The 3B was like peak RPi though. Nowadays unless you need the GPIO or the low power or form factor, it’s not worth it at all. You can get low-spec 3-5 year old off-lease office desktops for roughly the same price point as a top end RPi now, and they are commonplace and easily found in the secondary market.
Hell I just bought a really clean Ryzen 5 3500 laptop for $200. Only had 8GB mem and a paltry NVMe but these are cheap upgrades if needed.
Nah there’s no kids on TikTok smart enough to figure it out and tell all the rest.
I think you miss the actual point.
The actual point is to expose religious hypocrisy. Not only does forcing the states hand to put the statue there the first place achieve that goal, but in a rare and very much anticipated double-dip maneuver, they also get to expose the hypocrisy in its vandalism.
TST does this through a lot of expert-level trolling. You may not see it as such but it really is.
That’s not a bad thing. Honestly their approach is fucking amazing and it works. Trolling isn’t itself a bad thing. It’s a tool that can be used. It can be used poorly or well. And for good or bad. TST is using it well, for good. Good for them.
ETA, maybe “expected” isn’t the best word. But it’s certainly an opportunity that they can and will take advantage of. I don’t think TST sees the vandalism as an expressly negative thing, but rather a real thick silver lining. If anything, it actually helps their message.
It’s not that simple. The user has to hold the key. And with cloud you want it to all be accessible from all of a users devices. And with a public service you can’t count on the user to be savvy enough to use their certificates.
Of course the fix to that is that the key is stored in the account.
But then Google has the key and can decrypt it.
So then the key itself has to be encrypted. And with what? The users weak ass-password?
All encryption has to begin with something that’s known, and the weaker that initial secret, the weaker the entire system below it.
The vandalism is expected. TST probably put it there hoping for vandalism because that exposes the hypocrisy.
“This morning, we were informed by authorities that the Baphomet statue in our holiday display was destroyed beyond repair. We are proud to continue our holiday display for the next few days that we have been allotted.
Interesting choice and use of the words “informed” and “proud”. Really makes it sound like whoever said this sees it as a net-positive.
You can’t really go anywhere on the internet without using Google in some capacity. Cookies and trackers in all the things. Ads aplenty, and blocking them is perpetually an arms race.
Well, you do. You just don’t know it or like it.
This is why I think that the lines should be owned by the municipalities (or a multi-community partnership) and access to them resold. Not even just for fiber, do all of them. The town already handles the water and the sewer, why can’t they lay the pipe for the gas?
They don’t need to be the ISP, or the cable company, or electric company, or whatever (though they can be). Just own and maintain the infra. Obtain right of way. Lease access.
I pretty much only look at All and somehow like a good third of my feed is Star Trek stuff. Mostly memes, and mosty TNG/DS9.
I somewhat enjoy it because I’m not really a big trek fan and it reminds me what it feels like to not be “targeted” by an ad. But ironically, it had the effect of me starting to put on TNG at night.
Id feel weirdly awkward and embarassed seeing my computers innards posted in a YouTube video, and I don’t know why. Like if my middle school yearbook photo showed up on Facebook.
That actually happened to me recently. My grade school best friend posted a pic from a field trip like 30 years ago and I’m naming off every person in it like I just saw them yesterday…then I see one person in it and I’m like “who the fuck is that hideous looking child? Is that me??? Shit that’s me”
You are missing half the purpose of PKI. Identity is equally, if not more, as important as encryption.
Who gives a shit if your password is encrypted if somebody intercepts DNS and sends yourbank.com and makes it go to their own server that’s hosting a carbon-copy of the homepage to collect passwords?
And DNS isn’t the only attack vector for this. It can be done at the IP level by attacks that spoof BGP. It can be done by sticking a single-board computer in a trashcan at a subway stop. Have it broadcast a ton of well-known SSIDs and a ton of phones in the area will auto connect to it and can intercept traffic. Hell, if not for trusted CAs, it’d be very easy to just MITM all the HTTPS traffic anyway.
In reality, you would tofu the first website you went to and not know if it got intercepted or if they just rotated keys (which is also a common security practice and is handled by renewing certificates and part of the reason why publicly-issued CAs are trending down the life of certificates and it’s not a big deal for admins because of easy automation technology. HSTS and cert pinning is more of a PITA but really barely any effort when you consider the benefits of those).
Now, what certificates don’t protect, nor claim to protect, is typosquatting. If you instead go to yorbank.com, that’s on you, and protecting you from a malicious site that happened to buy it is the job for host-based security, web filters, and NGFWs.
But you only really need one to say it’s authentic. There are levels of validation that require different levels of effort. Domain Validation (DV) is the most simple and requires that you prove you own the domain, which means making a special domain record for them to validate (usually a long string that they provide over their HTTPS site), or by sending an email to the registered domain owner from their WHOIS record. Organization Validation (OV) and extended verification (EV) are the higher tiers, and usually require proof of business ownership and an in-person interview, respectively.
