
varenc
Joined 6,384 karma
MIT '09, YC S09, Dropbox '11-'16, Lingt



  1. Spotify is $12/month at most to get unlimited ad-free access to virtually all music.

    To get access to "all" TV content legally would be hundreds of dollars a month. And for many movies you must buy/rent each individually. And legal TV and movies are much more encumbered by DRM and lock-in, limiting the way you can view them. (like many streaming apps removing AirPlay support, or limiting you to 720p in some browsers)

    I think Spotify wins over pirating because of its relatively low cost and convenience. Pirating TV/movies has increased as the cost to access them has.

  2. Yeah, when it's DoH or DoT I don't think you can re-route the DNS request in flight. (where the device thinks it's talking to 8.8.8.8 but it's not).

    You can block access to other resolvers though which usually works.

    Eventually devices might just start using hardcoded IPs...

  3. I've explored that! Couldn't figure it out but it certainly sounds possible. An even easier solution is just to block all DNS resolvers except your chosen one. When 8.8.8.8 doesn't work, Google devices will fall back to the DHCP-assigned resolver (usually your gateway).
  4. Also the XSS exploit would have been dead in the water for any sites using CSP headers. Coinbase certainly uses CSP. With this in place an XSS vuln can't inject arbitrary JS.
  5. This is a great example of why a Content-Security-Policy (CSP Header) should be considered mandatory for high risk sites. With it you can effectively tell the browser what JS is allowed to run, meaning that any JS injected via XSS won't work.

    I suspect Coinbase and others already use CSP.

    https://en.wikipedia.org/wiki/Content_Security_Policy
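As an added example (not from the comment, and not Coinbase's or any real site's policy), a small Python checker that reads a Content-Security-Policy header value and reports whether it would stop script injected via XSS from executing; the policies in the test are constructed, and the check covers the common weaknesses (no script restriction at all, 'unsafe-inline' without a nonce or hash, scheme or wildcard sources) rather than every CSP subtlety.

```python
import re

# Source expressions that let an attacker-hosted script load regardless of origin.
_WILDCARD_SOURCES = {"*", "data:", "http:", "https:"}


def parse_csp(policy):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # Browsers keep the first occurrence of a duplicated directive.
        directives.setdefault(name, tokens[1:])
    return directives


def script_injection_blocked(policy):
    """Return (True, reason) if the policy stops injected <script> from running,
    else (False, reason) naming the weakness that lets it run."""
    directives = parse_csp(policy)
    # script-src governs scripts; without it, default-src is the fallback.
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False, "no script-src or default-src: scripts are unrestricted"
    lowered = [s.lower() for s in sources]
    # Per CSP Level 2+, 'unsafe-inline' is ignored when a nonce or hash is present.
    has_nonce_or_hash = any(
        re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in lowered
    )
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return False, "'unsafe-inline' lets injected inline scripts run"
    for wildcard in _WILDCARD_SOURCES:
        if wildcard in lowered:
            return False, f"{wildcard} allows scripts from attacker-controlled origins"
    return True, "inline scripts blocked and script origins restricted"
```

A policy that passes this check still needs review of the allowed origins themselves (a whitelisted CDN hosting a JSONP endpoint is a known bypass), so treat a True result as necessary, not sufficient.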

  6. Besides what others have said, another dead simple option is to use Nextdns: https://nextdns.io

    Doesn't require running anything locally and supports various block rules and lists and allows you to enable full log retention if you want. I recommend it to non-techies as the easiest way to get something like pi-hole/dnscrypt-proxy. (but of course not being self-hosted has downsides)

    edit: For Roku, DNS blocking like this only works if Roku doesn't use its own resolver. If it's like some Google devices it'll use 8.8.8.8 for DNS resolution ignoring your gateway/DHCP provided DNS server.
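Comments 2, 3 and 6 all come down to the same control: allow only your chosen resolver and watch for devices that go around it. As an added example (my code, not from the comment or from NextDNS/pi-hole), this Python detector reads firewall log lines in the netfilter LOG format that iptables/nftables emit and lists the clients that sent DNS (port 53), DNS-over-TLS (port 853) or HTTPS to a known public DoH resolver instead of using the gateway; the log lines and the DoH resolver list are constructed and assumed, not real captures.

```python
import re
from collections import defaultdict

# Fields of the netfilter LOG target format (iptables -j LOG / nft log).
_LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Public resolvers that also answer DNS-over-HTTPS on 443 (assumed list; extend for your network).
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}


def classify(dst, dport):
    """Name the resolver protocol a packet looks like, or None for ordinary traffic."""
    if dport == 53:
        return "dns"
    if dport == 853:
        return "dot"
    if dport == 443 and dst in KNOWN_DOH_IPS:
        return "doh"  # indistinguishable from HTTPS except by destination
    return None


def find_resolver_bypass(log_lines, allowed_resolvers):
    """Return {client_ip: {(dst, kind), ...}} for clients that talked to a resolver
    other than the allowed ones (normally the gateway handed out by DHCP)."""
    offenders = defaultdict(set)
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        kind = classify(m["dst"], int(m["dpt"]))
        if kind is None or m["dst"] in allowed_resolvers:
            continue
        offenders[m["src"]].add((m["dst"], kind))
    return dict(offenders)


# Constructed sample lines in netfilter LOG format (not real captures).
SAMPLE_LOG = [
    "Jan 10 12:00:01 gw kernel: [FW-DNS] IN=br0 OUT=eth0 SRC=192.168.1.42 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=5432 DPT=53",
    "Jan 10 12:00:02 gw kernel: [FW-DNS] IN=br0 OUT=eth0 SRC=192.168.1.42 DST=8.8.8.8 LEN=60 PROTO=TCP SPT=5433 DPT=853",
    "Jan 10 12:00:03 gw kernel: [FW-DNS] IN=br0 OUT= SRC=192.168.1.7 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=5434 DPT=53",
    "Jan 10 12:00:04 gw kernel: [FW-DNS] IN=br0 OUT=eth0 SRC=192.168.1.9 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=5435 DPT=443",
    "Jan 10 12:00:05 gw kernel: [FW-DNS] IN=br0 OUT=eth0 SRC=192.168.1.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=5436 DPT=443",
]

if __name__ == "__main__":
    for client, targets in find_resolver_bypass(SAMPLE_LOG, {"192.168.1.1"}).items():
        print(client, sorted(targets))
```

The same output tells you which devices will need the block-and-fall-back approach from comment 3, and which are already pinned to a DoH resolver that a port-53 block will not catch.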

  7. Is there any evidence this murder was related to the professor's work?
  8. > seems like you would have a poor argument that you can’t collect and analyze images of a public space

    Absolutely agree... but the CA law is clear that tracking license plates gets special treatment! It being public space doesn't matter. It's wild to me that how you analyze the video is regulated. Also that no similar regulation for the regular public doing facial recognition exists. Just ALPR.

    I wonder how I'm supposed to comply with the law if I were to take a public webcam feed, like one from a highway[0], and run ALPR on it myself. I obviously can't post any notices there. And I'm not the camera operator so can't comply with anything related to that. But I would be doing ALPR which does require I follow rules. ¯\_(ツ)_/¯

    Will be interesting to see what happens to the law. It feels outdated, but I'm doubtful any CA politician is going to expend karma making ALPR more permissive. So I bet it'll stay on the books and just go largely unenforced.

    https://go511.com/TrafficTransit/Cameras

  9. If you're in CA, I learned recently that any use of automatic license plate recognition here is regulated and has a bunch of rules. Technically just turning on the ALPR feature in your consumer level camera is illegal if you don't also do things like post a public notice with your usage and privacy policy.

    The law is a bit old and seems like it was written under the assumption that normal people wouldn't have access to ALPR tech for their homes. I suspect it gets very little enforcement.

    https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml...

  10. Agreed. Though for reference, Apple's private relay has an architecture that makes it much more privacy preserving than most VPNs.

    Traffic is sent through two independent relays: Apple sees your IP but not the destination, while a 3rd party egress partner sees the destination but not your IP, with encryption preventing either side from correlating both ends. It's some of the benefits of Tor. But of course you still need to put a lot of faith in Apple's implementation, which is the hardest part.

  11. What is the economic value of all these AI chat logs? I can see it being useful for developing an advertising profile. But I wonder if it's also just sold as training data for people trying to build their own models?
  12. This analogy happens a lot, and it might be true, but it's not clear to me that they're comparable.

    The Industrial Revolution mostly ate mechanical labor and created more 'thinking' and knowledge worker jobs closer to the top of the stack. AGI goes after the information / decision-making layer itself. And it's unclear how much remains once those are automated.

  13. If full AGI dreams are achieved and 80% of jobs disappear, leading to mass unemployment, then we need to do something to support the huge numbers of people that no longer have any income. Taxes to support a UBI program seem one solution. Or maybe the labor market can shift to find opportunities for humans that AI can't replace and we'd avoid the mass unemployment.

    But it feels like we're a long way from that right now.

  14. If the VPN IP and the last ~4 hops in the traceroute just ignored ICMP pings, or just all inbound traffic, it sounds like that'd make your detection harder?

    I've found that this isn't even that uncommon. One of the example VPN IPs in the article had the last 3 hops in traceroute ignoring ICMP. (though TCP traceroute worked). The VPN IP itself didn't, but it easily could!

    (feel free to ignore lest we not give bad actors ideas)

  15. Lots of people already have Apple TVs and the Tailscale integration is pretty good and can serve as an always online exit node. So no new hardware required. Could even remotely walk a non-techie through the process without too much effort.

    Personally, I've just upgraded my family's wifi to Ubiquiti and can then use Tailscale WireGuard running on the gateway as a proxy! (with their permission)

  16. You could vary the additional latency based on the location of the IP you're replying to? Or just hash the requesting IP and use that as a seed to generate that particular IP's random extra latency that always stays the same for that IP. Which feels like enough to make triangulation hard. Though I'm just spitballing.
  17. Interesting to learn you can identify the real country/area of origin using probe latency. Though could this be simulated? Like what if the VPN IP just added 100ms-300ms of latency to all of its outgoing traffic? Ideally vary the latency based on the requesting IP's location. And also just ignore typical probe requests like ICMP (ping). And ideally all the IPs near the end of the traceroute would do all this too.

    To use an example, 74.118.126.204 claims to be a Somalian IP address, but ipinfo.io identifies it as being from London based on latency. Compare `curl ipinfo.io/74.118.126.204/json` vs `curl ipwhois.app/json/74.118.126.204` to see. If that IP ignored pings and added latency to all outgoing packets, I wonder if that would stymie ipinfo's ability to identify its true origin.
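To show the defender's side of the latency question in comments 16 and 17, here is an added Python example (my code, not ipinfo.io's method) of the physical plausibility check a geolocation service can apply: light in fibre covers at most about 200,000 km/s, so a measured RTT from a probe puts a hard upper bound on the host's distance from that probe, and a claimed location farther away than that bound is refuted. Probe coordinates, the fibre speed constant and the RTT values are constructed assumptions; added latency or dropped probes can only make the result "consistent" or "insufficient", never turn an impossible claim into a confirmed one.

```python
import math

EARTH_RADIUS_KM = 6371.0
# Rule-of-thumb propagation speed in fibre, roughly two thirds of c (assumption).
FIBRE_KM_PER_S = 200_000.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_rtt_ms(probe, location):
    """Physical lower bound on round-trip time from a probe to a location."""
    return 2 * haversine_km(probe, location) / FIBRE_KM_PER_S * 1000


def check_claimed_location(measurements, claimed):
    """measurements: list of (probe_latlon, rtt_ms), with rtt_ms None when the host
    dropped the probe (e.g. ICMP ignored). Returns ('implausible', probe) if any
    RTT is below the physical bound for the claimed location, ('insufficient', None)
    if no probe got an answer, else ('consistent', None). The test is one-sided:
    extra latency makes a host look farther away, so it can hide a true location
    but cannot make a too-far claim pass."""
    answered = [(p, r) for p, r in measurements if r is not None]
    if not answered:
        return "insufficient", None
    for probe, rtt in answered:
        if rtt < min_rtt_ms(probe, claimed):
            return "implausible", probe
    return "consistent", None


# Constructed probe locations (degrees) used in the worked check; not real measurements.
LONDON = (51.5074, -0.1278)
MOGADISHU = (2.0469, 45.3182)

if __name__ == "__main__":
    # A 5 ms RTT from London is impossible for a host in Mogadishu (~6,900 km away).
    print(check_claimed_location([(LONDON, 5.0)], MOGADISHU))
    print(check_claimed_location([(LONDON, 5.0)], LONDON))
```

Real services combine many probes and use TCP/HTTP timing when ICMP is dropped, which is why the minimum RTT across probes, not any single one, is what matters.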

  18. How did they get leaked? Just someone getting into your personal Claude Code logs? I'm surprised that if it was just that Google would even be aware they're leaked.
  19. If I recall, the AIME answers are always 4-digit numbers. And most of the problems are of the type where if you have a candidate number it's reasonable to validate its correctness. So easy to brute force all 4-digit ints with code.

    tl;dr: humans would do much better too if they could use programming tools :)

This user hasn’t submitted anything.