0 Posts · 93 Comments · Joined 2 years ago · Cake day: October 4th, 2023

  • tal@lemmy.today to linuxmemes@lemmy.world: Freedom (6 upvotes, edited, 3 days ago)

    Unplugging and repowering the laptop right below 10% so it won’t restart and disconnect my VM and SSH sessions I’m using for work.

    For SSH, assuming that the remote system is Linux, run tmux on the remote system and do your work in that. If your SSH connection gets killed off, you just ssh back in and tmux attach to your old tmux session.



  • This does kind of drive home some points. Obviously, once malware is running with your full user permissions, all bets are off. But there are some things that could have mitigated harm here.

    The malware wasn’t just mining cryptocurrency—it was also stealing as much sensitive information as possible. It collected:

    • SSH keys from ~/.ssh/

    If you password-protect your SSH keys with a decent password, it will help address this. Now, the problem is that any software that can get at your SSH keys probably has a shot at also setting up some kind of keylogger system, but at least it makes it not a one-step process.

    • Shell history from .bash_history and .zsh_history

    Avoiding using sensitive data as command line arguments is a good habit to be in. They’re visible systemwide to all processes on a normal system, which already creates a meaningful leak on multiuser systems, and various pieces of command-line software go out of their way to avoid having passwords and the similar secrets passed on the command-line.

    In this case, I assume that some of the goal may be looking for other hosts that the user might be sshing to, but best not to compromise other credentials here as well.

    • AWS and Azure credentials from ~/.aws/ and ~/.azure/

    Not familiar with the current forms of these, but I bet that they provide some way not to store unencrypted credentials there.

    • Environment variables and system information

    Environment variables are a really good place to avoid putting sensitive data, at least if one’s talking variables exported to all processes run by a user, because software that crashes and uploads a crash dump to God-knows-where will also tend to dump environment variables along with it, as it’s important debugging information. Storing credentials in an environment variable is not a good idea.

    This experience was a harsh reminder to never blindly trust PoC exploits, especially ones that include random files like PDFs.

    I feel like one thing that might help is software making it really easy to create a container that by-default runs in isolation with minimal access to the rest of the system, and then lets a user easily add individual permissions. I’ll sometimes use firejail, but it’s a “default-insecure” model, which really isn’t great for dealing with this sort of thing. Maybe use iptables or something to detect network access attempts and let a user approve per-host network access; you can’t simply block outbound network access for this sort of software, which is presumably demonstrating some kind of network-based exploit.
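The leak paths listed in the comment above (unencrypted SSH keys, secrets in shell history, long-lived plaintext cloud credentials) can be checked for with a small audit script. This is an added example, not code from the post or from any project; the history patterns are heuristic assumptions, and the sample home directory and the truncated OpenSSH key headers it contains are constructed for the demo.

```python
import base64
import re
import struct
import tempfile
from pathlib import Path

# Heuristic patterns for secrets passed as command-line arguments (assumption:
# common CLI habits, not an exhaustive list; "export KEYBOARD=us" would also hit).
HISTORY_PATTERNS = {
    "password flag": re.compile(r"(--password[= ]|sshpass -p )\S+"),
    "exported secret": re.compile(r"(?i)export \w*(secret|token|key|passw)\w*="),
}

def ssh_key_is_encrypted(key_text: str) -> bool:
    """True if a private key file on disk is passphrase-protected."""
    if "Proc-Type: 4,ENCRYPTED" in key_text:      # legacy PEM encryption header
        return True
    if "BEGIN OPENSSH PRIVATE KEY" in key_text:   # OpenSSH format: read cipher name
        b64 = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
        blob, magic = base64.b64decode(b64), b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return False
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        return blob[len(magic) + 4:len(magic) + 4 + n] != b"none"
    return False                                  # legacy PEM with no Proc-Type line

def audit_home(home: Path) -> list:
    """Collect findings for the leak paths discussed above."""
    findings = []
    for key in sorted((home / ".ssh").glob("*")):
        text = key.read_text(errors="ignore") if key.is_file() else ""
        if "PRIVATE KEY" in text and not ssh_key_is_encrypted(text):
            findings.append(f"unencrypted ssh key: {key.name}")
    for hist in (".bash_history", ".zsh_history"):
        if (home / hist).is_file():
            for line in (home / hist).read_text(errors="ignore").splitlines():
                for label, pat in HISTORY_PATTERNS.items():
                    if pat.search(line):
                        findings.append(f"{label} in {hist}: {line.strip()}")
    creds = home / ".aws" / "credentials"
    if creds.is_file() and "aws_secret_access_key" in creds.read_text():
        findings.append("long-lived plaintext credentials in .aws/credentials")
    return findings

def _openssh_header(cipher: str) -> str:
    """Constructed, truncated OpenSSH key: magic + cipher name only, no key material."""
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

def build_demo_home() -> Path:
    """Constructed sample home directory that exercises every check."""
    home = Path(tempfile.mkdtemp())
    (home / ".ssh").mkdir(); (home / ".aws").mkdir()
    (home / ".ssh" / "id_weak").write_text(_openssh_header("none"))
    (home / ".ssh" / "id_ok").write_text(_openssh_header("aes256-ctr"))
    (home / ".bash_history").write_text(
        "ssh -p 2222 build@host\nmysql --password=hunter2 db\nexport API_TOKEN=abc123\n")
    (home / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = EXAMPLE\naws_secret_access_key = EXAMPLE\n")
    return home

if __name__ == "__main__":
    for finding in audit_home(build_demo_home()):
        print(finding)
```

Run against a real home directory it reports the unencrypted key, the two history lines and the plaintext AWS file; the benign `ssh -p 2222` line is not flagged.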



  • Like, the Powerwall things? Yeah, sure, they’re in the same sort of class. I think — not gonna go looking through all of 'em — that the things I linked to above all are intended to have someone plug devices directly into them, and the Powerwalls get wired into the electrical panel, but same basic idea. They aren’t really devices where energy density matters all that much, because once you put the battery somewhere, it probably isn’t going to move much after that.


  • If people want to get one for the hell of it, I’m not going to stand in their way, but I really don’t think that this product plays well to the strength of sodium-ion batteries.

    My understanding is that sodium-ion batteries are not as energy-dense, but are expected to be cheaper per-kilowatt-hour than lithium-based batteries.

    But this is a small, very-expensive-relative-to-storage-capacity, portable battery.

    I’d think that sodium-ion batteries would be more interesting for things like an alternative to this sort of thing — large-capacity, mostly-non-moved-around batteries used for home backup during power outages, stuff like that. Maybe grid buffering.


  • Facts are not copyrightable, just their presentation. So I don’t think that it’s possible to say that it’s impossible to summarize material. A court is going to say that some form of summary is legal.

    On the other hand, simply taking material and passing it through an AI and producing the same material as the source — which would be an extreme case — is definitely copyright infringement. So there’s no way that a court is going to just say that any output from an AI is legal.

    We already have criteria for what’s infringing, whether a work is “derivative” or not.

    My bet is that a court is going to tell Brave “no”, and that it’s up to Brave to make sure that any given work it produces isn’t derivative, using existing case law. Like, that’s a pain for AI summary generators, but it kind of comes with the field.

    Maybe it’s possible to ask a court for clearer and harder criteria for what makes a work derivative or not, if we expect to be bumping up against the line, but my guess is that summary generators aren’t very impacted by this compared to most AI and non-AI uses. If the criteria get shifted to be a little bit more permissive (“you can have six consecutive words identical to the source material”, say) or less permissive (“you can have three consecutive words identical to the source material”), my guess is that it’s relatively easy for summary generators to update and change their behavior, since I doubt that people are keeping these summaries around.


  • “Where to find the time of day changes depending on what [driving] mode you’re in,” he said. “The buttons that go through your six favorite channels don’t work if it’s satellite radio channels. It takes so many tries to hit one button in your jiggly car, and it just doesn’t work.”

    Well, Woz. You’re famous for doing a universal control panel for another prominent piece of consumer electronics and figuring out how to interface it to lots of different brands.

    https://en.wikipedia.org/wiki/Universal_remote

    In 1987, the first programmable universal remote control was released. It was called the “CORE” and was created by CL 9, a startup founded by Steve Wozniak, the inventor of the Apple I and Apple II computers.[2]

    All you had to do then was to reverse-engineer the infrared protocols used to communicate with the televisions.

    I bet that it’s probably possible to figure out a way to have a third-party control panel interface with various auto UIs. Like, build a universal interface, and then just design mounting hardware on a per-car basis? Use Android Auto or CarPlay, OBD-II, and such?

    Can Android Auto do climate control?

    kagis

    Sounds like it doesn’t, but may start being able to do so:

    https://www.androidauthority.com/android-auto-climate-controls-3533161/

    Android Auto could be about to turn up the heat (and AC) on car comfort

    Climate control may finally be coming to Google’s in-car interface.

    Android phones don’t have physical buttons for car features. But…that’s not a physical limitation. Just is a result of reusing a phone as a car panel.

    So instead of having third-party car computers being the province of a few hobbyist hardware hackers, there’s an out-of-box solution for everyone? Make the “Wozpanel” or whatever that I just mount in my car? Stick physical buttons on it? Maybe have a case and faceplate that wraps it to match interiors?


  • the importation into the United States of artificial intelligence or generative artificial intelligence technology or intellectual property developed or produced in the People’s Republic of China is prohibited.

    This guy might get a bill through that bans Chinese AI stuff, though I think that enforcement is gonna be a pain, but as per the text, this is banning all Chinese intellectual property, AI or not. That’s a non-starter; it’s not going to go anywhere in Congress. Like, you couldn’t even identify all instances of Chinese intellectual property if you wanted to do so.

    EDIT: Okay, they define the phrase elsewhere to specifically be “technology or intellectual property that could be used to contribute to artificial intelligence or generative artificial intelligence capabilities”, which is somewhat-narrower but still not going anywhere, because pretty much any form of intellectual property meets that bar; you can train an AI on whatever to improve its capabilities.


  • While 50 is a small sample size, the issue might be widespread since they bought their drives at a dozen different retailers, some of which are on Seagate’s official “where-to-buy” list. Some of the impacted retailers are quite large, such as Amazon and Mindfactory.

    I mean, Amazon lets anyone sell through the site. Unless an order is specifically from Amazon itself, you could get it from any seller out there. It’s not like they’re going to conduct some kind of technical evaluation of the product.

    Drives do have serial numbers, though, so I suspect that it’s not going to be very hard to trace back up the chain, see who they were originally sold to, find who they sold them to, and figure out who has been fiddling with the firmware to make old drives look new.


  • I recently went looking to see if there was a practical way to expose a USB powerstation to Linux as a battery under /sys/class/power_supply, the way internal laptop batteries are. Unfortunately, that didn’t appear to be the case. There are UPSes that NUT can monitor, but not a route to treat them the way Linux does laptop batteries. Kind of annoying, since for a luggable computer, it’d be really neat to have an external, expandable battery that looks to the computer like the one in a laptop.



  • tal@lemmy.today to Technology@beehaw.org: Garmin GPS Ghost USB Issue (2 upvotes, edited, 3 months ago)

    Either way, garmin’s user manual(link) says it is not needed. See page 36, saying “Data Storage Life: Indefinite; no memory battery required”

    I don’t think that they’re saying that the button cell is some sort of undying thing, but rather that your GPS traces and such are being written to nonvolatile memory.

    I assume that you already went looking for a replacement cell and couldn’t find one, else you’d have replaced it rather than resoldered the existing one.

    Assuming that the button cell is actually the problem and that it’s rechargeable, it occurs to me that you might try pulling the cell off again and checking the recharging voltage across the connectors to try to get an idea of what type of cell it is, try getting a new cell with similar characteristics. Might kill the unit doing so if you get the replacement cell voltage wrong, but if it’s not usable now and you’re confident that the cell is the issue…shrugs

    To be honest, if I had the unit, I would probably pitch it rather than invest time in fixing it. It looks like this is a fifteen-year-old unit, and my smartphone is probably a more-capable GPS unit running free software. The value of the time I’d spend on fixing it probably exceeds the value of the unit. There’s a reason that consumer electronics repair isn’t much of a business. If you’re viewing the repair as a hobby or something, though, fair enough.




  • A lot of this sounds pretty abstract to me.

    It argues that drones transmit data about use to Chinese drone manufacturers, which could leverage that data to provide an edge globally.

    Okay, fine. I’ll believe that farms have models of when to spray and such, and that these models have value. And this effectively gives drone manufacturers a fair bit of that data.

    But…how secret is that data now? Like, is this actually data not generally available? There are a lot of corn farms out there. Did each corn farm go carefully work up their own model on their own in a way that China can’t obtain that data? Or can I go read information publicly about recommended spraying intervals?

    More radically, agricultural data could be used to unleash biological warfare against crops, annihilating an adversary’s food supply. Such scenarios pose a significant threat to national security, offering China multiple avenues to undermine critical infrastructures by devastating food availability, threatening trade and economic resilience, and destabilizing agricultural systems.

    That seems like an awful stretch.

    Biowarfare with infectious disease is hard to control. Countries historically have been more interested militarily in stuff like anthrax, which works more like a chemical weapon. I am dubious that China has a raging interest in biowarfare against American crops.

    Even if we assume that China does have the intent and ability to develop something like a crop disease, I have a very hard time seeing as how somewhat finer-grained information about agriculture is going to make such an attack much more effective. Let’s say that China identifies a crop that is principally grown in the US and develops an infectious disease targeting it. Does it really need to know the fine points of that crop, or can it just release it at various points and let it spread?

    As for food security, the US is not really a country at any sort of food security risk.

    • It exports a lot of staple food. It’s the source, not the consumer.

    • It has large margins due to producing luxuries that could be reduced in a wartime emergency – I recall once reading a statistic that if the US went vegetarian, it could provide for all of Europe’s food needs purely from the increased output without bringing any more land into production.

    • It is wealthy enough to have access to the global food market. If the US is starving, a lot of the world is going to be starving first. In some cases, one can cut off physical transport access to the global market via blockade even where a country could normally buy from those markets – as Germany tried to do to the UK in World War II or the US did to Japan in World War II, but that would be extraordinarily difficult to do to the US given the present balance of power. The US is by far the largest naval power in the world. This assessment is that in a defensive naval and air war, which is what such a blockade would involve, it could alone prevail against the combined militaries of the entire rest of the world. And on top of that, a substantial portion of the other major naval powers are allied to the US. China is very unlikely to be in a position where it could blockade the US, and if we imagine the kind of changes necessary to create some scenario where it was, I’d suggest that this scenario would also very probably bring with it other issues that would be of greater concern to the US than food security.

    I’m willing to believe that it might be possible to target “university IT systems” for commercially-useful data, but it’s not clear to me that that’s something specific to drones or to China. There are shit-tons of devices on all kinds of networks that come out of China. I’d be more worried about the firmware on one’s Lenovo Thinkpad as being a practical attack vector than agricultural drones.

    Now, okay. The article is referencing both American national security concerns and potential risks to other places, fine. It’s talking about Brazil, Spain, etc. Some of my response is specific to the US. But I’m going to need some rather less hand-wavy and concrete issues to get that excited about this. You cannot hedge against every risk. Yes, there are risks that I can imagine agricultural drones represent, though I think that just being remotely-bricked around harvest time would be a more-realistic concern. But there are also counters. Sure, China no doubt has vectors via which it could hit the US. But the same is also true going the other way, and if China starts pulling levers, well, the US can pull some in response. That’s a pretty significant deterrent. Unless an attack can put the US in a position where it cannot respond, like enabling a Chinese nuclear first strike or something, those deterrents are probably going to be reasonably substantial. If we reach a point where China is conducting biowarfare against American crops to starve out the US, then we’ve got a shooting war on, and there are other things that are going to be higher on the priority list.

    5G infrastructure is, I agree, critical. TikTok might be from an information warfare perspective. You can mitigate some of the worst risks. But you cannot just run down the list of every product that China sells and block every way in which one might be leveraged. Do that and you’re looking at heading towards autarky and that also hurts a country – look at North Korea. Sanctions might not do much to it, but it’s also unable to do much.

    To quote Sun Tzu:

    For should the enemy strengthen his van, he will weaken his rear; should he strengthen his rear, he will weaken his van; should he strengthen his left, he will weaken his right; should he strengthen his right, he will weaken his left. If he sends reinforcements everywhere, he will everywhere be weak.

    You have a finite amount of resources. You can use them to mitigate some threats. You cannot effectively counter all potential threats. You have to prioritize. If we want to counter agricultural drones as an attack vector, then we accept greater vulnerability elsewhere to do so. The question is not simply “does a potential vulnerability exist”, but “is this the optimal place to expend resources”?




  • Honestly, it might be a good thing long-run to have a higher percentage of users on VPNs. They aren’t a magic cure-all, but they do help make it safer to use untrusted networks and discourage some things on the service side, like geolocating and data-mining users based on IP.

    “This might address some security problems” is somewhat abstract to appeal to most users, I think. “VPN or no tits” is something that I think is more generally-relatable.