That article has a more technical lens. It focuses primarily on the size and detection evasion methods of Kimwolf, rather than some notable (and definitely not unique) method of spreading.
Without looking too deeply, I'm going to assume that this is a successful botnet because it managed to get into product supply lines at big box stores and in app store games, rather than some clever virus that is spreading across the world.
Regular people don't need a "secure network". Phones and computers are, by default, secure against malicious networks.
Just don't run code you download from the internet or put your passwords to important accounts into cheap devices and you'll be fine. Normally people don't do the former, but sometimes do the latter.
edit: To be clear: the bitterness in this comment comes from how many developers assume loopback is secure. However, most websites are allowed to send requests to local ports on your computer (IIRC) so that assumption is basically completely false. This is forgivable, except in a world where every developer runs tons of extensions/scripts/open-source apps, and have next-to-zero blast-radius-reduction methods, it makes me sad.
Regular people download shit all the time though? Especially now with GPT, everyone is a programmer pasting code into command line. And how many people have IoT devices that they have to connect to WiFi? That’s total blind trust.
Every time I ask this question nobody is able to give me a solid answer :/
Based on the :/ emoticon, I now understand that you were asking this question for yourself. In that case, I will express anger at the article. I believe that it was vague and leaned into fear mongering. This explains the vagueness of your question (emphasis mine):
> I know this may seem trivial for many here but how can regular people easily check and debug their network for stuff like this?
"Stuff like this" is very vague.
- If there is a device on your network that is occasionally sending requests to the internet, then it generally isn't hurting you. That's why security is weak here, because the person buying the device is not harmed.
- If you're worried about the device sniffing your local network, then "normal people" are typically safe. Computers that you use are typically safe from malicious devices on the network, and you're in no more danger than working at a coffee shop, hotel, or university network.
- If you're knowledgeable enough to be a danger to yourself, and need the local network to be safe to protect yourself, then there is definitely a longer conversation to be had.
Responding point by point (before I realized that you were asking for yourself, and not the average person):
> Regular people download shit all the time though?
This is fair, though on macOS, most people download apps from the App Store (macOS makes it difficult to run apps downloaded from the internet and not signed by a registered developer).
> Especially now with GPT, everyone is a programmer pasting code into command line.
I am trying to reference a group of "regular people" who definitely do not fit this description---something like "the average citizen in the developed world". My parents definitely are not writing code with AI and pasting it into the command line. Although this was not crystal clear in this comment chain.
> And how many people have IoT devices that they have to connect to WiFi? That’s total blind trust.
My point was these devices do not endanger things that regular people care about. Their computers are still just as secure as when they visit a coffee shop or connect to their university wifi.
> Every time I ask this question nobody is able to give me a solid answer :/
Sure they can send requests but they can't receive them unless you've got misconfigured CORS. I guess there's DNS rebinding but like, idk, attack surface seems pretty small. This sort of stuff isn't really worth worrying about unless you're an idiot or likely to be the victim of a targeted attack. I happily run code off the internet all the time and it seems fine. If there's one thing that really seems like a mind virus it's the paranoia all security people get, I can't imagine living life like that. I'm ok getting pwned every few decades if the tradeoff is never worrying about this shit.
Maybe I've just gotten lucky?
(i will say putting a device not running open source software/firmware or something very locked down like a phone on your LAN is insanity, i could never)
When you run VS Code, it spins up a local language server that is capable of making code changes. That is how refactoring python works in many editors (including VS Code).
A website that you're browsing could potentially send requests to this server asking for code to be inserted that fully compromises your device. What keeps us safe?
- maybe the website is only allowed to send GET requests, not PUT requests, and maybe the language servers that you're using are all "hardened" so that they will never permit mutations via any get requests, and never have a misconfigured CORS header
- the website has to guess the correct port and the correct language server with a known vulnerability
- any website doing this on a large scale would likely get the language server patched and the website on a block list
- there might be other safeguards that I'm not familiar with. For example, I believe that Chrome disallows this by default
So now, here's my frustration: these two statements seem hugely at odds with each other:
> I'm ok getting pwned every few decades if the tradeoff is never worrying about this shit.
> (i will say putting a device not running open source software/firmware or something very locked down like a phone on your LAN is insanity, i could never)
I'm ok with a person who makes either statement. I'm also ok with a person who makes the first statement, and also wants their LAN locked down. However, I do not feel as though a LAN ever needs to be locked down unless a person is running a server on the LAN network. Personal devices (like laptops and phones) are plenty capable of resisting malicious networks by default (coffee shops, university wifi, etc). What else is on a LAN?
> mind virus it's the paranoia all security people get
I generally agree with you, but I feel as though I am the one who has accepted that personal laptops need to handle malicious networks, and I'm generally comfortable with that. I don't worry too much about putting IoT devices on the same network as my personal laptop, nor about connecting to coffee shop wifis.
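The safeguards listed in the comment above (method restrictions, CORS, DNS rebinding), seen from the side of a loopback service, as an added example that is not part of the thread. The port, the `X-Local-Token` header name and the sample requests are assumptions constructed for illustration.

```python
import hmac
import secrets

# Hypothetical values for this sketch: port, header name and token are assumptions.
PORT = 8765
ALLOWED_HOSTS = {f"127.0.0.1:{PORT}", f"localhost:{PORT}", f"[::1]:{PORT}"}
ALLOWED_ORIGINS = {f"http://127.0.0.1:{PORT}", f"http://localhost:{PORT}"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SESSION_TOKEN = secrets.token_urlsafe(32)  # given to the legitimate client out of band


def check_request(method, headers, token=SESSION_TOKEN):
    """Return (allowed, reason) for a request arriving on the loopback socket."""
    h = {k.lower(): v for k, v in headers.items()}

    # DNS rebinding: the browser connects to 127.0.0.1 but still sends the
    # rebound hostname in Host, so an exact-match allowlist rejects it.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "host not loopback"

    # Browsers set Origin on cross-origin fetch/XHR and on POST/PUT;
    # page script cannot override it.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "foreign origin"

    # State changes need a secret that a web page cannot read or guess.
    if method.upper() not in SAFE_METHODS:
        supplied = h.get("x-local-token", "")
        if not hmac.compare_digest(supplied.encode(), token.encode()):
            return False, "missing or bad token"

    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET", {"Host": "127.0.0.1:8765"}),
    ("POST", {"Host": "127.0.0.1:8765", "Origin": "https://site.example"}),
    ("GET", {"Host": "rebind.site.example:8765"}),
    ("PUT", {"Host": "localhost:8765", "X-Local-Token": SESSION_TOKEN}),
    ("PUT", {"Host": "localhost:8765"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        print(method, headers.get("Host"), check_request(method, headers))
```

The token check is what covers non-browser local processes and requests that carry no Origin header; the Host and Origin checks only address requests relayed through a browser.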
That's such a strange interpretation that disagrees with my intuition.
If the Yankees hit a practice ball out of their stadium and into my house, causing bodily harm to a loved one, I wouldn't be satisfied with any of the reasoning in your comment.
More generally, people are allowed to take on risk as per their own appetite, but legal liability allows risk-hungry individuals to be incentive-aligned with everyone else.
I don't actually find it a particularly strange interpretation.
Here's another lens:
I install cabinets in your kitchen. Your loved one trips, hits the cabinets, breaks their neck and dies.
Should I be liable in this case as well? I did a thing that was involved in harming your loved one... if the cabinet hadn't been there, they might not have died.
---
In both cases, it's pretty clear that there's no intent to harm your loved one. At best you're arguing that it was "foreseeable" that hitting a baseball might harm someone, and that it wasn't "foreseeable" that installing cabinets would harm someone.
But clearly that's ALSO wrong, because we know people have been hurt hitting cabinets before.
So clarify how you'd assign blame in this case, and why it's different from the baseball case?
Basically - your stance is that risk is always a decision someone has made, but I find that disagrees with my intuition. Risk is an inherent part of life.
(Notwithstanding that this is a joke) Maybe it's just me, but I read this as a solution that would be implemented internally at a large company to distribute pain/accountability/tech-debt across time to a team which might have high turnover. i.e., a way to align incentives by punishing teams with bombs (via their metrics) in their code, before the bomb actually detonates.
FYI “cope” is closer to “delusion used to help you cope with reality” rather than “superficial fix”
Also, I think that some strategies, such as “comfort asking a parent for help navigating a situation” are timeless defenses against strategies like blackmail. There are probably some street smarts that change and some that stay the same.
Why wouldn’t your eye lens focus LIDAR photons from the same source onto a small region of your retina in the same way that a phone camera lens focuses same-origin photons to a few pixels?
Sorry if this is a silly question, I honestly don’t have the greatest understanding of EM.
It's incredibly important to understand that eyes and glass have different optical properties at these wavelengths. It's hard to conceptualize because to us clear is clear, but that's only at visible light. The same way that x-rays and infrared and other spectra can show things human eyes can't see, or can't see things visible light can see, it's a 2 dimensional problem. The medium and the wavelength are both at play. So, when you have the eye which is known to absorb such light, and artificial optics which are known to pass it without much obstruction, they're going to behave like opposites. Imagine if the glass/plastic they used in the car blocked the light. Wouldn't really work.
There is a flip side to this though. Quick searches show that the safety of being absorbed and then dissipated by the water in the eye also makes that wavelength perform worse in rain and fog. I think a scarier concept is a laser that can penetrate through water (remember humans are mostly bags of salt water) which could, maybe, potentially, cause bad effects.
Depends on the wavelength of lidar. Near IR lidars (850 nm to 940 nm, like Ouster, Waymo, Hesai) will be focused to your retina whereas 1550 nm lidars (like Luminar, Seyond) will not be focused and have trouble penetrating water, but they are a lot more powerful so they instead heat up your cornea. To quote my other comment [1]:
> If you have many lidars around, the beams from each 905 nm lidar will be focused to a different spot on your retina, and you are no worse off than if there was a single lidar. But if there are many 1550 nm lidars around, their beams will have a cumulative effect at heating up your cornea, potentially exceeding the safety threshold.
Follow up question that you might know: would multiple LIDAR sensors actually be additive like that? If you can stand a foot away from a car's LIDAR sensor and be unharmed, then can't you have:
x^2 sensors at x feet from you and have the same total energy delivered? If sensors are actually safe to look at from 6in or 3in, then multiply the above table by 4 or 16.
It seems like, due to the inverse square law, the main issue is how close you can get your eye to a LIDAR sensor under normal operation, not how many sensors are scattered across the environment. The one exception I can think of is a car that puts multiple LIDAR arrays next to each other (within a foot or two). But maybe I'm misunderstanding something!
Do you know if there has been any work on how lasers affect other animals and insects?
Am I being catastrophically pessimistic to think that in addition to swatting insects as it moves forward, the car's lidar is blinding insects in a several hundred meter path?
I’m very optimistic about automated cars being better than most humans but wonder about side effects.
If we have automated anti-mosquito vehicles just roaming around, the world would be a better place. There might be some second order effects from removing mosquitoes that we haven't predicted, but fuck mosquitoes.
Unfortunately not all insects are mosquitoes, and one reason we have many fewer birds in (e.g.) the UK than when I was young, is the decline of insect life.
GP is slightly wrong. IIRC those problematic LIDARs are operating at higher power than traditionally allowed, with the justification that the wavelength being used is significantly less efficient at damaging human eyes, therefore it's safe enough at those powers, which is likely true enough. But it turned out that camera lenses are generally more transparent than our eyes and therefore the justification doesn't apply to them.
Amusingly the lenses are worse than silicon at transmitting that wavelength.
1550nm might be worse for sensors because a good portion of the light is only being dumped into the metal layers - pure silicon is mostly transparent to 1550nm. Not sure how doped silicon would work. I can tell you that 1070nm barely works on an IQ3 Achromatic back…
A point source in the visual field will create a point image on the retina. The "sensor area" you're referring to is what's necessary to capture the entire visual field simultaneously.
My understanding is that this non-reciprocity is why international law often feels so permissive of seemingly bad actions. It generally aims to forbid only strategies that are highly destructive and non-effective at winning wars. The idea is that such actions are not necessary in warfare in any circumstance, rather than a coordinated and mutual choice to leave effective strategies on the proverbial table.
This non-reciprocity is also why many such laws come with large conditional statements. For example, hospitals are typically illegal targets. However, you cannot label a military outpost a hospital as a loophole. There is a gray area in between, where the law is generally more permissive than a layperson might expect.
It is unclear if these laws accomplish this goal in all circumstances. A smaller, modern army attempting to hide might not be able to find non-civilian concealment (e.g., the jungle in the Vietnam war), and there is probably a conversation about the (unfortunate) effectiveness of inflicting civilian damage on an enemy's will to fight and economic output. However, the above is my best understanding of what international law sets out to do.
Disclaimer: I asked AI to evaluate the above comment before posting, and it made the following (paraphrased) criticisms that you might want to consider:
- The primary purpose of IHL (international humanitarian law) is to distinguish civilian from military, not to only ban what doesn't work. Hence, the banning of chemical weapons and landmines.
- The hospital example is better framed as a requirement to distinguish between a civilian hospital and a military target
- Non-reciprocity has the advantage of being simpler to obey (the legal analysis does not depend on the enemy's past actions)
I've heard that releasing these sorts of data sets helps competitors do market research, and thus mitigates "winner takes all" forces. NYC also tends to be fairly pro-public-datasets: https://data.cityofnewyork.us/browse?%3BsortBy=most_accessed...