Hacker News new | past | comments | ask | show | jobs | submit | jonathanstrange's comments login

That's nothing. You used to be able to grep any user's FileVault password from the page file for many years. It was a simple one-liner and worked 100% of the time.

Damn, that's honestly hilarious.

TBH this is still possible in some scenarios, mostly when someone isn't using data protection and manually unlocked a local Keychain. It's pretty much the same as dumping LSASS memory on Windows when IOMMU isn't used, and in some cases even when IOMMU is used.

> manually unlocked a local Keychain

Does the Keychain stay unlocked for a while? And do people actually do this?


Yeah so it really depends on the local setup. Here's a wall of text if you're interested:

Say you do software development with a platform engineering and cloud flavour on top, you might be using aws-vault to keep access keys and SSO session keys in a dedicated keychain rather than in plaintext in ~/.aws/. That keychain has an ACL that only allows aws-vault to access it, and has a self-lock timeout of a few minutes. This is great, because it is pretty secure, there is nothing to 'steal' (even from an unlocked machine) and it's still extremely convenient.

However. Say you do this with an external non-TouchID keyboard, when the STS timeout expires and you need to re-authenticate, you also need to unlock the keychain for a few seconds so aws-vault can either read out the SSO session tokens or the static secret for non-SSO usage, and it has to write back the new STS session.

During that window, the keychain unlock from such a keyboard means manual password entry, which in turn means that has to be in memory for a bit. Because a legacy keychain doesn't use data protection (but if you create a new one you do have that option) it's essentially just an AES encrypted file on disk. Because humans aren't likely to remember an AES key, it's derived and wrapped so you have some KDF that uses a user-selected password, which has to be in memory for a bit while the key is unwrapped/derived. The AES key itself has to stay in memory the entire duration of the unlocked state of the keychain, because without the AES key it can't read or write secrets.

Technically, the same happens to encrypted disk images (the AES ones at least, other types I'm not 100% sure). The DEK has to stay in memory while it is in use. It's why Apple started using systems like cryptexes and SSVs so the container disk is almost irrelevant from an integrity point of view. Before that, encrypted disks were an all-or-nothing approach.


Oh fascinating. And it seems I had my terms confused. I didn't know the items themselves were called keychains.

Yeah, it's a bit overloaded. There are keychains (.keychain files) and keychain items (secrets inside of them). The keychains are visible in the Keychain Access app, but also available in the 'security' command line. And then there are modern keychains, those are more like SQLite databases and those can have anything from SQLCrypt type of management to Secure Enclave DEKs.

Security is pretty difficult to get right, so many tradeoffs as well.


It seems I was not confused then? The secrets are the "keychain items". I got really mixed up there.

I mean, you should really just assume that physical access = owned.

> grep any user's FileVault password from the page file

I'm not sure if this necessitates physical access.


A FileVault password is useless unless you have root/physical access. If it's mounted by the system, then filesystem ACLs will still be in effect. Otherwise you need root to read raw block devices.

Copyright covers the prompt, it's not even clear why it should be relevant for the output of the AI software based on that prompt.

That's like saying copyright covers the mouse clicks and mouse movements in Photoshop but not the output pixels.

You might find that strange and disagree with it with a flawed analogy but I've merely reported the official stance of the US Copyright Office and legal precedents. See, for instance, this overview with further references:

https://www.sidley.com/en/insights/newsupdates/2025/02/us-co...

"Prompts Are Generally Insufficient to Make AI Output Copyrightable"

If you don't trust this summary, read the US Copyright Office report for yourself. The gist of the position is that prompts are not specific enough and do not lead to deterministic output.

On a side note, I find it weird that even on HN people automatically assume you're only expressing a personal opinion, yet in all fairness I should have included some references from the start.


The solution is to geoblock the UK, prohibit sales to UK citizens, and strictly forbid any use of your software by UK citizens anywhere in the world.

