• 4 Posts
  • 16 Comments
Joined 1 year ago
cake
Cake day: July 22nd, 2023

help-circle





  • Not fishy at all! It’s like a lockpicking fan asking about locksport.

    If you’re looking for examples, GitHub has a lot of CVE proof-of-concepts and there are lots of payload git repos across git hosts in general, but if you’re looking for a one-stop-shop “Steal all credentials,” or “Work on all OSes/architectures just by switching the compile target,” then you’ll have a harder time. (A do-one-thing-well approach is more maintainable after all.)

    If you want to make something yourself that still tries to pull off the take-as-much-as-you-can, you should just search up how different apps store data and whether it’s easy to grab. Like, where browsers store their cookies, or the implications of X11’s security model (Linux-specific), or where Windows/Windows apps’ credentials and hashes are stored. Of course, there’s only much a payload can do without a vulnerability exploit to partner with (e.g. Is privilege escalated? Are we still in userland? is this just a run-of-the-mill Trojan?).

    Apologies if my answer is too general.



  • Obligatory Linux comment (Lemmy moment):

    Windows is used often for its compatibility and defaultness but Linux is interesting in the sense that everything is patchable, everything is tinkerable and configurable. The low resistance to tinkering makes lots of Linux users tinkerers – including tinkering via code.

    I’m not saying wipe your hard drive or even dual-boot. Maybe an older computer or VM could help, depending on what you have. But just in the past week I’ve screwed around in low-to-medium-difficulty Linux projects that configured my lockscreen with C, that implemented mildly usable desktop GUIs with TypeScript, among others – just not-too-committal stuff that has a return value I literally see every time I lock my computer.

    Windows equivalent projects can be harsher on the beginning-to-intermediate curve (back when I first tried out Linux Mint, I’d been struggling to make a bookmark inspector in Visual Studio – ended up Pythoning it instead) – not to say that Windows fun is by any means out-of-reach.


  • My friends Leetcoded and Codeforced quite a lot. Advent of Code is up there too, with the interesting caveat that Advent of Code also teaches you refactoring (due to the two-part nature of every problem).

    However, when I was younger I had contempt for the whiteboard-problem-esque appearances of these, but everyone is different.

    If you look hard enough there is always a project at medium difficulty – not way too hard, like a huge project you feel won’t give you returns – not way too easy, like some cowsay clone. Ever tried making a blog? You can host for free on most Git pages implementations (codeberg, github, gitlab…).

    As for programming books, consider trying security books like Art of Exploitation – in the same strain, CTFs can use a decent amount of code, and they’re fun in terms of raw problem-solving. I started with the Bandit wargame, which does Linux problem solving from any machine that has SSH.

    I’m not by any means a l33t hax3r but I found them pretty fun in my learning journey.



  • According to tab autocomplete…

    $ git
    zsh: do you wish to see all 141 possibilities (141 lines)?
    

    But what about the sub options?

    $ git clone https://github.com/git/git
    $ cd git/builtin
    # looking through source, options seem to be declared by OPT
    # except for if statements, OPT_END, bug checks, etc.
    $ grep -R OPT_ | grep --invert-match --count -E \
    "OPT_END|BUG_ON_OPT|if |PARSE_OPT|;$|struct|#define"
    1517
    

    Maybe 1500 or so?

    edit: Indeed, maybe this number is too low. git show has a huge amount of possibilities on its own, though some may be duplicates and rewords of others.

    $ git show --
    zsh: do you wish to see all 489 possibilities (163 lines)?
    $ man git-show | col -b | grep -E "^       -" --count
    98
    

    An attempt at naively parsing the manpages gives a larger number.

    $ man $(find /usr/share/man -name "git*") \
    | col -b | grep -E "^       -" -c 
    1849
    

    Numbers all over the place. I dunno.


  • Huh, TIL.

    To be fair, git switch was also derived from the features of git checkout in >2.23, but like git restore, the manual page warns that behavior may change, and neither are in my muscle memory (lmao).

    I’ll probably keep using checkout since it takes less kb in my head. Besides, we still have to use checkout for checking out a previous commit, even if I learn the more ergonomically appropriate switch and restore. No deprecation here so…

    edit: maybe I got that java 8 mindset

    edit 2: Correction – git switch --detach checks out previous commits. Git checkout may only be there for old scripts’ sake, since all of its features have been split off into those two new functions… so there’s nothing really keeping me from switch.


