecure code, don't get CSP vulnerability reports from the user.

Well, tough shit for those insecure sites.

uBlock is doing exactly what it should: Protect the user who installed it.

Hell yeah this. Everyone even semi-educated can read the Latin script these days -- most languages have a sane letter-to-sound mapping (*cough* English and French), thus even if you don't know that Polish 'w' is pronounced 'v' or Spanish 'j' is 'h', you'll get it close enough to be understood in speech.

I've made program (Debian package "tran") to transcribe (ok, transliterate with a 1/4-assed attempt at transcription) between writing scripts -- it'd be great if Google could pipe the names through this.

This version lacks CJK support as those characters are logographs rather than letters, thus they convey meaning rather than a series of sounds, but if you know which language they're in, the Unihan_Readings database is good enough for a first stab.

So they're now encrypting all the emails being stored on their servers and don't hold the key themselves?

Because if they're not doing that, then they're not anything close to "the most secure email provider on the planet".

Meh.

"Secure" is a word that is meaningless without a threat model. It's often clear what the threat model is, so we often don't state it (and we often don't state it when it isn't clear). In this case, Google is talking about one threat model (security against unauthorized third parties gaining access to your email) and you're interpreting the statement in the context of another threat model (security against access by Google itself).

Also, it's worth noting that you probably don't actually want the thing you're asking for. If your mail provider has no access to the keys used to encrypt your emails then that means that you must have those keys. That's very nice for security, but it means that you have to be extremely careful never to lose those keys, while also being extremely careful never to leak those keys. Key management is hard.

If you do want that characteristic, you can get it with Gmail, though not through the Gmail web UI. You need to use another email client and use S/MIME or PGP mail. Of course, you need to get the people you correspond with to do this as well.

At some point in the future, you will probably be able use Google's E2Email Chrome extension, which implements OpenPGP secure email for Gmail. It's progressing very slowly, though, and is still labeled as "experimental, use only for testing". And even when it's fully usable, you'll still have to get all of the people you exchange email with to use it. That's the real obstacle to secure-from-the-provider email. Because unless you do that, every email you receive arrives at the provider in plaintext. That's how email works.

Yes, but there's no reason to trust that Subaru or any Subaru dealer will do the job right the second time. The article makes it clear that Subaru isn't taking this seriously ("I did [reach out]. I told them about the vulnerability and shared my code with them," Wimmenhove told Bleeping. "They referred me to their 'partnership' page and asked me to fill in a questionnaire. It didn't seem like they really cared and I haven't heard back from them." followed by no response from Subaru to the too-corporate-compliant bleepingcomputer.com which won't link to the relevant Github code page). Subaru's response is flatly not the response of an organization that gives a damn and not linking to the relevant code is showing Subaru far too much deference.

The whole thing would be end-user fixable if the vehicle's complete software were free software. Users could run, inspect, share, and modify the code themselves or get someone they have good reason to trust to do the work for them. They wouldn't have to rely on an organization that apparently got it massively wrong the first time, didn't even put up a showing like they cared when shown the exploit they introduced, and so far hasn't done anything to fix.

As it stands now, all Subaru owners can do is ask the proprietors who fucked up the job the first time to take another stab at it—gratis of course—all the while knowing that it will take some helpful hacker like Tom Wimmenhove to look for a different predictable pattern. No Subaru dealer should charge any Subaru owner for applying this or any subsequent lock fix; they should consider themselves lucky if they're not getting sued for selling defective locks in the first place and get their repair costs covered by Subaru.

Ask Linus for 500 line of his code and see if you get a complete fucking program back.

https://github.com/jezze/grub-legacy/blob/master/grub/main.c

If they're asking you to write a code sample, that's a different story. Make something up.

I usually just tell them I wrote this.

Real men use IBM Model M...

And those who wish they had a keyboard for grown-ups use a prosthetic.

there's a new adblockplus compatible filter list that specifically targets this...

https://github.com/hoshsadiq/a...

it's only about a month in the making, so please contribute as this problem is only going to get worse over time.

Since the client code is open source, you could in theory hack up your own client that doesn't use any of that?

Why would we keep using C and C++ when there's a better language out there in the form of Rust?

Because there exist many non-PC platforms to which a C compiler or a C++ compiler has been ported but a Rust compiler has not. How would you even bootstrap stage 0 of a Rust compiler on a new ABI if it's written in Rust and there are no other independent implementations of Rust? My best guess, which I haven't tried, is to go back to some OCaml compiler, build old Rust, and then build new Rust from that.

While searching for a generic image classification solution I happened to stumble over a project called miles-deep, a "Deep Learning Porn Video Classifier/Editor with Caffe". I have tried it out once (for strictly academic purposes, of course) and it yielded some interesting results. The classification of the acts from a test movie was not perfect, but some of the classifications were correct. It even gave information about what time into the movie a defined act started and when it ended. The project's author seems to be active on the site that shall not be named around here.

As a commenter on TFA mentioned, miles-deep did it first.

Must have been quite the endeavor to "train" and "verify" this deep learning model!

In a non-sexual context, something like this would sure be useful for regular folks to categorize their home videos (sports, home, by person, etc).

