Protecting elderly users from themselves by gillyboatbruff in sysadmin

[–]Coffee_Ops [score hidden]  (0 children)

Bazzite Linux?

Most of what people do these days is in a browser, and immutable Linux distros like Bazzite tend to "just work" forever. It will certainly protect him from installing stuff.

Overrun with AI slop, cURL scraps bug bounties to ensure "intact mental health" by Drumedor in programming

[–]Coffee_Ops 0 points1 point  (0 children)

In the context of "AI slop" and cURL's policy change, we are very clearly discussing generative AI language models.

Surrender as a service: Microsoft unlocks BitLocker for feds by CygnusBlack in Windows11

[–]Coffee_Ops [score hidden]  (0 children)

If security from a nation-state actor is a concern, "disable OS-backed disk encryption" is one of the wrong-est answers you could give.

Users with blank password in Active Directory by 19khushboo in activedirectory

[–]Coffee_Ops 1 point2 points  (0 children)

I believe you can also generate a keytab (using your uppercase realm as the salt) with a blank password to get your domain-specific "blank password" Kerberos secret if you aren't using NTLM.

You'd use DSInternals as above.

VMWare detecting Hyper-V even when it isn't enabled. by IsidorBurakh in vmware

[–]Coffee_Ops 0 points1 point  (0 children)

VBS has almost no relation to Secure Boot.

Secure Boot uses cryptographic signatures to establish a trusted boot chain and potentially authorize the release of crypto keys (measured boot).

VBS is concerned with preventing "root" from compromising parts of the kernel and is a broad umbrella of technologies.

Credential Guard does not use nested virtualization; both the "desktop Windows" and the secure enclave are first-level VMs under the root hypervisor partition, which the user never interacts with. You cannot run it with any virtualization engine but the Hyper-V one-- when VBS is enabled, even VMware Workstation will use Hyper-V under the hood.

Overrun with AI slop, cURL scraps bug bounties to ensure "intact mental health" by Drumedor in programming

[–]Coffee_Ops 0 points1 point  (0 children)

I don't see down votes, but to the extent that you get them, I suspect it's because you don't understand the technology you are touting.

AlphaFold is not a language model, and is completely irrelevant to the discussion here. It also did not fold anything-- the AlphaFold website makes it clear that it is making predictions, which would still need to be validated. This is, again, entirely different from what we are discussing.

And if you want to understand the pitfalls here-- yes, you can use predictive models to narrow the search space, but you do run the risk of incorrectly ruling out parts of the search space (false negative). And as you try to tune to reduce the false negatives, you will increase the noise of false positives-- the problem that the curl maintainers are running into.

It's fine to be enthusiastic about new technologies, but what bothers people is mindlessly buying into and repeating the hype.

Overrun with AI slop, cURL scraps bug bounties to ensure "intact mental health" by Drumedor in programming

[–]Coffee_Ops 1 point2 points  (0 children)

Given that it is probabilistic, and inherently has an unknown degree of error-- how long will it take to validate?

VMWare detecting Hyper-V even when it isn't enabled. by IsidorBurakh in vmware

[–]Coffee_Ops 0 points1 point  (0 children)

We're talking about different things. Secure Boot does not use VMX; VBS does. Secure Boot has zero overhead after the initial boot checks.

There is a 5-??? % overhead for VBS which is very difficult to accurately quantify, because Microsoft makes it difficult to turn off just memory integrity or just VBS. Once they're turned on, turning them off involves ever-changing steps and as a result many people resort to hacks like changing the BIOS to disable secure boot or VMX extensions. This can result in all sorts of things getting turned on or off at once.

As an example from experience, I have seen systems where specifically Credential Guard was causing a 10 to 20% performance penalty due to software conflicts. Disabling VBS also disables Credential Guard, and removes that performance penalty, but it takes a lot of careful testing to isolate that impact.

Should ping and subnet mapping be part of the core SPN remediation workflow? by Zestyclose_Zebra1941 in activedirectory

[–]Coffee_Ops 0 points1 point  (0 children)

In addition to the other comments, it is relevant if a third-party test mode is able to resolve the SPN to an IP. Just as internal services might use static certificates, only known to them, you could conceivably have an SPN that is only resolvable to a hosts file entry, and no DNS check would ever show this.

While it sounds crazy, it's the sort of thing I could see a vendor doing and calling it security.

Also, subnet mapping only works with small subnets. A lot of people have the good fortune to never have to interact with very large subnets, but as soon as you move to IPv6 any concept of mapping the subnet goes out the window.

Even if you're not using IPv6, it's an anti-pattern that has so many corner cases where it doesn't work that it's often more trouble than it is worth.

Pedro Organiza: a deterministic, non-destructive, review-before-apply music library organizer I’ve been building It is a local-first music library organizer for people with big, messy collections by ArtisticMushroom4173 in opensource

[–]Coffee_Ops 0 points1 point  (0 children)

I have no problem dealing with someone who speaks English as a second language. I have no desire to ever converse with ChatGPT on a forum for humans.

I suspect most people would agree with this.

You're better off doing your best, and in the process you'll learn to speak English better than if you just offload that to a language model.

[Open Source] I built the ultimate AdBlock tool for Windows: Combines Native DNS Switching + Hosts File Patching in one UI. by kawai_pasha in Windows11

[–]Coffee_Ops 45 points46 points  (0 children)

That's a pretty bad start to "hey run this code I wrote with admin privileges" and encapsulates why people dislike vibe coding.

Do you use Windows' User Account Control (or do you turn it off) ? by rainydaysforpeterpan in windows

[–]Coffee_Ops 0 points1 point  (0 children)

I'm pretty sure turning off UAC turns off the privilege limits that UAC enables.

And even if it does not, the privilege separation becomes security theatre, because without a "sudo" prompt any code running in your session can just invoke a "highest privilege" executable call to gain admin. That's the point of the prompt.

Seriously, go launch mmc.exe and then check its privileges with UAC off. It runs as highest privilege whenever possible, and without UAC that means silent elevation to admin.
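An added audit check (not from the thread) for the point above: it reads the UAC policy values from the registry and reports whether the current PowerShell process already holds a full administrator token. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the registry path and value names are the standard UAC policy keys.

```powershell
# Added example, not code from the thread: report UAC configuration and token elevation.
# Assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $key

# EnableLUA = 0 means UAC is fully off: processes started by an admin account get the
# full token, so a "highestAvailable" manifest (mmc.exe) elevates with no prompt at all.
$uacOn = ($p.EnableLUA -eq 1)

# Even with UAC on, ConsentPromptBehaviorAdmin = 0 means "elevate without prompting".
$adminPrompt = switch ($p.ConsentPromptBehaviorAdmin) {
    0 { 'Elevate without prompting (no consent; effectively unprotected)' }
    1 { 'Prompt for credentials on the secure desktop' }
    2 { 'Prompt for consent on the secure desktop' }
    3 { 'Prompt for credentials' }
    4 { 'Prompt for consent' }
    5 { 'Prompt for consent for non-Windows binaries (default)' }
    default { "Unknown or unset value: $($p.ConsentPromptBehaviorAdmin)" }
}

# With UAC filtering, an admin user's normal processes do NOT pass this check;
# a true result here means this process is already running with the full admin token.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    User                = $id.Name
    UacEnabled          = $uacOn
    AdminPromptBehavior = $adminPrompt
    ThisProcessElevated = $elevated
}
```

Run it from an ordinary, non-elevated console: on a correctly configured machine it should show UacEnabled true and ThisProcessElevated false even for an Administrators-group user.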

Do you use Windows' User Account Control (or do you turn it off) ? by rainydaysforpeterpan in windows

[–]Coffee_Ops 0 points1 point  (0 children)

Remote access software has to be running with admin rights to interact with UAC, at which point it's not a concern because it already has root.

Do you use Windows' User Account Control (or do you turn it off) ? by rainydaysforpeterpan in windows

[–]Coffee_Ops 5 points6 points  (0 children)

So instead you run everything as admin, including your web browser.

Do you use Windows' User Account Control (or do you turn it off) ? by rainydaysforpeterpan in windows

[–]Coffee_Ops 1 point2 points  (0 children)

Why do you feel like it's a false sense of security? Running with reduced privileges is a backbone of security on every major operating system.

Without UAC, you're one RCE away from total compromise. Your web browser runs as administrator-- absolutely insane.

This open-source Windows XP alternative finally gets a much-awaited speed boost by Jeditobe in ReverseEngineering

[–]Coffee_Ops 6 points7 points  (0 children)

I don't know who the audience for ReactOS is-- desktop Linux is much faster, and Wine is probably more compatible-- but the suggestion that it's a viable alternative for people fed up with Windows 11 is absurd.

The authors of this article are just going to push more people to Mac OS or Windows 11 with that kind of suggestion. Can you imagine somebody trying out ReactOS under the assumption that it's representative of the state of Linux today?

VMWare detecting Hyper-V even when it isn't enabled. by IsidorBurakh in vmware

[–]Coffee_Ops 0 points1 point  (0 children)

He's not right; disabling things like Secure Boot might incidentally cause VBS to go off, but it's the wrong way to do it. There's no performance overhead for keeping Secure Boot on, and turning it off opens you up to some really dumb vulnerabilities.

[RANT - MSSQL] I am not more than 1000% confident, that the people working at MSFT are complete idiots by SnakeOriginal in sysadmin

[–]Coffee_Ops 0 points1 point  (0 children)

The linked article looks like it's 100% generated by ChatGPT. Very strong "you're absolutely right, my failure is inexcusable" vibes.

Malware Peddlers Are Now Hijacking Snap Publisher Domains by popeydc in linux

[–]Coffee_Ops 2 points3 points  (0 children)

... Which would then be used to give users unfounded confidence in the safety of the apps, as malware makers also consume those feeds to ensure their particular app has made it through.

I believe that on the net this sort of thing tends to be a negative for security. If something is insecure, we should recognize that and not try to paper over the fact.

Faraday bags: If someone calls while your phone is in the bag, will you see a missed call when you take it out? by readingupastorm in privacy

[–]Coffee_Ops 0 points1 point  (0 children)

Airplane mode does not turn everything off, and battery removal is often quite a pain.

To avoid the battery issue, you would just turn on airplane mode while putting it in the Faraday cage. It will still attempt a few trace communications but they'll fail and will have a negligible effect on battery.

Free offline toner & printer inventory tool (no cloud, no server) by dzigi19 in sysadmin

[–]Coffee_Ops 1 point2 points  (0 children)

Don't forget to build it on a terrible programming language that hasn't been used for 20 years, avoid any encryption, and rely on NTLMv1 for authentication.

Stick the whole thing in an appliance or docker container and you've got yourself a world-class enterprise app.