skullgiver

@skullgiver@popplesburger.hilciferous.nl

Giver of skulls

Is a sound level of 105 decibels for a few seconds enough to rupture a person's eardrum?

In 2022, a Texas family filed a lawsuit against Apple for damaging their son’s hearing after an Amber Alert went off while he was wearing Airpods. According to Google, the maximum volume of phone headphones is around 105 decibels. The family are claiming that the son now requires hearing aids after his eardrum ruptured....

skullgiver,

I can’t find any mention of a specific dB level in the submitted documents though I can’t find every document online for free. Apple tried to have the case dismissed but seems to have messed up their paperwork.

The claim is not just about rupturing the eardrum, but also about tinnitus. While I doubt the 105dB maximum is enough to rupture the eardrums of a healthy young boy, I can imagine it being enough to induce tinnitus.

It remains to be seen if the supposed 105dB limit you quote was actually applied as intended. The limit is enforced in software, and software can be buggy.

I’m sure a medical professional will be consulted during the lawsuit, so you’ll probably get your answer eventually. The courts move slowly, though, so it may take a while to get a definitive answer.

skullgiver,

This has come up in the past. I believe Mandarin has a short and quick word for this. English doesn’t have the same cultural background so there’s no quick name for it.

Compare this to writing out “MothersOrFathersBrotherOrSistersDaughterOrSon” instead of “cousin”. In fact, my own language doesn’t even have a word for “sibling”, all we have is “brother or sister”, despite being surrounded by languages that do have such a word.

skullgiver,

Same reason there would be an “or” in “BrotherOrSistersOrBrotherInLawsOrSisterInLawsDaughter” when describing “niece” in the same way.

English happens to have short words for certain cultural relationships that other languages don’t, and other languages have their own culturally relevant familial descriptions.

From what I recall, this is a translation of a Mandarin word.

skullgiver,

Without some kind of signature scheme, this can easily be abused, though. The first server to fetch the embed can put just about anything in there when it pushes that embed to other servers.

skullgiver,

Sharing Federated content in general works like that. However, the originating server will still receive an onslaught of HTTPS requests of remote servers fetching the signing key used to sign the federated message.

“Just defederate” is not a real solution. I’ve observed malicious behaviour on all major Lemmy, Kbin, and Mastodon services, and even more on smaller services like personal Mastodon servers.

skullgiver,

That kind of centralisation is exactly what the Fediverse was built to prevent. What’s the point of decentralising if you’re going to keep a whitelist of servers and break link previews for all other users? I would certainly keep that feature disabled.

skullgiver,

ActivityPub doesn’t require followers, it’s a push-based protocol. You can tag a user, and your post gets embedded in the remote timeline. The lack of the ability to cut down on notifications is actually one of the problems many of the more popular fediverse accounts often talk about.

One could implement a sort of “I trust your supposed representation but only if the recipients follow you” approach, but then you’ll need to explain to users why sometimes link previews work and why sometimes they don’t.

This issue could still be prevented entirely in a whitelisted federation model where hacked servers get defederated immediately, but I don’t think that’s a particularly popular model within ActivityPub circles.

There are a few reputation systems out there, but they have the exact same problem email reputation services have: your small server will never be able to exchange messages with the four or five largest servers because there’s no way for you to build up a reputation in the first place, and a 30 minute hack can make your domain completely unusable.

skullgiver,

The only bit of data I could find:

However, I got a bit of a nasty surprise when I looked into how much traffic this had consumed - a single roughly ~3KB POST to Mastodon caused servers to pull a bit of HTML and… fuck, an image. In total, 114.7 MB of data was requested from my site in just under five minutes - making for a traffic amplification of 36704:1.

That’s peak activity of about 30 Mbps for five minutes. If the server has a gigabit connection, this should take about a second of data transmission at full speed. Of course, there’s TCP slow start to deal with, and I doubt many Fediverse clients do requests in the form of HTTP/3 by default, but this doesn’t seem all that high? I don’t know what the normal “background” traffic of random clients visiting looks like, but mathematically this seems like it shouldn’t take more than a second or two with a RAM cache.

If this were some random independent website that avoids services like Cloudflare because of their status as the gatekeeper of the internet, I would sympathise, but they already use Cloudflare. Their website, like many on the internet, just isn’t ready for bursts of visitors, it seems.

This could also be a bug in Ghost CMS, of course.

In theory, content like this could be federated directly; a Fediverse Article could be offered to the wider Fediverse and servers would distribute the content rather than a link with preview. However, this would also prevent ads from showing up, trackers from collecting visitor information, and Mastodon has chosen not to implement more than microblogging objects either. I also don’t think Lemmy supports that kind of post, but it’d be a solution in theory.

skullgiver,

I doubt they actually want people to stop sharing their content on Mastodon, as they share the content on Mastodon themselves. I think they want to get more attention for this issue.

Nobody seems to have done so, but it’d be trivial to use ActivityPub as an amplification factor for attacking small publications. Just register free accounts with a couple hundred servers, post links to articles (with unique garbage added to the end of the URL to bust basic server side caching), and tag a couple dozen random users from other servers. Every server, as well as every server whose user was tagged, will fetch the page, and if present, a header image. You can easily send out dozens of links per second to thousands of servers, enough to overwhelm any site that doesn’t have their content gatekept by internet giants like Cloudflare.

If the website is hosted on a server with expensive egress fees (“serverless”, Amazon, GCloud, Azure, hosters that don’t disconnect your server when you hit your bandwidth limit) you can run up a bill of tens of thousands. If the hoster does apply an egress cap, you can shut down a website for a couple of days at the very least.

I don’t have a workable solution to this problem, but the way the Fediverse seems to be built with the rather naïve idea that every request that passes the signature requirement is done in good faith has major implications on the wider internet. If we don’t find a solution to this problem, I expect websites to start blocking Fediverse user agents when the first DDoS waves start.

skullgiver,

Admittedly, the 100MB isn’t that bad, though at 100MB per post with several posts per day such a website does need to deal well with caching. I certainly would take my blog down if every time I posted something I needed to pay 15 cents for the privilege on top of my existing hosting costs.

However, an orchestrated attack could do thousands of times more damage. A small group of Japanese middle schoolers managed to overwhelm all moderation tools the Fediverse had available to them with a quick script, and that attack only stopped because the police got involved. I can think of several ways to abuse the presumptions of friendliness that are present within most Fediverse software.

Having 18000 servers download a couple hundred pages per hour is enough to take down most small websites, especially thanks to the geographically distributed nature of the Fediverse that requires every CDN node to be fully populated (and likely populated with spam), and that’s not hard to pull off with a handful of small domains and maybe a couple of Amazon IP addresses.

I’m not so worried about the traffic caused accidentally (though there is a separate thundering horde problem with many ActivityPub implementations), but the potential for abuse is there and it needs to be solved before someone malicious finds out.
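A defender-side sketch of what a receiving server can do about the preview-fetch behaviour described in this comment and the one above it: canonicalise the link so cache-busting query strings collapse onto one cache entry, cap upstream fetches per origin per time window, and cap the bytes pulled. This is an added example, not the commenter’s code or that of any Fediverse project; the policy values, the fake loader and the simulated posts are constructed.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit, urlunsplit

# Assumed policy values for this example; a real deployment would tune them.
CACHE_TTL = 3600       # seconds a fetched preview stays cached
WINDOW = 60            # per-origin rate-limit window, in seconds
MAX_PER_WINDOW = 5     # upstream fetches allowed per origin per window
MAX_BYTES = 512_000    # cap on bytes pulled from the upstream site


def canonical_key(url: str) -> str:
    """Cache key for a link preview: scheme, host and path only.

    Query string and fragment are dropped, so the "unique garbage added to
    the end of the URL" trick maps onto one cache entry instead of one
    upstream fetch per variant. (Trade-off: sites whose content depends on
    the query string would need an allowlist of parameters; not handled here.)
    """
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return urlunsplit((p.scheme.lower(), host, p.path or "/", "", ""))


class PreviewFetcher:
    """Dedups preview fetches by canonical URL and rate-limits them per origin."""

    def __init__(self, loader):
        self.loader = loader                  # callable(url) -> bytes, injected (no network)
        self.cache = {}                       # canonical key -> (expires_at, preview)
        self.recent = defaultdict(deque)      # origin -> timestamps of upstream fetches
        self.stats = defaultdict(int)

    def _allowed(self, origin: str, now: float) -> bool:
        """Sliding-window limiter: at most MAX_PER_WINDOW upstream fetches per origin."""
        q = self.recent[origin]
        while q and q[0] <= now - WINDOW:
            q.popleft()
        if len(q) >= MAX_PER_WINDOW:
            return False
        q.append(now)
        return True

    def fetch(self, url: str, now: float):
        key = canonical_key(url)
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            self.stats["cached"] += 1
            return hit[1]
        if not self._allowed(urlsplit(key).hostname, now):
            self.stats["throttled"] += 1
            return None                       # show the bare link; retry later if desired
        body = self.loader(key)[:MAX_BYTES]   # never pull more than MAX_BYTES upstream
        self.stats["upstream"] += 1
        preview = body[:64]                   # stand-in for real title/og:image extraction
        self.cache[key] = (now + CACHE_TTL, preview)
        return preview


def simulate(n_posts: int, distinct_articles: int):
    """Feed n_posts link posts (one per second, one origin) through the fetcher.

    Every post carries a unique ?cb= value, mimicking the cache-busting trick.
    Returns the fetcher stats and the number of upstream requests actually made.
    """
    upstream_urls = []

    def fake_loader(url):                     # constructed stand-in for an HTTP GET
        upstream_urls.append(url)
        return b"<html><title>constructed article</title></html>"

    f = PreviewFetcher(fake_loader)
    for i in range(n_posts):
        url = f"https://Blog.Example/article-{i % distinct_articles}?cb={i}#top"
        f.fetch(url, now=float(i))
    return dict(f.stats), len(upstream_urls)


if __name__ == "__main__":
    print(simulate(50, 1))    # one article, 50 cache-busted variants: 1 upstream, 49 cached
    print(simulate(50, 50))   # 50 distinct articles in 50 s: 5 upstream, 45 throttled
```

The limiter only bounds what one server does; every server that receives the post still runs its own fetcher, so the per-origin cap is what keeps the aggregate amplification linear in the number of servers rather than in the number of posts.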

skullgiver,

You can’t spoof phone numbers on competent telco networks. It’s not that difficult to filter out faked display headers and refuse to set up the call if your outgoing phone number doesn’t match any number on your account, the same way an ISP could filter out outgoing traffic that isn’t sourced from one of their subscribers to block DDoS.

In practice, very few telcos seem to care. This seems to be particularly problematic in the USA from what I can tell. However, this is all because of a lack of implementation of basic features for whoever is providing outbound calls, the same way DNS amplification attacks are possible because ISPs don’t bother doing basic traffic filtering.

skullgiver,

no two people have the same phone number

You can share SIMs between multiple phones quite easily, actually. You can also have entire call centers behind one single phone number. The only unique identifier for a handset carrying a particular call would be its IMEI (though multi SIM phones have multiple IMEIs) and even that is just a number that can be faked on some modems.

You can also trivially spoof your phone number in most countries through basic SIP configuration. Someone with basic knowledge of phone numbers can call you with your own number as the calling party and there’s very little you can do to stop them.

skullgiver,

You have some misconceptions about how phone numbers actually work. I’d say the closest thing to a phone number computers have is a domain name.

IPv4 used to hand out uniquely addressable IP addresses to every computer. Then IPv4 ran out of address space too fast, because it was too successful and blocks of millions of IP addresses were sold off in the first few years to big companies, and IPv6 was invented. Unfortunately, early IPv6 lacked a lot of features and NAT trash became the norm instead.

With IPv6, every household can have a couple billion IP addresses. It’s very hard to run out of IPv6 addresses. With modern IPv6 privacy enhancements, you typically have multiple addresses (a static one for receiving traffic and a bunch of random ones for outgoing traffic so you can’t get tracked as easily) with at least one derived from your network adapter’s MAC address.

Computers connected to cell networks (embedded LTE modems and such) actually have phone numbers. Most of the time they’re just administrative numbers that don’t do anything, but they’re still there.

You do seem to have some misconceptions about phone numbers, though. They can be spoofed easily, for one. They can also be shared between hundreds of people (your average call center) or exist but be unroutable. They’re not tied to your SIM at all, they’re actually tied to your current session (which is derived from identifiers such as IMEI and IMSI, the latter of which can be dynamic, the former of which can be spoofed). You also don’t own a phone number; your carrier does, and many offer portability, but you don’t own the number yourself.

In theory they can even be duplicate: phone numbers in two countries can be exactly the same. You’d say “but there’s a country code prefix”, but the prefix you need to add in front of a phone number is different for every country. In most of the world, prepending a call with “00” (aka “+”, in the +12223334445 phone numbers) followed by a country code will make an international number, but in some countries, you would dial the American number “222 333 4445” by calling “810 1 222 333 4445” while in most of the world that’d be “00 1 222 333 4445”. This makes international phone numbers variable, depending on where the other party is calling from, and introduces potential conflicts. Consider a country where the IDD is 810: someone could theoretically have a local phone number “00 1 222 333 4445”, which looks like a North American international phone number, but isn’t!

Most web developers assume the IDD is always +/00 and that’s wrong. An international phone number is not always reachable through a 00 prefix and if you write a dialer, you’ll end up calling different people depending on what country you run your dialer in.

You also don’t need a phone number to call another phone in internet telephony. Sending a couple of SIP packets to the right IP address can set up a call to many home lines without paying a dime to any carrier, for instance. To do so, you need to know the IP address and SIP user of the remote party (typically a “land-line” modem) and the remote side needs to not have firewalled off their SIP port, but there are many cases in which you can enter steve1234@1.2.3.4 into dialer software and call someone without even having a phone number of your own.

As for your edits:

  • the privacy nightmare still exists in IPv6 without privacy extensions
  • dynamic phone numbers are completely possible, just not common
  • MAC addresses are more akin to IMEI numbers. IP addresses are more akin to IMSI numbers

The closest thing to a phone number for computers is probably a domain name: something someone can reserve, gets routed to the right session (IMSI), and can be shared, non-existent, and spoofed. It’s registered with a service provider for routability (whoever sets up DNS servers) just like with phone numbers (phones don’t have DNS, but SS7 access will allow you to make a phone number reachable even if you don’t own it!).

Unlike phone networks, computers don’t need domain names to address each other. We’ve mostly skipped the “paying money to register a name” part of computer networks because we didn’t need to. For some applications, like email, XMPP/Matrix, and the Fediverse, this was very much necessary; for machine to machine interaction, it apparently wasn’t.
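The IDD ambiguity described in the comment above, worked through in code. This is an added example, not the commenter’s; the country-to-prefix table is an assumption for illustration (the post only gives “00” for most of the world and “810” for some countries; “011” for the NANP is a known value added here), and national trunk prefixes are deliberately ignored.

```python
import re

# Illustrative IDD (international dialling) prefixes and E.164 country codes.
# Which country uses which prefix is an assumption for this example only;
# real dialer code must look prefixes up per country.
IDD_PREFIX = {"NL": "00", "US": "011", "RU": "810"}
COUNTRY_CODE = {"NL": "31", "US": "1", "RU": "7"}


def _digits(s: str) -> str:
    """Keep a leading '+' and the digits; spaces, dashes and dots are separators."""
    s = s.strip()
    plus = s.startswith("+")
    d = re.sub(r"\D", "", s)
    return ("+" + d) if plus else d


def to_e164(dialed: str, caller_country: str) -> str:
    """Turn what a caller in `caller_country` actually dialled into an E.164 number.

    A dial string is international only if it starts with '+' or with the
    caller country's own IDD prefix; anything else is a domestic number there.
    This is exactly why "00 1 222 333 4445" means different things in
    different countries. (Assumption: no trunk-prefix handling.)
    """
    idd = IDD_PREFIX[caller_country]
    cc = COUNTRY_CODE[caller_country]
    d = _digits(dialed)
    if d.startswith("+"):
        return d
    if d.startswith(idd):
        return "+" + d[len(idd):]
    return "+" + cc + d


def dial_string(e164: str, caller_country: str) -> str:
    """Inverse: what a caller in `caller_country` must dial to reach `e164`.

    Assumes e164 is well-formed ('+' + country code + national number) and
    that a same-country call is dialled as the bare national number.
    """
    idd = IDD_PREFIX[caller_country]
    cc = COUNTRY_CODE[caller_country]
    d = _digits(e164)
    if not d.startswith("+"):
        raise ValueError("expected an E.164 number starting with '+'")
    if d.startswith("+" + cc):
        return d[1 + len(cc):]
    return idd + d[1:]


if __name__ == "__main__":
    # The same dial string, interpreted from a "00" country and an "810" country.
    for country in ("NL", "RU"):
        print(country, to_e164("00 1 222 333 4445", country))
    # What each caller must dial to reach the North American number +1 222 333 4445.
    for country in ("NL", "RU", "US"):
        print(country, dial_string("+12223334445", country))
```

Storing numbers only in E.164 form and generating the dial string per caller country avoids the “00 is always international” assumption the comment warns about.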

skullgiver,

With the phone spoofing though, does that mean two factor with a phone number is basically useless?

Spoofing is mostly done outbound. Anyone with enough money to buy SS7 line access can redirect almost any phone line in the world, though. It’s not cheap to get access to a network like that, but it’s also far from impossible. SIM jacking is a lot cheaper and just as effective, though.

Phone 2FA is better than nothing, but worse than almost all other options. Turn it on if it’s the only 2FA method, better leave it off if you can use TOTP or another 2FA mechanism.

skullgiver,

Bluetooth and QR code passkeys are built around CTAP, but that’s just an implementation detail.

You don’t have to use Apple, Google, or Microsoft, though. 1Password and Bitwarden also support passkeys, though you’ll need platform support for them to work as well as the native implementations do; for instance only Android 14 and up can have an arbitrary app act as a passkey provider, older versions will have to deal with Google’s fallback implementation.

In theory these independently provided passkeys can even be exported, though I haven’t tried this myself.

skullgiver,

If 1Password becomes annoying, you might want to consider Bitwarden, which, if worst comes to worst, you can host yourself. Unlike Keepass you don’t need to manually sync a password blob. However, that also means that if Bitwarden’s/your server is down, synchronising will be impossible.

Error when loading Ubuntu live USB (lemmy.world)

I’ve been trying to boot a Ubuntu 24.04 USB (please no discussion of distro choice) but I keep getting a very unhelpful error during the initial startup. I’ve tried using a different USB drive, a different USB port, booting from UEFI. The only thing that has made a change was booting into safe graphics mode. It got to the...

skullgiver,

Looks like Gnome (the software that handles the GUI) died. The installer (which other people reported issues for) is still up and running, funnily enough.

If you have Nvidia hardware, this could be related to the Nvidia drivers being unstable; they could become more stable after installation of the proprietary ones once Ubuntu is on your main hard drive.

I doubt this is a motherboard issue. However, the drive and the GPU malfunctioning could be a sign of a faulty power supply (happened to me!). You could also check for software updates for your motherboard: I’ve seen similarly confusing errors when someone managed to boot their PC with a CPU that was officially only supported several motherboard updates later; updating the firmware fixed everything in that case.

If the PSU is fine and there are no updates, I would recommend checking Ubuntu 23.10 (if you think the problem will be solved within a few months) or 22.04 (if you think your problem will be solved within 8 years) instead.

skullgiver,

NTFS can handle Linux permissions perfectly. In fact, many Linux filesystems lack the kind of permissions that NTFS does support, not the other way around. FAT doesn’t do permissions, but NTFS has supported decent (“extended” for Linux filesystems) permissions since the mid 90s, I believe even since before Linux even existed.

The NTFS driver on Linux isn’t very good or fast, so I’d avoid NTFS for a system drive for sure, but as a filesystem, NTFS is fine. It also doesn’t help that many distros don’t ship the modern NTFS driver in the kernel, so booting off NTFS doesn’t work in many cases.

skullgiver,

I can’t really take Rossman seriously when it comes to this app.

He makes good points about how terrible Youtube as a platform is, but his “solution” is some kind of proprietary video player that just plays Youtube videos.

He’s setting himself up for a lawsuit he can’t win that’ll cost him and his supporters a huge amount of money. “We can pirate because we’re making a new Invidious app” won’t hold up in court and he knows it.

Luckily for him, Youtube’s legal team tends to send empty threats for a while before they take actual legal action. I seriously doubt anyone looked into his app for more than a minute before sending these letters. If their app does gain significant market share, it’ll be shut down quickly.

As for his “muh freedom” shtick: while I agree that we should have the freedom to download videos, I doubt he doesn’t know that attempts to popularise alternative downloads will only lead to Google taking actual action against these apps. It really wouldn’t be that hard for Youtube to block his app, they just haven’t bothered telling some random Youtube dev to put effort into it.

This will only end in an arms race that will make Youtube worse for people who don’t pay for Youtube content. Expect more DRM, more log-in requirements, fewer resolutions available for free, more fingerprinting, strict remote attestation, you name it. Google hasn’t even scratched the surface of what they can do against third party clients on a technical level, probably because making some intern in Legal send out a template letter is effective enough and doesn’t cost as much as putting in effort.

Any good pirate knows that you need many people to pay for the stuff they pirate, or the stuff they pirate will stop being made. If everyone took this stuff for free, there would be no stuff to take. Directly undermining Youtube’s business model with an app of your own is the direct opposite of that, unless you know your app will never make a significant dent into the bottom line of the people you’re taking content from.

There’s only one thing that can make Youtube better, and it’s competition. Unfortunately, nobody wants to pay for online stuff, either with money or through ads, so it won’t happen. Youtube’s free model doesn’t make any business sense, which is why it’s the only platform that works like Youtube, except maybe for Bilibili because the CCP blocked Youtube. We, the internet consumers, have all played ourselves by demanding everything to always be free. We’re almost done fucking around, and moving quickly into the “finding out” stage.

Either Rossman knows his app will never take off, he’s trying to get sued into the ground to prove a point, or he’s willing to accept Youtube becoming worse for everyone. I miss when he was mostly concerned about right to repair, at least his approach on that subject had some merit.

skullgiver,

Last time I checked my router’s statistics, IPv6 destinations were a bit over 50%. That included torrents, though, actual website traffic is much better.

The only website I can think of that I can’t reach over IPv6 is Github.

skullgiver,

Hmm, didn’t know IMDB and StackOverflow were still stuck on IPv4. Not surprised Paypal and Twitter are still shit, but I rarely interact with them.

I can’t say I use the other domains.

skullgiver,

Modlog calls it “spam”. I guess they didn’t like one of the comics?

skullgiver,

I don’t think we need exact neuron emulation to simulate human consciousness. We just need to work out the information theory behind it.

We currently have a good idea about how neurons behave, but to simulate them properly we also need to know how they work. I’m sure we can figure that stuff out, eventually. Give it a couple of decades or centuries and we’ll know enough to properly simulate neurons, if not just for finding cures to diseases. From that point on it’s just a matter of reducing the complexity and scaling the simulation.

We’ve figured out how to make robots walk by first making exact copies of animals and people, and then once we got that to work we reduced the whole thing down to a relatively simple machine that’s getting better by the year. I’m sure we’ll be able to apply the same pattern to neurons once we figure them out.

Scientists are already working on simulating the complete brain of a small insect with a minuscule brain. It takes just about a supercomputer to run that thing in real-time, but it’s not finished yet.

With the way technology is headed, I do wonder whether we’ll get a cyborg singularity before or after we manage to simulate consciousness. Either seem possible, so I think it just comes down to what kind of technology gets invented first. With Musk still paralysing monkeys in his lab, I don’t think we’re close to either option today.

Gaza’s new terror: Booby-trapped cans of food for the unwary --- UPDATE: please see comment in the thread (news.un.org)

A 14-year-old boy was seriously injured and sustained limb amputations after opening a booby-trapped can of food found while looking for his belongings in his house that had been shelled by Israeli forces in Khan Younis,” the UN aid coordination office (OCHA) said, citing the Strip’s authorities....

skullgiver,

Not really, there’s no practical difference between google.com and google.de for instance. At most, companies seem to change their default language based on what TLD you’re using to visit. Plus this “old stuff” was two years back in the 90s. Their old URLs have been dead for decades. There was no reason not to switch to .int, especially given the state of the internet back then.

With .org being open to anyone, and .int only to a select few organisations, I would’ve expected un.int to be their default, as it’s much more legitimate than .org. It looks like they use .int exclusively for missions and .org for general information.

skullgiver,

AI companies are currently blatantly ignoring copyright. Furthermore, content without a specific license is already protected under copyright, provided they are creative enough for licensing and copyright to make sense.

The question currently being fought in courts is: do AI companies need permission and licenses to train AI on copyrighted content? If so, no creative unlicensed comments will be usable for AI in the first place. If they’re not, these licenses don’t really apply.

However: you, as a random internet person, do get additional rights. You are bound by copyright law, and copyright law says you can’t just take someone else’s movie/picture/meme/poem/book/comment and post it elsewhere. With the CC license, you are able to do so, provided you follow the requirements described in the license.

Certain websites, like StackOverflow, apply these licenses on user generated content by default. Without such a license, copy/pasting from StackOverflow could be a copyright violation in some cases, which it now isn’t!