That's what it took? That's what had to happen for you idiots to finally realize that indiscriminately loading and running code from a constellation of reputation-less sources is -- and always was -- a FUCKING STUPID IDEA?!?!!

Here. Install it. Use it.

Regardless, the government will just have keyloggers built into the BIOS. The manufacturers are the weak link here.

Keyloggers are a well-known problem -- and one for which security solutions are designed to mitigate. U2F was designed to be secure with a keylogger installed (because spyware is a thing). There are completely open, easily manufactured designs of U2F keys.

GPG cards similarly have an open design, and are designed such that the keys can't be recovered from the device -- and the critical decryption is done on the GPG card.

There's also Coreboot, Libreboot, and OpenFirmware before that -- all open source BIOSes you can audit and compile yourself.

Electronics hobbyists design entire computers -- from PC board design and manufacture (at home) all the way to working Linux computers with internet access. Completely from scratch.

The reality is that the skills and tools to bypass such spying is common, widespread, and well published. Many who have the skills are thrilled when somebody shows an interest in their hobby, and eagerly assist anyone who asks.

Regardless, the government will just have keyloggers built into the BIOS. The manufacturers are the weak link here.

Keyloggers are a well-known problem -- and one for which security solutions are designed to mitigate. U2F was designed to be secure with a keylogger installed (because spyware is a thing). There are completely open, easily manufactured designs of U2F keys.

GPG cards similarly have an open design, and are designed such that the keys can't be recovered from the device -- and the critical decryption is done on the GPG card.

There's also Coreboot, Libreboot, and OpenFirmware before that -- all open source BIOSes you can audit and compile yourself.

Electronics hobbyists design entire computers -- from PC board design and manufacture (at home) all the way to working Linux computers with internet access. Completely from scratch.

The reality is that the skills and tools to bypass such spying is common, widespread, and well published. Many who have the skills are thrilled when somebody shows an interest in their hobby, and eagerly assist anyone who asks.

As far as I am concerned this "new" language is just a repacking of |Liquid>, which Microsoft tried to make look Open Source by moving it to github, and some journos and analysts promptly fell for it, despite the License being right there in the repo.

Microsoft invests heavily to own the future of quantum computing. While now paying lip service to Open Source software, they also aggressively seek software patents in this space.

I have no doubt, that they plan to do the same thing to quantum computing that they did to Linux based Android. They don't have to fear Open Source products if they can collect patent fees.

My start-up tries to build an Open Source quantum computing tool chain, while also trying to secure as many fundamental patents that we can think of, that we then plan to extend to all other Open Source QC projects. (As long as the current laws are on the books, a defensive patent portfolio is the only option to keep companies like MS in check).

We also developed a free AWS image, Bayesforge, where we try to curate all important Open Source tools in this space. (With a docker image to follow soon).

We are just a three guys start-up, but having recently been accepted into the Quantum Machine Learning stream of Creative Destruction Lab in Toronto, we hope to finally attract some more VC money. But no matter the level of financing, start-ups won't be able to secure the quantum computing future from the likes of MS if we can't achieve the same community commitment that powered projects like GNU and Linux.

As far as I am concerned this "new" language is just a repacking of |Liquid>, which Microsoft tried to make look Open Source by moving it to github, and some journos and analysts promptly fell for it, despite the License being right there in the repo.

Microsoft invests heavily to own the future of quantum computing. While now paying lip service to Open Source software, they also aggressively seek software patents in this space.

I have no doubt, that they plan to do the same thing to quantum computing that they did to Linux based Android. They don't have to fear Open Source products if they can collect patent fees.

My start-up tries to build an Open Source quantum computing tool chain, while also trying to secure as many fundamental patents that we can think of, that we then plan to extend to all other Open Source QC projects. (As long as the current laws are on the books, a defensive patent portfolio is the only option to keep companies like MS in check).

We also developed a free AWS image, Bayesforge, where we try to curate all important Open Source tools in this space. (With a docker image to follow soon).

We are just a three guys start-up, but having recently been accepted into the Quantum Machine Learning stream of Creative Destruction Lab in Toronto, we hope to finally attract some more VC money. But no matter the level of financing, start-ups won't be able to secure the quantum computing future from the likes of MS if we can't achieve the same community commitment that powered projects like GNU and Linux.

Here's a benchmark showing hashcat performance, note that md5 is roughly 10 times more than sha-256.
https://gist.github.com/epixoi...

Now maybe you are thinking of cheap single-pass md5 versus some sort of practice incorporating a pb-kdf or similar scheme., but in terms of hash performance, they aren't that far from each other.

Or maybe you are mistaking the hash length for how many guesses are needed. In AES-128 versus AES-256, it is indeed 2**128 more because the unknown key is known to be 256 bit versus 128 bit, but in a crypted password context, the password is the unknown to test against.

Collision attacks only mean something to unsalted password hashes (which are just terrible) and signature verification. It doesn't mean anything for HMAC or HMAC based things like PB-KDF which should be employed if any normal crypto hash is used.

A third-party plug-in for Pidgin supports Skype.

It's nothing new.

