NaN

If they arrest someone to gain access to their key, they don’t need this attack to use their key. They can just use their key.

One thing the article doesn’t make very clear is that for 2FA the PIN requirement comes from the site itself. If the site requires User Verification, the PIN is required. If not, it is not prompted even if set and this attack is possible. The response to the site just says they knew it.

It is different for Passkeys. They are stored on the device and physically locked behind the PIN, but this is just an attack on 2FA where the username and password are known. (In depth it’s more than that, but for most people walking around with a Yubikey…)

It also seems limited in scope to the targeted site and not that everything else protected by that specific Yubikey. That limits how useful this is in general, which is another reason it is sort of nation-state level or an extremely targeted attack. It’s not something your local law enforcement are going to use.

I think the YubiHSM is a much more appealing target, but that isn’t so much a consumer device and has its own authentication methods.

I was confused how a resume or application would be largely affected, but the article points out that software is often used to look over social media now as part of hiring (which is awful).

The bias when it determined guilt or considered consequences for a crime is concerning as more law enforcement agencies integrate black box algorithms into investigative work.

Do you sideload extensions in Chromium browsers often? No browser makes it especially easy, auto-updates are hit and miss (uBo has a zip from GitHub, does that auto update?), and it’s extremely likely that many authors don’t bother with special niche development when the vast majority of their user-base is gone (he doesn’t build an XUL version anymore either).

It’s, in fact, some kind of problem even if it isn’t for you.

It’s effective for probably most typical users (set it and forget it), especially if you “up” the permissions. Downside is the filter rules have to be bundled in the extension, so it doesn’t update dynamically.

The problem with most of them, is they don’t host their own extension repositories, so their support doesn’t really matter unless you side load all the time.

Somewhat. One, a system can be bootable without the entries because they are just pointers to the actual bootloader, so even if windows does the stupid and deletes them it isn’t the end of the world. It does depend on your specific firmware though.

Also two, you can write them again with a single line in efibootmgr, they’re just saying “if I click Fedora load the shim from the EFI system partition on disk 1”.

This is very different than the old world where windows would delete your bootloader entirely and the MBR couldn’t be easily explored. They live in the efi system partition instead - or at least the shim does- and typically every OS leaves the other ones alone (even Windows, except in this case, although it didn’t touch the shim itself).

The initial comment was about the bootloader and really only applies to MBR partitions.

Bash is still in MacOS.

XNU is the kernel in Darwin, XNU is an Apple product derived from BSD and Mach. Darwin has a lot of FreeBSD in it.

Apple shares that code though. It’s on GitHub. There used to be Darwin distributions.

Your Android example doesn’t make very much sense either. The largest Android issues are typically hardware lockdown. Nothing about the GPL prevents someone building an ad platform that spies on you, it just makes them share the source code for it. Google’s licensing choices means they don’t share the source code for the Google pieces they put on top of AOSP, the entire project means people can build the alternatives though.

The lawsuits were about AT&Ts proprietary license. BSD and similar licenses are not that.

386BSD was not available until some months after Linux was released, so you had GNU with no working kernel and BSD not yet available on the hardware he had, hardware a lot of normal people had. I think the GPL also felt more philosophically right to many of them, and it limited how much they needed to re-do work that someone else had already done but kept secret.

The AT&T lawsuit definitely hampered BSD growth just as it was ported to the 386, but it was filed after Linux was already a thing.

Amazon is notorious for combining stock, “the seller” often doesn’t matter.

Marktext is another. Pretty lightweight and more permissive license than Obsidian.

Obsidian should not be suggested for general use without the disclaimer that you have to pay if you use it for any work in most cases (unless you work for a very small place or a non-profit). I think their license is probably one of the most unintentionally violated around, kind of can’t believe they’re on flathub.

Commercial use means using Obsidian for revenue-generating or work-related activities within a for‑profit organization that has two or more employees. Government departments and agencies are considered commercial use, unless registered as a non-profit organization.

Gnome boxes and libvirt do it automatically for their VM directories… it works and a normal user doesn’t have to know a bunch.

I think this is the crux of the article. In the past most people have considered photographic evidence to be very convincing. Sure, you could be removed from a photo of Stalin, and later people could do photoshop (with varying realism), now it’s a few words to make changes that many people believe without hesitation. Soon it will happen to video too, very soon.

Most people are not ready for it. Even shitty AI photos on social media get huge reactions with barely a handful calling them out.

The boot entries live in firmware yes, efibootmgr can create and remove them. The are pointers to the bootloader. Many systems can boot from the disk itself without the entry, the entry just makes it pretty (“Fedora” instead of NVME1).

I blame Linux distributions for not updating when the security vulnerability has been fixed for years a little more than I blame Microsoft for untrusting old vulnerable software versions. That said, failing to figure out if it is dual booting or not when there are multiple ways of doing it was not really a surprise.

(I also remember when some Fedora ISOs were unbootable immediately after release a few years ago for similar issues, they hadn’t updated shim or similar)

Grub has already been patched, that doesn’t mean distributions shipped it. SBAT broke systems that hadn’t been updated.

It’s a lot better in uefi, MBR dual booting was always sort of hacky.

No. You can have more than one EFI system partition with separate bootloaders on each drive and set their boot order in the BIOS, just like booting from USB or anything else.

This is also possible with just one drive. The efi boot entries for each OS are stored separately in the efi system partition.