aard @ aard @kyu.de

Posts

5

Comments

493

Joined

2 yr. ago

At least in the EU Apple app store is considered a monopoly, and Apple is expected to allow third party stores during next year.

Problem is that it not really is "just a store". By using the google store you get access to the google play APIs, which are upgraded separately from the device OS - which is sensible from a security perspective, but they also were created by google specifically for regaining control over what goes on on Android devices.

A lot of applications are needlessly tied to play APIs - either because that way is a bit easier, or just because google is good at marketing them, and the developer didn't think twice about it. Some relatively basic APIs are part of google play - for example maps, which needlessly is tied to google maps. Unlike Android itself the play APIs are not opensource.

Yandex tried about a decade ago to re-implement the play APIs to keep such applications working without the play store, by utilizing other services providing the same functionality, and tried to get other companies to join them. I've visited the Yandex office in Saint Petersburg a few times to discuss that back then (just checked, most of that seems to have been 2014 - that year Yandex was sponsoring my Russian visa). The effort failed for various reasons, unfortunately - the big one being that doing this required reverse engineering API changes on every play update google was pushing to stay compatible. There's the microG project around now, but it seems to be less ambitious than what Yandex was trying to do back then.

My point is, as long as at least the API for play services isn't maintained in a way that allows full open source reimplementations - or better, google releases parts as open source where we can plug different backends in - "use a different store" is not really a possible solution for many.

Problem nowadays is that changing partition tables is so rare that parted changes their commands between uses, and I never remember if fdisk nowadays has all the GPT related issues that made me try parted in the first place ironed out. Plus I can't remeber the new GPT commands and partition IDs.

I still mostly just read the help text every time because nothing else is installed - but from the speed I might be a bit faster with a well designed GUI nowadays if it is about modifying GPT disks. MBR disks I still can do with fdisk in my sleep.

Emacs grep lets you run grep, and formats the results in a buffer from where you can then easily visit the files at the match location.

Almost a decade ago there was a discussion how to draw into display buffers for Wayland. Everybody agreed on using Mesa GBM, nvidia wasn't really interested, but said they'd do EGLstreams.

As nvidia wasn't interested, and generally is a dick to everybody anyway Wayland development just progressed ignoring nvidia, and now they have to catch up to where all the other graphics driver were at already years ago. While ignoring most of the things those others learned, because they want to keep their own tiny proprietary island.

Just avoid supporting nvidias dickish behaviour by not giving them money, and eventually they might learn and change.

Easiest and most affordable is probably a security key like the Nitrokey or the https://www.yubico.com/. I personally don't like the company behind yubikey much, but if you want something small you can always leave in the device that's pretty much your only option.

For "cheaper, but a bit more effort" would be just getting a smartcard blank, a card reader (if you're not lucky enough to have a notebook or computer with one built in), and then either write your own applet, or use one of the available opensource ones, and upload it to the card. A variant of that would be the Fidesmo card, where you get a card and their applet.

Or you just use the TPM you may have in your system - though you'll need to be careful with that: Typically one reason for using a hardware token is to make sure keys can't get extracted, while TPMs often do allow key extraction. Software to make that work would be opencryptoki.

Generally you'd use PKCS#11 to have the various components talk to each other. On your average Linux pretty much everything but GnuPG place nice. with PKCS#11. Typically you end up with pcscd to interface with the smartcard (the above USB tokens are technically also just USB smartcards), OpenSC as layer to provide PKCS#11 on top, and software (like OpenSSH) then talks to that.

All of that should be available as packages in any Linux distribution nowadays - and typically will also provide p11-kit configured to use a proxy library to make multiple token sources easily available, and avoid blocking on concurrent access.

ssh-add supports adding keys from pkcs#11 providers to the SSH agent (search pkcs11 in ssh-add manpage), with some distribution (like RedHat) also carrying patches allowing you to only select individual tokens for adding.

If you're also using GnuPG it gets more complicated - you pretty much have two options: Stick with PKCS#11, in which case you'd replace GPGs own smartcard agent with gnupg-pkcs11-scd, or you use GPGs own card implementation, in which case you can forget pretty much everything I wrote above, and just follow the security key manual for setting up a GPG card, enable SSH agent support in the GPG agent, and just use that for SSH authentication.

A surprising amount of services (including Azure last I tried) can only handle RSA keys, so after trying ecdsa only for a while I ended up adding a RSA key again.

With that said - it's 2023, in almost all cases you should have your keys in a hardware module nowadays, in which case you'd use a different command for keygeneration.

Enterprise SSDs are certified to retain data without power for 3 months. That's extremely conservative - but I wouldn't push it to more than about two years.

For workstation there hasn't been a need to use VMWare for over a decade now, if you're on Linux. Server side, if you needed live migration you had a reason to stick with VMWare - but that also should've been solved about a decade ago. Pretty much the only two excuses for still using VMWare infrastructure are "it's old infra, and we don't really have the time to migrate away from it" or "our ops team is too incompetent to handle anything else"

At least my kid remembers quite a few things from that time. She sometimes goes "remember when I was crying so much.." following by an increasingly detailed description of a situation until I do remember. And then she tells me what the issue was back then, which she didn't have the ability to explain yet back then.

How do you handle encryption? Best provided option with client side encryption I'm aware of still leaks filenames.

It did, but note that the linked picture is the full resolution of the camera. Also, the phone had very limited storage space, and the display was in no way suitable for displaying the pictures taken, so you just hoped for the best until you managed to check them on your computer.

The S55 got lost eventually, but the camera module should still be around here somewhere.

A Siemens S55. After that I moved to a Treo 270, and stayed with Palm until Nokia gave me an N900

I guess we can give GIMP a pass to be a bit slower in migrating to new versions of the _G_IMP _T_ool_K_it than others...

In IT contracting (at least the fields I'm around) it's quite common that "being able to acquire new skills quickly" is one of the skills you get paid for, and the time needed for you to do that is accounted for in the project planning.

The whole reader series is just such an un-Sony thing, it's almost a miracle it survived as long as it did. You'd never expect Sony to have an easy to use device, without forcing DRM or custom software, utilizing open standards, while also being easily repairable by the user. Or if it existed you'd think it was a fluke, and will be "fixed" in the next iteration.

Battery replacement on the old Sony readers is trivial.

I relatively recently checked out some other ebook readers, mainly as the Sony isn't too responsive with a big library on it, and I prefer just having everything on there - but turns out neither Kindle nor Kobo perform that well with a big library either. The UI of the old Sony reader is still way better than any of the other ebook readers I've tried.

I'm currently carrying a kindle in flight mode, filled via calibre - in the night the backlight is nicer than the clip on light I've been using with the Sony, but I still keep the Sony charged and use now and then.

And if the code was merged into Nvidia’s database after “extensive edits and feedback loops by other employees,” then Valeo says it’s “unrealistic” to think it could ever be fully removed.

This also is the reason why people should be careful with copilot or similar code assistance systems until the first major AI copyright lawsuits are settled. If those don't swing in favour of AI people using those tools risk losing their codebase.

Yeah, but x86 was relatively cheap. Alpha and Itanium were in a similar price range.

At that time Alpha belonged to Compaq - and they stopped Alpha development (and canned quite a few good designs which were pretty much ready to go), expecting they'll be able to replace it with Itanium.

Pretty much everybody pushing fingerprints as a sensible thing for accessing a device is fucking up. It is way too easy to obtain a persons fingerprints suitable for device unlocking without them knowing - and that's ignoring that using fingerprints enables device unlocking with a persons finger against their will.