Could you expand on this? I haven't seen anything on your company website that suggests detection of this kind of stuff. Also, could you explain how this could be detected? Through another eBPF program?

>Hackers appear to have targeted a US location tracking firm Gravy Analytics. It collects information through smartphones, including peoples' precise movements, and then provides it to other companies or governments.

So... those companies sold their customers' data to Gravy Analytics? You know, Cambridge Analytica style? And these hackers just siphooned data from this tracking company?

>He also told Sky News the apps named in the leak weren't necessarily working with Gravy Analytics.

>Instead, he said, software development kits used in the apps appeared to be sending off users' location data.

So... those companies used SDKs from Gravy Analytics which secretly phoned home users' data to this tracking company?

Not sure what's worse, but if this is really the case, it highlights deep flaws in the way major companies evaluate their "software supply chain".

Also, from a more technical standpoint, single API calls following an established specification (assuming that's what those SDK actually do) should be favored over SDKs. If you send a POST containing certain data, there's no way the destination gets other data from you, unless your HTTP client is vulnerable and can somehow be attacked by the company who owns those APIs.

>Either that incident or the continuing hostilities in Ukraine (which are likely to last another year at least) will cause the economy to tank again, screwing up the markets to a fair degree.

I'm not an economist or a diplomat, but I would argue that a serious Taiwan incident may be worse than continuing hostilities in Ukraine from an economic standpoint.

First, because the surprise effect is probably relevant. We have been dealing with the situation in Ukraine for a while. We know trades with Russia are very limited, European countries know they can't get reliable gas supply from Ukraine, and so on. Yes, things may get worse, and Western countries might send more (or less) money and aid to Ukraine, but at least we have already covered our bases. When it comes to Taiwan, if something significant happens, it will probably affect the semiconductor business, which goes from CPUs and GPUs to photovoltaics, all things that are highly relevant to our economy.

Also, China itself is much richer than Russia, so a prolonged China-Taiwan conflict may last for a really long time.

I wonder if this mindset is also applied, for example, to the rest of the military. Does the Army regularly practice land navigation? I know they get at least one landnav class, but it is a perishable skill. If you don't practice, you'll soon forget about it.

I guess this could also be useful to civilians. Being able to do stuff without relying too much on electronics.

We do tip, but occasionally, only if we believe something about that meal was really great, and there's no set percentage.

Also, there are no tip jars. What happens is the server brings the check to you, and you can tip the server by giving money directly to them. Of course, this doesn't mean the owner cannot pocket the tips, but it does give a feeling that the tip is more likely to reach the servers only.

You reuse connections with a connection pool, but you accidentally reuse connections with different privileges and scopes. As a result, sometimes you get to read some data you shouldn't read and sometimes you don't.

Or, concurrency bugs.

You don't properly serialize transactions and sometimes two transactions overlap in time leading to conflicts.

We get the general trend, but we don't know if that peak is 10%, 20%, 100% or something else.

Assuming this is true, and tips are not actually taken by the owners, there are two interpretations of this:

1) customer pays more than what their lunch or dinner actually costs, to intentionally signal that there was something special about it (good service,...), or

2) customer pays more than what their lunch or dinner actually costs, because they know employees are underpaid and they want to compensate for that. It's essentially a form of charity.

While I have nothing against charity, charity that is "institutionalized" (big word, I know) by the employees (a tip jar) and very strongly encouraged does seem like a nice way for employers to justify a lower pay. And even if that is not the actual reason why tips exist, an employer who knows most of its customers tip can use this to pay less its employees.

Everything is possible, I know, but the amount of hacks related to S3 misconfigurations (https://github.com/nagwww/s3-leaks), including major companies, still makes me wonder.

If this assumption is true, it begs the question. Why do people act like public cloud storage is more secure than "private", on prem storage?

Do users expect safe defaults (as in, "default deny")?

Is it just a matter of attitude, where people think public cloud is more secure because it's not managed by (potentially short-staffed) corporate IT teams, even if it's not completely managed by the cloud provider?

Or is there something else?

With ChatGPT and similar platforms, trained on SE answers (and open Github repos,...), people will eventually skip Stack Exchange and directly go to ChatGPT.

First off, there are a lot of ways to bring someone to "the dark side". Maybe it's blackmail. Maybe it's ideology ("the greater good"). Maybe it's just pumping their ego. Or maybe it's money, but not that much, and extra money can be helpful. There is a long history of people spying against their country or hacking for a variety of reasons, even if they had a job and a steady paycheck. You can't just pay people and expect them to be 100% honest for the rest of their life.

Second, most (known) vulnerabilities are not backdoors. As any software developer knows, it's easy to make mistakes. This also goes for vulnerabilities. Even as a paid software developer, uou can definitely mess up a function (or method) and accidentally introduce an off-by-one vulnerability, or forget to properly validate inputs, or reuse a supposedly one-time cryptographic quantity.