

buys you a little extra time to move to linux




this entire thread is about the STG petition, and thus about the theoretical possibility of how laws could change


mandatory minimum warranties are also not relatively minimal effort and yet we have laws that require those… most consumer protection standards aren’t minimal effort: that doesn’t mean we don’t make laws to ensure consumers get what they are expecting when they hand over money
why shouldn’t handing over source code to a game that’s being shut down (and apparently that nobody finds any value in since it wasn’t even bought in bankruptcy auction) be mandated as a last resort?


literally what STG is about


and the law is able to make license conditions illegal/unenforceable (like non-compete clauses in employment contracts)


usually in bankruptcy the game gets sold in order to help pay debts… whoever buys the game assumes the responsibility of contributing to run the online services, or provide options for others to… in the case that nobody buys the game (i’m not entirely sure what happens to the IP in that case) but it’s relatively minimal effort to release server source code or documentation OR even just remove the online parts that’s usually just for DRM which is now pretty irrelevant because you’re shutting it down anyway so why would anyone care if someone pirates it?!


not to mention whose recent valuations have basically been about selling their data to train models which will be used to make AI slop


Having a unique password per device is best practices.
yup that’s all i’m getting at… this vacuum has unprotected access to ADB, which another user likened to root access, and i just think that in circumstances that are root-like, even physical access shouldn’t grant unprotected root


they’re not going to go after the robot vacuum when the thermostat, tablets, computers, TV, router, access point, etc are right there.
… and all of those things should be equally protected
they’re going to go for the easiest thing to extract information or escalate
since they have root they can add a password themselves!
the most absurd thing is assuming that an end-user is going to add a root password to a serial interface
i’m not saying end users shouldn’t be able to gain root somehow, simply that it shouldn’t be wide open by default… there should be some process, perhaps involving a unique password per device


doesn’t mean it can’t do damage - like fox news


you’re on programming.dev so i assume you know that secrets is a generic term to cover things like your cloud account login (whatever form that may take - a password, token, api key, etc) for the robot vacuum service and you’re being intentionally obtuse
it’s a realistic attack scenario for some people - think celebrities etc, who might be being targeted… if someone knows what type of vacuum you have, it’s not “carefully take apart” - it’d take 30s, and then you have local network access which is an escalation that can lead to significantly more surveillance like security cameras, and devices with unsecured local access
just because it doesn’t apply to you doesn’t mean it doesn’t apply to anyone… unsecured or default password root access, even with physical access, is considered a security issue


yes and no… i agree with the sentiment, but with root you can extract wifi credentials and various other secrets… you shouldn’t be able to get these things even when you have physical access to the device… the root access itself isn’t the problem
you will never be upset with the hue ecosystem… they aren’t cheap, but they’re reliable as hell and have a lot more than just the lights if you ever want to go all in (eg the hue sync - for tv backlighting, light strips, most kinds of lighting fixture you can think of, etc)
oh and the quality of the light itself is top notch, which i think is super important


i think they need to use smaller words for themself because that is not the correct way to use that one


totally; and i think that’s very fair for the large majority of use-cases… most people don’t need different browser settings: they just need different local storage


profiles also allow different addons and addon configurations, default fonts, browser config, etc… it’s kinda like having a whole other user account or a whole other copy of the browser, rather than just cookie and storage isolation


which they handled about as well as you can: prompt and clear notification without trying to pass the buck
the potential of a data breach is just a fact of life with any SAAS product - bugs happen… and it’s exactly the SAAS part of the product that makes the invites/login/aggregation of servers so smooth


there are some admin endpoints that are authenticated using any local IP, but the method they use allows spoofing the IP so those endpoints become accessible essentially without authentication
there were some other issues to do with unauthenticated enumeration and playback of content i believe too


i’m not likely to wrangle installing and maintaining wireguard on my mum’s cheap smart tv
and if that’s the solution, as i said you get plex local playback so that’s free still anyway
not entirely true. if the file downloaded, windows does a bunch of “helpful” things with files… these are almost certainly benign (eg rendering thumbnails, getting metadata about certain file types) but almost anything is potentially exploitable (eg overflow in thumbnail generation code could lead to code execution just from browsing a website and then opening your downloads folder in explorer)
drive-by attacks don’t just affect the browser
with that said, it’d be a huge deal if this was the reality of the situation… it’s highly unlikely, but zero days exist, and the possibility is always real
i say this because this has been exploited in the past with exactly the same scenario: preview generation