In other news today...




  • Considered Harmful

    @JBert possibly not. disturbingly many reports. could be some new sort of urban microniche camouflage. wear a hat.



  • @Dragoon

    In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

    MESS WITH THE BEST, DIE LIKE THE REST. HACK THE PLANET!




  • Trolleybus Mechanic

    @Dragoon said in In other news today...:

    Cracking? Bubbles? Beer?

    Wait! I've seen this.


  • ♿ (Parody)


  • Considered Harmful

    @boomzilla wait. did the patches involve processes named Robin Hood and Friar Tuck?



  • @boomzilla said in In other news today...:

    It fails to mention whether the intentionally buggy patches initially made it through or were caught during the review though.



  • @Bulb From another article I read (German, though) they didn't make it through.

    The students tried to walk it back by saying that they handed them in as part of a "statical analysis tool under development". However, they said this after they had been discovered, already admitted to having submitted code known to be bugged, and furthermore it's usual to mark code generated by such tools as

    found by tool XXX, we are not sure if this is correct or not, please advise

    They did not do so.

    The university also is not happy:



  • @Rhywden said in In other news today...:

    The university also is not happy:

    UMNComputerScience on Twitter

    It looks like they've suspended work on the research project that led to the buggy patches, but not (yet) suspended/fired/expelled/disciplined the people involved.

    From one of the response tweets, it appears there was at least one published paper based on the project, and that tweeter strongly suggested that paper should be retracted due to the unethical basis.



  • @boomzilla said in In other news today...:

    Appropriate use of the banhammer. Do not fuck with basic infrastructure.


  • Fake News

    @boomzilla said in In other news today...:

    Some of the comments on there...

    How about a stiff monetary fine along with some jail time.

    They don't have the power to do that. What they should get is some hacker justice. Dox them. Hack into their personal machines and spread their personal info all over the web. They might learn something from that.

    Why didn't they release the names of the students? They should be blacklisted from the industry and put on a watchlist, I don't care if it's on the books legally or socially agreed upon, release their names! No one will hire them

    EDIT: For the record: I meant to highlight they're horrid comments.



  • @JBert said in In other news today...:

    @boomzilla said in In other news today...:

    Some of the comments on there...

    How about a stiff monetary fine along with some jail time.

    They don't have the power to do that. What they should get is some hacker justice. Dox them. Hack into their personal machines and spread their personal info all over the web. They might learn something from that.

    Why didn't they release the names of the students? They should be blacklisted from the industry and put on a watchlist, I don't care if it's on the books legally or socially agreed upon, release their names! No one will hire them

    Those I don't agree with. Mob justice is on display enough as it is.



  • @Carnage Yah. I think the university will take the appropriate action. That's enough of a big black mark for all participants, given their intentions (stupid curiosity) and actual accomplishments (nothing besides pissing off a lot of people).



  • @boomzilla said in In other news today...:

    I might be going against the main opinion, but on first sight I don't think the researchers really did much wrong, and I think the Linux Foundation is badly over-reacting.

    I skimmed their paper (or at least the version on github).

    First let's get something out of the way: it doesn't look very well written and I'm not really sure it's worth such a long paper for so little actual results. What they actually did is of little interest overall (they didn't even check that the commits would actually have ended up in the kernel since they pulled the plug immediately after reviewers gave them the go-ahead, without actually committing anything). It looks like average-to-poor research, from a pure research point of view. Not that you probably expected much more from research from students, they have to start somewhere. And hey, remember that half of all papers are below average!

    The relevant part (for the ethical aspect of things) is p8-9. As far as I can see, they took valid precautions to ensure it went OK and even asked the university ethics committee (I assume that's what the IRB is here). So really, they designed an experiment to highlight a valid concern with open-source, ran it past others to validate it, added safeguards, and ran it on a tiny scale (3 commits, and that didn't go past email exchanges with reviewers!). That doesn't really sound that awful.

