While I agree with your point about understanding, I think there's also an issue of self-image. "What? Me? Influenced by some ad? Get outta here! I make my own decisions!"
I'm firmly in the camp of "I'm not influenced by ads (or so I think)" / "not convinced that ads are actually a net positive". But even so, I don't fully agree with your take.
I think that it's very possible to think we aren't influenced, yet still be. My reasoning is that basically no one admits to being influenced. Yet you can definitely see the effects of ads on people: whenever there's a strong campaign for something, little after you'll see everyone buying it. Maybe they just try to "follow trends" or whatever, but that's just a form of advertising, isn't it? I only very rarely watch TV and have ad blockers everywhere, yet I can still detect when all of a sudden everybody has the same bag or same jacket or whatever. My bags last years and years. I doubt it's simply a coincidence and they all needed new bags right at the same time.
> Ads are extremely overblown as a threat to society; you only need to look as far as eye-tracking studies of web browsers and the prevalence of ad blockers to see pretty good proof that people do just ignore them most of the time.
I think that many people don't know about ad-blockers and try to ignore the ads while reading a website or scrolling some app. But that doesn't imply they aren't influenced. In my case, I'm fairly convinced that I'm not influenced by my instagram's feed's ads, since they try to sell me pregnant women's garments, of which I have 0 use as a single, childless male. But there can be other factors of which I don't have conscience, like seeing people use the same brand camera or whatever. Call it advertising-by-proxy.
However, take a look at people's screens when taking the metro or whatever. Many do watch the ads instead of just scrolling past. This is what I actually have a hard time understanding: people would spend a comparable amount of time on what looks like ads and what looks like their friends' stuff, as if it was the same thing. Which, granted, isn't a very long time. In my case, I only follow photographers and would spend a fair amount of time on people's pictures but scroll right through anything that looks like an ad (text or video of any kind).
What's wrong with those? I don't have a single screen which does 120 Hz + HDR, but I'm typing this on a 120 Hz laptop, with variable refresh rate, at 125% scaling, and everything works great with Plasma (haven't tried anything else). I also have an external HDR screen, but it only does 60 Hz. It works great, too, doing HDR on it but not on the laptop screen (running at the same time, of course). They also run at different scaling (125% and 100%).
Now I don't know how to confirm that VRR is actually doing anything, but I can tell there's a difference between setting the monitor to 60 and to 120 Hz. HDR on the other screen also produces a clear difference.
This is all running from integrated intel graphics, maybe with other GPUs it's more of a crapshoot, no idea.
I admit I love the mbp hardware, but I can't stand macos anymore. So when my work computer was up for replacement, I didn't think twice and went with a PC, the latest thinkpad p14s. Everything works out of the box on Linux.
Is it as nice as a mac? No, especially the plastic case doesn't feel as nice under the hands as a mac's aluminum, the touchpad is quite good but worse than a mac's, and there are some gaps around the display hinge. But the display itself is quite nice (similar resolution, oled, although not as bright as a mac's), it's silent and it's plenty fast for what I do. I didn't pay for it, so I don't directly care about this point in this situation, but it also cost around half of what an equivalent mbp would have cost.
I also haven't tried the battery life yet, but it should hold at least as well as my 5-yo hp elitebook, which still held for around 5 hours last year. I basically never use it for more than an hour unplugged, so battery life is low on my priorities.
I'm fine with homebrew not supporting whatever versions they choose.
I think GP's issue is forcing the use of homebrew for what seems like a rather trivial install. Just make the binary easily downloadable. It's not like you can't open the curled script to see what it fetches and do it yourself. It's just that having to jump through this useless hoop is annoying.
My mac is running the latest version of Tahoe but I never liked homebrew. You can bet I won't install it just for one app.
Homebrew really helps when you want to install more than one app... And you want to keep them updated... And you want to easily delete some of them at some point.
Managing the install lifecycle with one set of commands for multiple apps is why I love Homebrew
If you don't trust the http client to not do something stupid, this all applies for https, too. Plus, they can also bork on the ssl verification phase, or skip it altogether.
TLS stacks are generally significantly harder targets than HTTP ones. It's absolutely possible to use one incorrectly, but then we should also count all the ways you can misuse a HTTP, there are a lot more of those.
This statement makes no sense, TLS is a complicated protocol with implementations having had massive fun and quite public security issues, while HTTPS means you have both and need to deal with a TLS server feeding you malicious HTTP responses.
Having to harden two protocol implementations, vs. hardening just one of those.
(Having set up letsencrypt to get a valid certificate does not mean that the server is not malicious.)
TLS may be complicated for some people. But unlike HTTP, it has even formally proven correct implementations. You can't say the same about HTTP, PGP and Apt.
