Comments by "LoneTech" (@0LoneTech) on "Brodie Robertson" channel.
@Artoooooor It's often outright malware too! FTDI, Lenovo, HP, Sony, WCH, Epson and more have released firmware and driver updates specifically to break functionality.
13
@AshnSilvercorp There are a handful of reasons. Not an exhaustive list: 1. It's cheaper not to touch it, as long as no one can bring a successful malpractice suit or equivalent. Preventing that is the primary purpose of the EULA. 2. Just in case something out there depends on some bug, it's "backwards compatible" to keep it broken. 3. As long as you can point to something broken, you can say "buy the next one, it might fix it". Never promise it does fix it.
9
Do you want to pick up Mark Thomas' project from 2004, Christoph Toshok's from 1998, or just add to the pile of overlapping names? (I'm sure there are more than these.)
8
@catayloprince4772 {doc,ppt,xls}x formats ("Open XML") are not designed for interoperability. They exist so Microsoft could claim their files were standard too, not just de facto. Of particular note is how they rushed them through ISO by bribing non-participating countries to join ISO and fast track it, even while the specs were incomplete and unimplementable. This blatant corruption left ISO crippled by unresponsive new members, bringing down the participation fraction for any votes. All marketing to counter the fact that OpenDocument was being standardised. Actual interoperability of the "Open XML" formats is a side effect.
6
That's a familiar story. Happened for some major websites as well, including Microsoft's own Hotmail. (The user facing change there was IIS vs Apache, iirc.)
4
@EwanMarshall The file system is not particularly specialized; the "everything is a file" philosophy is a generalization. Allow me to translate the entry of "file" from ADB-ordboken (dictionary of computing from 1982): "A file is a database containing records of 80 characters." This traces back to 1928 IBM punch cards.
4
Why focus on where the merit in the labeling might have been when the labeling itself is a huge fabrication with real world DoS effects?
3
This "pretending to be nice" phrase is glorifying misdirected abuse. You become your habits.
3
Actually Linus: just a hobby, won't be big and professional like gnu
3
@Winnetou17 NVD is the means of distribution of the CVE, which is distracting security staff from actual issues due to score inflation that is NVD policy. There's your DDoS complete with privilege escalation.
2
@Qyngali The common story being they switched from free software to their own for marketing reasons, then back for stability. Which worked out to great advertisement.
2
Does HDMI have any useful patents? Last I checked the only thing they didn't copy from DP (and earlier DVI, back then they added audio muxing) was HDCP, which is purely sabotage.
2
@edenashi Patents and copyright are the same concept applied to invention and art. Through perversion of law, some regions have "design patents" which belong in trademarks or copyright, and copyright in practice doesn't expire because Disney. All three are aggressively abused.
2
There's a Linux driver now. They definitely have a Microsoft deal to NOT support it in Windows prior to 11, though. Seems the purpose of the function is specifically to run Windows 11 spyware.
2
And Brodie never stops making videos on this topic, always blaming the distributors for the actions of the least attentive public. Sometimes the distributor really is at fault, like the broken prerelease GCC shipped by Red Hat. Often they are not, as when users google to find the wrong bug tracker after an upstream developer intentionally sabotaged their software.
2
@BrodieRobertson It is POSIX that /bin/sh be a Bourne-type shell. Debian often has dash there (Debian Almquist shell) specifically to detect if scripts are mislabeled as sh when they need bash. Bash itself also has special behaviour for POSIX compatibility when run as sh. So, not even bash will assume you want bash if you run bash as sh.
2
Saying your program will be bad when time has passed is saying you have no confidence in ever making a solid release. That is not the distribution sucking.
2
It WAS fixed YEARS before it was published. The real denial of service here is misdirecting resources on hunting down non-issues.
2
@AM-yk5yd You mean Debian's reportbug, which goes into Debian's bug trackers, not upstream?
2
The test against maxBound shown at 7:35 can work because it separated the terms, only adding 1 after it confirmed to-from wasn't the one value that would overflow. As also covered, the way to reach that was to have to=maxBound and from=0, which is simply more than could actually be transferred anyhow. Of course, with the UB happy crowd, they're likely to claim the compiler is allowed to assume the overflow wouldn't occur and can therefore remove the check anyway, and we've wasted our efforts at least four times over for a complete non-issue.
2
@BrodieRobertson You mean wildly incorrectly and perfectly confidently, like about human digestion where they paint fat, cholesterol and salt as the big bads, when the primary problem is overdosing on carbohydrates?
2
@BrodieRobertson And you're very defensive about posting an essay where you decide to use technical language for the wrong things. Why are you opposed to accuracy?
2
NVD policy is to rate every undefined field as maximum. So when they don't know what an issue is, including if they don't know if it exists at all, it's automatically critical. So basically it's because they'd rather say "look how important we are" than "look how clueless we are".
2
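The rating behaviour described in the comment above, as an added example that is not part of the original thread and is not NVD's or MITRE's code: a CVSS v3.1 base-score calculator with a "fill every unknown base metric with its worst value" step bolted on, so the effect of that policy on a score can be seen directly. The weights and the Roundup function are from the CVSS v3.1 specification; the vectors are constructed. The worst-case fill leaves Scope at Unchanged, since that is the combination that produces 9.8 (Scope Changed would take the same unknowns to 10.0). With only "it crashes" known (C:N/I:N/A:H), the same fill yields 7.5 rather than 9.8.

```c
/* Added example, not code from the thread, NVD or MITRE: a CVSS v3.1
 * base-score calculator plus a "fill unknown metrics with their worst
 * value" step, to show what that policy does to a score. Weights and
 * Roundup follow the CVSS v3.1 specification; all vectors are constructed. */
#include <stdio.h>
#include <string.h>

struct cvss31 { char av, ac, pr, ui, s, c, i, a; };   /* 0 = metric unknown */

static double av_w(char v) { return v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : 0.20; }
static double ac_w(char v) { return v == 'L' ? 0.77 : 0.44; }
static double ui_w(char v) { return v == 'N' ? 0.85 : 0.62; }
static double cia_w(char v) { return v == 'H' ? 0.56 : v == 'L' ? 0.22 : 0.0; }
static double pr_w(char v, int changed) {
    if (v == 'N') return 0.85;
    if (v == 'L') return changed ? 0.68 : 0.62;
    return changed ? 0.50 : 0.27;
}
static double pow15(double b) { double r = 1.0; for (int k = 0; k < 15; k++) r *= b; return r; }
int near(double a, double b) { double d = a - b; return d < 1e-9 && d > -1e-9; }

/* Roundup from CVSS v3.1 Appendix A: round up to one decimal place, done on
 * an integer so floating-point drift cannot push a score across a boundary. */
double cvss_roundup(double x) {
    long i = (long)(x * 100000.0 + 0.5);          /* x is never negative here */
    if (i % 10000 == 0) return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

double cvss31_base_score(struct cvss31 m) {
    int changed = m.s == 'C';
    double iss = 1.0 - (1.0 - cia_w(m.c)) * (1.0 - cia_w(m.i)) * (1.0 - cia_w(m.a));
    double impact = changed ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02) : 6.42 * iss;
    double expl = 8.22 * av_w(m.av) * ac_w(m.ac) * pr_w(m.pr, changed) * ui_w(m.ui);
    if (impact <= 0.0) return 0.0;
    double raw = changed ? 1.08 * (impact + expl) : impact + expl;
    return cvss_roundup(raw < 10.0 ? raw : 10.0);
}

/* Parse "CVSS:3.1/AV:N/AC:L/...". Metrics may be omitted (they stay 0);
 * returns -1 on a bad prefix, unknown metric name or malformed value. */
int cvss31_parse(const char *vec, struct cvss31 *out) {
    struct cvss31 m = {0};
    if (strncmp(vec, "CVSS:3.1/", 9) != 0) return -1;
    for (const char *p = vec + 9; *p; ) {
        const char *colon = strchr(p, ':');
        if (!colon || colon[1] == '\0') return -1;
        size_t klen = (size_t)(colon - p);
        char *slot;
        if      (klen == 2 && !strncmp(p, "AV", 2)) slot = &m.av;
        else if (klen == 2 && !strncmp(p, "AC", 2)) slot = &m.ac;
        else if (klen == 2 && !strncmp(p, "PR", 2)) slot = &m.pr;
        else if (klen == 2 && !strncmp(p, "UI", 2)) slot = &m.ui;
        else if (klen == 1 && *p == 'S') slot = &m.s;
        else if (klen == 1 && *p == 'C') slot = &m.c;
        else if (klen == 1 && *p == 'I') slot = &m.i;
        else if (klen == 1 && *p == 'A') slot = &m.a;
        else return -1;
        *slot = colon[1];
        p = colon + 2;
        if (*p == '/') p++;
        else if (*p) return -1;                      /* value longer than one char */
    }
    *out = m;
    return 0;
}

static int cvss31_complete(const struct cvss31 *m) {
    return m->av && m->ac && m->pr && m->ui && m->s && m->c && m->i && m->a;
}

/* The policy the thread describes: every base metric not known is set to its
 * highest-scoring value. Scope stays Unchanged, which is the combination that
 * yields 9.8; Scope Changed would take the same unknowns to 10.0. */
struct cvss31 cvss31_fill_worst(struct cvss31 m) {
    if (!m.av) m.av = 'N';  if (!m.ac) m.ac = 'L';
    if (!m.pr) m.pr = 'N';  if (!m.ui) m.ui = 'N';
    if (!m.s)  m.s  = 'U';  if (!m.c)  m.c  = 'H';
    if (!m.i)  m.i  = 'H';  if (!m.a)  m.a  = 'H';
    return m;
}

/* Score a complete vector; -1.0 if it does not parse or a metric is missing. */
double cvss31_score_vector(const char *vec) {
    struct cvss31 m;
    if (cvss31_parse(vec, &m) != 0 || !cvss31_complete(&m)) return -1.0;
    return cvss31_base_score(m);
}

/* Score whatever is known after worst-case filling; -1.0 if it does not parse. */
double cvss31_score_worst_fill(const char *partial) {
    struct cvss31 m;
    if (cvss31_parse(partial, &m) != 0) return -1.0;
    return cvss31_base_score(cvss31_fill_worst(m));
}

const char *cvss31_severity(double s) {
    if (s <= 0.0) return "None";
    if (s < 4.0) return "Low";
    if (s < 7.0) return "Medium";
    if (s < 9.0) return "High";
    return "Critical";
}

int main(void) {
    const char *vecs[] = {
        "CVSS:3.1/",                    /* nothing known at all */
        "CVSS:3.1/C:N/I:N/A:H",         /* only "it crashes" is known */
        "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",   /* complete; fill changes nothing */
    };
    for (size_t k = 0; k < 3; k++) {
        double s = cvss31_score_worst_fill(vecs[k]);
        printf("%-48s -> %.1f %s\n", vecs[k], s, cvss31_severity(s));
    }
    return 0;
}
```

The parser deliberately accepts partial vectors so that the fill step has something to work on; a production scorer should reject them, which is what cvss31_score_vector does.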
@alexstone691 Sure, in the disaster movie scenario where every time you lose contact it's because of an ominous attack. It's not a response plan, however. This isn't vulnerability mitigation, it's amplification.
2
@gljames24 It's more that the idea of what to do with multiple monitors changed after X11 was designed. X11 has multiple screens in one display, but people expected them to work like one, so hacks like twinview were added, then the Xinerama protocol to manage those.
2
They did port Office long ago. But they only sold it for Solaris, IIRC.
2
.deb files are packages installed using the dpkg package manager, so installing them is not bypassing the package manager. However, it may have distro specific or broken dependency metadata, which could make it impractical on Debian. Debian's (contrib) packages have steam-libs for dependencies and steam-installer which installs Steam in ~/.steam/debian-installation. Being a kind of package manager itself, complete with self updating, Steam requires a user writable location.
2
Fiddled with it a bit today. There's a Linux driver now, though it uses some firmware blobs. But getting any tool to actually develop for it - or even just information on what the instruction set is capable of, let alone how it's encoded - is far less clear. So, it's useless but testable, which is a step above Windows 10 where it's just ignored because Microsoft said so.
2
It's not necessarily that simple. With too low a voltage, not only do you get increased resistance in the transistors that are supposed to be on, you may get the opposing ones to never switch off fully. And that's static power draw that won't go away with clock gating and will be at its worst exactly where the weakest links are. "May damage your hardware" is quite literal.
2
@excidium666 It's not just the false positives. Every one of the reports will be overly verbose, speculative and off topic like this one, which will train responders to skim reports - and eventually lose significant details.
2
Technically it's avarice. They do not care if you are hurt, they merely want your stuff.
1
@jamesflames6987 It doesn't overflow to 0 on common machines. You'd need a machine where the number of values a long may take is a multiple of 1000 for that. You could get subsecond values like 704 or 384 milliseconds. The hypothetical service would also be the one with the remote vulnerability, not curl. The issue was severely mislabeled. The I:H label, for instance, was pure fabrication. NVD is the DDoS attack vector here. Their policy is the equivalent of every missed call being classified as a bomb threat.
1
@EwanMarshall Sure there is! In this case, they quite obviously took the easy way of rating everything at maximum for AV, C, I and A with no regard for truth. If that's their best effort, I think their reputation should be affected. It has been confirmed since (see Stenberg's third blog update) that this fabricated scoring is NVD policy. This leaves it in the air whether MITRE or NVD did the inflation, but it's insane either way.
1
@Braiam I'd suggest Debian testing, but we do have our levels. Including experimental.
1
@framegrace1 Stable is not immutable. We do fixes. That's what support is about.
1
The hardware is actually reasonably interesting. Microsoft's goals with it are just abhorrent.
1
This isn't about security patches. This is a time bomb hostile message designed to evade testing.
1
@EwanMarshall And NVD assigned 9.8 critical based on not hearing from MITRE.
1
@NiceMicroTV GPL explicitly specifies "on a durable physical medium customarily used for software interchange". Printed toilet paper would not qualify.
1
False positive is NVD's specifically stated policy. Once there's an issue number, if they have no information it's their policy to declare it's the worst case - even if that's implausible or impossible.
1
So Microsoft's take on licensing is "we're rich, we can get away with it."
1
Is that the excuse for the AMD driver selecting the worst available pixel format on HDMI? It's hardcoded with a little comment nearby saying it shouldn't be.
1
An integer overflow could lead to incorrect memory accesses if it occurs in the wrong logic, e.g. causes an allocation routine to think something fits when it doesn't. This probably isn't such a case, and in any case the speculation was unfounded; just excuses to toss at the wall, distracting from the real issue that there's junk in the issue tracker.
1
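The three overflow situations discussed in this thread, as an added example that is not code from the thread or from curl: the maxBound check that tests `to - from` before adding 1 (the comment on the 7:35 timestamp), a seconds-times-1000 multiply wrapping on a 64-bit long (the comment about values like 704 or 384 milliseconds), and the allocation-sizing case just above where a wrapped `count * elem` makes an allocator think something fits. The seconds-to-milliseconds and allocation helpers are assumed shapes for illustration, not any project's code, and the example relies on the gcc/clang `__builtin_*_overflow` intrinsics. It also shows the arithmetic behind the "not 0" observation: 2^64 is not a multiple of 1000, so a wrapped product is a multiple of gcd(1000, 2^64) = 8, and it reaches 0 only for inputs that are multiples of 2^61.

```c
/* Added example, not code from the thread or from curl: the three overflow
 * shapes discussed above (the maxBound range check, a seconds*1000 multiply
 * on a 64-bit long, and allocation sizing), written so every result is
 * defined and checkable. The *1000 and allocation helpers are assumed
 * shapes for illustration, not any project's code. Needs gcc or clang for
 * the __builtin_*_overflow intrinsics. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* (1) Elements in the inclusive range [from, to]. Returns 0 when the count is
 * not representable (to < from, or from == 0 and to == UINT64_MAX, the one case
 * where diff + 1 wraps to 0). The test is a plain comparison made before the
 * add, so nothing depends on observing an overflow after the fact. */
uint64_t range_count_u64(uint64_t from, uint64_t to)
{
    if (to < from) return 0;
    uint64_t diff = to - from;
    if (diff == UINT64_MAX) return 0;
    return diff + 1;
}

/* Signed variant. `n = diff + 1; if (n < diff)` is undefined behaviour for
 * signed operands, and the optimiser may delete that branch as unreachable.
 * The builtins report overflow without performing it. */
int64_t range_count_i64(int64_t from, int64_t to)
{
    int64_t diff, n;
    if (to < from) return 0;
    if (__builtin_sub_overflow(to, from, &diff)) return 0;   /* e.g. from = INT64_MIN, to = 0 */
    if (__builtin_add_overflow(diff, (int64_t)1, &n)) return 0;
    return n;
}

/* (2) seconds -> milliseconds on a 64-bit signed long. The wrapped value is
 * computed in unsigned arithmetic (defined) and then reinterpreted; gcc and
 * clang define that conversion as modulo 2^64. Because gcd(1000, 2^64) = 8,
 * a wrapped product is always a multiple of 8, and it is 0 only when secs is
 * a multiple of 2^61. */
int64_t secs_to_ms_wrapped(int64_t secs)
{
    uint64_t wrapped = (uint64_t)secs * UINT64_C(1000);
    return (int64_t)wrapped;
}

/* Checked version: -1 for negative input or overflow, else the product. */
int64_t secs_to_ms_checked(int64_t secs)
{
    int64_t ms;
    if (secs < 0 || __builtin_mul_overflow(secs, (int64_t)1000, &ms)) return -1;
    return ms;
}

/* (3) Allocation sizing. If count * elem wraps, malloc succeeds with a buffer
 * far smaller than the caller goes on to index, and the overflow has become a
 * memory-safety bug. wrapped_alloc_size is the bug shape; checked_alloc_size
 * returns 0 instead of a wrapped size. */
size_t wrapped_alloc_size(size_t count, size_t elem)
{
    return count * elem;
}

size_t checked_alloc_size(size_t count, size_t elem)
{
    size_t bytes;
    if (count == 0 || elem == 0) return 0;
    if (__builtin_mul_overflow(count, elem, &bytes)) return 0;
    return bytes;
}

void *alloc_array(size_t count, size_t elem)
{
    size_t bytes = checked_alloc_size(count, elem);
    return bytes ? malloc(bytes) : NULL;
}

int main(void)
{
    printf("range [0, UINT64_MAX]: count=%llu (0 = refused)\n",
           (unsigned long long)range_count_u64(0, UINT64_MAX));
    printf("9223372036854776 s * 1000 wrapped: %lld ms\n",
           (long long)secs_to_ms_wrapped(9223372036854776LL));
    printf("checked: %lld (-1 = overflow)\n",
           (long long)secs_to_ms_checked(9223372036854776LL));
    printf("alloc %zu x 2: wrapped size %zu, checked %zu\n",
           SIZE_MAX / 2 + 2,
           wrapped_alloc_size(SIZE_MAX / 2 + 2, 2),
           checked_alloc_size(SIZE_MAX / 2 + 2, 2));
    void *p = alloc_array(4, 8);
    free(p);
    return 0;
}
```

The input 9223372036854776 seconds is the smallest value whose product exceeds INT64_MAX; the wrapped result is INT64_MIN + 192, a negative delay rather than a zero one. The wrapped allocation size of 2 for SIZE_MAX/2 + 2 elements of 2 bytes is independent of the width of size_t.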
@EwanMarshall Turns out it's NVD policy to rate stuff they have no information about as critical. It's not clear if MITRE fabricated the severity, but it is clear NVD would if MITRE didn't.
1
An honest effort at such a security tool would have it generate a proof of concept test case. I.e. it would have traced back to that file size. Meanwhile, in the real world, the glorified chatbot is even worse than your average programmer at understanding what the range of a variable is.
1
@BrodieRobertson That's an astonishingly ignorant statement, actually. Undervolting doesn't even necessarily reduce power and is by definition out of spec (because it may cause malfunction, including permanent). Power limiting is perfectly normal, typically done to balance demands on battery life, heat production, and different categories of compute (e.g. graphics). The phawx has demonstrated these pretty well if you want to learn. This is a bit like saying the only way to reduce fuel consumption in a car is to dilute your fuel.
1
0install did this long before Nix or AppImage, with signature checks, and supporting other OSes.
1
The processor is not for people developing AI tools. It's for running them, specifically the background spyware of Windows 11.
1
Dropbox is a famous site that installs unwanted malicious software on visitors' computers. Specifically, Firefox downloads and runs a broken "Widevine" binary without asking - after being specifically instructed not to (DRM antifunctionality disabled in settings).
1
Quite obviously was gaming the score. There's absolutely no excuse for the Integrity:High marking.
1