    Now on the other side, it's understandable that the Linux Foundation is upset as they were indeed being played. But shift things a bit for context: if it was someone publishing a vulnerability in e.g. Facebook (not exploiting it, and notifying Facebook before publishing it), and Facebook reacted by banning them and their family, would you say that's OK? I hope not. So what's different here? Instead of Big Bad Ugly Facebook, it's White Knight Linux. Mmm, not very convincing. Instead of a vulnerability in existing software, it's a vulnerability in the software development process. Meh, not much different either.

    And to top it off, someone somewhere (forgot who/where...) made a good point: what does it say about the Linux Foundation's trust model that the email address from which a patch is sent matters? (and thus that banning a whole email domain is a valid approach) Does that mean patches from universities are less strenuously checked than those from random Gmail addresses? Since the researchers used Gmail addresses and managed to get through, does that really inspire confidence in the review process of university-sent code?


  • 🚽 Regular

    @remi Did you go and investigate what happened to form an informed opinion instead of just feeling enraged after reading the byline on the embed above? :doing_it_wrong:



  • @remi said in In other news today...:

    @boomzilla said in In other news today...:

    I might be going against the main opinion, but on first sight I don't think the researchers really did much wrong, and I think the Linux Foundation is badly over-reacting.

    I skimmed their paper (or at least the version on github).

    First let's get something out of the way: it doesn't look very well written and I'm not really sure it's worth such a long paper for so little actual results. What they actually did is of little interest overall (they didn't even check that the commits would actually have ended up in the kernel since they pulled the plug immediately after reviewers gave them the go-ahead, without actually committing anything). It looks like average-to-poor research, from a pure research point of view. Not that you probably expected much more from research from students, they have to start somewhere. And hey, remember that half of all papers are below average!

    The relevant part (for the ethical aspect of things) is p8-9. As far as I can see, they took valid precautions to ensure it went OK and even asked the university ethics committee (I assume that's what the IRB is here). So really, they designed an experiment to highlight a valid concern with open-source, ran it past others to validate it, added safeguards, and ran it on a tiny scale (3 commits, and that didn't go past email exchanges with reviewers!). That doesn't really sound that awful.

    Now on the other side, it's understandable that the Linux Foundation is upset as they were indeed being played. But shift things a bit for context: if it was someone publishing a vulnerability in e.g. Facebook (not exploiting it, and notifying Facebook before publishing it), and Facebook reacted by banning them and their family, would you say that's OK? I hope not. So what's different here? Instead of Big Bad Ugly Facebook, it's White Knight Linux. Mmm, not very convincing. Instead of a vulnerability in existing software, it's a vulnerability in the software development process. Meh, not much different either.

    And to top it off, someone somewhere (forgot who/where...) made a good point: what does it say about the Linux Foundation's trust model that the email address from which a patch is sent matters? (and thus that banning a whole email domain is a valid approach) Does that mean patches from universities are less strenuously checked than those from random Gmail addresses? Since the researchers used Gmail addresses and managed to get through, does that really inspire confidence in the review process of university-sent code?

    I don't see this as being significantly different from performing unsolicited pen tests on an organisation and then not reporting to the organisation before you make the results public. That would probably get you and your organisation a lawsuit if you did it to Facebook.
    It's not the programmer friends of these guys that got smacked with the banhammer, but the organisation that gave them the ok to do it. Seems perfectly in line. That organisation can't be trusted, which they themselves had proven. They should not get to supply code.
    The Linux kernel is a piece of software that relies on a lot of trust, they can't let stuff like this slide.



  • @Carnage said in In other news today...:

    I don't see this as being significantly different from performing unsolicited pen tests on an organisation and then not reporting to the organisation before you make the results public.

    Except that they did report it to the organisation. Immediately after the reviewers told them their patches were OK, they told them that they were not and retracted them (and actually sent the correct ones instead), before anything had been committed for real (which partly makes the research doubtful, as there might have been other checks later on that would have caught the issue, but I'm not familiar enough with the review process to know if that's valid or not, and as I already said the interest of the research is limited anyway).

    The only thing that's not clear to me is whether they told the reviewers that they were part of an experiment (rather than just an honest mistake), although I can imagine that they would not have wanted to say it until the end of the experiment (i.e. all patches tried) to avoid reviewers warning each other (which would have compromised the experiment!). But again, maybe they did (maybe just a bit later).

