Threads for christianscott

  1. 3

    Gotta confess that a lot of this flew over my head a bit, but:

    The system is tamper-resistant and constantly updated, meaning that should a strict MDM policy be in place, extracting documents from a system without authorization could be potentially extraordinarily difficult to impossible.

    Am I missing something or is this kinda overlooking my ability to take pictures of the screen with a phone?

    1. 2

      How long would it take you to exfiltrate a 2mb text file by taking pictures of the screen?

      1. 4

        So document exfiltration via pictures is proooobably not a threat model that Pluton is seriously meant to address but this is a question that’s actually way cooler than expected.

        Way back when Android was new and cool, me and an ex-colleague from uni wrote a program that did more or less that, mostly as an exercise in how pointless DRM is and to learn how to use the camera API. 2 MB of ASCII text are 1048 xterm‘s@80x25 worth of text. Factoring in redraw slowness, plus the low frame rate of early Android phones, we found we could reliably extract about 3 of those per second, so it would take about 6 minutes to get the whole thing out. 3 per second doesn’t need a paging method smarter than “have someone press page down but not too quickly”.

        Nowadays, factoring in the higher frame rate of a phone, but also the inherent flicker (the camera’s 60 fps sounds amazing but the screen is still 60 Hz) and the fact that text isn’t instantly redrawn on the screen, I think you can get to 10-15 “pages”/second so you could get it all out in less than two minutes. Getting that kind of paging speed is trickier though. But, with paging via Page Down and a good keyboard, you could probably get to 5-6 pages, so about three minutes, which still isn’t bad. We didn’t really care about OCR back then but I don’t think it would be a problem today.

        That’s assuming it’s all ASCII text, of course – 2 MB PDFs sometimes turn out to be like 100 pages. Based on my experience skipping classes and learning from other people’s notes, I can tell you it took me about two minutes to exfiltrate 100 written pages with a handheld camera :-P.

        It’s worth noting that in corporate-ish environments the exfiltration story is also approached from another angle. Sensible documents are often extracted by people who otherwise have access to them for as much as they need, but are barred from sharing them with the outside world. More often than not they don’t actually need to exfiltrate the whole document, they only need to snap pictures of the relevant parts. They can also snap two or three photos a day.

        1. 1

          You kid (I think) but I would love to read an in-depth blog post about this. Big screen + scroll quickly + take a video + OCR = ???

          Would be fascinating because it would touch things like

          1. How fast/slow do I need to scroll to show all of the text? I.e. to make sure that some text is not lost between frames
          2. Can you should a full new block of text every frame or does there need to be some overlap between blocks?
          3. Does it matter that frames by the screen & the frames captured by the camera will be out of sync?

          etc

          1. 3

            Depends on the software, but if you set the view to single page, you just have to hold the phone and press page down at a steady rhythm while taking a video and that should do the trick, I recon.

      1. 14

        I am happy using most of the default unix tools (vi/vim are fine, grep is fine, awk is great, etc), but using bash/zsh really hurts now that I’ve spent a few years with fish. find as well– fd is so much better.

        1. 4

          Yep, love fd. Also rg (ripgrep).

          I’ve been using one variety of BSD or Linux or another almost 30 years, and out of the batch of new trendy tools those are two that have really made a big difference to me.

          1. 3

            Been using Linux for 23 years and there are a few programs that have changed the way I interact with a computer. Among those, you’ll find some old, usual suspects like Emacs, awk, and git, but in the past couple of years, fd and rg have changed some of my own habits. I went from a model where I tried to very precisely organize (usually, unsuccessfully) data to a model where I put everything in a big heap and search for what I need.

          2. 2

            What is in fish that would make one want to switch? I use ansible and bash for most scripting. For non-trivial scripting, I use Node or Python. I’m currently on zsh (bash compatible) with starship.rs.

            1. 2

              I love fish as a shell because of its nice defaults and embedded features.

              However, I would not want to use it for scripting, especially if these scripts are going to be shared. Stick with whatever is available in your server/containers/teammate’s computer.

              1. 1

                I use it as my shell. I don’t really use it for scripting, except for setting up aliases and the like. Syntax highlighting and the magical autocomplete are the things I really miss when I use a different shell.

            1. 4

              This would be really cool to see, but… C? Lambdas? Did I miss something?

              1. 3

                This paper builds on the assumption that at least simple lambdas are integrated into C23

                1. 2

                  ah. I guess I did miss something :)

              1. 3

                Typescript – would love a typescript that performs well at scale. I don’t think I’d ever finish if I tried it though, the scope of the project is quite vast now (language features, editor integrations, refactoring, etc).

                I have not thought about this deeply but I have a feeling that some of the things that make typescript great (e.g. the ability to incrementally port a javascript codebase) are the things that make it slow. For example, being able to omit the return type of a function likely forces a lot of things to happen in series that could otherwise happen in parallel.

                Those tradeoffs makes sense in a world that’s mostly JavaScript, but do they still make sense in a world that’s mostly TypeScript? I think not. Since there has been a culture shift towards static typing, the constraints on the tool have also shifted.

                1. 2

                  Why not C# ? As far I can see that’s a fast language that TypeScript was very much influenced by.

                  It’s obviously not compatible with JS, but anything that is won’t be fast. JS can be fast in some cases with heroic JITs, but it will always have slow cases due to its semantics, which can’t be changed without breaking the language. (This was the motivation behind Dart too.)

                  1. 3

                    Ah, I didn’t make myself very clear. I was talking about the performance of the compiler rather than the output of the compiler. Though it would be nice if that was faster too :)