  • This could just be a really stupid format, put out by a specific application for creating PDFs, because the original authors didn’t want to pay Adobe (never attribute to malice, that which can be sufficiently explained with stupidity).

    Does pdfinfo give any indication of the application used to create the document? If it chokes on the Java bit up front, can you extract just the PDF from the file and look at that? You might also dig through the PDF a bit using Didier Stevens's Tools, looking for JavaScript or other indicators of PDF fuckery.

    Does the file contain any other Java bytecode? If so, can you pass that through a decompiler?

    would love it if attempts to reach the cloud could be trapped and recorded to a log file in the course of neutering the PDF.

    This is possible, but it takes a bit of setup. In my own lab, I have PolarProxy running in one Virtual Machine (VM), using QEMU/KVM. That acts as a gateway between an isolated network and a network with internet access. It runs transparent TLS break and inspect on port 443/tcp and tcpdump capturing port 80/tcp. It also serves DNS using Bind.

    There is then the “victim” VM which is running bog standard Windows 10. The PolarProxy root cert has been added to the Trusted Roots certificate store. The Default Gateway and DNS servers are hard coded to the PolarProxy VM. Suspicious stuff is tested on this system and all network traffic is recorded on the PolarProxy system in standard pcap format for analysis.
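
The carve-and-scan triage suggested in the comment above, as an added example that is not part of the original comment and is not Didier Stevens's tooling: it locates the PDF inside a file with leading non-PDF data, then counts name keywords that usually deserve a closer look. The keyword list, function names and sample bytes are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Names worth a closer look during triage (assumed list, chosen for this example).
SUSPICIOUS = {"JS", "JavaScript", "OpenAction", "AA", "Launch",
              "EmbeddedFile", "URI", "SubmitForm", "AcroForm"}

# Magic bytes of containers that may sit in front of the PDF in a polyglot file.
PREFIX_MAGIC = {b"\xca\xfe\xba\xbe": "Java class file",
                b"PK\x03\x04": "ZIP/JAR archive"}

# A PDF name is "/" followed by any bytes except whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")  # "#4A" style escapes inside names


def carve_pdf(data: bytes):
    """Return (offset, pdf_bytes, prefix_kind); offset is -1 if no PDF header."""
    start = data.find(b"%PDF-")
    if start < 0:
        return -1, b"", None
    end = data.rfind(b"%%EOF")
    end = end + len(b"%%EOF") if end > start else len(data)
    prefix_kind = None
    if start > 0:  # something precedes the PDF header: try to identify it
        prefix_kind = next((kind for magic, kind in PREFIX_MAGIC.items()
                            if data.startswith(magic)), "unknown data")
    return start, data[start:end], prefix_kind


def keyword_counts(pdf: bytes) -> Counter:
    """Count suspicious names, decoding #xx escapes so /J#53 is seen as /JS."""
    counts = Counter()
    for raw in NAME_RE.findall(pdf):
        name = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
        name = name.decode("latin-1")
        if name in SUSPICIOUS:
            counts[name] += 1
    return counts


# Constructed sample: a Java class magic and padding in front of a tiny PDF body.
SAMPLE = (
    b"\xca\xfe\xba\xbe" + b"\x00" * 12 +
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /J#53 (placeholder script) >>\nendobj\n"
    b"3 0 obj\n<< /S /URI /URI (https://example.invalid/beacon) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\ntrailing bytes"
)

if __name__ == "__main__":
    offset, pdf, prefix = carve_pdf(SAMPLE)
    print(f"PDF header at offset {offset}, preceded by: {prefix}")
    for name, n in sorted(keyword_counts(pdf).items()):
        print(f"  /{name}: {n}")
```

A raw keyword scan like this does not see names inside compressed object streams, so a clean result is not a verdict and hits are leads for closer inspection of the carved file.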


  • Personally, I don’t find Evangelical support of Trump all that surprising.
    When you get down to brass tacks, this is an election between two candidates. Almost no one is going to look at those two candidates and find a perfect fit. It’s quite possible that people won’t even find a good fit. But, they have three choices, either one of the candidates or not voting at all. The latter of those choices is pointless, if one has policy preferences that they want to achieve. That only leaves picking the closest fit among the two candidates.

    In many corners of Lemmy, and in this community specifically, there has been a very strong push towards the sort of “vote Blue, no matter who” message, which has been around for several cycles. And this message is not wrong. Harris’s position on the war in Gaza has a lot of detractors. But, the choice is not between Harris and someone with a better position. The race is between Harris and Trump, whose position on Gaza is likely worse for those detractors. If those detractors don’t want things to get worse, they pretty much have to accept the situation as is, vote Harris and push for changes. And I suspect a lot of folks will support Harris, some enthusiastically, in spite of that policy difference. Because they will find other policy positions that they strongly support are also supported or championed by Harris. Better a flawed candidate than one which is diametrically opposed to the policy positions which one holds most dear.

    The thing which seems to be forgotten by folks who wonder “how can Evangelicals support Trump?”, is that this same problem cuts both ways. The people who hold GOP aligned policy preferences hold those beliefs just as strongly as Liberal/Progressive folks hold their own. That they would fall into a “vote Red, no matter who” mindset should not be surprising at all. And for Evangelicals, I’d argue that this mindset may be even stronger. These are folks who believe that, not only does this life hinge on their actions, they also truly believe that the here-after does as well. As much fun as we might make of people for believing in an invisible sky-wizard, they really, really believe all that stuff. And their entire self-identity will be built on the version of that belief system. And let me stress that it’s specifically “their version of that belief system”. The various versions of the Christian Bible have a lot of ambiguous and contradictory stuff in them. It’s easy enough to dig out justifications for nearly any position one wants to take. And Trump’s messaging has been pretty well aligned with the mainstream Evangelical version of policy positions on all the major topics. Harris’s positions, on the other hand, are in direct opposition to those positions.

    Why does that matter so much? One of the deeply important policy positions to Evangelicals, for several decades now, has been overturning Roe v. Wade. And for all the shit one might say about Trump, he actually got that done. Nixon, Reagan, Bush, and Bush all failed in that one, paramount goal. Trump did it. Stop and imagine for a moment, a politician whose personal life you find distasteful, yet they managed to accomplish the one single policy goal you hold above all others, would you go vote against them? Especially when their opposition is loudly campaigning to undo that major policy win for you? Oh, and that opposition is also campaigning against just about every other social policy position you hold. Anyone saying “yes” to that question is bullshitting themselves.

    Now, is Trump going to get anything else done for the Evangelicals? Who knows. But, Harris certainly isn’t and she’s actively hostile to their worldview. And Trump already got “goal number one” done. It seems like a reasonable bet that someone who already won the top line fight might win a few of the other ones as well. And all that “fascism, threat to democracy stuff”? Ya, that’s just liberals whining because they are losing. It’s Godwin’s Law in action. The lawsuits and criminal convictions, that’s just liberals weaponizing the DoJ to stop Trump, since they can’t stop him legitimately. And Trump’s past as a horrible person? A personal turnaround story of a “lost soul coming to Jesus” is damned near a foundational myth of Evangelicalism.

    No, Evangelicals supporting Trump is neither surprising, nor unexpected. And you can bet they will latch right onto the next GOP candidate to come along. And it’s not all that hard to understand. If you have ever bought into any version of “vote Blue, no matter who”, then you are intimately familiar with the same logic. From their perspective, the US is in the grips of an existential crisis which is being perpetrated by Democrats. The very foundations of their self are “under attack” as society moves further and further away from their central truths. And, from my own perspective, I don’t see that there is really any way to convince those folks otherwise. Trump isn’t the Devil in the desert tempting Jesus. To them, he’s the flawed man who is going to save their version of the US the only way he can. He’s a vigilante, bending or breaking the rules, because the rules are stacked against “the righteous”. That’s the mindset you are up against.


  • Ya, in fairness to MS, Windows XP was a good release (post SP1, like most “good” MS releases). But, the fact is that MS is going to push the latest version, regardless of how ready it is for use. MS was hot for folks to switch to Windows ME. And holy fuck was that a terrible OS. MS also did everything short of bribery to get folks to switch to Vista (anyone remember Windows Mojave?). The “upgrade, or else” mantra has always been their way. Not that I blame them too much, it does need to happen. It just sucks when the reason for the new OS is more intrusive ads and user tracking.


  • Many years ago, I attended a Windows XP launch event. The Microsoft presenter had the perfect line to describe how MS views this:
    “Why should you upgrade to Windows XP? Because we’re going to stop supporting Windows 98!”

    This was said completely unironically and with the expectation that people would just do what MS wanted them to do. That attitude hasn’t changed in the years since. Win 10 is going to be left behind. You will either upgrade or be vulnerable. Also, MS doesn’t care about the home users, they care about the businesses and the money to be had. And businesses will upgrade. They will invariably wait to the last minute and then scramble to get it done. But, whether because they actually give a shit about security or they have to comply with security frameworks (SOX, HIPAA, etc.), they will upgrade. Sure, they will insist on GPOs to disable 90% of the Ads and tracking shit, but they will upgrade.


  • I’d argue that the main reason you see more anime is the target audience.

    Western animation is usually aimed at young children. For as much as I may have loved Disney’s Gummi Bears as a young child (decades later and I can still hear the theme song in my head), it’s now pretty painful to watch. Some shows have aged pretty well and some newer shows aren’t quite so bad. But, the target audience still seems to be younger children for much of it. There are exceptions, and several of those are pretty well known. For example, The Simpsons and Futurama are both popular animated shows, and both are not aimed at children.

    Anime, by contrast is often aimed at teenagers. This means that it’s part of the audience’s formative years. People form bonds with the shows and carry some of those bonds into adulthood. And while the writing often falls into cringe inducing melodrama, there’s enough of it that is passable fun, usually simple hero stories. The shows can be like a comfy blanket that doesn’t insult the audience’s intelligence too much.

    I’d also note that anime’s appeal goes back further than the 2000’s. My own introduction was Robotech, back in the 80’s. While it was a bastardized version of Macross, with some pretty awful writing (not that Macross’s writing is going to win awards any time soon) and a couple other shows, it was certainly a step above what most western studios were putting on for Saturday Morning cartoons. And that created a lifelong soft spot for anime. Heck, my desktop background is currently a Veritech Fighter. I still love the idea of Robotech, even if I only watch it in my memory through very heavily rose tinted glasses. And I imagine I’m not alone. The show may be different, but I suspect a lot of folks graduated from Disney and Hanna-Barbera cartoons to some type of anime as they got older and that anime was stuck with them.


  • Probably worth noting that, if you are using an employer owned system to watch said porn, they likely have software on the endpoint which will let them see what porn you are watching, regardless of HTTPS/VPN/Tor. Depending on how much your employer cares about such things, that may or may not come back to bite you. I’ve worked at places where we regularly reported on users watching porn on work computers, and I’ve worked at places where we only reported on users getting malware while browsing porn at work. But, never assume your activity isn’t being monitored on employer owned systems.



  • While I don’t agree with the criminalization of marijuana, it’s really rough when it comes to a prosecutor and a law they may not like. Step back and ask the question, “should an Attorney General (AG) be allowed to not prosecute laws they don’t agree with?” You might be willing to say, “yes” for laws you also don’t agree with; but, what happens when it starts to cover laws you want to see enforced? Should “prosecutorial discretion” effectively allow an AG a complete veto power over the laws as passed by the State and Federal legislatures?

    As much as it may suck for the person in that position, it would be really bad for democracy to allow that sort of power. We empower an AG to enforce the law as written. But, we also expect that they will enforce the law as written. So ya, I would expect that Harris (or her office), as AG, prosecuted marijuana cases. That’s really what the whole “rule of law” thing means. It means the laws, as written, being enforced on all people. And it’s up to us, the people, through our representatives to get that law changed.

    And hopefully, this will work out to be more than an empty campaign promise. Though, I don’t plan to hold my breath.


  • the filibuster bound Senate will never convict.

    The filibuster doesn’t really enter into it. Article I, Section 3 of the Constitution requires a 2/3 majority to convict:

    The Senate shall have the sole Power to try all Impeachments. When sitting for that Purpose, they shall be on Oath or Affirmation. When the President of the United States is tried, the Chief Justice shall preside: And no Person shall be convicted without the Concurrence of two thirds of the Members present.

    The only positive fact about Thomas’s tenure is that the guy is 76 years old. The actuary tables look worse and worse for him every year.




  • I would assume they have some basic stuff running 24x7. I can’t imagine a network which doesn’t have Endpoint Detection and Response (EDR) running 24x7 these days. There’s also things like firewall logs, which are almost certainly being captured (or at least netflow). Stuff like screen recording and mouse monitoring is probably saved for extreme cases. That said, my own experience has been pretty close to:

    We’re not going to look over your shoulder while you watch YouTube videos but if we notice you’re watching a lot of or you start visiting porn sites, we’re going to start monitoring you.

    Quite frankly, no one’s got time for that shit. I work at an organization with a bit north of 25,000 employees, and we have fewer than a dozen security analysts. While I could run a search against our firewall logs and see evidence of folks dicking around, I have much better things to do, like running down abnormal processes and writing up reports on users who got their systems infected while dicking around. And that’s really the way it comes to our attention, most of the time. Someone is out trying to download movies or software on their work laptop (you’d think people would know better…) and they pick up malware. We get an alert and start investigating. While trying to determine the source, we pull browser history and see the user out on “SketchyMovieSite[.]xyz”. And then their dicking around becomes our problem, mostly because the site had a malicious redirect, which is where the infection came from.

    So ya, they may not be looking, but I’d always bet they are recording. Logging isn’t useful if it isn’t recording at the time of the compromise.


  • Remote work and pay. I was already interested in getting a remote gig when COVID hit. We went to a hybrid schedule and I realized that I really liked working from home. Also that my job was pretty much built for it. While many of the folks I used to work with are still hybrid, fully remote was never an option. I worked with Classified systems and I could never convince them to put a SIPR drop in my home. I guess you need to get elected President for that.

    As the world was opening back up, many companies saw remote work as a carrot to offer cybersecurity folks and I started to see a lot more job postings with it as an option. So, I put my LinkedIn profile to “looking for work” and started getting recruiters messaging me on a regular basis. One hit me up with “REMOTE WORK OPPORTUNITY” (yes, all in caps) as the lead for an offer. What followed that sounded interesting and I started talking with him. A few weeks later, I put in my notice and started working in the private sector. Got a pay bump in the move as well.

    My time in the FedGov space was overall a positive thing. I learned a lot and got to see systems locked down in a way that actually mattered (I never thought I would miss STIGs). At the same time, I don’t see myself ever going back. The bureaucratic nature of everything is soul crushing. And sitting in an OSS all day long sucks. It especially sucks when you’re the only one in the container and need to go out and take a piss. Clear the room, arm the alarm, spin the lock, sign the sheet, go piss. Open the lock, sign the sheet, disarm the alarm, get back to wishing for the sweet, sweet embrace of death.


  • When I worked as a US FedGov contractor, I was greeted with a long warning banner every time I logged into my computer. The tl;dr version of it is “fuck your privacy”. Being that I was part of cybersecurity for the site I was working at, I was one of the people doing the fucking. While we didn’t read everything from everyone all the time, we were logging it and could pull it up, if we were performing an investigation. We also had some automated stuff scanning for patterns and keywords on a regular basis, which could trigger an investigation.

    While I’m no longer in the FedGov space (thank the gods), I still assume that everything I do on my work system or with work accounts is being logged. Also, I’m still working in cybersecurity and am often still the one doing the privacy fucking. Yes, everything is being logged. We may not look at it today, we may not look at it tomorrow. But, when HR and Legal ask us about a user’s activity, we can usually be pretty detailed. Act accordingly.


  • It is now functionally impossible to detect anything about the traffic or the Wi-Fi router without some serious or illegal methods.

    You should really spend some time learning about WiFi signals. Tracking down rogue Access Points is a pretty common thing and having the SSID turned off does fuck all to prevent it. On the easy end, many enterprise wireless network controllers have rogue AP detection built right in and will show you a map of the location of the rogue AP. Harder, but still entirely possible, is running around with a setup just detecting the signal and triangulating it.




  • Re-read what I wrote, but hop down off your high horse first, it’s obvious you weren’t able to read it clearly from up there. I’m neither promoting nor defending piracy. Quite the contrary, I’m praising the legitimate services (and Steam in particular) for understanding that competition with piracy isn’t all about money, it’s often about the quality of service. Funny enough, your own comments are actually a point in favor of this:

    You ever wonder why these companies don’t operate in countries that don’t have strict piracy laws and can’t shut down sites with court orders? Because it’s still easier to pirate than face criminal charges.

    Yet somehow, with a lot of time, money and effort put into shutting down piracy, the pirates were able to provide a better service. Seriously, step back from the whole “napster bad” for a moment and think about the dissonance of the situation. Large companies, pulling in millions of dollars a year, with no need to worry about law enforcement or monied interests coming after them, somehow failed to create anything resembling a functional digital marketplace. They were stuck in the physical distribution paradigm and fought tooth and nail to avoid digital distribution. At the same time, a few kids, with little money, and law enforcement trying to shut them down created a pretty good user experience. Sure, some of that is not having to worry about licensing. But, a large part of it is understanding what the users want and giving it to them.

    It wasn’t until Apple came along and basically created “Napster, but legitimate” that music piracy really fell off. Netflix pulled off something similar with video (though that is rebuilding some rough edges at the moment) and Steam did it for games. Sure, piracy still exists, and it will always be a problem. But, a lot of piracy can be tamped down by having a good service available.


  • One thing that we have learned is that piracy is not a pricing issue. It’s a service issue. The easiest way to stop piracy is not by putting antipiracy technology to work. It’s by giving those people a service that’s better than what they’re receiving from the pirates. – Gabe Newell, 2011

    Time and again, digital distribution platforms have proved this. Apple Music became a dominant music distribution platform at the height of Napster, LimeWire and other peer to peer sharing apps. They did it, because it was easier to just buy the tracks/albums you wanted than to dig through trackers and websites which may or may not actually have what you want. Netflix became the de-facto source for streaming movies at a time when BitTorrent was common and well known. Again, they made it easy and convenient, while not charging an arm and a leg. Steam also faced competition from BitTorrent piracy. But again, Steam made buying, downloading and running games easier than the pirates. And people are willing to pay for that convenience and not dealing with the crap which floats around the high seas.

    And, so long as Steam continues to treat its customers right, those customers will keep coming back. And that’s the problem with Pitchford’s whole premise. Developers will go where the customers are. Sure, you’ll get the odd case of a publisher/developer doing an exclusivity deal. But even then, it’s probably limited, because the customers are on Steam. If another storefront wants to draw customers, they need to start with treating customers well. They will still face headwinds, as Steam has a large “first mover” advantage. But, success is going to start with making customers want to come back.


  • There may also be a (very weak) reason around bounds checking and avoiding buffer overflows. By rejecting anything longer than 20 characters, the developer can be sure that there will be nothing longer sent to the back end code. While they should still be doing bounds checking in the rest of the code, if the team making the UI is not the same as the team making the back end code, the UI team may see it as a reasonable restriction to prevent a screw up, further down the stack, from being exploited. Again, it’s a very weak argument, but I can see such an argument being made in a large organization with lots of teams who don’t talk to each other. Or worse yet, different contractors standing up the front end and back end.