    Ideally, they should have worked with someone high-enough in the Linux Foundation to get them in the confidence (without divulging that to anyone involved, of course), so in that regard what they did was indeed not perfect. But to me that doesn't warrant the reaction they got, which looks much more like it was shame/revenge-driven than anything else.

    That organisation can't be trusted, which they themselves had proven.

    Which brings up the last remark I made. Does that mean that otherwise, an organisation is trusted just because of its name? It looks so (otherwise banning it would be meaningless) and frankly, that's scary.

    The Linux kernel is a piece of software that relies on a lot of trust, they can't let stuff like this slide.

    Yup, it's much better to bully people into believing that their system works perfectly and forcefully silence anyone who says otherwise, rather than actually ensure their trust-system works :sarkmark:. The obvious :tinfoil-hat: version here is that people who are already routinely sneaking in bad code for their own purposes (NSA or their equivalents everywhere in the world) don't want anything that risks exposing them.



  • Or, if you don't want to read:

    The REAL Reason McDonalds Ice Cream Machines Are Always Broken – 29:46
    — Johnny Harris

    That whole thing just screams "class action lawsuit". Too bad the franchise owners are actually only indentured serfs.


  • Notification Spam Recipient

    @Rhywden said in In other news today...:

    Or, if you don't want to read:

    I also don't want to watch videos :kneeling_warthog:
    What now?



  • @MrL I can narrate it to you over a Discord call.


  • 🚽 Regular

    @MrL said in In other news today...:

    @Rhywden said in In other news today...:

    Or, if you don't want to read:

    I also don't want to watch videos :kneeling_warthog:
    What now?

    I know you might not read this, but

    Oh, stupid embed. Here:

    300af493-3a25-4ce2-8a0f-00458f78598d-image.png



  • @Rhywden said in In other news today...:

    Or, if you don't want to read:

    The REAL Reason McDonalds Ice Cream Machines Are Always Broken – 29:46
    — Johnny Harris

    That whole thing just screams "class action lawsuit". Too bad the franchise owners are actually only indentured serfs.

    Or if you want to read but Wired won't let you:

    https://outline.com/6EYuJ3


  • I survived the hour long Uno hand

    Sportsball done right:


  • Considered Harmful

    @izzion said in In other news today...:

    Sportsball done right:

    still need to give the second baseman a stiletto to really fix baseball.


  • Banned

    @izzion said in In other news today...:

    Sportsball done right:

    The weirdest thing I've ever heard about any sport is that in American football, it's considered bad sportsmanship to build up a huge point lead. Like, scoring points is literally the goal of the game; why would anyone not want players trying to score?


  • Considered Harmful

    @Gąska said in In other news today...:

    it's considered bad sportsmanship to build up a huge point lead.

    I've never heard this. There's a slaughter rule but that ends the game early. I guess the perverse incentive from broadcasting would be to try to stigmatize that?

    The thing about not liking touchdown celebrations is because football players suck at dancing. See The Super Bowl Shuffle. It's a shuffle. They still suck at it.


  • Considered Harmful

    I shouldn't post this until August 29th, so don't read it until then.


  • BINNED

    @Gąska said in In other news today...:

    @izzion said in In other news today...:

    Sportsball done right:

    The weirdest thing I've ever heard about any sport is that in American football, it's considered bad sportsmanship to build up a huge point lead. Like, scoring points is literally the goal of the game; why would anyone not want players trying to score?

    I thought association football had that tradition too, which is why there's so little scoring. :tro-pop:

    The tradition is actually a little more complicated than that. It requires the best defensive player on the team that lost the blowout to say that the rule is stupid and that no winning team should ever take their foot off the gas.

    Gridiron football is a game bound by many beautiful traditions.

    The reason for the tradition isn't so much sportsmanship as that it's much easier for a gridiron football player to get hurt while playing than it is in other sports. The offense switches to safer plays so as not to get their stars hurt once victory is assured. It's not technically sportsmanship but it looks very similar, which is why people call it that sometimes.

