But what about monster HDMI cables?

my pp gets hard

The way a lot of them are, they probably wish it still did that.

Yep, evolution always ends in crabs.

If you are already there, why bother?

Note that could prove you have it, but failure to execute does not prove yourself secure.

For example, someone reported to me that their RHEL9 system was not vulnerable based on this result. But it was because python was 3.9 and didn’t have os.splice, so the demonstrator failed, but the actual issue was there.

Similarly, if ‘/usr/bin/su’ isn’t exactly there (maybe it’s in /bin/su, or in /sbin/su, or /usr/sbin/su, or not there at all), the demonstrator will fail, but the kernel may still have the vulnerability, you just have to select a different victim utility (or change the cache for some other data other than an executable for other effects).

Looking at the binary blob, it’s a payload to assume privileges as possible and exec sh. So replace su with that and the binary gets to use su’s filesystem privileges without needing access to actually write it.

The vulnerability part is when the door opens to replace any file’s read cache with arbitrary content. The binary payload is just an obvious example of the sort of payload that could do a ton of damage.

Note that this is a rather narrow view of the scope of things.

Yes, the demonstrator is a python script that opens up ‘su’ and uses splice+this vulnerability to change it to ‘just assume all privileges and become sh’.

However, it’s that any process in any namespace can leverage a certain socket type and splice to effectively modify any filesystem content they want. It’s easy to see how this could be part of a chained attack to, for example, replace a protected service that is firewalled off with a shell. An RCE in a service permits rewriting nginx in an entirely different container and replaces it with a shell backend of your choosing.

That ‘flatpak’ application on your single user system that is guarded from touching your files that aren’t related? That isolation doesn’t mean anything if this issue is in play.

In terms of shared systems, while it should be avoided if possible, practically speaking there’s a lot of shared resources.

I don’t get why I’ve seen so many people saying “ehh, no big deal, privilege escalation is just a fact of life”.

Is a bit hyperbole at the moment, where the concrete lawd are basically “os asks user for age on honor system and relays that to websites”. Linux distros can add that without much real controversy.

Proven is some are seeking laws that require the os to actually verify age, which in practice means locking things behind something like a Google account and having an online account vendor process your real identity and really validate your age. Under such a regime, Linux desktop as it exists today becomes infeasible. Also Microsoft can say they absolutely cannot allow local accounts anymore by law and force Microsoft accounts…

Zombie processes do not use resources, well, a little, it’s basically an entry describing how it exited.

The parent process is the thing keeping the zombie entry open. Killing it’s parent should work if they bother you.

Don’t have a Framework, but I think it’s due to the whole ‘modern standby’ approach where the firmware doesn’t implement ‘standby’ anymore and just let’s the OS put everything into as low power state as possible, component by component.

It doesn’t work well for Windows either, which is why a Windows laptop I have will ‘standby’ for maybe 15 minutes before shutting itself down for ‘hibernate’. I figure they decided that NVME means resume from hibernate is ‘good enough’ and modern standby is such a power hog that they can’t pull it off.

Problem in Linux is that they view SecureBoot as a promise they cannot keep if they resume from disk, so they block hibernate if SecureBoot is enabled, making it hard to bank on as a reliable recourse.

To be fair, this may be about as well as a run would go for me if I tried.

Makes sense, but what about your shoes?

Problem is that is what the insider traders are counting on. They know it is going to happen, it’s planned to happen and the odds reflect that. So a few million folks toss in a couple of bucks and the insiders cash in.

Outsiders can’t be 100% sure that it’s a planned event so they don’t take the terrible odds and the insiders don’t have to split things.

Yep, when I was a kid I remember people grousing about how stuff used to last forever and now it doesn’t. 20 years later, I got to hear people talk about how stuff made when I was a kid used to last forever but now it doesn’t. Now I get to hear how stuff made 20 years ago used to last forever but now it doesn’t.

Every time something breaks, someone points to something 20 years old that didn’t break and forget all the stuff that did break.

Of course, the practice of repair was different when the appliance costed relatively a lot more.

E.g. a TV was more likely to be repaired, but also costed about 10x as much relatively speaking.

So if it would have cost you 25% of the price of a TV to get it repaired, you would have got it repaired. If it’s just as easy to repair now, then the repair would still be over twice the price of just buying new.

It said right in your quote that people do work that “no one volunteers to do”. If they aren’t volunteering, then something is providing the impetus.

Broadly the writing avoids the more difficult nuance of how the community gets unplesant work to be “shared” when no one volunteers. This suggests enforcement one way or another.

At small scale of a commune, some pretty human interactions can probably serve to drive this in a pretty reasonable way, by instilling sense of duty and comradery and potentially shame inherent to everyone knowing everyone else in a nuanced way. As you scale up, when inevitably people start losing track of each other, those soft mechanisms deteriorate, and the systems start to develop cracks for exploitation. Capitalism breaks in some ways, other systems break down in others. Fundamentally human behavior when interaction becomes diluted at scale tends to suck.

allocating a few days a month to all fit members of a community to do work which no one volunteers to do.

Ok, this basically sums up the answer: the community forces labor one way or another. What is the enforcement, carrot vs. stick for making people do their fair share. How do you reward people for doing unwanted work? How do you deal with someone refusing to do it, or “maliciously complying” and doing it terribly to make the job easier and/or get out of doing it again in the future?

So the agreement is that there is work that needs some external impetus to happen, because not every job has enough people intrinsically interested or civic minded to make it happen. The question becomes which solutions manage to be more fair than others? For unskilled and unwanted jobs, the current answer has a lower class overworked because they are the most desperate, and that’s bad. A forced labor system might manage to distribute the burden more fairly, though thanks to people being crap it’s likely for a system set up to do that to be abused to overwork some demonized demographic, ending in a similar outcome a different way.

Whatever the case is, it’s not as rosy as “people freely work on wikipedia and programming, therefore people will freely work on anything society may want or need”

This is unfortunately a bit naive, that for every problem no one wants to do there’s a solution that people both want and can create.

If you want to dismiss excessive waste as a failing of society, we can speak of work like line men who repair power infrastructure. It’s not super engaging work.

Problem being the jobs that don’t inspire passion, curiosity, and purpose, but we still need them to get done.

Alternative motivation may be viable and in fact drive better results when feasible. You find the right person with the right passion who wants to do the job.

Problem is not every sort of job can pull that off. You aren’t going to find enough sewage treatment enthusiasts to handle that demand. You aren’t going to have enough line men to keep the grid going reliably and safely.

Now let’s discuss all the people eager to volunteer to work sewage treatment plants.

The proportion of people with more innate motivation versus need for a job to be done varies wildly between jobs.

But when someone approaches work with innate motivation, amazingly better stuff happens compared to people in it just for the paycheck.