Seen instances on Lemmy deal with it like this because they feel it’s too difficult to comply even if they could understand what compliance looks like. Total UK user bans.

as a way to coerce the UK government into changing course or are you suggesting it as some sort of punishment... i don't quite get what you mean by "solution"

Presumably to comply with the law in an expedient fashion.

Sometimes, when the law, your code of ethics and/or the license(s) you are operating under conflict, your best/only option under those given circumstances might be to not operate at all.


In my case it is to prevent UK lawsuits or at least being able to show in court that everything was done to comply with UK laws. The products I'm working on use end-to-end encryption and I cannot afford to remove that feature just because one country doesn't allow it.

I would love to offer them to UK citizens, of course.


Lots of US sites geo-blocked EU countries as we were not their main audience and it saved them the effort of complying with GDPR.

IANAL but I thought bait and switch is illegal? It definitely is in the EU. Is it not in the US?

It is illegal, but suing is too costly.

[flagged]


It effectively died a long time before that.

I have no idea what you mean. The executive branch didn't routinely ignore court orders and disregard the constraints set out in the Constitution before that date. The government broke laws, but it was a scandal when it did and people -- the perpetrators, not random civil servants doing the jobs they were hired to do -- got fired for it and sometimes jailed. Now it's just another day that ends in y.

In theory Biden could have taken the SCOTUS grant of immunity to disregard the Constitution as Musk and Trump are doing, but he didn't. Trump's taking power was a step change.

We still have laws, but the executive branch under Musk/Trump regards them as mere words on a page. They bind others, not them.


That's why I choose my antivirus software based on the jurisdiction, not on technical comparisons.


Don't visit the US.


The USA are basically a hostile nation from now on. Maybe for Russians it's safe.


Russian oligarchs are explicitly welcome under the planned new "Gold Card" program.

https://www.reuters.com/world/us/trump-end-eb-5-immigrant-in...


In my opinion, Ukraine should be supported as long as they are willing and able to fight, allowing whatever strategies and tactics they consider necessary.

That's because I believe there is a moral and (geo-)political duty to support Ukraine, also in order to make future territorial wars less likely, and Ukraine is a sovereign country with democratically elected leaders and parliament.


Fully agree. Ukraine should be given the means to defend itself on equal footing. No nation, regardless of size or power, should operate under the assumption that it can violate another country's sovereignty without consequences.


That's always easier said than done though.

NATO must always act as a cohesive unit so any direct confrontation significantly increases the risks.

Western countries including my own have demilitarized heavily since the 1990s + rebuilt armies for counter-terrorism, so sending more weapons to a land war isn't straightforward at all (as we've seen).

Western power is mostly centered around air and sea power and you can't easily transfer that to a 3rd party...especially three years late.

If neither Biden nor now Trump is going to promise mass Tomahawks and IFVs galore then all we're left with is perpetuating a stalemate, not recovering sovereign land nor sufficiently punishing Russia. A couple more Storm Shadows and Leopard tanks from dwindling supplies aren't going to cut it.


> NATO must always act as a cohesive unit

In order to do that they need to have a defined leader, not twenty-some people each one pursuing their own interests.

Who would that leader be? Certainly you don’t want Trump because in that case things would hardly be any different


> In order to do that they need to have a defined leader, not twenty some people each one pursuing their own interests

I mean on paper that's not really true. The US or whichever leader can't tell Poland to send troops, warships, or pilots into Ukraine because if Russia then sends a cruise missile into Warsaw it violates the NATO treaty which would require them all to react. There's no minor conflict exception, it moves as a unit. So the only option on the table is full NATO vs Russia, or status quo proxy war where weapons are funneled through it.

For Europe to properly defend Ukraine's sovereignty on their own they would have to break NATO commitments. Because I don't see continued supply of weapons from their small pool as sufficient to make a big difference... only to extend the war for a few more years, after which a very similar DMZ will be established.

To fight this war you need real military power: on the ground logistics, protected supply lines, large troop reserves to support offensive operations, etc. Weapons only get you so far.