    Also the mercy rule @Gribnit mentioned doesn't exist at the professional level of the game, so TV broadcasting doesn't influence it.


  • Banned

    @GuyWhoKilledBear said in In other news today...:

    @Gąska said in In other news today...:

    @izzion said in In other news today...:

    Sportsball done right:

    The weirdest thing I've ever heard about any sport is that in American football, it's considered bad sportsmanship to build up a huge point lead. Like, scoring points is literally the goal of the game; why would anyone not want players trying to score?

    I thought association football had that tradition too, which is why there's so little scoring. :tro-pop:

    Actually, it's due to the tradition of having solid defense in your team. A seemingly foreign concept in handegg, where teams score a bajillion points every ten seconds of gameplay (i.e. every ten hours real-time).


  • Considered Harmful

    @Gąska said in In other news today...:

    the tradition of having solid defense

    This does safely remove any onus of skill on the part of either team, while giving them a handy tradition to justify it by.



  • @GuyWhoKilledBear said in In other news today...:

    I thought association football had that tradition too, which is why there's so little scoring. :tro-pop:

    Well, it's hard to score when you're rolling around on the ground pretending to be injured. :tro-pop:



  • @Gąska said in In other news today...:

    The weirdest thing I've ever heard about any sport is that in American football, it's considered bad sportsmanship to build up a huge point lead. Like, scoring points is literally the goal of the game; why would anyone not want players trying to score?

    Generally, it's because it can make the winning team look like a bully, picking up too-easy stats against a lesser team (or team that's just having a really bad day). IIRC there was a lot of blowback against someone who scored a grand slam home run in a blowout baseball game last year.

    Besides the 'spare the threat of injuries' thing, I hear teams on both sides of a blowout start giving extra play time to their newer players so they have more experience in the game without risking position in the standings.


  • Considered Harmful

    @coderpatsy said in In other news today...:

    IIRC there was a lot of blowback against someone who scored a grand slam home run in a blowout baseball game last year.

    Cowards!


  • Banned

    @coderpatsy said in In other news today...:

    @Gąska said in In other news today...:

    The weirdest thing I've ever heard about any sport is that in American football, it's considered bad sportsmanship to build up a huge point lead. Like, scoring points is literally the goal of the game; why would anyone not want players trying to score?

    Generally, it's because it can make the winning team look like a bully, picking up too-easy stats against a lesser team (or team that's just having a really bad day).

    And that's exactly what I don't get. How's it bullying to play the game like it's supposed to? How's it bullying to be good at what you do? Both teams are playing in the same league - how does it even make sense to say one team is lesser than another? How does having a bad day justify demanding the other team plays as if they have a bad day as well? It just doesn't make sense to me, at all.

    The injury thing is at least somewhat reasonable. But you know what would be even more reasonable? Don't make it so everyone is at elevated risk of serious injury all the fucking time by just playing the game like it's supposed to.



  • @Gąska said in In other news today...:

    Don't make it so everyone is at elevated risk of serious injury all the fucking time by just playing the game like it's supposed to.

    That is how handegg is supposed to be played — 150kg monsters whose muscles are stronger than their bones and joints smashing full-force into each other. There are rules prohibiting actions that further increase the risk, and the penalties for violating those rules are the most severe penalties in the game. 🤷‍♂️


  • BINNED

    @Gąska said in In other news today...:

    The injury thing is at least somewhat reasonable. But you know what would be even more reasonable? Don't make it so everyone is at elevated risk of serious injury all the fucking time by just playing the game like it's supposed to.

    Soccer Player Faking injury.gif


  • Banned

    @GuyWhoKilledBear see? Even fist fights don't pose any danger in football! Meanwhile, handegg players never punch each other but still end up with permanent brain injury.



  • @Gąska <whisper>Actually, it's a starting requirement.</whisper>



  • Found some interesting news on a 🇨🇦 style internet outage via the Code Project news page:

    In information technology, we do not only need to care for bugs nowadays, but for beavers too!


