• 0 Posts
  • 19 Comments
Joined 13 days ago
Cake day: January 6th, 2026





  • Phone. And Location 🙃

    One example of how permissions UI on Android is too coarse. Arguably mocking location is a questionable use but this pattern crops up everywhere. I think users must have more fine-grained control over what apps can access regardless of what devs put in their manifests. It’s reasonable that a user wants an app to have access to GPS coordinates and network access but not cell or wifi info.

    In general GrapheneOS gives more flexibility and power to the user than stock but I’m not sure if they go far enough to support what you want to do.



  • Possibly oversimplifying and didn’t have a proper read yet: If you trust the hardware and supply-chain security of Intel but not the operational security of Cloudflare or AWS, this would allow you to exchange messages with the LLM without TLS-encryption-stripping infrastructure operators being able to read the messages in cleartext.

    This is a form of Confidential Computing based on Trusted Execution Environments. IMO the real compelling use of TEEs is Verifiable Computing. If you have three servers all with chips and TEEs from different vendors, you can run the same execution on all of them and compare results, which should always agree. You will be safe from the compromise of any single one of them. For Confidential Computing, any single one being compromised means the communication is compromised. The random nature of LLM applications makes Verifiable Computing non-trivial and I’m not sure what the state of the art is there.

    And yes it does look like it has overhead.

    This seems impossible from a scalability perspective, as even small LLMs require huge quantities of RAM and compute. Did I miss something fundamental here?

    Well isn’t it the other way around? If the per-user resources are high, the additional sublinear overhead of isolating gets relatively smaller. It costs more to run 1000 VMs with 32MB RAM each vs 2 VMs with 16GB RAM each.

    However I guess this might get in the way of batching and sharing resources between users? Is this mentioned?



  • If you feel overwhelmed by this, an easy rule of thumb is sticking to distro packages of a trusted dist. Ideally ones with a long track record, centralized packaging and tiered rollouts.

    Roughly,

    • High community trust: Debian, SUSE, Fedora, Ubuntu

    • Depends on the package but at least everything is transparent with some form of process, contributors vetted, and a centralized namespace: Arch, Alpine, Nixpkgs

    • Anything and anyone goes, you are one typo away from malware but hey, at least things get taken down when folks complain: AUR, GitHub, NPM, DockerHub, adding third-party ppa/copr

    • IDGAF: curl | sh








  • Some things that happen when I go to duckduckgo.com that also go against that:

    • Harvesting the third-party cookies it can (example: github.com)
    • Attempting to enumerate browser extensions
    • Attempting to enumerate crypto wallet addresses from extension wallets like MetaMask

    It’s extremely nosy. They used to do canvas fingerprinting until browsers started prompting about it.

    IDK about the claim of directly selling searches to IG and likely it’s a bit more convoluted than that (or OP has malware) but it’s a more believable idea than that of DDG actually being respectful of user privacy. There is absolutely no legitimate reason for DDG to gather this data for the purpose of providing their search service, yet they do.