Peanuts! My wife’s workplace has an internal photo gallery page. If your device can cope with it and you wait long enough, it’ll load about 14GB of images (so far). In practice, it will crawl along badly and eventually just crash your browser (or more), especially if you’re on a phone.
The single-line change of adding loading=lazy to the <img> elements wouldn’t fix everything, but it would make the page at least basically usable.
The value of the technique, I suppose, is that it hides a large payload a bit better. The part you can see stinks (a bunch of magic numbers and eval), but I suppose it’s still easier to overlook than a 9000-character line of hexadecimal (if still encoded or even decoded but still encrypted) or stuff mentioning Solana and Russian timezones (I just decoded and decrypted the payload out of curiosity).
But really, it still has to be injected after the fact. Even the most superficial code review should catch it.
Agreed on all those fronts. I'm just dismayed by all the comments suggesting that maintainers just merged PRs with this trojan, when the attack vector implies a more mundane form of credential compromise (and not, as the article implies, AI being used to sneak malicious changes past code review at scale).
Yeah, the attack vector seems to be stolen credentials. I would be much more interested in an attack which actually uses invisible characters as the main vector.
I have some Sony headphones from a decade ago with a detachable cable. Noise cancellation works just fine when wired, and you get better battery life since the Bluetooth part isn’t active. The only time you can’t use noise cancellation is when it’s charging (Micro-USB, doesn’t do audio over USB in case you were wondering).
A spherical balloon 20cm in radius is displacing 41g of air. Even ignoring compression (which I don’t know enough to quantify the effects of, except that it will make the numbers more unfavourable), nitrogen’s 3.3%-lighter gives you a budget of only 1.35g for the balloon. I believe balloons are heavier than this, so the balloon will still sink (a little more slowly than an air-filled one, but I’m not sure how noticeable the difference will be).
> which I don’t know enough to quantify the effects of
You probably do, actually! People constantly underestimate the grand utility of their basic education.
At near-atmospheric pressure and typical ambient temperatures, the ideal gas equation (PV=nRT) from introductory physics works very well and indicates that a 3% overpressure would make gases 3% more dense (linear direct proportionality). At some threshold of high pressures/low temperatures, you'd want to switch your equation of state (EOS) from ideal gas law to something else. Peng-Robinson would be a good choice for a non-polar gas like nitrogen, if it's >10-50 atm pressure and/or < -50C temperature.
At 20 degC, 1.00atm to 3kPa gauge pressure, ideal gas law predicts nitrogen would increase in density by 2.9608%. Whereas Peng-Robinson predicts it would increase in density by ever-so-slightly more, 2.9623%. This is truly negligible, so better to use the simplest EOS for explainability (which would be the ideal gas law).
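The balloon arithmetic from the two comments above, as an added example that is not part of either commenter's post: it computes the displaced air, the nitrogen fill and the lift budget for a 20cm sphere with the ideal gas law, then applies the 3kPa overpressure figure to the budget as well (going one step beyond the thread). Assumed constants: dry air 28.97 g/mol, nitrogen 28.014 g/mol, 20 degC, 1.00 atm.

```python
import math

# Assumed physical constants (standard textbook values, not from the thread)
R = 8.314462618          # J/(mol*K), universal gas constant
P_ATM = 101325.0         # Pa, 1.00 atm
M_AIR = 0.02897          # kg/mol, dry air
M_N2 = 0.028014          # kg/mol, nitrogen


def gas_density(molar_mass_kg, pressure_pa, temp_k):
    """Ideal-gas density rho = P*M/(R*T), in kg/m^3."""
    return pressure_pa * molar_mass_kg / (R * temp_k)


def sphere_volume_m3(radius_m):
    return 4.0 / 3.0 * math.pi * radius_m ** 3


def balloon_budget_g(radius_m=0.20, temp_k=293.15, pressure_pa=P_ATM):
    """Displaced air mass, nitrogen fill mass and the lift budget left
    for the balloon skin (all in grams), ignoring any overpressure."""
    v = sphere_volume_m3(radius_m)
    air_g = gas_density(M_AIR, pressure_pa, temp_k) * v * 1000.0
    n2_g = gas_density(M_N2, pressure_pa, temp_k) * v * 1000.0
    return air_g, n2_g, air_g - n2_g


def overpressure_density_increase(gauge_pa, base_pa=P_ATM):
    """Fractional density increase at constant T: rho is proportional
    to P, so the increase is (P + dP) / P - 1."""
    return (base_pa + gauge_pa) / base_pa - 1.0


def budget_with_overpressure_g(gauge_pa, radius_m=0.20, temp_k=293.15):
    """Lift budget when the fill gas sits gauge_pa above ambient: the
    displaced air is unchanged, but the nitrogen inside is denser."""
    air_g, n2_g, _ = balloon_budget_g(radius_m, temp_k)
    n2_g *= 1.0 + overpressure_density_increase(gauge_pa)
    return air_g - n2_g


if __name__ == "__main__":
    air, n2, budget = balloon_budget_g()
    print(f"air displaced: {air:.1f} g, N2 fill: {n2:.1f} g, budget: {budget:.2f} g")
    print(f"3 kPa gauge density increase: {overpressure_density_increase(3000.0):.4%}")
    print(f"budget at 3 kPa gauge: {budget_with_overpressure_g(3000.0):.2f} g")
```

At 3kPa gauge the extra nitrogen mass eats most of the roughly 1.3g budget, which is why the first comment's "more unfavourable" caveat matters even though the density change itself is only about 3%.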
Ah, just like AT Proto when it was released, introducing compatibility hazards and security vulnerabilities by putting stuff in the root rather than in .well-known. Sigh.
I never did get my pen license—they insisted on the dynamic tripod grasp, which I never could cope with (I prefer lateral quadrupod). So I and one other had to keep using pencils until the end of grade four, after which point they forgot about the matter.
My elder brother had (simplifying the story a lot) such bad handwriting that they let him type his year 12 exams, turning a possible disadvantage into a frankly unfair advantage, especially in English, where being able to output four times as fast is valuable. Wish I could have done that.
> In October 2023, Tile sent to all accountholders […] an email with the heading “Updated Terms of Service and Privacy Policy” […] to the email address provided by accountholders during registration, […] “[i]f you continue to use any of [Life360 and Tile’s] apps, or access our websites (other than to read the new terms) on or after November 26, 2023, you are agreeing to the [Oct. 2023 Terms].”
> Broad did not locate the Oct. 2023 Notice until January 2024, when she affirmatively searched for the email and found it in her spam folder. […]
> Doe “never knew that Tile sent” the Oct. 2023 Notice and so never “read any revised or updated Terms.”
> The district court held that neither Broad nor Doe assented to the Oct. 2023 Terms.
So then it was challenged, and the appeals court gets into the weeds: were the Appellees “on inquiry notice of the Oct. 2023 Terms”? (“Inquiry notice” is clearly a specific legal term, I can’t comment on its precise meaning.)
The entire thing seems to hinge on whether appropriate notice was given: it seems to be accepted by all parties and case law that “continuing to use after such-and-such a date implies consent” is okay. (This is explored at the end of the document: simply using the app is treated as “unambiguously manifesting assent”, presuming inquiry notice.)
The court decides: yes, it was sent in the appropriate way and clearly marked and described. And
> Although the email did not say specifically that the arbitration agreement would be updated, reasonable notice does not require the email to discuss every revision.
They do say
> Tile could have done more to ensure that all its users were on inquiry notice of the Oct. 2023 Terms. Tile could, for example, have interrupted users’ next visit to the Tile App with a clickwrap pop-up notice. […] Because Tile should have known that at least some of its users do not closely monitor email, […] and Tile should have furnished additional notices, this factor weighs against finding inquiry notice.
They conclude: two factors for, one against, and thus determine that inquiry notice was received, although Tile didn’t handle things properly themselves, and should have done more.
But they avoid setting this as universal precedent:
> Evaluating whether inquiry notice has been established is, however, always a “fact-intensive analysis,” […] and we do not hold that notice by mass email establishes inquiry notice in every case.
—⁂—
This is my interpretation from a brief read of this interesting-sounding document. I’m neither a lawyer nor American. My understanding is almost certainly incomplete. I think I have avoided inserting any interpretation of my own, others can do that.
The argument seems to be that for Broad, there was clear receipt of the email, even if it was delayed by being in the spam folder - we know she found it eventually.
Doe is a bit more interesting, since she re-downloaded the app, and they're saying that in-and-of-itself is sufficiently clear intent/consent to the current Terms of Service ("Doe unambiguously manifested assent to the Oct. 2023 Terms by downloading the Tile App in March 2024 and using the Scan and Secure feature in attempting to locate her alleged stalker’s Tile Tracker.")
> Idle Always Free compute instances may be reclaimed by Oracle. Oracle will deem virtual machine and bare metal compute instances as idle if, during a 7-day period, the following are true:
> • CPU utilization for the 95th percentile is less than 20%
> • Network utilization is less than 20%
> • Memory utilization is less than 20% (applies to A1 shapes only)
The stupid but presumably effective solution is to waste resources to keep above those limits.
Another solution is offered by the email multiple sources cite they send when they reclaim (or warn they will reclaim? not clear) an instance:
> You can keep idle compute instances from being stopped by converting your account to Pay As You Go (PAYG). With PAYG, you will not be charged as long as your usage for all OCI resources remains within the Always Free limits.
They warn they will reclaim. I had two accounts, one processing data for a free weather service I volunteer for, so it's not idle and has had no issues for a couple of years now. The other for personal projects, so at times it stays idle for a while and I would get these email warnings which made me switch it to paid. I have not paid a cent, again for a couple of years now.
I run Firefox Nightly, and occasionally a little Chromium stable. Both are running under Wayland, which I believe is still not considered stable in either. In the last year of Firefox, I had one full crash (the first in maybe three years), and about four tab crashes. Plus duplicates from deliberately reproducing issues. All but one (which I’m not certain about) were Nightly-only, fixed long before reaching stable. Were I running stable, I suspect I would not have had more than three crashes of any kind in the past five years.
I can’t say the same for Chromium. Despite barely using it, I had at least one tab or iframe crash last year, and there’s a moderate chance (I’ll suggest 15%) on any given day of leaving it open that it will just spontaneously die while I’m not paying attention to it (my wild guess, based on observations about Inkscape if it’s executing something CPU-bound for too long: it’s not responding in a timely fashion to the compositor, and is either getting killed or killing itself, not sure which that would be).
Frankly, from a crashing perspective, both are very reliable these days. Chromium is still far more prone to misrendering and other misbehaviour—they prefer to ship half-baked implementations and fix them later; Firefox, on the other hand, moves slower but has fewer issues in what they do ship.