Cake day: August 14th, 2023

  • During World War II, the telegraph interception guys would figure out which enemy units were where, even without having broken the codes, because telegraph operators each had their own “fist,” or distinct patterns in how they punched in the Morse code, and people listening to the signals day in and day out could learn to distinguish them even when dealing entirely in encrypted text.

    In modern times, attribution of hacker groups includes other indicators, including what time zones certain people seem to be active in, what their targets are (and aren’t), hints about installed language support or keyboard layouts or preferred punctuation or localized representations of numbers. For example, you can tell here on Lemmy when someone uses different types of quotation marks, a decent indication of what country that person might be from, even in a totally English language thread.


  • I get how it works with wifi connections, and Bluetooth scanning (since that’s a peer to peer protocol that needs to broadcast its availability), and obviously the OS-level location services, but I’m still not seeing how seeing wifi beacons would reveal anything. For one, pretty much every mobile device OS now uses MAC randomization so that your wifi activity on one network can’t be correlated with another. And for another, I think the BSSID scanning protocol is listen only for client devices.

    Happy to be proven wrong, and to learn more, but the article linked doesn’t seem to explain anything on this particular supposed threat.













  • Plus they’re cheaper, relative to repair professionals’ labor.

    If a new refrigerator costs the same as 100 hours of skilled labor, then a 10 hour repair job (plus parts that cost the same as 1/10 of a refrigerator) will be economically feasible.

    But if a new fridge costs the same as 20 hours of skilled labor, and the more complex parts come in more expensive assemblies, then there’s gonna be more jobs that don’t pass a cost benefit threshold. As a category, refrigerator repair becomes unfeasible, and then nobody gets skilled in that field.



  • not meant to be consistent with the human eye.

    Even then, postprocessing is inevitable.

    As the white/gold versus blue/black dress debate showed, our perception of color is heavily influenced by context, and is more than just a simple algorithm of which rods and cone cells were activated while viewing an image.


  • It basically varies from chip to chip, and program to program.

    Speculative execution is when a program hits some kind of branch (like an if-then statement) and the CPU just goes ahead and calculates as if it’s true, and progresses down that line until it learns “oh wait it was false, just scrub all that work I did so far down this branch.” So it really depends on what that specific chip was doing in that moment, for that specific program.

    It’s a very real performance boost for normal operations, but for cryptographic operations you want every function to perform in exactly the same amount of time, so that something outside that program can’t see how long it took and infer secret information.

    These timing/side channel attacks generally work like this: imagine you have a program that tests if variable X is a prime number, by testing if every number smaller than X can divide evenly, from 2 on to X. Well, the bigger X is, the longer that particular function will take. So if the function takes a really long time, you’ve got a pretty good idea of what X is. So if you have a separate program that isn’t allowed to read the value of X, but can watch another program operate on X, you might be able to learn bits of information about X.

    Patches for these vulnerabilities change the software to make those programs/functions run in fixed time, but then you lose all the efficiency gains of being able to finish faster, when you slow the program down to the weakest link, so to speak.
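
The trial-division example from the comment above, as an added illustration that is not part of the original comment: the loop count stands in for running time, and a fixed-work variant shows the mitigation and its cost. The function names, the sample values and the public bound of 16 are assumptions made for this sketch.

```python
# Added illustration. "steps" models running time by counting divisions;
# Python itself gives no constant-time guarantee, so this shows the idea only.

SECRETS = [5, 7, 9, 11, 13, 15]   # constructed sample values of X
BOUND = 16                        # assumed public upper limit on X


def is_prime_leaky(x):
    """Trial division that stops at the first divisor.
    The amount of work depends on the secret value x."""
    steps = 0
    for d in range(2, x):
        steps += 1
        if x % d == 0:
            return False, steps
    return x >= 2, steps


def is_prime_fixed(x, bound=BOUND):
    """Same answer, but always performs bound - 2 divisions for any
    0 <= x < bound, so the work no longer depends on x."""
    steps = 0
    found = False
    for d in range(2, bound):
        steps += 1
        # No early exit: keep going even after a divisor is found.
        found |= (d < x) & (x % d == 0)
    return (not found) and x >= 2, steps


def step_profile(fn, secrets):
    """Distinct step counts an outside observer could see across secrets.
    More than one value means the timing carries information about x."""
    return sorted({fn(x)[1] for x in secrets})


if __name__ == "__main__":
    print("leaky:", step_profile(is_prime_leaky, SECRETS))
    print("fixed:", step_profile(is_prime_fixed, SECRETS))
```

The fixed variant always pays the worst-case cost, which is the efficiency loss the comment describes.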


  • This particular class of vulnerabilities, where modern processors try to predict what operations might come next and perform them before they’re actually needed, has been found in basically all modern CPUs/GPUs. Spectre/Meltdown, Downfall, Retbleed, etc., are all a class of hardware vulnerabilities that can leak cryptographic secrets. Patching them generally slows down performance considerably, because the actual hardware vulnerability can’t be fixed directly.

    It’s not even the first one for the Apple M-series chips. PACMAN was a vulnerability in M1 chips.

    Researchers will almost certainly continue to find these, in all major vendors’ CPUs.



  • Oh come on you don’t actually believe we should structure the entire system around such a minority use case

    Minority use case? I’m talking about how downvotes are useful for communities to enforce their own norms, or ensure that erroneous information is excluded. Someone who insists on a proof that the angles of a triangle add up to more than 180º is probably going to get downvoted, especially if he’s being an asshole about it. Same with someone who insists that the common cold is caused by exposure to cold air, or that the earth is flat.

    Or there are broad consensus beliefs about what is or isn’t off topic for a discussion, what types of insults break the forum rules on civility, etc. When a community largely agrees that someone is being an asshole for using racial slurs, downvotes quickly sort that out. In other words, toxicity can get filtered out through the downvote/hide mechanism, as well.

    Even for beliefs that are simply matters of opinion/taste/preference, the community can decide what’s actually up for debate and what’s not, within that space. A forum dedicated to fans of Real Madrid doesn’t have to tolerate trolls coming in and saying “Real Madrid sucks” or “lol soccer is a stupid sport you Europeans are so stupid” or “sports are dumb.” Same with a vegan forum downvoting someone’s brisket recipe (or a BBQ forum downvoting a “meat is murder” manifesto). These “echo chambers” are just how people organize with people who share their interests, and it’s weird not to be able to see that there’s value in those communities.

    So yeah, I think that you have a problem with people’s desire to organize into groups of similar interests, not with the actual mechanism by which those groups enforce those norms. It wouldn’t be any better with a mod-enforced echo chamber, either.