> Having to harden two protocol implementations, vs. hardening just one of those.
We're speaking of a MITM here. In that case no, you don't have to harden both. (Even if you did have to, ain't nobody taking on OpenSSL before all the rest, it's not worth the effort.)
I find it kind-of weird that you can't understand that if all a MITM can tamper with is the TLS then it's irrefutably a significantly smaller surface than HTTP+PGP+Apt.
1. When it comes to injecting invalid packets to break a parser, you can MITM TLS without problem. This is identical to the types of attack you claimed were relevant to HTTP-only, feeding invalid data that would be rejected by authentication of the signature.
2. Any server owning a domain name can have a valid TLS certificate, creating "trusted" connections, no MITM necessary. Any server in your existing mirrorlist can go rogue, any website you randomly visit might be evil. They can send you both signed but evil TLS packets, and malicious HTTP payloads.
3. Even if the server is good, it's feeding you externally obtained data that too could be evil.
There is no threat model here where you do not rely 100% on the validity of the HTTP stack and file signature checking. TLS only adds another attack surface, by running more exploitable code on your machine, without taking away any vulnerabilities in what it protects.
No, you want to move goalposts, but we're not speaking of some arbitrary "total attack surface". The article itself is also about a potential MITM. Then you list three cherry-picked cases, none of which actually touch upon the concerns that a plaintext connection introduces or exposes. Please stop, it's silly.
There is fundamentally no reasonable threat model where a plaintext connection (involving all these previously listed protocols) is safer against a MITM than an encrypted and authenticated one.
You don't call it "cherry-picking" when a person lists fundamental flaws in your argument.
Constantly ignoring all the flaws outlined and just reiterating your initial opinion with no basis whatsoever is at best ignorance, at worst trolling.
HTTP with signed packages is by definition a protocol with authenticated payloads, and encryption exclusively provides privacy. And no, we're not singling out the least likely attack vector for the convenience of your argument - we're looking at the whole stack.
I do call it cherry-picking because you chose scenarios that either apply to it also without TLS or the scenarios are just (intentionally) extremely narrow in scope.
You have repeatedly ignored that we're speaking about protections against a MITM, not malicious endpoints. Because of that your desperate attempt at talking about the "whole stack" talk is also nonsense. Even if you include it, a modern TLS stack is a very difficult target. The additional surface added that hasn't been inspected with a fine-toothed comb is microscopic.
As such you've excluded the core of the problem - how an unprotected connection means that you have to simultaneously ensure that your HTTP, PGP and Apt code has to be bulletproof. This is an unavoidable result, signatures or no signatures, all that surface is exposed.
You've provided no proof or proper arguments that all three of those can achieve the same level of protection against a MITM. You've not addressed how the minuscule surface added by the TLS stack is not worth it considering the enormous surface of HTTP+PGP+Apt that gets protected against a MITM.
TLS also provides more than just privacy, I recommend you familiarize yourself with the Wikipedia page of TLS.
> It could also be that factors surrounding the culture of construction workers (lots of alcohol to wind down) are huge contributing factors in and of themselves.
Terrible food, too. I'm not in construction but I do have to tour worksites for my job somewhat regularly, and pretty much everybody is eating some combination of greasy kebabs and mcdonald's.
I like me a juicy kebab as much as the next guy, but eating just that for days on end can't be good for you.
Now they're certainly more active than a keyboard warrior like yours truly, but there seems to be a consensus around not being able to outrun / out-train a bad diet.
> which puts the RAM sticks in the smack middle of the airflow
They're usually perpendicular to the air flow. Bonus points for there being a beefy ATX connector in front.
So maybe the first stick gets some air, but all the others are hidden behind it and don't get much. I think that's the theory why many heatsinks on ricing sticks tend to have a comb design.
Just get the logitech competition. I've had multiple G series mice, they all have on-board memory. I have a cooler master which behaves the same.
You can program them from a VM, then toss that away and the mouse remembers its settings, even multiple "profiles". You don't have to put up with electron slop-ware or whatever the crap dev platform du jour is. They just work.
Maybe. But then again, as someone who dual boots, I see one of the OS crashing and giving an all-round worse experience than the other, on the same exact hardware, while the other just chugs along.
Now, I'm not someone good at maths or physics, so maybe, somehow, it's actually more likely than not that the worse OS gets to run when there's worse solar activity going on or whatever else has an effect on my hardware, which also doesn't seem to affect memtest for some reason.
It could easily be flakey hardware and different drivers. Not necessarily better or worse, but one driver causes the hardware to occasionally fail in exciting ways, like DMA to the wrong address if just the right access patterns happen.
If you've got an IO-MMU and everything aligns properly, devices can't DMA to the wrong place anymore, which might make it easier to track things down.