I think the heart of the matter that I haven’t seen discussed yet is: Who’s going to pay for it? The current administration is cutting expenses across the board. There’s a lot of talk about the deficit and defense spending. I don’t see much appetite in the US to keep sending blank checks to Ukraine. Hence, the minerals deal: this was to recoup costs.

Of course, it would be great if defending democracy was free. However, with politicians already talking about cutting Medicaid spending, it was only a matter of time until defense spending came under scrutiny.


Sending money to Ukraine saves US money. The equipment that Russia is losing means the US does not need to maintain as much military as before and for the cost of 90B US can permanently save maybe 30% of its mil budget going forward, especially if Russia clearly loses. One more year of support to Ukraine would destroy most of ground Russian equipment and set it back for years.


China?


If Ukraine falls (which I doubt will happen soon fwiw, but what do I know), Moldova and the Baltic countries are in big trouble.


Zelensky said as much during the meeting. Trump shrugged it off.


Not just shrugged it off, took it as a personal affront and scolded Zelenskyy for it, like an illiterate coward.


If we apply this reasoning universally, should any sovereign nation engaged in war receive indefinite support as long as they are willing to fight?

Historical cases, such as the U.S. in Vietnam or the Soviet Union in Afghanistan, suggest that prolonged external backing can lead to drawn-out conflicts with high costs and unintended consequences.

Is there a point at which the costs (economic, political, or humanitarian) of indefinite support outweigh the intended benefits? How do you think such a threshold should be determined?

I think one should _at least_ consider alternative pathways to achieve a resolution.


To me it’s fair to say that while the moral duty might fall equally among NATO nations, the geopolitical one leans heavily towards Europe.

Does this imply European nations should be contributing to the war effort more than the US? Does this shift match what the current situation leads to?


> Does this imply European nations should be contributing to the war effort more than the US?

They are contributing more than the US.[1]

[1]: https://www.youtube.com/watch?v=w0B4eE8q2ug


A quarter of Ukraine's population has left.


That is the current path (at least until today's meeting).

Maybe we get lucky and Putin dies or is deposed (and the successor is less hard-line). That's a lot of rolls that have to come down the right way.

More likely, Ukraine continues to bleed men until they can't defend Kyiv, then Russia takes all of Ukraine anyway except you've lost a lot of soldiers and weapons.

No matter what EU leaders say, I think they are beginning to realize that Ukraine will not win this war and time is not on their side. The EU may or may not continue to support Ukraine with weapons, but it will be half-hearted at best.

The EU will pressure Ukraine to freeze the conflict, but without any hard guarantees. In a few years, Russia will then begin the attack again and probably take Kyiv then.

I hope I'm wrong.


It will be near-impossible to end this conflict with all of Ukrainian territory in Ukrainian hands while Putin is still in power. It would be a massive loss of face and power for Putin and he'll do anything to prevent it.

A successor (even a dictator and/or hard-liner) has a lot more manoeuvring space here, at least initially, because he can just blame it all on Putin.

Remember this all started with "we'll conquer all of Ukraine real quick, back in a jiffy". Putin pivoted to "no, we just wanted the eastern provinces" but everyone knew that was complete bollocks. The entire war is already a massive loss of face for Putin.


'Support Ukraine' to an undefined end state is not a strategy. This is what Biden did and what the Europeans are still doing.


Yes. I see this as a battle against authoritarianism, which is always worth fighting.


For Americans, this is also a battle we need to fight at home.


[flagged]


It's not warmongering to allow a country that has been invaded to determine how and how long they defend their country and which approaches they take towards peace.

Is it possible that you haven't been raised in a free democratic country? That would explain your patronizing attitude towards elected governments and other countries. Otherwise, I don't know what to say. It's really about sovereignty.

On a side note, it is never a good idea to allow your judgments to get clouded by anecdotal "evidence", let alone videos on social media. Use statistical data instead.


[flagged]


I merely have an intact and uncorrupted sense of justice. I believe that any country illegally attacked by another country should be helped and the people of that country (if it is democratic) should decide on their own how to defend themselves.


