Joined 2 years ago
Cake day: December 29th, 2023


  • you’re on programming.dev so i assume you know that secrets is a generic term to cover things like your cloud account login (whatever form that may take - a password, token, api key, etc) for the robot vacuum service and you’re being intentionally obtuse

    it’s a realistic attack scenario for some people - think celebrities etc, who might be being targeted… if someone knows what type of vacuum you have, it’s not “carefully take apart” - it’d take 30s, and then you have local network access which is an escalation that can lead to significantly more surveillance like security cameras, and devices with unsecured local access

    just because it doesn’t apply to you doesn’t mean it doesn’t apply to anyone… unsecured or default password root access, even with physical access, is considered a security issue





  • Pup Biru@aussie.zone to Memes@sopuli.xyz · I ain't risking shit · 5 days ago

    that’s about phones in general… they mention iphone once, and that’s about the 1 phone that led to them catching the criminals (which i’d say is a check in the box of “stealing iphones is useless”)

    iphones in apple stores as display models are not standard iphones: they lock down and turn themselves into only a tracker the instant they leave the apple store

    and it’s basically useless to steal an iphone in most cases anyway, because an iphone gets registered to an apple account, and if a phone is already registered you just can’t use it

    even parting it out the huge majority of parts - especially anything even a little bit expensive - has essentially DRM on it that talks to iOS… when you add a genuine apple part to an iphone, iOS checks to see if it’s already been registered to another phone and just won’t proceed with stolen parts

    the best you could do is use it or the parts as a prop in some secondary scam



  • that’s pretty disingenuous though… individual lemmy instances go down or have issues regularly… they’re different, but not necessarily worse in the case of stability… robustness of the system as a whole there’s perhaps an argument in favour of distributed, but the system as a whole isn’t a particularly helpful argument when you’re trying to access your specific account

    centralised services are just inherently more stable for the same type of workload because they tend to be less complex, less networking interconnectedness to cause issues, and you can focus a lot more energy building out automation and recovery than spending energy repeatedly building the same things… that energy is distributed, but again it’s still human effort: centralised systems are likely to be more stable because they’ve had significantly more work put into stability, detection, and recovery




  • i think they’re 2 different, but equally important things to protect against

    shit companies using your information is almost guaranteed so you want to protect against that, but FDE does nothing for that

    but losing your laptop with an unprotected disk can be catastrophic for your life… your entire browser session (so probably your email, and therefore password resets and confirmations), any cloud (or self-hosted storage with saved credentials) storage that you have… idk about you, but the contents of my disk are plenty to steal my identity even without needing to social engineer, and with my email and other bits of info that’s plenty to social engineer probably anything up to and including a passport

    training an LLM on chats might make you feel dirty, but an unencrypted disk can ruin your life for years and cause problems potentially forever


  • corpos aren’t who you’re protecting against with encrypted drives… they’re not going to gain access to anything via bypassing your OS: they get everything via software you’ve installed or things like tracking

    the main thing you’re protecting against with encryption is theft (or if you think you’re being physically targeted, it also stops them from modifying your system… eg replacing your kernel or a binary that gives them access somehow)






  • the thing that everyone always glosses over is that jellyfin should not be run on a public network. it has known security vulnerabilities… that includes VPN remote proxy, so now you have to have external users on your actual VPN, and if that’s the case then plex will work fine because it’s “local”, and has a lot more features

    (and my main issue: media segments don’t work on swiftfin)