Biomedical Engineer, Medical Student, Lincoln Democrat
15831 stories
·
223 followers

Hacking Tools To Watch Out For!

jwz
1 Comment and 2 Shares




Read the whole story
satadru
75 days ago
reply
Collect the whole set!
New York, NY
mkalus
86 days ago
reply
iPhone: 49.287476,-123.142136
Share this story
Delete

Patreon screws me over, says a big Apple did it and ran away

jwz
1 Comment and 2 Shares
Patreon has two billing models, monthly (bills on the first of the month, or whenever they get around to it) and daily (charges you the moment you sign up.)

For several years now, they have been trying really hard to get creators to switch to daily billing whether they like it or not, with a series of intrusive nags and dark patterns. E.g., the "Settings" tab always has an "unread" alert on it reminding me that I have not made the "recommended" change.

Now they're going to force everyone to switch, and they're blaming Apple for it. And, to be clear, fuck Apple, but also fuck Patreon, this is their choice and it's going to mean that I can no longer use their service.

Here's a support request I just sent them, after clicking 15 levels deep into their FAQ before finding the thing that might contact a human. Since the email alerting me of this change came from a "noreply" address because of course it did.

You recently sent mail saying that you're going to force me to switch from monthly billing to subscription billing.

Subscription billing is unacceptable for my Patreon. It does not work.

I sell monthly memberships to a physical nightclub. The memberships begin on the first of the month. I fulfill and mail the physical membership cards on the first of the month. If you make me switch to daily billing, that means I will have to do merch fulfillment on a daily basis instead, and I simply cannot do that.

If you force me to switch from a monthly cycle to a daily cycle I will have no choice but to stop using Patreon.

To be clear: I do not give a shit about the iOS app. Not one fractional fuck is given. If the solution to this problem is that people cannot sign up for, or access, my Patreon from the iOS app, that is 100% acceptable to me.

(Also you are blaming this on Apple's bullying, which is simply not credible. You've been nagging me to change to subscription billing for years, with the little red error icon appearing everywhere. This is your decision. You are transparently using Apple as an excuse.)

Patreon's absolutely awful level of service and support has been a huge problem for quite some time, but I am really not looking forward to having to figure out how to implement recurring monthly billing on my own.

Patreon, YOU HAD ONE JOB.

Previously, previously, previously, previously.

Read the whole story
satadru
75 days ago
reply
Honestly if your business model is predicated upon seeking out VC money, then enshittification should just be assumed to be a part of your business plan, and prospective users should plan accordingly.
New York, NY
mkalus
85 days ago
reply
iPhone: 49.287476,-123.142136
Share this story
Delete

Gmail's absolutely horrific markup and how Chrome makes it worse

jwz
2 Shares
Wondering why sometimes people paste stuff into your forms and it comes out double- or triple-spaced? Yeah, me too! Check this shit out. Type this text into TextEdit or Notes:

Line One

Line Three

Line Five


Line Eight
Line Nine
Line Ten

Copy that text from TextEdit or Notes. Compose a Gmail message inside desktop Chrome, paste, hit Send, and look at the HTML that Gmail produced. It's insane:

<div dir="ltr">
<p style="margin:0px;font:12px Helvetica">Line One</p>
<p style="margin:0px;font:12px Helvetica;min-height:14px"><br></p>
<p style="margin:0px;font:12px Helvetica">Line Three</p>
<p style="margin:0px;font:12px Helvetica;min-height:14px"><br></p>
<p style="margin:0px;font:12px Helvetica">Line Five</p>
<p style="margin:0px;font:12px Helvetica;min-height:14px"><br></p>
<p style="margin:0px;font:12px Helvetica;min-height:14px"><br></p>
<p style="margin:0px;font:12px Helvetica">Line Eight</p>
<p style="margin:0px;font:12px Helvetica">Line Nine</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Helvetica"></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Helvetica">Line Ten</p>
</div>

So, first things first, if your application produces markup like that, please leave the software industry immediately. Your work is a net negative on everyone's lives. Tools down, walk away.

Second, here's where it gets fun. Copy that text from the Gmail message and paste it into any plain-text area, such as a <TEXTAREA> in a web page, or into TextEdit after having done Format / Make Plain Text. Or even into Emacs.

If you copy from Safari, what gets pasted is what you see.

If you copy from Chrome, what gets pasted is double- or triple-spaced. "Line Ten" is on line 19.

What Chrome copies:

Line One



Line Three



Line Five





Line Eight

Line Nine

Line Ten
What Firefox copies:

Line One


Line Three


Line Five



Line Eight

Line Nine

Line Ten
What Safari copies:

Line One

Line Three

Line Five


Line Eight
Line Nine
Line Ten

Ok but what's actually going on here? When you strip out all the redundant and useless bullshit, what does that markup actually say?

It says that each line is a paragraph, but one with no margin. In other words, a <DIV>. And then every paragraph break is actually its own paragraph, with one <BR> inside it.

I guess what's going on is, Safari looks at a node with no margin and says, "Aha, I shall copy the text with no extra spacing."

But Chrome looks at it and says, "That's a <P> tag! I know those! Those have a blank line after them!" And then it looks at that <P> with the single <BR> in it says, "That's also a <P> tag! I know those! Those have a blank line after them! I am very smart."