I don't know. People used to say during the Cold War that deterrence works. If it doesn't work, a nuclear war is unavoidable anyway.


Zelensky did nothing wrong.


The USSR never acted even half as hostile as Russia is acting towards the whole world, including the US and UK right now. Maybe you're not aware of that but Russian state TV routinely discusses the nuclear annihilation of the UK and the US, not just that of Europe. Current rhetoric from the Kremlin is way more hostile than it ever was during the Cold War.

You better put a stop to that by showing strength. Unless you want to ignore history, that is.


The claim you're making is ludicrous. We don't show strength by giving away all of our resources on pointless conflicts that don't involve us. Even if the USSR was as nice as you pretend, Ukraine was also part of the USSR, and is being just as hostile to American interests.


Then your government needs to shut up instead of undermining the efforts of the rest of the free world to save Ukraine.

However, it is worth noting that from a geopolitical perspective you're the one who is ludicrous.


That's literally what we're doing. Zelensky came to beg for more money, and we're shutting up. I don't really care if Europeans want to go die pointlessly on the frontlines for some reason.


No, unfortunately you're not shutting up. Your government is currently pursuing a crazy pro-Russia agenda.


Oh, that’s nice. Tell me what country was the only one who invoked Article 5 of the NATO treaty? And which countries helped them? And now the situation has reversed, what does that country do?


"Ukraine was also part of the USSR, and is being just as hostile to American interests."

What does that even mean ... ?

The former Soviet Bloc was under the yoke of the central committee in Moscow. The people involved had no say in the politics of the central committee, they were coerced. But once its power failed, the newly free countries mostly turned their backs on Russia in a hurry. Only Belarus stayed in the orbit.

Contemporary Ukraine (or Lithuania, or Georgia) is not hostile to the US in any meaningful sense.


    giving away all of our resources
You think $100-$200bn is "all of our resources?" I realize you're not being literal, but it's more like "less than 1% of our resources."

https://usafacts.org/articles/how-much-does-the-us-spend-on-...

https://www.bbc.com/news/articles/crew8y7pwd5o

Reliable estimates put our total spend (over 3+ years) as $120-$180bn.

The annual US military budget is $820bn (13% of the total government budget), or more like $2.4 trillion during that timespan.

But even that purported $100-$200bn spend perhaps overstates the cost. Some was cash, some was equipment. The equipment sent their way was already bought and paid for. Much of it was later in its lifespan. And the US military obviously buys American whenever feasible, so money spent replacing that equipment stays in America. So the amount of money "spent" by America on this venture is highly debatable, with the real number being lower than those $100-$200bn totals.

    We don't show strength by blah blah blah
Really? Because Russia looked weak as hell there, unable to conquer a small country that is using a fraction of our old stuff (and a hell of a lot of heart and ingenuity) that was gathering dust in warehouses. It certainly made it clear that in conventional warfare the distance between our two countries is rather vast.

    pointless conflicts that don't involve us
I mean, people definitely said that when Germany invaded Poland. We shouldn't get involved in every conflict but we also should not ignore every conflict.

I don't think Russia is trying to conquer Europe, but they are the single largest power and they have proven to be a highly destabilizing force.


We're not giving away all our resources lmao. Support for Ukraine is a relatively small part of our budget and GDP. In return for this we get to significantly weaken and discourage our enemies. For every dollar that we pour in, Russia is losing many more. Iran and China's imperialist ambitions are crushed. And none of our people even needed to die for it. You're either a fool or an enemy if you don't see why we should support Ukraine.


    For every dollar that we pour in, Russia is losing many more
It also can't be stated enough when dollar amounts are talked about...

Much of the value sent to Ukraine was equipment that was already purchased and was warehoused. In a sense, that cost us nothing. Some of that equipment was already slated for replacement. The equipment that will need to be repurchased is primarily purchased from American companies.

So it burns me up when people talk about how we sent $XYZ billion dollars of aid to Ukraine without understanding that the real cost to America was far far far less.

