yes tyre shops are often extremely busy with very long lines

You can’t get appointments at your tyre shops? I just book a slot in their agenda a few weeks before. Show up, put the car on the bridge, wait 15-20 minutes and I’m off.

with literally no other input needed

Wait, you just let them put on whatever they can get the highest margin on?!

There’s a vast difference between different tire types in terms of stopping distance, wet handling, wear, road noise, comfort, … When I walk into a tire place, you can bet I come prepared with a short list of tires that I’m willing to consider, and a pre-estimation of the price of those tires in my tire size.

Also, the tire size is literally just 3 numbers, and it’s literally there on the tire. Why wouldn’t you know that about your car?

Was thinking more paid remote services are almost always something that’d be better done locally.

But offsite storage is something that per definition can’t be done locally …

I’m not really interested in remote services out side of that - they kinda sounds like a scam

I don’t think they’re a scam. They’re just more honest: you use x amount of storage, you pay for x amount of storage and you can do with it as you like.

It’s not presented as “free” where you actually pay with your data, a dependency on the service and hidden content restrictions.

That clarification of yours is massively important

I think my mistake was assuming I was on a security related community, where this would be understood, instead of PC masterrace.

Your initial comment sounds as if there is a PoC from Canada on how to circumvent the PIN for the Bitlocker keys.

It’s a meme joke, referencing this: https://knowyourmeme.com/memes/she-goes-to-another-school

the only way they could put microSLOP at fault for that would be if they could find that microSLOP was backing up encryption keys in the recovery environment / boot files somewhere

Seems unlikely. The WRE is like 32MiB in size, and most of that consists of static binaries. Not much info is saved there, except for some log files. If the bitlocker keys were there, they would have already been found by someone else.

I mean, you’re not wrong but the problem is that the online storage that you (and most people) think of as “your storage”, is not “your storage” in the same sense as those cabinets and shelves are yours. You’re really just borrowing the storage, and have given the actual owner the right to freely snoop through it and kick you out for anything they find they don’t like.

The only storage that’s actually yours is the one on your computer. That you own. In your house.

Encrypting something with your own key before you upload it is a solution for backups, but you do lose the convenience factor of cloud storage. If you are only using Google Drive for backup, that could work.

The alternative is to use a service with built-in end-to-end encryption.

How was it lost?

Because you put it in the hands of a third party who is not accountable to you, and gave them full control over it. Whether they exercise that control via AI or a human is rather irrelevant here. There are plenty of documented cases of people losing their account in pre-AI times due to human moderation.

Second thing is, No, TPM+PIN does not help, the issue is still exploitable regardless, I asked myself this question, can it still work in a TPM+PIN environment ? Yes it does, I’m just not publishing the PoC, I think what’s out there is already bad enough.

The PoC for that goes to another school, in Canada.

Edit:

Downvoters don’t understand the nature of this exploit.

Without PIN, the windows recovery software has full access to the encryption keys in the pre-boot environment. So to crack bitlocker in this case, a hacker only needs to find a bug in the WRE to get at the keys. => That’s the Yellowkey exploit.

With a PIN, no Windows or Microsoft program has access to the bitlocker encryption keys until the PIN is provided, and it can’t be brute forced because the TPM protects against that. To exploit that, would require a attack on the TPM hardware itself, which would be absolutely massive if he could pull this off through software only and of a completely different nature than the Yellowkey exploit. It also wouldn’t have anything to do with Microsoft software, because it wouldn’t be in the loop for this.

To use an analogy: Yellowkey is like beating a bank employee (the WRE) who knows the combination to the safe with a wrench until he gives you the combination. In an attack with a PIN, the bank employee doesn’t know the combination himself, so you can beat him with a wrench as much as you like, he’s not going to give you anything useful.

Extraordinary claims require extraordinary evidence, and he has provided none. Furthermore, he has a bone to pick with Microsoft over a denied bug bounty, so he clearly has a motif to undermine trust in Microsoft products like bitlocker. All this, and knowing the typical hacker personality, leads me to believe that this is pure bluff. If he had something, he would show it.

that AI is to be boycotted

I don’t think the AI part is the relevant bit here.

I think the message should be that trusting your data to off-site storage where it is subject to third-party moderation should be boycotted. So boycott Google Drive, One Drive, icloud and keep your data on your own computers.

