That’s just misinformation. I put some shows onto a Jellyfin instance and not a single one has disappeared. Not even an email about something being dropped soon. So that’s a core part of the Netflix experience you’re just not getting with Jellyfin.

Heck, it doesn’t even randomly force me to watch in 1080p or 720p despite being on the 4K plan and the show/movie being available in 4K. It’s like Jellyfin isn’t even trying.

Mind you, stealing the internet worked because they effectively had the sum total of human knowledge as a training set. I don’t think that there’s nearly as much detailed data on the minutiae of running a business.

You don’t need a double-blind study to determine if acoustic emissions are the culprit. You just need to measure specifically for infrasound (and ultrasound, for that matter). It’s an unusual form of pollution but very much measurable if you know to look for it.

Unlike the things you mentioned, infrasound is understood to be a thing these days and is sometimes considered in construction. It’s not exactly witchcraft; most equipment (including decibel meters) just isn’t built to account for very low frequencies.

If the data center does put out noise at very low frequencies that’s probably some kind of unintended resonance that they’ll have to stop. It might be as simple as slightly changing the RPMs of some cooling fans or installing sound proofing in specific places.

Yes, infrasound is a fairly well understood phenomenon. Loud noise at frequencies below 10 Hz isn’t commonly picked up by recording equipment but can induce things like anxiety, nausea, and sleep problems. While recently wind power plants have sometimes been accused of generating it, it’s also been caused by industrial fans and even resonance in a building’s ductwork.

It wouldn’t surprise me if a data center’s AC caused enough noise at frequencies not normally monitored to become an issue.

Nothing beyond shipping laptops with NPUs, which isn’t unusual since that’s what Intel’s and AMD’s laptop CPUs come with these days.

In my comment, '“cracking” referred to finding a password that matches the hash. That’s common nomenclature. The found password doesn’t have to be the original password but it’s rather likely at the string lengths involved, especially since Kaspersky used a dictionary to back the attack.

Also, you wouldn’t use a hashing function where a large number of inputs of a usual password length turn into the same hash. That would just make all passwords weaker. The point of hashing a password is to store something that (ideally) uniquely matches the correct password but can’t be used to easily derive the password.

The factor of 1000 I gave was a very rough ballpark number. I couldn’t find any good comparison between the actual throughput of MD5 and bcrypt or Argon2. And yes, a single round of SHA256 would be cracked quickly; it’s much less work-intensive than Argon2 and even has dedicated hardware acceleration in modern CPUs. Argon2 with a high work factor is vastly more resistant than MD5 and SHA256.

Also, salting doesn’t protect against brute force and enhanced dictionary attacks. The salt is stored with the password so the attacker knows it. It only protects against rainbow tables. Pepper protects against offline cracking.

The difference in speed between MD5 and something like bcrypt or Argon2 is massive. We’re talking orders of magnitude. That adds a layer of security – if hashing takes e.g. 1000 times longer than with md5, the 20 minutes to crack the least secure passwords suddenly turns into 14 days. Still not astronomical but a lot slower. The more secure algorithms also require more memory to run, leading to less effective parallelization.

Besides, MD5 is prone to collisions, which reduce the number of attacks needed. The attacker doesn’t need the real password, just one that hashes to the correct value.

While they did do a more sophisticated dictionary attack, they also talk about rainbow tables, which only work if the hashes are unsalted. A more modern approach with salted passwords is immune to rainbow table attacks. An actually modern approach with salted and peppered Argon2 hashes makes the kind of offline attack Kaspersky did unfeasible in the first place.

For some reason Kaspersky never bothered to point this out. I’d expect a reputable cybersecurity company like them to at least include one line that urges developers to make use of a modern approach and gives pointers as to what that might be. But I suppose “we recommend passwords to be salted, peppered, and hashed with Argon2i or Argon2id with a sufficiently high work factor” wouldn’t fit their narrative.

(I also just noticed that the advice part of Kaspersky’s article is littered with references to the password manager they sell. Yep, it’s an underhanded ad that just happens to contain some good security advice.)

I’d use at least one more: The one that unlocks your device shouldn’t be the one that unlocks your password manager. Other than that, yes. Use a password manager, let it generate per-service passwords for you, and make sure you have a backup plan.

For example, I use a KeePass database shared across my devices via a self-hosted NextCloud. Each of my devices plus the server effectively holds a backup copy so I’d have to lose all of my devices plus the server before my password database becomes inaccessible. Since the server lives in a datacenter it also serves as a remote backup.

