OpenPrinting News Flash - cups-browsed Remote Code Execution vulnerability
Exploit of a combination of several bugs - Overhyped but not that severe - Fixes already available
...
Canonical’s security team acted immediately to apply the patches which Michael Sweet (author and maintainer of CUPS) had already prepared for CUPS, cups-browsed, libcups-filters, libppd, and cups-filters (in the time from the first report until then I was some days off and I was also at the Open Source Summit Europe; thanks, Michael Sweet, for stepping in, and thanks also to Zdenek Dohnal from Red Hat) to the appropriate packages in all supported Ubuntu versions, so that at the time of disclosure most fixes were already in place. They also reported on it in an Ubuntu blog post. They tell users what to do, from turning off cups-browsed, or at least its legacy CUPS browsing support, to updating their systems, as the fixes were already available. Thanks a lot to Seth Arnold, Marc Deslauriers, Diogo Sousa, Mark Esler, Luci Stanescu, and more.
...
The X post really overhyped the vulnerability. Attacks from the internet are not very probable, because servers on the internet do not have cups-browsed and CUPS installed, and CUPS/cups-browsed setups usually exist only in NAT-protected local networks with desktop machines and print servers. The remote code execution is also rather restricted, as CUPS filters do not run as root but as the system user “lp”, which cannot even read users’ home directories. In addition, the remote code execution only happens when a user actually prints a job on the fake printer. Actually assigned scores ended up between 8.4 and 9.1.
Gargantuan Black Hole Jets Are Biggest Seen Yet
There’s growing speculation that 13.767 billion years may be the earliest that the universe can support life, due to events like this. The universe had to expand, a lot, to get to a place where life had a chance to evolve and not get obliterated by these types of events.
Plus our galaxy may be in a void. A really big one at that:
In 2013 Barger and two colleagues, Ryan Keenan (then at the Academia Sinica Institute of Astronomy and Astrophysics, Taiwan) and Lennox Cowie (University of Hawai‘i) counted some 35,000 galaxies from multiple surveys. What they found is that the Milky Way appears to live in a relatively empty area. Per unit volume, there’s half again as much light reaching us from galaxies 1.5 billion light-years away as there is from galaxies right around us. It’s as if we’re living in the suburbs, and the skyglow we see in our backyard comes more from distant cities than from our neighbors.
If this sparse region that we live in is a true cosmic void, then at 1.5 billion light-years in radius, it’s well above average in size, says Hoscheit. Typical voids have radii between 90 million light-years and 450 million light-years, he says. But this void would be so big, it would encompass the Laniakea Supercluster, which the Milky Way and its Local Group of galaxies call home, as well as the Tully Local Void, which Laniakea borders. “It would be the largest void known to science,” he says.
From: skyandtelescope.org/astronomy-…
So the fact that our black hole (Sagittarius A*) _hasn’t_ done this, and that we’re far away from other black holes that _have_ done this, just might be why you’re reading this reply.
Let’s toast to our existence in the backwaters of our galaxy and the KBC void! 🥂
If you haven’t been following the latest drama in the WordPress world, consider yourself free. In short, Matt Mullenweg, one of the co-founders of WordPress, has been having a very public feud with a major WordPress hosting provider, WP Engine. The reason this matters is that WordPress as a CMS powers over 40% of the web, including my little blog.
Matt’s meltdown has included an aggressive presentation at WordCamp, a public call out post pushed to every default WordPress install’s news feed, blocking WP Engine users from receiving plugin updates, and now a few days “reprieve” where WP Engine will be able to mirror code. This is bad for the ecosystem as a whole, especially the personal web I care about. There are a lot of other details in there, including a whole thing about who is doing more charitable donations (???). Josh Collinsworth wrote a good summary with what I believe is the correct solution: Mullenweg needs to step down from all of his various leadership roles, because he has now repeatedly demonstrated himself as harmful to both the communities and businesses that rely on WordPress.
Part of the mess stems from how Matt is entangled with the for-profit WordPress.com hosting and services company, the non-profit WordPress Foundation that helps promote and manage the open source project, and the WordPress.org open source project itself. It’s so confusing I probably got something wrong in just one sentence!
Why does this matter to me? While I don’t have any kind of business or livelihood dependency on WordPress, I have been using it as my blog platform here since January 2009, when I migrated off of LiveJournal (which I started using in college). Over time I’ve migrated from Yellow Dog Linux on my old B&W G3 running over Speakeasy DSL from my apartment to a Rackspace VPS with a Debian Linux install to an Amazon Lightsail instance (most recently running Amazon Linux 2023).
Today I happened to try to update a few plugins on my install and for the first time got HTTP 429 Too Many Requests errors! I don’t know if this is somehow related to the blocking Matt got set up; I do know that WP Engine can use AWS, so it’s possible my public IP in us-west-2 is getting swept up in some WordPress throttling rules? Hopefully I can update soon, otherwise I’ll have to look at other mirrors or something. WordPress security is of both personal and professional interest; I try to keep my plugin footprint small to reduce the chance of vulnerabilities outside of the core software.
While there are a lot of alternatives I am also lazy and would prefer to not have to overhaul my personal site! At the same time I’ve had some on and off struggles with this site’s performance despite a tiny audience. I’ve also had more concerns around WordPress’ general direction, including the big push towards subscription services via Jetpack and especially their AI content generation features.
I’m hopeful that WordPress will make some apparently very necessary changes and protect the community of users from Matt’s abuses of power. He clearly needs to go! In the meantime I’m not going to make any drastic changes to move off of the software that’s served me for over 15 years.
I made a script that configures Ubuntu (mainly its GNOME) the way I like it. I also made it work in Debian and Fedora.
It doesn't do any crazy ricing, as I mostly focused on usability tweaks and automatic installation of my must-have extensions. (Tiling, clipboard manager, dash to dock, desktop icons)
Most notable tweaks include:
- clicking on a running app minimizes it
- clicking on a group of apps brings up their previews
- adds minimize, maximize buttons to windows
- installs flatpak, adds flathub
- install flatpak and snap plugins into gnome-software (doesn't work on Fedora)
- installs snap
- installs mtp-tools and gvfs-backends on Debian to be able to transfer files from a connected phone
- adds right click > New File
- Super + Shift + S brings up the area screenshot
- Super + E opens the file manager
- Ctrl + Alt + T opens the terminal
(Those already configured on Ubuntu don't get configured again, obviously.)
I also recorded a short showcase to prove that it works without errors youtu.be/xf739ivb9hg
GitHub - Tsu-gu/tsubuntu: Tweaks for Ubuntu 20.04 - 24.04
Tweaks for Ubuntu 20.04 - 24.04. Contribute to Tsu-gu/tsubuntu development by creating an account on GitHub.
On Ubuntu, do you also remove the Snap store and install gnome-software?
Do you add the PPAs for updated flatpak version and dependencies like bubblewrap?
Nope, I don't touch the snap-store on Ubuntus (to be fair I don't install any snap plugins for gnome software center on Debian/Fedora either). As for flatpak, it's installed via apt from the regular repos. I didn't even know there was an up to date PPA.
I know about this but that's meant for 18.04 and earlier.
Edit: these are good suggestions tho. Something to work on to improve it even more.
sudo apt install gnome-software-plugin-snap gnome-software-plugin-flatpak gnome-software
Looks like Fedora does not have gnome-software-plugin-snap or gnome-software-plugin-flatpak in its repos.
On Fedora it is likely just named differently ;) it for sure has at least Flatpak support.
Background is that flatpak is used directly, not through packagekit.
Have a look at packages.fedoraproject.org
I checked and Fedora dropped support for the snap plugin.
discussion.fedoraproject.org/t…
These are also the only packages related to gnome-software:
Related Packages
gnome-software-devel
gnome-software-fedora-langpacks
gnome-software-rpm-ostree
From what I remember, their gnome-software already has flatpak support. So all that will be missing is the GUI snap support. Could've been worse.
Interesting, thanks for the research!
Snaps are unsandboxed on systems without AppArmor, so they are not a useful cross-platform technology anyway.
flathub.org/apps/io.github.vik…
Seems very user friendly and can do everything except for installing software.
Cleveland Clinic Discovers Bacterium Causing Gut Immunodeficiency
Cleveland Clinic Researchers Discover New Bacterium that Causes Gut Immunodeficiency
Findings lay the groundwork for potential new treatments for a variety of diseases, including inflammatory bowel disease, Crohn’s and ulcerative colitis. Cleveland Clinic
Anyone know if the MX Creative Console from Logitech works on Linux (and to what degree)?
I kinda want to hook one up to raspberry pi for some home control, but I'm not sure if the software to configure it works on Linux (or how it even presents itself HID-device wise)
I'm sure it'll eventually be reverse engineered and have some custom drivers on github soon, but a quick google came up empty for this new device.
Edit: Oh I just realized this hasn't been released yet, I saw the "buy now" button and assumed it was.
MX Creative Console - Customizable Dial and Keypad | Logitech
Streamline your creative workflow with intuitive controls. Maximize precision with the dialpad and access countless customization through the LCD keys of the keypad. www.logitech.com
Not surprised you're not finding Linux compatibility info. It looks like it was just announced. Logitech tends to not support Linux for their customization software, but I presume Solaar will add support for this device eventually.
With Linux over the years, I have learned to ignore all hardware marketing as (basically) scammers. The supporting software is the important part. If the software is not open source, the product is only available to rent and likely includes or has the potential to become an extortion scam of subscription parasites. When I shop for products now, I do so by searching for the open source software first. Once I find a large project with several contributors, I git clone the repo and then I run an app called gource on the command line. Gource creates a 3D visualization of the project over time and its commit history. Have a look at the Linux kernel some time, or just watch a video of someone who has uploaded the visualization:
With the actual visualization, you can zoom in and select the individuals or watch branches specifically. The trick is to get an idea of who the main contributors are in the various spaces and how consistent they are. Find who is working on what hardware and how they are working on it. Sometimes you'll see a person come in and only make a single commit or a few that contain everything for a device, and then they disappear. These are often subcontracted devs that a company hires and gives a checklist. Issues, bugs, and unsupported features are unlikely to get fixed unless you see someone else that is making commits in this space. What you're really looking for is one of the main project devs that makes ongoing commits to some specific hardware over longer amounts of time and fairly recently. It means they have the device in question. That generally means the device has or will have excellent support in the long term. It also generally means the person either really liked the product or the company is smart enough to supply the dev with the device or supporting documentation.
Sorry if this seems unsolicited. It took me a long time to break out of the hardware spec shopping fallacy and all of the troubles it can cause. Prioritizing true ownership and shopping for the software first is a far more enjoyable life experience. It likely won't help in this niche, but for computers in general use: linux-hardware.org/
You will likely find that search engines attempt to obfuscate this information. Expect that. Use offline open source LLMs, ask the community, or more advanced searching methods to find relevant info. Both m$ and the goo are the two biggest beneficiaries of the proprietary software ecosystem and they are the only two web crawlers that exist at relevant scale. All search engines use one or both of these sources either directly or by proxy.
I'm no stranger to DIY nor reverse engineering, so I may still buy it as a winter weekend project.
DIY is difficult because I want real buttons, as well as customizable mini displays (like the Optimus keyboard of Olde)
As long as it shows up as a normal HID keyboard, and the upload protocol is reverse engineered, I'll be happy.
Maybe I'll get one and use the return policy to find out.
It's $269.99 and has 9 programmable buttons. It's designed to control rent-seeking apps like Photoshop.
The Streamdeck XL costs $200 and has 32 programmable buttons. I'm using it to control my dorm room through Home-Assistant, and my robot camera through Bitfocus Companion.
Logitech does not support Linux.
Most of the current compatibility of Logitech devices comes from Linux devs reverse engineering their software, from USB standards, or from default programming stored in the device.
I'm not familiar with the specific install/upgrade process on Gentoo so maybe I'm missing something, but what's wrong with forcing new installations to use time64 and then forcing existing installs to do some kind of offline migration from a live disk a decade or so down the line? I feel like it's probably somewhat uncommon for an installation of any distro to be used continuously for that amount of time (at least in a desktop context), and if anyone could be expected to be able to handle a manual intervention like this, it's long-time Gentoo users.
The bonus of this would be that it wouldn't be necessary to introduce a new lib* folder - the entire system either uses time64 or it doesn't. Maybe this still wouldn't be possible though, depending on how source packages are distributed; like I said, I don't really know Gentoo.
I imagine the "update from another system" path runs into trouble with more complex Gentoo installs than just the base system. For a full update from the live disk it will have to include lots and lots of (often exotic) tools that might be used in the building process (document generators like doxygen, lexers, testing frameworks, several build systems and make-likes, programming languages...) in addition to being able to build against the already installed updates for packages while not accidentally building against packages that are not updated yet.
Or you go the simpler way and only do a base update from the live-system...only update the base build system and package management of the gentoo system and afterwards boot in a "broken" system in which only the basics works and rebuild it from there.
For me both those options sound less desirable than what is suggested in the blog.
This seems overblown, we've faced these things before.
The straightforward path is adding new calls and structs and leaving the old code in place, then having tests that return -1 for time32_t and seeing what breaks.
It's not pretty, but this is life in the new epoch, gentoo doesn't have it harder than anyone else except when they're trying to rebuild while the transition is happening.
I know nobody wants 2 apis, 1 deprecated, but this is an ancient design decision we have to live with, this is how we live with them.
Ah, the joys of requiring non-standard library calls for apps to function.
The problem is that this approach breaks the C standard library API, which is one of the few things that are actually pretty universal and expected to work on any platform. You don't want to force app developers to support your snowflake OS that doesn't support C.
The current way forward accepted by every other distro is to just recompile everything against the new 64-bit libraries. Unless the compiled software makes weird hardcoded assumptions about sizes of structs (hand-coded assembly might be one somewhat legitimate reason for that, but other distros have been migrating to 64-bit time_t for long enough that this should have been caught already), this fixes the problem entirely for software that can be recompiled.
That leaves just the proprietary software, for which you can either have a separate library path with 32-bit time_t dependencies, or use containers to effectively do the same.
Sneaky edit: why not add new 64-bit APIs to C? Because the C standard never said anything about how to represent time_t. If the chosen implementation is insufficient, it's purely on the platform to fix it. The C17 standard:
The range and precision of times representable in clock_t and time_t are implementation-defined.
Your argument is to have 2 subtly incompatible abis and one day binaries magically break.
You're right it breaks c stdlib, but that's literally the point, libc is broken by design, this is the fix.
No program with time32_t will ever work after 2038, so any compiled that way are broken from compilation.
You're right that the length isn't specified though, the issue is changing types for triplets silently has unfortunate side effects.
If you really want to be clever, mangle the symbols for the functions that handle time so they encode time64 as appropriate, but doing it silently is begging for trouble.
Your argument is to have 2 subtly incompatible abis and one day binaries magically break.
Whereas your argument seems to be to have a special C variant for 32bit Linux - there's no reason to have a special time64_t anywhere else.
No program with time32_t will ever work after 2038, so any compiled that way are broken from compilation.
Yeah, so what will breaking the ABI do? Break it a bit more?
If you really want to be clever, mangle the symbols for the functions that handle time so they encode time64 as appropriate
That's what MUSL libc does, and the result is two subtly incompatible ABIs - statically linked programs are fine, but if a dynamically linked library exports any function with time_t parameter or return value, it will use whatever size was configured at build time and it becomes a part of its ABI. So fixing this properly would require every library that wants to pass time_t values in its API to implement its own name mangling. That's not a reasonable request for a barely used platform (remember, this is just 32bit userland, 64bit was always unaffected).
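An added illustration of the two problems this thread circles around, the 2038 overflow of a signed 32-bit time_t and the silently changed struct layout that turns one library into two incompatible ABIs. This is my own example, not code from the thread, Gentoo, glibc or musl; the time32_t/time64_t typedefs and the event structs are constructed for it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 32-bit and 64-bit time_t, as two builds of the same library
 * would see them (names constructed for the example). */
typedef int32_t time32_t;
typedef int64_t time64_t;

/* The same public struct under each ABI: the time_t field changes size, so the
 * offset of everything after it changes too. */
struct event32 { uint32_t id; time32_t when; uint32_t flags; };
struct event64 { uint32_t id; time64_t when; uint32_t flags; };

/* Last second a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC. */
#define TIME32_MAX 2147483647LL

/* 1 if the instant cannot be stored in a 32-bit time_t at all. */
int time32_overflows(time64_t t) {
    return t > TIME32_MAX || t < -TIME32_MAX - 1;
}

/* What a 32-bit build ends up storing for a given instant (wraps negative on
 * gcc/clang, which is why "tests that return -1" style checks catch it). */
time32_t truncate_to_time32(time64_t t) {
    return (time32_t)t;
}

/* Build an event64 and read it back through the event32 layout, which is what
 * happens when caller and callee were compiled with different time_t widths.
 * Returns 1 only if the callee still sees the timestamp and flags the caller
 * stored; with a non-zero flags value it fails on both i386 and x86_64 layouts. */
int time32_view_keeps_fields(uint32_t id, time64_t when, uint32_t flags) {
    struct event64 ev;
    struct event32 view;
    memset(&ev, 0, sizeof ev);        /* make padding bytes deterministic */
    ev.id = id;
    ev.when = when;
    ev.flags = flags;
    memcpy(&view, &ev, sizeof view);  /* callee reads only the first 12 bytes */
    return (time64_t)view.when == when && view.flags == flags;
}

/* 1 if both layouts agree; they never do once time_t widens, so any exported
 * function taking or returning these structs has two incompatible ABIs. */
int layouts_match(void) {
    return sizeof(struct event32) == sizeof(struct event64)
        && offsetof(struct event32, flags) == offsetof(struct event64, flags);
}

int main(void) {
    time64_t after = TIME32_MAX + 1;  /* first second past the 32-bit range */
    printf("sizeof event32=%zu event64=%zu layouts match=%d\n",
           sizeof(struct event32), sizeof(struct event64), layouts_match());
    printf("2^31 stored as time32: %d (overflows=%d)\n",
           (int)truncate_to_time32(after), time32_overflows(after));
    printf("mixed-ABI read keeps fields: %d\n",
           time32_view_keeps_fields(1, 1700000000LL, 0x2A));
    return 0;
}
```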
I think this is a reasonable assumption, but my experience suggests it will absolutely not be true for a lot of proprietary software.
That being said, that stuff will only be supported on rhel which will bend over backwards to keep it sort of working somehow.
One thing people reading this should remember is that you cannot guarantee all packages on a Gentoo system will be updated simultaneously. It just can't be done. Because several of the arches affected by this are old, slow, and less-used (32-bit PowerPC, anyone?), it's also impossible to test all combinations of USE flags for all arches in advance, so sooner or later someone will have something break in mid-compile. For this change, that could result in an unbootable system, or a badly broken one that can't continue the upgrade because, for example, Python is broken and so portage can't run.
The situation really is much more complicated than it would be on a binary distro whose package updates are atomic. Not intractable, but complicated.
That being said, even a completely borked update would not make the system unrecoverable—you boot from live media, copy a known-good toolchain from the install media for that architecture over the borked install, chroot in, and try again (possibly with USE flag tweaks) until you can get at least emerge --emptytree system or similar to run to completion. It's a major, major pain in the ass, though, and I can understand why the developers want to reduce the number of systems that have to be handled in that way to as few as possible.
Mandelbrot Viewer: a cool program that renders the Mandelbrot Fractal
Hello everyone! This is a small program I made yesterday to render the Mandelbrot Fractal with beautiful colors!
It isn't as fast as other programs (e.g. XaoS) but it is the first good program I have made using OpenGL. I may update it to render some other fractals too in the future (e.g. The Burning Ship).
I hope you like it!
GitHub - Vitaspiros/mandelbrotViewer: A program written in C++ and GLSL that can render the Mandelbrot Fractal using OpenGL.
A program written in C++ and GLSL that can render the Mandelbrot Fractal using OpenGL. - Vitaspiros/mandelbrotViewer
Today's thinner or GHB is laughing gas. It is a bigger climate villain than cars, ETC proclaims in a headline. Which is of course nonsense. At least if we are talking about laughing gas as an intoxicant. Admittedly, nitrogen oxides (which laughing gas is) are powerful greenhouse gases, considerably more potent than carbon dioxide.
Systemd Looking At A Future With More Varlink & Less D-Bus For IPC
Taking place this week in Berlin was systemd's annual 'All Systems Go' developer conference. www.phoronix.com
Can someone give a short ELI5? I read the article and the comments, but I have no idea what this is about.
Maybe someone has an article that explains it for someone not educated as a computer scientist?
DBus is a system-wide messaging system. It's for stuff like notifications and system-wide events, ...or so do I think. But the aim is to allow all programs, running system-wide, to announce anything for others programs to react to.
This post requests people to use Varlink instead.
This is similar to the PulseAudio versus Pipewire and X11 versus Wayland situations.
The main reason is that Dbus is not available during early stages of boot. There are many others.
Varlink seems to be better or the same compared to dbus in all except two things:
- json doesn't handle 64bit integers, it handles 52bit (or 54bit?) (size of mantissa for floats)
- you cannot (yet) list all things connected to the bus
Details here:
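On the 64-bit integer point in the list above: an added example (mine, not from the post, systemd or Varlink) showing exactly where a plain JSON number stops being exact when the receiving parser stores numbers as IEEE binary64 doubles, and the usual workaround of sending large values as decimal strings. Function names are constructed for the example.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* A binary64 double carries a 53-bit significand, so every integer with
 * magnitude up to 2^53 is exact and odd values above that start to be lost. */
#define JSON_EXACT_INT_MAX ((int64_t)1 << 53)

/* 1 if v survives conversion to double and back unchanged, i.e. it can travel
 * as a bare JSON number through a parser that keeps numbers as doubles. */
int int64_exact_as_json_number(int64_t v) {
    double d = (double)v;
    /* Converting a double of magnitude 2^63 or more back to int64_t is
     * undefined behaviour, so treat that range as inexact up front. */
    if (d >= 9223372036854775808.0 || d < -9223372036854775808.0) return 0;
    return (int64_t)d == v;
}

/* Smallest positive integer that does not round-trip; expected 2^53 + 1. */
int64_t first_inexact_int64(void) {
    int64_t v = JSON_EXACT_INT_MAX;
    while (int64_exact_as_json_number(v)) v++;
    return v;
}

/* Serialise v for a JSON-based IPC message: a bare number when it is exact,
 * otherwise a quoted decimal string the receiver parses itself.
 * Returns characters written, or -1 if dst is too small. */
int encode_int64_for_json(int64_t v, char *dst, size_t cap) {
    int n = int64_exact_as_json_number(v)
        ? snprintf(dst, cap, "%" PRId64, v)
        : snprintf(dst, cap, "\"%" PRId64 "\"", v);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Helper for checks: 1 if v encodes to exactly the expected text. */
int encodes_to(int64_t v, const char *expected) {
    char buf[32];
    return encode_int64_for_json(v, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[32];
    printf("first inexact integer: %" PRId64 "\n", first_inexact_int64());
    encode_int64_for_json(INT64_MAX, buf, sizeof buf);
    printf("INT64_MAX encoded as: %s\n", buf);
    return 0;
}
```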
Thank you :)) ! I have the same question as @umbrella if you have any other insights to share!
how is varlink better than dbus to justify that change?
I'm unfortunately not aware.
What I do know is that D-Bus (and not "DBus") apparently doesn't work with MIME types directly. I may have been misinformed here - but this is some information I have received.
Essentially, the data sent cannot be assigned a type or format.
On the web, all data sent by a server has a MIME type ("text/html", "image/png", "video/mp4").
Android's system for inter-process ("running program") communication, intents, does include.
...Even Windows does, with its whatever complicated APIs.
D-Bus doesn't, so Tuxes too, don't. ...Yet.
D-Bus is apparently also not secure enough. Probably not as bad as X11, but not good enough.
So far, KDE and GNOME have had their own "wrapper" systems to allow using D-Bus through a layer of their code to cover little inconveniences like this.
The only argument I see in favour of varlink is the ease of debugging, and this should never be an argument in a technical decision.
When your stuff is running in "prod", your "ease of debugging" is thrown away, but the system continues to suffer.
Json for IPC is a terrible idea.
This has always been the whole point behind the Trojan Horse that is systemd. Now that Poettering/Red Hat control the entire userspace across virtually all distros, he/they can use it as a vehicle to force all of them to adopt whatever bullshit he thinks of next.
This is what the Linux ecosystem gave away when they tossed their simple init system to adopt the admittedly convenient solution that is systemd. But in reality, the best solution was always to drop init, and instead replace it with an alternative that was still simple to replace if the need should arise. But now that everyone is stuck on systemd, they're all at the mercy of Poettering's Next Stupid Idea.
Convenience comes at a price. systemd is the Google Chrome of Linux userspace. Get out while you can.
Ebba Busch invokes the devil. The Christian Democrats' party leader Ebba Busch, with a past in evangelical Christian circles, attended a wedding full of fascists and Nazis. Jimmie Åkesson's wedding. There she posed, among other things, in a picture together with Marcus Öhrn, who is the singer in Åkesson's band Bedårande barn. He has been convicted of, among other things, drug offences and aggravated drunk driving. In addition, of sexual harassment after having molested two teenage girls in a queue at Gröna Lund in Stockholm.
The CUPS exploit is here: GitHub - RickdeJager/cupshax
I hope this goes without saying but please do not run this on machines you don't own.
The good news:
- the exploit seems to require user action
The bad news:
- Device firewalls are ineffective against this
- if someone created a malicious printer on a local network like a library they could create serious issues
- it is hard to patch without breaking printing
- it is very easy to create printers that look legit
- even if you don't hit print the cups user agent can reveal lots of information. This may be blocked at the Firewall
TLDR: you should be careful hitting print
GitHub - RickdeJager/cupshax
Contribute to RickdeJager/cupshax development by creating an account on GitHub.
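A defender-side check for the legacy browse announcements that cups-browsed accepts on UDP 631, tying together the news flash's advice above (turn off cups-browsed or its legacy CUPS browsing) and this post's point about a malicious printer on a local network: parse each announcement and only accept queues whose IPP host is a known print server. This is an added example of mine, not code from CUPS, cups-browsed or the cupshax repository; the announcement layout is my recollection of the CUPS scheduler's browse format and is an assumption, and the allowlist hostnames and sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Parsed view of one legacy CUPS browse announcement. Assumed line layout:
 *   <type-hex> <state-hex> <uri> "location" "info" "make-model"
 * (from memory of the CUPS scheduler's browse code, not from the page). */
struct browse_pkt {
    unsigned type, state;
    char uri[256];
    char host[128];
    char info[128];
    char make_model[128];
};

/* Copy one double-quoted field at *p into dst and advance *p past it. 0 on error. */
static int take_quoted(const char **p, char *dst, size_t cap) {
    const char *s = *p;
    size_t n = 0;
    while (*s == ' ') s++;
    if (*s++ != '"') return 0;
    while (*s && *s != '"') {
        if (n + 1 >= cap) return 0;
        dst[n++] = *s++;
    }
    if (*s != '"') return 0;
    dst[n] = '\0';
    *p = s + 1;
    return 1;
}

/* Extract the host of ipp://host[:port]/... or ipps://... into dst.
 * Any other scheme is rejected outright. */
static int uri_host(const char *uri, char *dst, size_t cap) {
    const char *p;
    size_t n = 0;
    if (strncmp(uri, "ipps://", 7) == 0) p = uri + 7;
    else if (strncmp(uri, "ipp://", 6) == 0) p = uri + 6;
    else return 0;
    while (*p && *p != ':' && *p != '/') {
        if (n + 1 >= cap) return 0;
        dst[n++] = *p++;
    }
    dst[n] = '\0';
    return n > 0;
}

/* Parse one announcement line. Returns 1 on success, 0 for anything malformed. */
int parse_browse_packet(const char *line, struct browse_pkt *out) {
    char location[128];
    int used = 0;
    const char *p;
    memset(out, 0, sizeof *out);
    if (sscanf(line, "%x %x %255s%n", &out->type, &out->state, out->uri, &used) != 3)
        return 0;
    p = line + used;
    if (!take_quoted(&p, location, sizeof location)) return 0;
    if (!take_quoted(&p, out->info, sizeof out->info)) return 0;
    if (!take_quoted(&p, out->make_model, sizeof out->make_model)) return 0;
    return uri_host(out->uri, out->host, sizeof out->host);
}

/* Known print servers on this network (constructed allowlist for the example). */
static const char *const KNOWN_PRINT_SERVERS[] = { "printserver.lan", "10.0.0.5" };
static const size_t N_KNOWN = sizeof KNOWN_PRINT_SERVERS / sizeof KNOWN_PRINT_SERVERS[0];

/* 1 if the announced queue lives on a known print server; 0 if the line is
 * malformed or the queue points at a host users should not be handed. */
int browse_packet_trusted(const char *line) {
    struct browse_pkt pkt;
    size_t i;
    if (!parse_browse_packet(line, &pkt)) return 0;
    for (i = 0; i < N_KNOWN; i++)
        if (strcmp(pkt.host, KNOWN_PRINT_SERVERS[i]) == 0) return 1;
    return 0;
}

/* Helper for checks: 1 if the line parses and its URI host equals host. */
int browse_packet_host_is(const char *line, const char *host) {
    struct browse_pkt pkt;
    return parse_browse_packet(line, &pkt) && strcmp(pkt.host, host) == 0;
}

/* Constructed sample announcements: one from the known server, one from an unknown host. */
static const char *const SAMPLE_KNOWN =
    "3 3 ipp://printserver.lan:631/printers/hp_laser \"Floor 2\" \"HP LaserJet\" \"HP LaserJet 4000 Series\"";
static const char *const SAMPLE_UNKNOWN =
    "3 3 ipp://203.0.113.10:631/printers/Free_Printer \"Lobby\" \"Free Printer\" \"Generic PostScript\"";

int main(void) {
    printf("known server trusted: %d\n", browse_packet_trusted(SAMPLE_KNOWN));
    printf("unknown host trusted: %d\n", browse_packet_trusted(SAMPLE_UNKNOWN));
    return 0;
}
```

The same verdict logic could feed an alert in a network sensor; the point is that an announcement from an unexpected host is the signal, whether or not anyone ever hits print.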
I think this would likely be most troublesome on some of the OG internet users that got a whole freaking /8, /10, or /12 or something like AT&T or universities. Up until very recently, and possibly even to the present, these organizations had such large IPv4 space, that there was no need to do NAT, and each device had a publicly addressable IP.
There is currently no fix available
Edit: I'm mistaken
The questionable commit:
```c
{
  // Add the first line of localized text...
  cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
  while (*text && *text != '\n')
  {
    // Escape ":" and "<"...
    if (*text == ':' || *text == '<')
      cupsFilePrintf(fp, "<%02X>", *text);
    else
      cupsFilePutChar(fp, *text);
    text ++;
  }
  cupsFilePuts(fp, ": \"\"\n");
}
```
Can someone explain to me how this allows arbitrary code execution? As far as I can see, all it does is iterate through a string and mark up some special characters.
Edit: Okay, after reading the blog post, and this fantastic bug report, it sounds like to print to a CUPS server, you send it a message on port 631 using an IPP (some print protocol) server. CUPS then requests attributes of the IPP server, one of which being the print filter command to run ("Foomatic-rip") to use to convert a PS or PDF into native print code. By requesting attributes, an exploit involving string escaping through the use of unexpected spaces or quotes can override the Foomatic print command. Arbitrary text can be supplanted, which will then be executed by the CUPS server.
Discover RSS-Parrot: Your Fediverse-Friendly RSS Reader
Looking for a simple way to stay up-to-date with the latest news, blogs, and podcasts across the web and the fediverse? Check out RSS-Parrot, an easy-to-use RSS reader built with #Fediverse users in mind. Whether you're following your favorite Mastodon accounts or tracking blog updates, RSS-Parrot makes it effortless to manage your feeds in one place.
Key Features:
Fediverse Integration: Keep up with Mastodon, Lemmy, and other fediverse platforms via #RSS.
Streamlined Feed Management: Add, organize, and categorize your feeds from across the web and fediverse.
Customizable Layout: Adjust the reading view to suit your style for a more personalized experience.
Real-Time Updates: Get the latest content as it's published from your favorite sources, including fediverse-based communities.
Accessible Everywhere: Use it on any device with an internet connection for easy feed access on the go.
If you're part of the fediverse or just a fan of #RSSFeeds, give RSS-Parrot a try! It’s a great tool to keep your content organized and up-to-date across platforms.
RSS Parrot
Home of RSS Parrot, a free Fediverse service that lets you turn Mastodon into an RSS or Atom feed reader. rss-parrot.net
Having not yet used this service, I can't comment on the service itself. What I will say is that it sounds interesting, until I realized one VERY important detail.....
Content.
This service is designed to bring you all the content that you feed data locations to pull from. Ok, that's all well and good, but the problem is, there's such a lack of content on the fediverse that it's not overwhelming right now to just log into Lemmy, see the 3-10 replies per day. Log into Mastodon, realize you're following like 6 accounts and 5 of them are bots, with the 6th one barely posting.
This service is like a very useful water pump to pull water out of a body of water and distribute it to a more convenient tank........and then you place its input in the middle of the Nevada desert. Doesn't mean the water pump is faulty, or not expertly designed. Just means it needs water to pull from.
That seems to be my frustration with the fediverse. There are very few content CREATORS, who don't revolve around a few basic topics. Politics, Technology........and that's it. And yes, I'm lumping video games, linux, computers, all that into technology. If it's something you need a screen for, or connects to something with a screen, that's lumped into technology.
I mildly care about politics. Under normal circumstances I don't care at all. I usually say "let other people worry about it." But these last 8 years have been just a constant barrage of bullshit, so it becomes necessary to care, as everybody is going to get fucked over otherwise.
Technology I have moderate interest in. I wouldn't call it the most important thing to me, but I wouldn't say I have zero interest either.
But then what......
Sports talk among locals is practically non-existent here (except for the Baltimore Orioles, who have a surprisingly strong community).
There's a pro-wrestling community which seemingly has 4 active commentors, including mods, and 2-3 other people who pop in from time to time.
So I try to do my part to write at LEAST one entertaining post per day. Some days I write more. Most days I have half a dozen smaller bite size posts as little jokes or whatever. And then I try to post SOMETHING that people are going to disagree with. I feel like THIS post is that post for the day. Mostly because nobody likes to take responsibility for a community, and nobody likes being called out as being just a consumer, and not a producer of content.
And PeerTube is pathetic. Lemmy at least has some degree of variety. It's not much, but it tries. PeerTube on the other hand is "EVERYTHING IS A LINUX VIDEO!!! ONLY LINUX EXISTS ON THIS PLATFORM!!!"
I can't say I produce any video content, but with a linux only content platform, I can't say I even consume either. It's a service I want to like, but they make it so damned hard.
And Lemmy is easy to keep track of everything, and I run out of content usually within an hour. Even though I log in several times a day. It's like drinking water from a shotglass when you want a gallon.
So I don't see much use for this new thing. Not because it's not a well made product, again, I have no usage experience, but because the sources it's pulling from are barren dry.
GE-Proton9-15 Released
Hotfix build:
Proton:
- Updated wine to latest bleeding edge -- fixes regression in video playback from 9-14
- Updated dxvk to latest git -- fixes regression which causes black textures and stuttering on NVIDIA cards.
- Updated vkd3d-proton to latest git
- Import upstream changes for lsteamclient
- Update xalia to 0.4.4
Protonfixes:
- Remove deprecated workaround for Total War Rome 2
Drinking 3 cups of coffee linked to preventing multiple diseases
WASHINGTON — A new study suggests that your morning brew might be doing more than just perking you up — it could be protecting you from a range of serious heart conditions. Researchers working with the Endocrine Society have found that drinking a moderate amount of coffee is associated with a lower risk of developing multiple cardiometabolic diseases. In simpler terms, your daily cup of coffee (or three) might help ward off conditions like Type 2 diabetes, heart disease, and stroke. “Consuming three cups of coffee, or 200-300 mg caffeine, per day might help to reduce the risk of developing cardiometabolic multimorbidity in individuals without any cardiometabolic disease,” says Dr. Chaofu Ke, the lead author of the study from Suzhou Medical College in China, in a media release.
Source: studyfinds.org/3-cups-of-coffe…
Mathematically it works out to half the ~~cancer~~ type 2 diabetes and stroke.
Edit: Fixed the disease
Direct link: academic.oup.com/jcem/advance-…
tl;dr: Cardiometabolic multimorbidity is the co-occurrence of two or three cardiometabolic diseases, including diabetes, heart disease, and stroke. This study found that habitual coffee or caffeine intake, especially at a moderate level, was associated with a lower risk of new-onset CM.
Seems like a bit of a reach. Habitual caffeine intake means that you won't get both diabetes and a stroke? I'm not convinced this is useful information.
A problem with the older studies that seemed to indicate that alcohol had health benefits was also that their control group, the people who didn’t drink, turned out largely not to do so because they already had severe medical problems. They weren’t allowed to drink because of them.
Compared to them it looked like the people who did drink were more healthy on average. So they concluded there must be health benefits to drinking alcohol.
This “Science VS” episode is about that (and has a bunch of citations in its transcript): gimletmedia.com/shows/science-…
Which would not be a great headline.
Yes yes, studies show this, studies show that. And they all contradict each other, especially if you just wait a few years for things to come full circle.
It's gotten to a point where I just don't believe them any more.
Maybe coffee does in some circumstances with some people have a link to preventing diseases. Or maybe not.
We've seen, and will continue to see, well researched scientific studies that argue both sides of this, until the end of history.
Believe whatever makes you feel better, that's all you can do, really.
And I can drink coffee and/or sugary caffeinated drinks right before I go to bed and be asleep in 10 minutes and sleep like a rock, undisturbable by anything short of 4 alarms up to 12 hours later.
Sugar and caffeine actually make me sleepy.
But that's not how it is for everyone else.
Maybe. But I don't need to have caffeine in order to need multiple alarms to wake up.
I think it's more out of habit.
Like I said, caffeine makes me sleepy. That's common amongst people with ADHD.
That's the journalists' fault. They have no business going through studies like this, that are not meant for them to make conclusions.
Believe whatever makes you feel better, that's all you can do, really.
Just stop spreading this bs, and stop reading news like these. Believe what accredited sources tell you, like your doctor or other professionals
DO whatever makes you feel better is not bad advice. Some of these studies have overarching trends that I do believe - caffeine and Adderall are protective to your brain, a little bit of speed keeps the brain healthy.
Alcohol and Benadryl are risky over time, so a habit of downers is detrimental to the brain over time.
Logically this makes sense. I think to some extent it's just metabolism/weight, staying lean is healthier all round but there does seem to be a pattern of results showing a habit of doing a little bit of stimulants is good for you.
Almost all science and logic in the history of the world is based on correlation. Discovering the causal link comes later, or more often than not never.
Your glib comment seems smart to people on the internet, but what it actually demonstrates is a complete lack of understanding of both words.
Per day***
The headline makes it seem like it's per lifetime or something.
Caffeine is toxic at around 10 grams, which is 80-100 cups of coffee. If you're defining "toxin" as triggering adverse effects at any dosage, then you need to include water, oxygen, and every other substance in existence.
Alcohol is a biological toxin at any dosage. I find that people who argue this point aren't doing it from an academic standpoint but to justify their own behavior.
Hm, didn't think of it that way.
I find that people who argue this point aren't doing it from an academic standpoint but to justify their own behavior.
I'm drinking maybe a glass of wine every 2-3 weeks...
I was talking about toxins in general in reaction to your toxin comment. I think it's logical to research the possibility of alcohol having some beneficial effects, the world is not black and white.
When it comes to studies of health risks/benefits of alcohol, they unfortunately seem to suffer from the same shortcomings as other health studies: lots of important factors are often ignored, like the type of alcoholic beverage consumed, lifestyle connected to the type or amount of alcohol, previous history of alcohol use... I can, of course, give you a link to a study that finds benefits to moderate alcohol use (although they are far from recommending it). Here's one example from 2023
Personally, I think alcohol probably does more damage than benefit even in moderate dosing, but the truth is we still don't really know and we need much more in-depth studies to find out.
I know you’re hair splitting but there are benefits to other elements in alcoholic beverages.
ncbi.nlm.nih.gov/pmc/articles/…
No need to get sour that occasionally recreational use crosses over into medical use. We don’t make these rules.
There's unsubstantiated and nonsensical assumptions in your comment starting with assuming that anyone who doesn't ingest alcohol does it to avoid exacerbating current health conditions, leading to those that drink moderately being healthier than those who don't drink. That's absurd.
I'll make an assumption of my own. A significant portion of your identity and social life is in "moderate" drinking and you're very keen to justify that as "healthy."
No it wasn’t that long ago
ncbi.nlm.nih.gov/pmc/articles/…
And it’s been cited in more recent blue zone study as well.
This isn’t a ticket for an alcoholic to go off drinking, they’d probably be best off still abstaining as the benefits would be obliterated by the negatives.
There's nothing wrong with polarization. Some things are clear cut enough to remain clear cut.
Let me put it differently, how much poop do you want in your drinking water?
Because I personally don’t want to eat 80 grapes. Besides the sugar content of 80 grapes is not healthy.
That's just wrong, sorry. Demonizing fruits is one of the most dangerous "health trends" on the face of the planet. Right up there with antivaxxers.
And, again you can eat leaves which don't have sugar and have lots of other great nutrients and fiber, while having less water volume.
No one is forcing you to drink it.
You just haven't encountered that kind of peer pressure yet.
“ You just haven’t encountered that kind of peer pressure yet.”
You invited yourself here.
“Demonizing fruit”
Fuck off troll.
than just perking you up
It doesn't, if you're a regular drinker. Rather, you get withdrawal symptoms at morning.
Considering that coffee is probably the highest source of antioxidants in a person's diet, there will be some health benefits. Just don't add dairy milk to it, or it will blunt absorption. Soy milk is fine.
But if you're an overweight, overworked, stress filled couch potato who doesn't exercise and eats poorly, then your health is screwed regardless of how much coffee you drink 😂
You'd need to explore the topic in further detail, as I'm sure the answer is there.
It may be dose dependent, but it may also be that a "splash" of milk might not impair absorption by much, but would anyone use just a splash of milk?
I was curious about why all of the authors of a study from Oxford University seem to have Chinese names. I didn't find any of their names in a search of Oxford's staff, either.
I have no idea what this means, but maybe the study was actually conducted elsewhere using data from the UK? Maybe there are just a ton of graduate students from China at Oxford in their life sciences program? I'm not insinuating anything sinister, it just seems odd and I was trying to understand why.
The study isn't from Oxford. It's from a team of Chinese scientists (likely in China) who used a large dataset collected in the UK.
The study is published in The Journal of Clinical Endocrinology & Metabolism, which the Oxford Academic collects and reproduces for their academic press.
Caffeine gives me brain-destroying headaches if I just drink a single cup a day for a month or two. Inevitably. I've tried to be a coffee drinker a half-dozen times in the past few years because I love the pep I get from caffeine, and every single time, eventually I end up slowly pacing in a dark, quiet room - because even sitting down makes the pain unbearable - wishing the world would end so my head would stop throbbing.
I guess I just wasn't drinking enough?
Israel’s assassination of Hasan Nasrallah, the secretary general of Hizballah, in an apocalyptic bombing attack on Beirut’s southern suburb on Friday is likely, at least in the short term, to cause enormous shock, despair and demoralization among supporters of the resistance to Zionism in Lebanon and across the region.
That is exactly what it is intended to do.
Confirmed by Hizballah on Saturday, Nasrallah’s killing comes after a series of tactical successes in the early stages of Israel’s unfolding full-scale attack on Lebanon, an open-ended assault that may well equal in barbarity Tel Aviv’s ongoing genocide in Gaza.
These are terrible and difficult thoughts to absorb after almost a year of genocide.
First there were the pager and walkie-talkie attacks, followed by a series of assassinations of Hizballah’s senior leaders, and now the head of the organization itself.
As Nasrallah himself admitted in his final speech, the organization suffered a severe blow with the pager attacks. Even worse was to come. Clearly there were serious breaches in security.
Nasrallah’s stature as a tactical and strategic thinker, as the most prominent and trusted leader of the Axis of Resistance, and as a personality capable of inspiring and reassuring supporters even in the worst of times, cannot be overstated.
The euphoria in Israel, Washington and some Arab capitals, will be exceeded only by the grief of Nasrallah’s supporters, who are far more numerous.
And there is no doubt that the loss is real and great from the perspective of a resistance that faces not only Israel’s formidable arsenal, but all the resources of the United States and the collective West.
Israel’s ability to carry out this series of attacks in quick succession will shake the confidence of many in Hizballah’s legendary prowess and operational security.
The attacks will go some way to restoring the prestige Tel Aviv has lost among its Western and Arab backers after a year of military failure in Gaza, and its failure to prevent the Hamas military offensive that wiped out the Gaza division of Israel’s army on 7 October 2023.
And although Hizballah has been hammering Israeli military assets and settlements in the north of historic Palestine with rockets, many in the region are asking why the resistance group’s response to Israel’s escalating aggression has not been harder and harsher – even as Israel intensifies its bombardment of civilians across Lebanon and within its capital.
Another question on many lips is why Iran, which vowed retaliation after Israel’s murder of Hamas leader Ismail Haniyeh in Tehran in July, has acted with such restraint. There is a growing perception that its lack of response only encouraged Israel’s ever more brazen violence.
“Shock and awe” is not victory
Amid the rapidly changing situation and the torrent of emotions after a year of livestreamed genocide in Gaza, now being extended by Israel to Lebanon, it is hard to maintain a long view. But doing so is essential for sound analysis.
It is worth remembering this: In almost any asymmetrical war, when the strongest side – the invader or colonizer – goes on the offensive, it often appears to achieve quick and stunning success.
Indeed “shock and awe” is the name of a Western, specifically American, military doctrine, developed in the 1990s and explicitly touted when the US invaded Iraq in 2003.
Also called “rapid dominance,” its aim is to demoralize and paralyze the adversary with the use of overwhelming and spectacular displays of violence.
The goal according to the doctrine’s authors, is to so “overload an adversary’s perceptions and understanding of events that the enemy would be incapable of resistance at the tactical and strategic levels.”
We’ve seen this time and again in recent decades and we’re witnessing it now.
Just weeks after the 11 September 2001 attacks, the United States attacked Afghanistan, quickly toppling the Taliban government under the pretext that it had sheltered Osama bin Laden.
American confidence following this swift apparent success undoubtedly spurred Washington to go on to its next project: the March 2003 invasion of Iraq.
With the government of Saddam Hussein quickly overthrown and American tanks in control of Baghdad, President George W. Bush gave his infamous “Mission Accomplished” speech on 1 May of that year – words that came to haunt him as the United States became bogged down in a war of attrition against resistance in both Afghanistan and Iraq.
These rapid victories, or so they appeared, sparked real fears at the time that the American forces would roll onwards towards Damascus and Tehran, or perhaps other “rogue states” on America’s hit list.
We know now, from the so-called Afghanistan Papers, that the warmongers in Washington recognized all along that they had lost the war, but lied to the American public for almost two decades that they were winning.
And when the American withdrawal from Afghanistan came in August 2021, the humiliating departure from Kabul airport was widely compared to the chaotic scenes of the defeated Americans evacuating in helicopters from the roof of the US embassy in Saigon, Vietnam.
With respect to Israel too, this pattern has been evident. When Israel invaded Lebanon in 1982 – an assault it dubbed “Operation Peace for Galilee” – its forces quickly swept north to Beirut, besieging and occupying an Arab capital for the first time in the Zionist settler state’s history.
Israel murdered tens of thousands of Lebanese and Palestinian civilians and expelled the Palestine Liberation Organization. But success, from Tel Aviv’s perspective, quickly turned to failure.
During a long occupation, resistance to Israel grew, especially from Hizballah, which did not even exist at the time of the Israeli invasion.
Hizballah and other resistance groups bled Israeli occupation forces for two decades in a grueling war of attrition, until Israel withdrew from occupied southern Lebanon in defeat in May 2000.
Even in the context of the American-backed Israeli genocide in Gaza, Israel’s constant professions that it has placed this or that part of Gaza under its total control, quickly crumble. The fact is that the resistance continues to fight in every part of Gaza.
So far every Israeli-American “day after” plan, in which a defeated Hamas would be replaced by an Arab-backed Palestinian collaborator force, has collapsed.
Distracting from an exhausted Israel’s ongoing failure in Gaza is perhaps one of the factors spurring Israel to seek spectacular “success” in Lebanon.
Turning point
This sobering moment is a turning point in the long regional war for liberation from racist, Western-backed settler-colonial Zionism. But after a century of Zionism’s depredations and horrors, neither the people of Lebanon nor Palestine have surrendered, and there’s no reason to believe they will now.
On the contrary, after the initial shock, the determination of the resistance will only increase, and its circle will expand, as it has in every phase of the liberation struggle.
Nor does the assassination of Nasrallah, with American bombs and American warplanes, and perhaps other assistance from Washington, change the trajectory of the downward decline of US global power – the power on which Israel relies for its survival.
Let’s recall too that the Zionists have always used assassination as a primary tactic. However, their war is not against individual leaders, but against entire peoples whose determination cannot be so easily snuffed out.
Nasrallah himself assumed the leadership of Hizballah after Israel murdered his predecessor Abbas al-Musawi in 1992. Nasrallah grew the organization to unprecedented strength.
That strength is not based on the will of one individual, but on a base of support deeply committed to the cause and willing – as Nasrallah himself never failed to point out – to make enormous sacrifices on the road to liberation.
If the Israeli army has admitted Hamas cannot be destroyed because “Hamas is an idea, Hamas is a party,” then what about Hizballah?
What is most sobering is that the war to liberate Palestine and the region from Zionism will be no less brutal on the people of the region than the wars to liberate Algeria, Vietnam, South Africa and so many other places targeted by the Euro-American empire.
After all, the occupiers and colonizers are the same countries, and the genocidal hatred their ruling classes bear towards the people whose land and rights they seek to usurp has never dimmed.
Like others before him, Nasrallah gave his life on the road to liberate Palestine, and that struggle did not end today.
Ali Abunimah is executive director of The Electronic Intifada.
Source: Electronic Intifada
abolitionmedia.noblogs.org/pos…
#alAqsaFlood #hezbollah #lebanon #palestine #repression #westAsia
“On the night following Marcellus Khalifah Williams’s martyrdom at the hands of the state, we went to the walls of the Orleans Parish Prison along I-10 in New Orleans, under a waning crescent moon, and scrawled a message:
“America is a prison! Abolition now!”
To symbolize the extension of the genocidal, fascist carceral systems that permeate every facet of modern america, we wanted to remind commuters that fascism is not some looming specter on the horizon, but material reality right now for so many occupied communities. The orgy of surveillance, the disappearance of unhoused people in the lead-up to the Super Bowl, the social death of the poor as we struggle to afford basic necessities under an ongoing pandemic, the hollow spectacle of electoral politics.
The cages extend into schools, hospitals, mental health facilities, treatment centers, “low-income” housing, into the way we interact and police each other and ourselves.
We wish to remind people of the infinite possibilities for collective resistance against colonialism, of the world-making that continues ongoing in the face of fascism here in the US, in Palestine, and across the globe.
We remain vigilant in attending to Marcellus Khalifah Williams’s collective remembrance: his spirit lives on in our struggle and resistance.
As the genocide in Palestine rages on, we urge folks to escalate against the Zionist entities, and to reconfirm their commitments to decolonial struggles within their communities, collectives, affinity groups, etc.
Destroying Zionism, white supremacy, and capitalism is the only path toward liberatory modes of living, of being free.”
26 September 2024 – Anonymous communique – New Orleans:
Telorand
in reply to pnutzh4x0r
Yep. While simple to prepare, this will affect almost nobody, as it requires the user to perform an increasingly rare action in a world that's often going paperless.
Also, the likelihood that a regular user will expose port 631 to the internet is probably close to zero. There are several uncommon pieces that have to be in place for this to work, to the point that it's not a simple matter to execute this exploit.
sweng
in reply to Telorand
Is that really true? From evilsocket.net/2024/09/26/Atta…
Strit
in reply to sweng
Telorand
in reply to sweng
The very next sentence:
They said they were getting duplicates and non-*nix hits with that 300k number, which doesn't help them (i.e. the hundreds of thousands of hits was artificially inflated). So yes, the threat is overblown.
Coupled with the fact that patches are already out and it's easily mitigated by closing 631, I don't expect this will be much of a problem for most people.
sweng
in reply to Telorand
Telorand
in reply to sweng
How's that? If I'm running a Windows machine, how would a CUPS exploit affect me?
I'm not asking maliciously, but I genuinely don't grasp how that could be a viable attack vector.
sweng
in reply to Telorand
sweng
in reply to Telorand
serenissi
in reply to Telorand
Telorand
in reply to serenissi
serenissi
in reply to Telorand
Say I host a malicious server with IPv6 only. You visit the site without NAT. I get your IP and ip:631 is open (unless firewall and listen is restricted to prefix). Usual attack afterwards.
Edit: You need to have IPv6, for example many mobile networks.
Laser
in reply to serenissi
I have full IPv6, none of my ports that I haven't explicitly whitelisted in the firewall can be accessed from the Internet. I can open a host completely, but it's not default. This is on the most common brand of consumer routers here.
Just because it's not NATted doesn't mean there's no firewall in place.
serenissi
in reply to Laser
Yeah, of course a firewall is the good idea here. I personally have a firewall on every device so that I can manage what can connect and from where.
The point is though often people just disable firewalls (some distros do not install/enable by default too) to work around certain issues quickly like kdeconnect not connecting, bridge not working and such.
That's how I think the whole 'IPv4 NAT is the best (consumer) firewall' concept became popular.
mlg
in reply to pnutzh4x0r
I don't know why the guy just assumed every Linux and BSD machine runs cups-browsed by default?
It took me literally 5 seconds to check that it's disabled on Fedora by default.
Then he wrote a whole paragraph about how no one should use CUPS for printing because based off of his own analysis, it's some insanely crappy and insecure system.
Which is actually stupid because the only alternative is windows?????????? Which is universally known for printer driver and spooler vulnerabilities.
Then he got mad at the maintainer for patching before his disclosure.....
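The thread's defensive advice comes in three pieces: check whether cups-browsed is even enabled (mlg's "5 seconds to check" on Fedora), close UDP 631 (Telorand), and note that a socket bound to a wildcard address is reachable from every interface unless a firewall sits in front of it (serenissi's "listen is restricted to prefix" caveat, and Laser's point that no NAT does not mean no firewall). The POSIX shell script below is an added example that turns those three checks into one repeatable test; it is not code from the thread, from the CUPS project, or from any distribution. It assumes a Linux host with iproute2's `ss` and systemd's `systemctl`; the `ss -lun` lines used in the comments and the test are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example (not from the thread or the CUPS project): audit whether
# cups-browsed is enabled and whether anything is bound to UDP 631 on a
# wildcard address, which is the condition under which a host outside the
# local subnet could reach it if no firewall is in the way.
# Assumptions: iproute2 `ss` and systemd `systemctl` are available.

# exposed_udp_631: read `ss -lun` output on stdin and print every socket bound
# to UDP port 631 on a wildcard address (0.0.0.0, * or [::]). Exits 0 when at
# least one such socket is found, 1 otherwise. Loopback-only or prefix-restricted
# binds are deliberately not reported, since those are the "restricted" case
# the thread distinguishes.
# Constructed sample of what `ss -lun` prints on a host with cups-browsed up:
#   State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
#   UNCONN 0      0      0.0.0.0:631         0.0.0.0:*
#   UNCONN 0      0      [::]:631            [::]:*
exposed_udp_631() {
    awk '
        $1 == "State" { next }                    # skip the ss header line
        {
            n = split($4, p, ":")                 # 4th column is Local Address:Port
            port = p[n]                           # port is everything after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "631" && (addr == "0.0.0.0" || addr == "*" || addr == "[::]")) {
                print $4
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# unit_state: how systemd sees the unit ("enabled", "disabled", "masked", ...),
# or "not-found" when no such unit exists on this host.
unit_state() {
    state=$(systemctl is-enabled cups-browsed 2>/dev/null)
    echo "${state:-not-found}"
}

# check_live: run both checks against the current host. It is not invoked
# automatically; source the file and call it, e.g. `. ./cups-check.sh && check_live`.
# Returns 1 when a wildcard UDP 631 listener exists, 0 otherwise.
check_live() {
    echo "cups-browsed unit: $(unit_state)"
    if listeners=$(ss -lun | exposed_udp_631); then
        echo "UDP 631 is bound on a wildcard address:"
        echo "$listeners"
        echo "Mitigation discussed in the thread: disable cups-browsed or block UDP 631 at the firewall."
        return 1
    fi
    echo "No wildcard UDP 631 listener found."
    return 0
}
```

The parser is kept separate from the live commands so it can be exercised on captured `ss` output from another machine, and so that a loopback-only bind (`127.0.0.1:631`) is reported as safe rather than as exposed; a wildcard bind with a host firewall in front of it will still be reported, which matches Laser's point that the firewall, not the bind address, is what decides reachability on such a host.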