Especially since memory training on DDR5 can take upwards of a minute.

Just FYI: most bioses have a setting to save the memory training, so it doesn’t have to be re-done each boot. On an Asus board it’s called “Memory Context Restore”.

You don’t need Iran to prove that. Women’s rights have already been rolled back in the US, it’s a mistake to assume it will stop here.

In many cases there’s no extra wear

You can’t change physics. More HP = more torque = more wear on the whole drive train. Also more boost = more stress on the turbo = it will fail sooner.

Also, back then, cars with the higher specced variant of the “same” engine almost always had mechanical upgrades compared to the lower specced engine: usually bigger brakes, a stronger clutch, and various other drive train components.

So while in many cases you could chip your car without much immediate harm, you were definitely cutting into various safety margins determined by automotive engineers who know much better than you and me.

Guys this content was by boomers for boomers

Tom’s Hardware sold out looong ago, sold in 2007 to some faceless consortium. The original “Tom”, Thomas Pabst, who is GenX and not a boomer btw, has had nothing to do with the site since.

The editor of this article looks to be a millennial btw.

DNS does nothing for youtube.

I think the problem stems from how LLMs are marketed to, and perceived by the public. They are not marketed as: this is a specific application of this-or-that AI or ML technology. They are marketed as “WE HAVE AI NOW!”, and the general public who is not familiar with AI/ML technologies equates this to AGI, because that’s what they know from the movies. The promotional imagery that some of these companies put out, with humanoid robots that look like they came straight out of Ex Machina doesn’t help either.

And sure enough, upon first contact, an LLM looks like a duck and quacks like a duck … so people assume it is a duck, but they don’t realize that it’s a cardboard model of a duck with a taperecorder inside that plays back quacking sounds.

LLMs are decent with coding tasks if you know what you’re doing

Only if the thing you are trying to do is commonly used and well documented, but in that case you could just read the documentation instead and learn a thing yourself, right?

The other day I tried to get some instructions on how to do something specific in a rather obscure and rather opaquely documented cli tool that I need for work. I couldn’t quite make sense of the documentation, and I found the program’s behavior a bit erratic, so that’s why I turned to AI. It cheerfully and confidently told me (I’m paraphrasing): oh to do “this specific thing” you have to use the --something-specific switch, and then it gave some command line examples using that switch that looked like they made complete sense.

So I thought: oh, did I overlook that switch? Could it be that easy? So I looked in the documentation and sure enough… the AI had been bullshitting me and that switch didn’t exist.

Then there was the time when I asked it to generate an ARM template (again, poorly documented bullshit) to create some service in Azure with some specific parameters. It gave me something that looked like an ARM template, but sure as hell wasn’t a valid one. This one wasn’t completely useless though, at least I was able to cross reference with an existing template and with some trial-and-error, I was able to copy over some of the elements that I needed.

That’s another option, but it’s a bit more cumbersome having to cherrypick which exact backports you need for your specific hardware. Also, if you then for some reason don’t upgrade to the next stable release when it comes out, backports get abandoned after 1 year instead of the customary 3 years for the rest of the oldstable release.

From my experience, running trixie/testing the past year or so on a minipc with hardware that was a bit too recent for bookworm, I can say that the cadence of security patches has been about the same between bookworm and testing.

And let’s be honest, on a desktop system your main attack surface is going to be the software you go online with, i.e. the browser. So if you make sure that is kept up to date (flatpak, vendor repo, …) that already goes a long way.

the ctrl-super-alt is completely different

It’s not “completely different” … and that’s the problem. Completely different I can handle. I can manage knowing vim keybindings, readline keybindings and standard windows keybindings at the same time. What I can’t handle is: having to use command + C on one Mac and control + C on Windows to copy, but then in some cases you do use “control” on both OS-es, and sometimes control and alt are switched … It’s because they are similar but different that it’s such a mess trying to get proficient in both at the same time.

Eh. Windows has its share of annoyances, but once I have set it up to my liking my desktop workflow is very similar to my KDE setup, and WSL + Windows Terminal gives me a functional Linux shell environment.

And at least on Windows I don’t have to deal with cmd/control/alt switcharoo messing up my muscle memory.