  • kills Dumbledore

    @Gribnit said in In other news today...:

    @izzion said in In other news today...:

    Sportsball done right:

    still need to give the second baseman a stiletto to really fix baseball.

    Knife or shoe?


  • BINNED

    @Jaloopa
    either option could bring that game from cricket levels of boring to 'would watch'



  • @remi said in In other news today...:

    Immediately after the reviewers told them their patches were OK, they told them that they were not and retracted them

    The way you describe it, it sounds like killing a messenger for the bad message.
    Yeah, a great idea by great managers to create trust by preventing the truth from becoming known...



  • @remi said in In other news today...:

    Does that mean that otherwise, an organisation is trusted just because of its name? It looks so (otherwise banning it would be meaningless) and frankly, that's scary.

    This is how humanity generally works, yes. We form groups. And groups of groups. And the groups have face, shared by the members and enforced by the group.

    Consider: In absence of other information, we'd trust an electrical appliance that comes from "Japan" to not randomly burst into flames. But the same trust would not be extended to one from e.g. "North-Korea".
    Same phenomenon, different level.



  • @BernieTheBernie said in In other news today...:

    @remi said in In other news today...:

    Immediately after the reviewers told them their patches were OK, they told them that they were not and retracted them

    The way you describe it, it sounds like killing a messenger for the bad message.

    That's what they describe in their paper on github. There is always the possibility that they didn't actually do things like they claim they did, but then we'd need to check claims from everyone from every side -- which I hope someone did, but it's definitely :kneeling_warthog: for me.

    Yeah, a great idea by great managers to create trust by preventing the truth from becoming known...

    Exactly. Which is why I think Linux's reaction is all wrong. To me it sends an awfully bad message. "Don't even think about testing our trust model, or we'll ban you and everyone you're associated with."



  • @acrow said in In other news today...:

    @remi said in In other news today...:

    Does that mean that otherwise, an organisation is trusted just because of its name? It looks so (otherwise banning it would be meaningless) and frankly, that's scary.

    This is how humanity generally works, yes.

    But not how Linux (or any open-source project, but this one in particular) is supposed to. That, in practice, they trust some names more than others is indeed human and natural. But even though it happens, they pretend it doesn't, and their workflows are designed to minimise it, and their trust model relies on the fact that it doesn't happen. So when an official ruling relies on the unspoken assumption that this happens, it's bad because it shows how little they actually try to avoid it.

    But that's not the main point, really, just an aside. The main point to me is that they shouldn't ban someone who didn't cause any damage but exposed a flaw in their process.

    Consider: In absence of other information, we'd trust an electrical appliance that comes from "Japan" to not randomly burst into flames. But the same trust would not be extended to one from e.g. "North-Korea".

    Sure, but we're not "in absence of other information" and in this case it's the entity supposed to create that trust that breaks it. To further your analogy, it's an ISO-certification company saying "we will stop delivering certifications to products made in NK because NK has shown that, and explained to us how, our certification process can be easily circumvented."


  • BINNED

    @remi said in In other news today...:

    Exactly. Which is why I think Linux's reaction is all wrong. To me it sends an awfully bad message. "Don't even think about testing our trust model, or we'll ban you and everyone you're associated with."

    Eh, the message should be "contact Linus first and only keep the lower levels in the dark after getting the green light." But it seems Kroah-Hartman has about the same temperament as Torvalds and they'd probably have told them to GTFO anyway if they went for it the proper way.



  • @acrow said in In other news today...:

    Consider: In absence of other information, we'd trust an electrical appliance that comes from "Japan" to not randomly burst into flames. But the same trust would not be extended to one from e.g. "North-Korea".

    But Linux can't rely on that, because on lkml no one knows you are a dog.


  • BINNED

    @Bulb said in In other news today...:

    because on lkml no one knows you are a dog.

    Which is exactly how it should be, and yet people complain that there's not enough representation for... wait, sorry, garage content snipped.


  • Considered Harmful

    @acrow said in In other news today...:

    groups have face

    It is also possible to attain negative face, and there are qualia associated with degrees of negative face.