PocketSphinx is a lightweight speech recognition engine, specifically tuned for handheld and mobile devices, though it works equally well on the desktop

https://github.com/cmusphinx/p...

See for yourself. https://github.com/Laurelai/de...

You cannot get Linux to run all the hardware on recent MacBooks.

While that's true, it's a driver issue, rather than a purposeful lock out. Stuff that is/isn't working on the 2016/2017 MBP's: https://github.com/Dunedan/mbp...

The Chromebooks all have to be put into developer mode to boot another OS, and a bad button press can wipe out the system. So, while you can still put Linux on them, it's certainly not ideal.

I have no idea what you're looking at, but try the source itself: https://github.com/chrislgarry...

We're talking several ships in the ocean simultaneously, not sure if you've noticed but that's not the vicinity of your house

Re-read my post. Specifically about a system with the antenna disconnected being enough to play around in your local house. I don't think you really appreciate just how weak the GPS signal is when it hits the ground. It's somewhere in the order of -130dBm everywhere. To put that in perspective it's about 1000 times weaker than the point where your phone goes from showing no bars to showing no service.

Being able to fool multiple ships is not a case of any technical feat. Throw up a dipole and put a few watts up it, done.

You need at least 2 antenna's

Because after doing it with one the second one becomes some insurmountable obstacle? Also no you don't. You just need to fool the transceiver. Most of them will simply believe the strongest signals to be the true ones.

How will you reposition a GPS signal for the area of a small city with the SDR?

Dunno, take your pick. There are a variety of open source programs to spoof GPS signals using SDR. There are a constant string of articles about how to do it on hackaday for various purposes including (and disappointingly for our species) for the purposes of making your Pokemon go character walk without having to leave your basement.

GPS signals are not complex. GPS-SDR-Sim is one such program: https://github.com/osqzss/gps-...

GPS has fairly decent signal discrimination (it kind of has to) and you need to be able to imitate not one but at least 3 around the poles if not 5 or more elsewhere separate GPS signals to be able to reposition a thing and it knows how to ignore 'bad' signals.

No it doesn't. In fact GPS receivers have no discrimination for the origin of the signal. All the discrimination is part of the protocol itself, and you can simulate all the satellites all over the world at the same time if you really wanted to. The math doesn't care.

Additionally, fixed GPS systems on boats have somewhat directional antenna's so you need to have a lot more power to be able to influence those.

Yes they are directional. But rarely with a gain larger than 2. Especially important with shipping is that they pickup signals from the entire horizon given the patchy GPS coverage in some parts of the ocean. The kinds of antennas that prioritise high-gain are actually in a different kind of shipping: namely in vehicle GPS systems from delivery companies.

They kind of expected one or more satellites to go haywire in their lifetime and non-consumer equipment is also built on the premise that other things in it's vicinity may go haywire.

Satellites going haywire is dealt with through overlapping coverage zones. Consumer equipment going haywire is dealt with through strict enforcement of regulations, and GPS systems going down is precisely why there's a major crackdown in some parts of the world right now on those cheap nasty 1.5GHz video transmitters you get from China.

GPS on a physical level has no strength. GPS on a protocol level has no protection (except for the military and that only covers faking signals not causing signal outages). And above all, it is incredibly simple.

I do really like the University professor's comments about it being sophisticated and needing atomic level clocks, since a) no you don't, you just need to generate suitable timecodes, and b) I have an "atomic level clock" on my desk right now. Rubidium standard. More accurate than the caesium fountains in old GPS satellites over a short time window allegedly needed to mess things up. Cost me $50 off ebay.

event loop driven mini-OS.

Ugh.... I hate those so much. Every function that runs for more than a millisecond becomes a giant, unwieldy state-machine and a nightmare to debug.

Here's an example of a proper, cooperative multitasking system: https://github.com/kuro68k/xmu...

It does proper context switches via a single function call, so no horrible spaghetti code. There are some down-sides, such as slightly higher stack use and needing to allocate enough stack to each task, but that's a fairly standard thing for embedded developers anyway.

Now, training is a little trickier because I cannot share the data.

I cannot share the current data I'm using because it's copyrighted. Hence asking for people for help getting data that I can redistribute.

So weâ(TM)re supposed to just give jmv a bunch of data with no way to know how he is using it?

Yes, because I have such a track record for keeping things private.

Accept not the data:

Now, training is a little trickier because I cannot share the data.

https://github.com/xiph/rnnois...

So we’re supposed to just give jmv a bunch of data with no way to know how he is using it? This is a joke, right?

Mycroft.ai lets you host your own speech-to-text server and do everything locally if you want.

The entire project is on github.

I found this by going to the link in TFS.

The "new" Skype client is an alternate interface to their new webclient. There are a number of alternative clients that use the same interface. I use Ghetto-Skype and found it to be stable and working pretty nice.

https://github.com/stanfieldr/...

If you need a communication platform for your team that's open source, then Diaspora is surely the way to go. It's written in Ruby using Ruby on Rails, and the code is on GitHub, so it's using cutting edge technologies.

[...] where are our exFAT kernel modules for Linux already?

Here: https://github.com/dorimanx/ex... - but not thanks to Microsoft.