Windows 10 EOL PSA
  • Absolute joke of a comment. You are assuming the browser is a holy grail completely isolating the internet from the operating system.

    First of all. The browser runs on the operating system's services. In particular, the isolation that you implicitly cite is done entirely by the kernel. (That's for example why you cannot run Chrome in an unprivileged Docker container - the crucial isolation-centered system calls are not available) The whole network stack is managed by the operating system. Cryptography can also partially be done OS-sided. The simplest example is CSPRNG, which is usually provided by the OS. (Advanced systems may rely on external physical generators, see Cloudflare's lava lamps).

    Secondly. Completely and utterly wrong. The linked video displays the execution of Meltdown/Spectre within a browser. Using JavaScript. This allows the attacker to gain access to any data they want on your computer simply by running some JavaScript code. Easily remotely executed via XSS on a poorly written website. You may read the full article here. Or inform yourself about Meltdown and Spectre here. How is that relevant? Combating this vulnerability was primarily done via critical OS updates. The exploits are inherent to certain CPUs and are therefore not fully fixable. Still, the combination of BIOS, Chipset, OS, and browser updates helps prevent very serious attack vectors. (That's the reason why the browser's time measurement is only accurate to about the millisecond.)

    So no. Browsers aren't the magic solution to everything (sorry Ubuntu Snap). They very much depend on the OS providing the assumed security guarantees. And even assuming no direct vulnerabilities in the OS, we can never exclude side-channel attacks, like what Meltdown and Spectre were (or still are if you refuse to update your system).
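
The reduced timer precision mentioned in the comment above, shown as an added example that is not part of the original comment. It uses a simulated clock in integer microseconds so the output is deterministic; `makeSimClock`, `coarsen`, `measure` and `observe` are hypothetical names, and the 1 ms step is taken from the comment's "about the millisecond".

```javascript
// Added illustration; every name here is hypothetical.
// Simulated high-resolution time source in integer microseconds (constructed,
// so results are deterministic; a browser would read performance.now()).
function makeSimClock() {
  let t = 0;
  return { now: () => t, advance: (us) => { t += us; } };
}

// Mitigation: report time only in multiples of stepUs.
function coarsen(now, stepUs) {
  return () => Math.floor(now() / stepUs) * stepUs;
}

// Elapsed time of `work` as seen through the clock `now`.
function measure(now, work) {
  const start = now();
  work();
  return now() - start;
}

// Time one operation of `durationUs`, starting `offsetUs` after a tick,
// through both the raw clock and the coarsened one.
function observe(durationUs, stepUs, offsetUs = 0) {
  const results = {};
  for (const kind of ['raw', 'coarse']) {
    const sim = makeSimClock();
    sim.advance(offsetUs);
    const now = kind === 'raw' ? sim.now : coarsen(sim.now, stepUs);
    results[kind] = measure(now, () => sim.advance(durationUs));
  }
  return results;
}

const STEP_US = 1000; // "about the millisecond", as in the comment
console.log(observe(200, STEP_US));      // fast operation
console.log(observe(700, STEP_US));      // slow operation
console.log(observe(700, STEP_US, 500)); // measurement straddles a tick
```

The first two calls differ through the raw clock but look identical through the coarsened one; the third still registers because it crosses a tick boundary, so coarsening narrows the timing channel rather than closing it.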

  • Windows 10 EOL PSA
  • You don't need to click anything suspicious. Remote code execution has in the past been done through images, PDFs, comments on some webpage, or supposedly trustworthy games. Just recently, Minecraft would let an attacker run anything on the victim's computer due to a vulnerability in Log4j.

    If your computer is not directly exposed to the internet, you might get away with some security updates that for example fix vulnerabilities that target the system firewall. But the point is, you're constantly exposing yourself to attackers without knowing so.

    A few example vectors:

    • Cross-Site Scripting (XSS) allows an attacker to run arbitrary code on the victim's browser. All that's required is a website that doesn't validate its input properly. That is, an attacker can write executable code into a YouTube comment and when you view that comment, your computer will execute that code. Obviously YouTube is secured against that, but there are plenty of websites where this attack can be done. Therefore, modern browsers isolate the code execution to only that "browser tab", so the attacker can't access some sensitive data (unless the browser has some undiscovered vulnerability or for example the page itself contains sensitive information, say your bank account details). While modern browsers should provide sufficient protection against such attacks, the take-away point is that you don't necessarily need to click any "suspicious links". A vulnerability in a well-known website you frequent could be discovered any day.

    • An attacker can easily make your PC go to their website when typing google.com. DNS (how your computer is able to tell which web address is which computer) is not encrypted. It is incredibly easy to tamper with. Why you don't get scammed every day is because of TLS encryption. Your computer is able to tell that the website is not Google, because it doesn't have Google's cryptographic "keys". Assume that we discover a vulnerability in TLS (encryption of webpages) tomorrow and you refuse to update your operating system. Suddenly, an attacker can route any traffic they'd like back to them and you would be none the wiser. Same thing would happen if some vulnerability is discovered in X509 certificates, if ICANN's private keys are leaked, and so on.

    There are a lot of things that could go wrong. And they go wrong daily. Security updates fix vulnerabilities that we constantly find. They may be updates for your browser, your games, or indeed your operating system, depending on where that vulnerability is. The examples I gave are exaggerated, because they're meant to be simple to understand. We do not find vulnerabilities in TLS every single day. Still, weak points are being discovered and fixed constantly. One of the bigger exploits was Spectre/Meltdown (attacks on the CPU) that let an attacker read any data they want, provided they can simply run some code on your computer in some way.

    Also, obviously, if you expose yourself to the internet directly (e.g. port forwarding) or connect to an unsecure WiFi network, you'll be bombarded with automated attacks that exploit holes found in firewalls and the like. If you open a port on your computer right now, you'll get around a few hundred such knocks per day.

    There are plenty of videos online that display what happens if you for example use a Windows 95 computer, either directly exposed to the internet or not. Might be worth watching to see just how easy it is for attackers to take over in the case of such an ancient system. Same principles apply to newer systems as well, the attacks are just more complex.
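
The comment-rendering flaw described in the XSS bullet above, with the vulnerable form beside the hardened one. This is an added example, not code from the original comment or from any site it names; the function names, the markup and the sample comment are constructed for illustration.

```javascript
// Added illustration; every name and the sample input are constructed.
const SAMPLE_COMMENT = 'nice video <script>document.title = "ran"</script>';

// Vulnerable: the comment text is pasted into the page as HTML, so any
// markup inside it becomes part of the page the next visitor loads.
function renderCommentUnsafe(author, text) {
  return `<li class="comment"><b>${author}</b>: ${text}</li>`;
}

// Hardened: encode the characters that can open a tag, an entity or
// close an attribute value, so the comment is displayed as text.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderCommentSafe(author, text) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// Check helper: list the opening tags an HTML parser would see.
function openingTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).map((t) => t.toLowerCase());
}

console.log(openingTags(renderCommentUnsafe('viewer', SAMPLE_COMMENT)));
console.log(openingTags(renderCommentSafe('viewer', SAMPLE_COMMENT)));
console.log(renderCommentSafe('viewer', SAMPLE_COMMENT));
```

Only the template's own `<li>` and `<b>` tags survive in the hardened output; the unsafe version also yields a `<script>` tag that came from the comment.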

  • Netflix Windows app is set to remove its downloads feature, while introducing ads
  • They don't get that their actions lose them money. They will just keep throwing more ads and higher prices at you while their profits continue to spiral down. Who would've thought that people will get pissed and drop Netflix when sharing passwords was cracked down? What do they think will happen this time?

  • Woman Stuck in Tesla For 40 Minutes With 115 Degrees Temperature During Vehicle Update
  • The button connected to the door should be a completely separate circuit which will not shut down ever. Sure, if you additionally want communication between the main computer and the doors, you can add it. But the doors should not depend on that computer. Basic redundancy and separation of concerns.

  • Woman Stuck in Tesla For 40 Minutes With 115 Degrees Temperature During Vehicle Update
  • Seriously. Reminds me of radio recordings of asphyxiated pilots. If it gets too bad, then it's already over. Pilots who unknowingly run out of oxygen just sit there zoned out, not realizing that is happening, and they are trained professionals!

  • Closest subway line from you, France
  • "Never" is a massive understatement. Especially in big cities, say Paris itself, it's a nightmare to drive a car compared to just using public transportation. Even outside of cities it can be much nicer to relax on a smooth train ride rather than have to focus on driving the entire time.

    Depends on where you live obviously.

  • Images leak of Valve's next game, and it's an Overwatch-style hero shooter
  • Super Hot and Beat Saber don't cause motion sickness. If you have no idea about how the different kinds of VR movement affect nausea and haven't developed any VR legs, then that's absolutely on you. Especially given that Alyx remains accessible to people prone to motion sickness by giving you the option for teleport locomotion and snap turning instead. I know my limits and while I can use smooth locomotion, I still use snap turning. Don't blame the game if you don't know your limits and it's essentially your first VR game in which you don't stay in a single spot.

  • friend sent me a review of apple's ar headset. couldn't help myself

    sure am excited to start seeing people walk like that outside..

    Review link

    32
    Opisek @lemmy.world
    Posts 1
    Comments 123