
It's funny, this is another of the billions of reasons why Mullvad should be the VPN of choice. But so many fucking people can't ever get over that their favorite social media influencer/Youtuber is offering a code for 200% off of NordShark VPN, now with extra AI.


Mullvad is great for privacy. But it's blocked by pretty much every VPN block list. NordVPN at the very least bypasses all the ones I regularly encounter.

I do use Mullvad for most web browsing though. But Imgur for example is blocked on it, and it's blocked in the UK, so I need NordVPN if I want to see any images there.

Most people's VPN usage is literally just geolocation restrictions and Nord is really good at that.


I regularly go to imgur via mullvad, exit Netherlands.


Aren't proxies good enough for that purpose?


The user experience differs for proxies.

System wide proxy configuration doesn’t actually always work system wide.

A VPN tends to have more success in encapsulating all application traffic (or all desired application traffic, if you’re so inclined to configure your system).


I love and use mullvad myself but I don't think they are very competitive for the average person. They mostly just care about getting around geo blocks on websites and streaming services, which mullvad puts 0 effort into facilitating.


It became less of a choice for many after they sadly had to disable port forwarding.


Yeah, their reasoning is solid (easy to abuse) but it is still a very useful feature.

AFAIK, at the moment your choices are AirVPN and ProtonVPN. AirVPN has static port forwarding and Proton has UPnP port forwarding.


private internet access has port forwarding too


PIA is not to be trusted after their buyout, IMHO


Currently using AirVPN, but ye gods, their Eddie client is atrocious on Linux. I wind up using wg / nmcli, but then have to block traffic going outside of the VPN with iptables rules because it leaks for some reason.

I miss mullvad dearly, and I might try proton after my 3y sub is up.
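Added example, not the commenter's own rules and not code from any VPN provider: a POSIX shell dry-run generator for the kind of leak-blocking ("kill switch") policy the comment describes, written for nftables rather than iptables. It prints a ruleset in which the physical uplink may only carry the encrypted WireGuard packets to the VPN endpoint (plus DHCP), so plain DNS, IPv6 and any application that ignores the tunnel is dropped. The interface names `wg0`/`eth0` and the endpoint `203.0.113.10:51820` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the commenter's rules): generate an nftables "kill switch"
# for a WireGuard tunnel so that nothing leaves the physical uplink except the
# encrypted packets to the VPN endpoint (plus DHCP). The ruleset is printed for
# review; apply it with `nft -f` once it looks right. Interface names, endpoint
# address and port used below are constructed placeholders.

validate_port() {
    # Accept only an integer in 1..65535.
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

wg_killswitch_rules() {
    wg_if="$1"      # tunnel interface, e.g. wg0
    phys_if="$2"    # physical uplink, e.g. eth0 or wlan0
    endpoint="$3"   # IPv4 address of the VPN server
    port="$4"       # UDP port of the VPN server
    validate_port "$port" || { echo "bad port: $port" >&2; return 1; }
    cat <<EOF
table inet wg_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        # local traffic and everything that goes through the tunnel
        oifname "lo" accept
        oifname "$wg_if" accept
        # the encrypted WireGuard packets themselves
        oifname "$phys_if" ip daddr $endpoint udp dport $port accept
        # keep DHCP working on the uplink
        oifname "$phys_if" udp sport 68 udp dport 67 accept
        # everything else on the uplink (plain DNS, IPv6, apps that bypass the
        # tunnel) is dropped by the chain policy; that is what closes the leak
    }
}
EOF
}

# Dry run with constructed values; redirect to a file and load it with `nft -f`.
wg_killswitch_rules wg0 eth0 203.0.113.10 51820
```

The `ip daddr` match only covers IPv4, so an IPv6 endpoint needs an `ip6 daddr` rule instead; with a drop policy, forgetting that would simply cut the tunnel rather than leak, which is the safe failure mode. If the uplink also needs LAN access (printers, local DNS), add explicit accepts for those subnets instead of loosening the policy.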


Not only Eddie, their account control panels and site in general look like something from the 90s, and it seriously hampers their business. I can't recommend them to anyone that isn't highly technical. And even then, as a technical user, why do I manually have to select one of 10-20 servers within a city or region, why am I being asked to manually load balance? Why is there no Wireguard over port 53 or 443?

It makes more sense when you know they're privacy activists first, businessmen second. But Mullvad shows you can be pro privacy and still offer great UX and a sleek site and client.

Btw, if you're managing things in CLI, you could take a look at their Hummingbird Suite. AFAIK it has a killswitch.

What sucks with Proton is that you can't share the VPN account with friends, because it is tied to your Proton account. They should create a vpn.proton.me subdomain that you can create a special managed account on that can only touch the VPN settings.


>Btw, if you're managing things in CLI, you could take a look at their Hummingbird Suite. AFAIK it has a killswitch.

Hummingbird doesn't support WireGuard IIRC, which is a deal breaker.


They're planning to introduce OpenVPN Data Channel Offload (DCO) support to more servers once Linux 6.18 starts becoming more mainstream.

With DCO, OpenVPN can perform almost as well as Wireguard, sometimes even better. Although with more performance overhead so not the best choice for laptops and phones.

Tangentially related but I kind of wish Wireguard looked more toward the future and had included AES as alternative to ChaCha20. At the time of development, many ARM devices didn't yet have AES acceleration which is why ChaCha20 was needed for wide hardware support, but they do since ARMv8 which became widespread in 2015. Intel and AMD have had AES acceleration for a long time. And then ChaCha20 would have been the fallback on MIPS and RISC-V.


I wish I could use Mullvad. But their IPs are banned from many streaming services and they don't change them often enough so I am stuck with Nord.


I would just pirate at that point. You're paying for the streaming service anyways. Use mullvad to download the torrent :). I'm pretty sure they ignore dmca requests. Not that they even know their customer's names if you pay with Mullvad amazon card.


Been buying mullvad for the last 4-5 years but oftentimes I can’t even browse the fucking New York Times website due to low bandwidth, let alone stream anything. At this point, I just keep adding time to my account just in case, without using it.


Not to mention holding companies which snap up 15 competing VPNs and whitelabel most of them.


Mullvad seems to care and be competent about privacy, but most average VPN users aren’t seeking the most extreme privacy. They just want something cheap that lets them do geolocation things or access the most websites.


The average VPN user is knowledge-less. At best their internet usage data is being sold to third party analytics companies. At worst third parties are routing their own bots through their local connection.


You do know that NordSec maintains its own rust fork of BoringTun: https://github.com/NordSecurity/NepTUN ? :)



They're excited about putting the spec behind a notoriously closed paywall??

Us older nerds will remember how Microsoft corrupted the entire ISO standardization process to ram down the Office Open XML (.docx/.xlsx/etc) unto the world.

The original Office ISO standard was 6000+ pages and basically declared unreproducible outside of Microsoft themselves.

There is an entire Wikipedia article dedicated to the kafkaesque byzantine nightmare that was that standardization. [0]

ISO def lacks luster, and maybe even relevance.

[0] https://en.wikipedia.org/wiki/Standardization_of_Office_Open...


100000% Agree.

Here in Germany, I'm convinced the Police simply don't care about motorcycles with modified mufflers. The sound is deafening. In the last decade the noise has gotten worse and worse.

Once one of those small penis motorcycle owners saw that I was covering my three year old child's ears as he passed by, and only then did he put his bike into neutral and walked it by us.


As a biker, I hate these types of riders with a passion. All street legal bikes come out of the factory with reasonable sound levels, they have to go out of their way to specifically make it uncomfortable for everyone else. Pretty much every one of them is exactly the type of person you'd expect as well, insecure with an intelligence level comparable to a wooden spoon. Personally I tell nearly no one that I ride bikes, because the first assumption is always that you're one of those loud assholes.


Problem with motorcycles in Germany is, they are usually too fast for the police to catch with their car, and the helmet prevents usable photos of the driver. But unfortunately the laws require that the driver committing the speed/noise/redlight offense is identified and fined, fining the owner by license plate doesn't work (except if the bike was modified).


Is that why some YouTubers started to make ads for a "sue your motorcycle speeding tickets invalid" company as if this is really working, because it is?

Germany has such a specific way of making laws with holes.


I'm not so sure that's actually true, because when you get a speeding ticket, the owner absolutely is fined. He has a right to identify the driver or just take it on himself.


The owner also has the right to refuse saying anything, in which case it is on the police to prove who the driver was. For cars, that's usually easy, because they just compare the ticket photo to your driver's license photo or passport photo on file. For motorcycles, the ticket photo is usually useless, so if the owner refuses to identify himself or someone else, and the police cannot prove anything, the motorcycle owner goes unticketed.


If you Google "geblitzt anzweifeln" or something you find several companies doing exactly that. Most claim something like 50% of speeding tickets are wrong. One site claims they make 12% of their cases invalid.

I really have no idea about all that. Just some absurdity I recently noticed.


Not every inconsiderate person is compensating for something. Some people just have different opinions from you about how to behave in public.

And no, I don't have a loud motorcycle.


Well, no, but, you know, common things are common.

These, along with various other obnoxiously loud and/or big vehicles, are _strongly_ coded 'insecure man'. Not necessarily insecure about that in particular, of course, but insecure about something.


The headline is not great because Google will obviously appeal the ruling to the appeals court of DC, and if they have to, the Supreme Court.

A lot can happen between now and then. And this may take many years to grind through the court system.

I wonder if there exist AI models of all the super senior and important judges so we can venture how this will play out through the court system.


Why would they appeal? This appears to be a huge win. What more could they reasonably wish for?


The judge hasn't issued a formal apology to Google... yet.


So Google has to appeal they're an illegal monopoly but the judge still thinks it's ok for them to keep Chrome?


Could the final verdict be worse for Google?


There are ways it could be, such as new evidence coming to light, but generally no. You don't want a system where people are punished for appealing.


I'm definitely not a lawyer, but I am curious if this applies to civil lawsuits. This is a civil antitrust lawsuit, right? We never were seeking prison time for the CEO?


Yes; presumably their appeal will not raise issues where that is likely, but as is often the case in high-stakes civil litigation where neither side got what they wanted at trial, both sides are appealing this decision, and the government’s appeal no doubt will attempt to raise issues that would present the possibility of things being worse for Google.


> The headline is not great because Google will obviously appeal the ruling to the appeals court of DC, and if they have to, the Supreme Court.

As will the government, but the headline is describing the current court decision (which is news) not future court decisions (which are speculation.)


Just as a reminder, the HDMI Forum is forbidding AMD from releasing an open source HDMI 2.1 driver for Linux:

https://www.phoronix.com/news/HDMI-2.1-OSS-Rejected

DisplayPort is the better technology in every way possible.


The article about the study writes: `The study has not yet been peer-reviewed.`

We should just stop reading the article then and there. This is a major method of how a single study can perpetuate fake science and fake news.


> This is a major method of how a single study can perpetuate fake science and fake news.

It's a feature, not a bug.


Clickbait is a bug tagged with WON'T FIX


We should, but we don't.

People want the news now. They don't want to wait for it to be peer reviewed, or even cursorily checked. There is an infinite maw for information, and it has already consumed every single known fact.

If you want science, you'll wait a month, because it's not actually urgent. These species waited hundreds of millions of years and it'll still be there in a few weeks.

If you want entertainment, you want it right this instant. And that's what LiveScience exists to do.

So you really should have stopped reading as soon as you saw the URL.


I always thought the begging for support by critical infrastructure open source projects would eventually not be a thing. I, could, not, have, been, more, wrong.....


In the conclusion Google writes:

> It took less than 3 months of research to discover 6 separate bugs in the adsprpc driver, two of which (CVE-2024-49848 and CVE-2024-21455) were not fixed by Qualcomm under the industry standard 90-day deadline. Furthermore, at the time of writing, CVE-2024-49848 remains unfixed 145 days after it was reported. Past research has shown that chipset drivers for Android are a promising target for attackers, and this ITW exploit represents a meaningful real-world example of the negative ramifications that the current third-party vendor driver security posture poses to end-users. A system’s cybersecurity is only as strong as its weakest link, and chipset/GPU drivers represent one of the weakest links for privilege separation on Android in 2024. Improving both the consistency and quality of code and the efficiency of the third-party vendor driver patch dissemination process are crucial next steps in order to increase the difficulty of privilege escalation on Android devices.

Does this mean the vast majority of Android users (who are on Qualcomm chipsets) are vulnerable to these zero day attacks?


I also read between the lines something like "don't be surprised if we start to make our own chipsets and drivers, because current vendors can't be trusted to do a good job".


Even Apple failed at that, despite having bought out Intel's modem division and there being no other company coming even close to Apple's demand of hoarding knowledge in-house.

The problem is multifold:

- RF of any kind is extremely complex

- RF of any kind that is to be certified in virtually all countries on this rock, with providers with infrastructure from 2G shit that never got upgraded since the 90s to hyper-modern OpenRAN is even more complex simply due to all the cert and testing effort required

- making that RF stuff power efficient is the utter end game

- mobile communications standards on their own are a horrid, horrid mess to implement, not made easier by some of the specs being decades old and never intended to coexist in a world where a single device can run 30 gigabit a second...

- patents, so many patents, because of course it's a global standard that a) isn't open and b) everyone and their dog wants to profit off of

- on top of that come legal aspects: not just the certification requirements, but also lawful intercept and stealth ping stuff, or having to secure the device so that enterprising hackers can't readily turn it into an SDR, jammer or sniffer...

[1] https://www.eand.com/en/news/13-may-eand-uae-sets-new-record...


> - patents, so many patents, because of course it's a global standard that a) isn't open and b) everyone and their dog wants to profit off of

This is the only real problem. The other problems are challenging but surmountable engineering issues (which Apple already had solutions to, thanks to their Intel-modem acquisition).

There are plenty of Chinese basebands that work (code quality and security aside), because the CCP told Qualcomm to get bent in 2015.


All of the issues you described are specific to basebands, not all "chipsets and drivers", and this article is talking about exploits in DSPs, not basebands. Moreover, AFAIK the baseband (or more specifically the modem) is separated from the application processor on both iPhones and Pixels, so a baseband 0day allowing you to take over the entire phone is already unlikely.


> exploits in DSPs, not basebands

For what it's worth, the DSP this driver talks to is the same type of DSP used in Qualcomm basebands.

However, there's actually no strong relevance to DSPs at all here; it's just a broken DMA/ION-shared-memory driver that happens to be the one that talks to a DSP. There are lots of these in most Android board support packages.

> separated from the application processor on both iPhones and Pixels

Across an interface with drivers! Quite a few baseband drivers are exploitable from both sides of the interface.


> so a baseband 0day allowing you to take over the entire phone is already unlikely.

The baseband has to talk with the main SoC though by some way, and wherever there are interfaces, so are drivers and associated bugs. And usually you get the baseband and main SoC from the same company, so same engineering culture. It's not like shoddy development isn't just happening on the baseband BSP side.

> All of the issue you described are specific to basebands, not all "chipsets and drivers", and this article is talking about exploits in DSPs, not basebands.

Power efficiency, patents and legal compliance crap also impact the main SoC/chipset side.


> Even Apple failed at that, despite having bought out Intel's modem division and there being no other company coming even close to Apple's demand of hoarding knowledge in-house.

The upcoming SE going on sale in 2025 is set to have the Apple modem.


For compute offload, Google has indeed done that - the Tensor chips have Google's TPUs instead of Qualcomm DSPs.

Both on these TPUs as well as on pre-Tensor hardware that had Qualcomm DSPs, Pixels would not allow apps access to the kernel interfaces. Access would be blocked or mediated via a separate service process ('binderized HAL').

(Some) OEMs have repeatedly opened access to these kernel interfaces in order to trade security for performance.

(I used to work on compute offload at Google).


I highly doubt that the person writing this was hinting on anything remotely like that.


> Does this mean the vast majority of Android users (who are on Qualcomm chipsets) are vulnerable to these zero day attacks?

If not these precise ones, related ones yes. Certain chip vendors are notorious for not providing fixes of this kind to the manufacturers to roll out (maybe doing so selectively based on who they're extra special buddies with), if they ever even made them at all before moving on to the next shiny SoC.

The other side of this is Google never met a security problem that isn't solved by further coupling the system to their cloud, especially for updates. Coincidence?


> Certain chip vendors are notorious for not providing fixes of this kind to the manufacturers to roll out (maybe doing so selectively based on who they're extra special buddies with), if they ever even made them at all before moving on to the next shiny SoC.

Never heard that before. Chipset vendors are under maintenance contracts with their customers, so they are actually PAID to provide fixes, especially for CVEs. Manufacturers on the other hand have little to no recurring revenue from a device which could finance implementing, testing and rolling out each patch.

Care to provide a concrete example for your claim, especially for this "extra special buddies" suggestion, which insinuates that a chipset vendor developed a patch and still doesn't provide it to all its customers?


If the chipset vendors never provide fixes except to customers that ask, and the customers never ask because it costs reimbursed money to do something with them, from the point of view of the end consumer, the chipset vendors haven't provided the fixes.

In PC hardware, the expectation is that most drivers are available both from the manufacturer of the device, and directly from the chipset vendors. Some chipset vendors don't play that way, but most do. In mobile, the expectation is that drivers only come from the device manufacturer and if there's no updates, it's hard to figure out who's at fault because there's no transparency.


For like 2 years per chipset. That's not very long. Also since every customer has its own kernel branch, not all of them get the fix just because it was made in one branch.


This is somewhere between scarily naive and horrific bait.


As an aside: Why can't DSL modems be a single USB dongle?

Those of us with DSL connections must suffer either an extremely limited selection of DSL modem/routers that can run Linux/OpenWRT, or have to suffer running a Linux/OpenWRT router behind a DSL modem (that often has proprietary and out of date firmware).


I'm just about to cancel my DSL, but when you run the modem in bridge mode, and run PPPoE on your actual NAT gateway if needed (which is sadly often the case), the modem firmware doesn't matter very much.

I put together some stuff so I could transfer PPPoE sessions to a backup system and then I could reboot the NAT boxes for upgrades with minimal downtime. Sometimes, it even worked ;)


When I last used DSL, I was using AT&T uverse (which is/was VDSL with multicast video layered in).

I configured the provided gateway/router-widget to provide a "DMZ Plus" mode for my router (a custom box running Tomato or OpenWRT or something), and I called to get ports 25 and 80 unblocked. And then, plus-or-minus some completely-surmountable difficulty with making dynamic DNS behave properly it all worked fine.

For years.

I never connected anything other than my router to the ISP-provided device.

There's probably some corner cases where this configuration falls flat, but I never ran into them.

What might be some practical advantages of what you suggest?


> What might be some practical advantages of what you suggest?

Using half the power


You have some other more demanding problems if the power usage of an additional DSL modem is a concern for you.

Well okay, you shelled out $29.99 for a new shiny USB DSL modem. How many years should pass to at least have a ROI?


Half?

A device runs on electricity and performs a function. It consumes power at a rate of x.

You're telling me that a device that performs the same function will consume power at a rate of precisely x/2 simply by virtue of being plugged into USB?


How much power difference?


There are fiber PON/ONU/UT/$JARGON in shape of an SFP module, though most customers don't appreciate such offering and therefore it'll be an upsell.

As for why not USB specifically, probably because such a device is inherently much faster and responsive in upload to the Internet than downloads, and therefore it makes less sense.


Not USB, but there exist SFP DSL modems, like the Proscend 180-T.

They are pricey and difficult to come by, but with something like a Turris Omnia as a host, you _can_ have a single-device modem/router/WiFi AP.


> As an aside: Why can't DSL modems be a single USB dongle?

They definitely existed in the UK for a time and were often supplied by ISPs. IIRC they were only supported in Windows XP, and drivers were never provided for Vista.


I tried for years to do similar when I lived in Australia, though with a PCI/PCI-E card.

ZyXEL, if I remember correctly, did make an ADSL2+ PCI-E card at the time. Literally just a DSL modem wired to a Realtek 8139 NIC. You could slap it in a Linux (or BSD, or Windows) PC and just use PPPoE to connect to the internet.

Naturally it was impossible to order the damn thing and I never got to realize my dream of an "all-in-one" DSL Linux router.

After moving to DOCSIS (cable) internet I ran into the same confusing problem. "Thankfully" with fiber everything is just Ethernet (more or less) now. But it was an infuriating time in the 2010s.


How an entire article about rotary mixers fails to mention Rane or their legendary MP2016 mixer is wild.

It became one of the most commonly available rotary mixers, was the house mixer for many NYC clubs, and one of the mixers commonly found on tech riders of DJs who were the last to transition to CDJs.

Random bit of trivia: if you see old school photos or videos of rotary mixers in American clubs, sometimes it wasn't actually the Rane MP2016, but the Phazon SDX 3700: https://www.integralsound.com/sdx-3700-mixer It was the house mixer for Tunnel/Limelight.