If your password manager is SaaS, you might want to investigate how to protect yourself from scenarios like the service being down or you losing access to the account.

I think Gunner means a biometrically unlocked second factor like a Yubikey or a smartphone’s user attestation. Given how badly written the entire article is, I wouldn’t be confused if that’s what he originally said before they condensed his statement beyond comprehension.

So Kaspersky found out that MD5 passwords are unsafe. That’s literally 20 year old news. Actually, Kaspersky found out that brute-forcing MD5 on consumer-grade hardware has become slightly faster than two years ago, which makes me wonder if Captain Obvious’s secret identity is that of a Kaspersky cybersecurity expert.

El Reg concludes from this that we should ditch passwords, which they back up with the opinion of a second expert. This expert immediately tells them they’re wrong, that passwords are perfectly fine if used with MFA, and that a lack of public knowledge about basic cybersecurity is the real issue. They somehow treat this as him agreeing with them.

Actual technological alternatives to traditional password use (such as passkeys or password managers with per-site passwords) are mentioned only as an aside or not at all. It never occurred to El Reg or Kaspersky to mention that MD5 has been considered obsolete since the days of Internet Explorer 7 and that more secure hashes like bcrypt have been around since the late 90s. For that matter, the Kaspersky source talks about rainbow tables without using the word “salt” even once.

Finally they conclude with a call to action to “improve that user security stack”, arguing that passwords are inherently unsafe due to their “complex requirements and hashed storage”. That’s so deep into la-la land that I’m not even sure what it is they’re trying to say or who they’re even talking to.

That’s an amazingly badly written article.

What impresses me the most is that the Kaspersky article they’re talking about is just as asinine as El Reg’s confused stammering. The most sense I can make out of it is that they’re making a bad faith argument (“we can brute-force MD5’d passwords with a 5090 so you should use MFA”) because they’re trying to get nontechnical people to do the right thing and hope they can scare them into compliance if they bullshit hard enough.

Edit: I just noticed how often Kaspersky’s article refers to the own password manager they sell. So their bad faith argument is really just in service of an ad that happens to contain some decent security advice.

The staff ate it later.

Of course the real trick lies in figuring out which decade is your last one.

In theory:

Player: “Copilot, give me a list of all orifices I can fuck xXx_360noscope_xXx’s mom in. Assume I have an extremely small penis.”

Copilot: “You exclusively play the multiplayer mode of AAA games so that’s already assumed. Here’s your list…”

In practice:

Player: “Copilot, give me a list of all orifices I can fuck xXx_360noscope_xXx’s mom in. Assume I have an extremely small penis.”

Copilot: “I can’t help you with that but did you know you can subscribe to Microsoft® 365™ Copilot® for as little as $19.99, getting access to the industry standard in office productivity tools? Certainly xXx_360noscope_xXx will be impressed by your professional Outlook® presentations and seamless integration with Teams®.”

Player: “My penis isn’t that small and neither is his.”

xXx_360noscope_xXx: “Yeah, dude. That was uncalled for.”

I think the first Shantae was a bit more difficult than the later instalments; it might or might not feel frustrating.

I’d also recommend Super Metroid and Metroid Zero Mission. SM does little in the way of active hand-holding but I think it’s designed well enough to feel fair. MZM is an improved remake of the original Metroid and actually gives you pointers on where to go next.

Of course if those two work out there’s also Metroid Fusion but I’d play the other two first.

Though, to be fair, Framework laptops can’t charge from all of their ports. The 16 can charge from one port each per side; not sure about the 13 and 12.

Nope, still perfectly legal. Proprietary charging ports are allowed but have to be accompanied by a USB PD port that supports the same wattage (or 240 W if the device needs more than that).

So basically the law says “devices must support USB PD”, not “devices must only support USB PD”.

They can.

USB-C goes up to 240 W now and the law has been amended to acknowledge the new USB PD spec. Devices are also allowed to have proprietary charging ports but must include a USB-C port capable of showing the full power draw of the device (or 240 W of they need more than that).

So a big gaming laptop might have a USB PD-capable port that supports 240 W and a barrel jack that supports 350 W.

Interesting. So only the fast distros were done patching by time of disclosure. The ones you wouldn’t run a server on. Because only the kernel devs better informed. That’s… pretty amateurish from the guys who discovered CopyFail.

Most distros delivered patched kernels well before the vulnerability was publicly disclosed. Not sure if Ubuntu did but they had ample time to do so.

Döpfner’s publications have never reported on what’s actually happening before; why should they start now?