I see that monopolistic integration between the Gmail team and the Chrome team has really led to excellent cross-product interoperability, and consistent interpretation of how all of this crap is supposed to work.

(Firefox, meanwhile, somehow manages to split the difference, and I have no theory on what the hell is going on there.)

Anyway, great job everybody, no notes.

Previously, previously, previously, previously, previously.

Read the whole story
satadru
75 days ago
reply
New York, NY
mkalus
82 days ago
reply
iPhone: 49.287476,-123.142136
Share this story
Delete

Microsoft’s CrowdStrike post-mortem

1 Comment

Microsoft has published a post-mortem of the CrowdStrike incident, and goes into great depths to describe where, exactly, the error lies, and how it could lead to such massive problems. I can’t comment anything insightful on the technical details and code they show to illustrate all of this – I’ll leave that discussion up to you – but Microsoft also spends considerable amount of time explaining why security vendors are choosing to use kernel-mode drivers.

Microsoft lists three major reasons why security vendors opt for using kernel modules, and none of them will come as a great surprise to OSNews readers: kernel drivers provide more visibility into the system than a userspace tool would, there are performance benefits, and they’re more resistant to tampering. The downsides are legion, too, of course, as any crash or similar issue in kernel mode has far-reaching consequences. The goal, then, according to Microsoft, is to balance the need for greater insight, performance, and tamper resistance with stability.

And while the company doesn’t say it directly, this is clearly where CrowdStrike failed – and failed hard. While you would want a security tool like CrowdStrike to perform as little as possible in kernelspace, and conversely as much as possible in userspace, that’s not what CrowdStrike did. They are running a lot of stuff in kernelspace that really shouldn’t be there, such as the update mechanism and related tools. In total, CrowdStrike loads four kernel drivers, and much of their functionality can be run in userspace instead.

It is possible today for security tools to balance security and reliability. For example, security vendors can use minimal sensors that run in kernel mode for data collection and enforcement limiting exposure to availability issues. The remainder of the key product functionality includes managing updates, parsing content, and other operations can occur isolated within user mode where recoverability is possible. This demonstrates the best practice of minimizing kernel usage while still maintaining a robust security posture and strong visibility.

Windows provides several user mode protection approaches for anti-tampering, like Virtualization-based security (VBS) Enclaves and Protected Processes that vendors can use to protect their key security processes. Windows also provides ETW events and user-mode interfaces like Antimalware Scan Interface for event visibility. These robust mechanisms can be used to reduce the amount of kernel code needed to create a security solution, which balances security and robustness.

↫ David Weston, Vice President, Enterprise and OS Security at Microsoft

In what is surely an unprecedented event, I agree with the CrowdStrike criticism bubbling under the surface of this post-mortem by Microsoft. Everything seems to point towards CrowdStrike stuffing way more things in kernelspace than is needed, and as such creating a far larger surface for things to go catastrophically wrong than needed. While Microsoft obviously isn’t going to openly and publicly throw CrowdStrike under the bus, it’s very clear what they’re hinting at here, and this is about as close to a public flogging we’re going to get.

Microsoft’s post-portem further details a ton of work Microsoft has recently done, is doing, and will soon be doing to further strenghthen Windows’ security, to lessen the need for kernelspace security drivers even more, including adding support for Rust to the Windows kernel, which should also aid in mitigating some common problems present in other, older programming languages (while not being a silver bullet either, of course).

Read the whole story
satadru
97 days ago
reply
If your security vendor wants to do mundane tasks like downloading updates in kernelspace, you have a bad security vendor and you should stop using them.
New York, NY
Share this story
Delete

Hatchery

1 Comment and 3 Shares
Anadromous fish are more vulnerable in rivers, since the lack of salt means you can quickly crack passwords using rainbow trout tables.
Read the whole story
satadru
109 days ago
reply
This was great.
New York, NY
acdha
116 days ago
reply
Washington, DC
Share this story
Delete

Google is bringing Fuchsia OS to Android devices, but not in the way you’d think

1 Share

To evolve Fuchsia beyond smart home devices, Google has been working on projects such as Starnix to run unmodified Linux binaries on Fuchsia devices. In addition, since late April of this year, Google has been working on a new project called “microfuchsia” that aims to make Fuchsia bootable on existing devices via virtualization. Microfuchsia, according to Google, is a Fuchsia OS build that targets virtual machines and is designed to be bootable in virtualization solutions such as QEMU and pKVM.

↫ Mishaal Rahman at Android Authority

The goal here might be, according to Mishaal Rahman, might be to use this new microfuchsia thing to replace the stripped-down Android version that’s currently being used inside Android’s pKVM to run certain secured workloads. Relevant patches have been submitted to both the Fuchsia and Android side of things for this very purpose.

At this point, it really seems that Google’s grand ambitions with Fuchsia simply didn’t survive the massive employee culling, with leadership probably reasoning that Android and Chrome OS are good enough, and that replacing them with something homegrown and possibly more suited – speculation, of course – simply isn’t worth the investment in both time and money.

It probably makes sense from a financial standpoint, but it’s still sad.

Read the whole story
satadru
117 days ago
reply
New York, NY
Share this story
Delete
Next Page of Stories