Now, if you want to know if the site was compromised or malicious, that’s a different problem entirely. Certificates do not and cannot serve that function, and it’s wrong to place that role on CAs. That is a security and threat mitigation problem and is better solved by client-based applications, web filtering services, and next-gen firewalls, that use their own reputation databases for that.
A CA is not expected to prevent me from hosting rootkits. Doesn’t matter if my domain is rootkits-are.us or totallylegitandsafe.net. It’s their job to make sure I own those domains. Nothing more. For a DV cert at least.
Public key cryptography, and certificates in particular, are an amazing system. They don’t need to be scrapped because there’s a ton of misunderstanding as to its role and responsibilities.
Yeah, except you aren’t supposed to TOFU.
Literally everybody does SSH wrong. The point of host keys is to exchange them out-of-band so you know you have the right host on the first connection.
And guess what certificates are.
Also keep in mind that although MS and Apple both publish trusted root lists, Mozilla is also one of, if not the, biggest player. They maintain the list of what ultimately gets distributed as ca-certificates in pretty much every Linux distro. It’s also the source of the Python certifi trusted root bundle, that required by requests, and probably makes its way into every API script/bot/tool using Python (which is probably most of them).
And there’s literally nothing stopping you from curating your own bundle or asking people to install your cert. And that takes care of the issue of TOFU. The idea being that somebody that accepts your certificate trusts you to verify that any entity using a certificate you attach your name to was properly vetted by you or your agents.
You are also welcome to submit your CA to Mozilla for consideration on including it on their master list. They are very transparent about the process.
Hell, there’s also nothing stopping you from rolling a CA and using certificates for host and client verification on SSH. Thats actually preferable at-scale.
A lot of major companies also use their own internal CA and bundle their own trusted root into their app or hardware (Sony does this with PlayStation, Amazon does this a lot of AWS Apps like workspaces, etc)
In fact, what you are essentially suggesting is functionally the exact same thibg as self-signed certificates. And there’s absolutely (technically) nothing wrong with them. They are perfectly fine, and probably preferable for certain applications (like machine-to-machine communication or a closed environment) because they expire much longer than the 1yr max you can get from most public CAs. But you still aren’t supposed to TOFU them. That smacks right in the face of a zero-trust philosophy.
The whole point of certificates is to make up for the issue of TOFU by you instead agreeing that you trust whoever maintains your root store, which is ultimately going to be either your OS or App developer. If you trust them to maintain your OS or essential app, then you should also trust them to maintain a list of companies they trust to properly vet their clientele.
And that whole process is probably the number one most perfect example of properly working, applied, capitalism. The top-level CAs are literally selling honesty. Fucking that up has huge business ramifications.
Not to mention, if you don’t trust Bob’s House of Certificate’s, there’s no reason you can’t entrust it from your system. And if you trust Jimbo’s Certificate Authority, you are welcome to tell your system to accept certificates they issue.
At least they got that far.
There’s a good reason as a web server to block anonymizing VPNs. Turns out the bad guys use them too. Who knew.
Their citation for that is their own article, which doesn’t mention anything about selling data from phones, but does talk about cars generating upwards of 25GB per hour of raw telemetry data. Again, mostly uncited.
The point of that line is to drive intra-site clicks and mislead you into getting more upset and drive the ever important “engagement”. Unfortunately a common theme in modern media.
But tons of stuff would have to get sync’s every time you connect your phone. Better to have them cached, encrypted at rest, decrypted by key stored in the phone, and just do a diff-sync.
This should be very easily possible with CarPlay and Android Auto. I have no idea if it does or not. But as Apple and Android both control both their respective app and the OS of the attached phone, there’s no reason it can’t (and even pre-compile diff packages for known cars, or expire and purge both sides after X days without a connection)
That may not be true for regular old Bluetooth though…which likely has more to gain in performance from caching the resources due to BTs limited throughput, but also has to conform to standards.
Seriously, these cases seem like giant nothingburgers.
Did you expect that your car wouldn’t have your text message when it’s displaying it on the screen or reading it out loud?
Now, is there malicious intent? Can they be retrieved by technicians at the dealership if your phone isn’t plugged in? Is it forwarding them back to Honda Corporate or Zuck himself? If so, that’s a significant problem that would probably belong to Android Auto and Apple CarPlay…they should be storing them encrypted and only be able to decrypt them when the phone is connected. But I don’t see any mention of that in the article.
Dude has so many rants on it too. He just released another one yesterday I think (reverse alarms).
Notepad is supposed to be the simplest most basic way to view a text file in Windows.
Yet if I have a large text file (like a log), it’s usually faster for me to just fire up WSL and use
less. How is this still a fucking problem?