  • It probably is, but I think their main point is the protest against the age-old delineation into “GUI vs CLI” camps. I’m not saying that you’re elitist, even if your statement might be interpreted as such (it’s hard to communicate tone online but the quotations around “their workflow” could appear mocking), but regarding the structure of your statement, I had a “Windows users are all button-presser noobs” phase and would’ve typed something similar about the Git CLI if time was decently rewound (sans the kindness of a “use what you like” statement). They could be interpreting your statement as a propagation of the anti-GUI stereotyping.

    Evidently they prefer GUI but can effectively use the CLI – no one disagrees that the CLI is more functional.


  • Click to view diffs is super ergonomic; on the other hand, I actually have a story about the Git CLI trumping the GUI (spoiler: reflog).

    In high school we had gotten the funding to build a robot, and one of the adults in charge – guy was brilliant – was using GitHub Desktop to conduct a feature merge with the student who served as team lead. The thing was, he was used to older codebases, so all of his experience was with CVS instead of Git – so when the two slightly messed up the git merge, they discussed recloning everything instead of wasting time plumbing the error (relevant xkcd).

    That was one of the earliest times I had the cajones to walk up to a superior and say “No, you’re doing this totally wrong. You don’t have to do that.”

    He looked at me and nodded. “What would you do instead?”

    “Reflog.”

    “Reflog? I’ve never heard of it before. Can you show us?”

    I hopped onto the laptop and clicked around GitHub Desktop, but couldn’t manage to find any buttons related to reflog… so I went straight to cmd.exe instead.

    git reflog
    git reset --hard "HEAD@{7}"
    

    “Done. We can continue rebasing.”

    And after that, the advisor complimented me for using the command line tool!

    “Lots of GUI apps are just limited frontends to the real meat and potatoes, the command line. Nice job!”

    I felt like a wizard! And so I became the team’s Git-inator.

    edit: pruned story







  • At a level that the user doesn’t have much control over, I fear both stock systems are about the same in terms of privacy.

    According to an analysis by Köllnig et al. (2021) on 500k+ free Google Play/App Store apps, tracker libraries such as Google Play Services/Apple’s SKAdNetwork/cross-platform libraries are used in about equal percentages on both app stores’ free apps. These free apps’ trackers are generally not configured to follow GDPR data-minimization practices, even for kids’ apps, but it’s to be noted that Android has a disadvantage in that advertising ID is more used in Android apps than Apple apps. However, Apple has disadvantage too: the researchers noted that Android’s intent system and different permission model makes apps seem “more privileged” than Apple’s, but Apple makes accurate analysis of their apps’ reach difficult, judging by the larger failure rate in app decompilation as well as the more opaque approach to permission disclosure. Although the paper might imply Apple has improved over time, since it mentions Apple’s implementation of opt-in tracking in 2021, after the study, as a limitation, keep in mind Apple’s new movement towards advertising as a form of revenue, as discussed by Apple Insider (Owen, 2022) and Bloomberg (Gurman, 2022).

    Of course, Köllnig’s study only reflects tracking in “curated apps” for either platform. It does not discuss hardware/firmware/system app-level privacy, which users have little control over (Leith, 2021 – easier reading with TomsGuide). Leith found that either OS phones home (lol) every ~4.5 minutes, and even though Google may send more data (even from the clock app!), Apple profiles your social network via MAC addresses on your Wi-Fi as well as location geotagging, which the TomsGuide article called “quality vs. quantity”. This builds on the idea that Apple might seem more private, but only ostensibly so, judging by these more particular looks at their data collection and the trend of their increasingly data-focused business model.

    Does that mean the choices between stock OS don’t matter? Well, no – as for me, who can’t afford a Pixel anytime soon, I’ve chosen Android on account of freedom outside of curated app stores. Yes, PrivacyGuides may not recommend F-Droid, but the opportunity cost in security there may be negligible compared to the convenient and easily-handled privacy received in exchange*, at least for typical less-savvy threat models like my own. (This favorability is illustrated in a forum debate here (Lukas, 2023), though in a context less relevant to stock OS comparisons.) Ignoring the facet of freedom with stock Android, the possibility of large privacy advantage one way or the other, strictly in terms of stock Android and stock iOS operating systems, is marginal if it even exists.