ugh. I picked up a shitty NUC from ewaste and it had a label on it for an AI company. ahh, another startup that burnt out trying to build some silly AI project on crap hardware. I wonder what they did? I check their URL: ahh. healthcare. great, great.
when you see a gaylord stacked high with NUCs and half of them still have USB fans attached, you know these were all just yanked off a shelf. no one wiped these.
HEY FUN FACT: this was used as part of an Alexa/google home type thing! this is the "cloud" half, as in the part sitting in a warehouse somewhere. It turns out every time the customer asked for something from the smart assistant, the WAV file was sent to the cloud box
where it is still stored. and I now have eleven thousand wave files
god the logs are full of errors about assorted video streams failing. so this thing was connecting to something which had cameras. like, I can tell which room of the house failed.
now I don't think there's any video stored on this device, but keep in mind: the fools that made this thing fill up with WAV files? they also designed the video streaming part. Where are those videos stored, and how safe are they?
or maybe the fools who dumped all the NUCs from their entire "AI remote healthcare" in the recycling without yanking any drives are just somehow REALLY GOOD at knowing how to secure their s3 buckets.
jesus christ this isn't the only time THIS MONTH I've found an IoT device and checked the filesystem contents and it's got their private git repos on it
okay so the good news is that they don't just have S3 keys laying around in plain text. the other good news is that they have a secrets manager the bad news is that they rolled their own secrets manager the extra bad news is that I have the source for said secrets manager and the extra extra bad news is that it has to decrypt those keys without external input, meaning I have all the parts here to pull out their s3 keys
this thing authenticates to some of their servers (which are still up, even if the company might not be (this is unknown at the moment)) over SSH! using keys kept in the same home-rolled vault thing!
anyway I'm gonna be near their HQ on thursday. Maybe I'll stop by and ask if they're still in business, and if they are, do they know where their NUCs are?
good lord. I pulled a microSD card out of a Raspi inside an IoT product and it appears they had some developer use a raspi to develop/test some software, and then they just yanked the SD card out of that machine and duped it on to all of their deployed products.
it's got .bash_history of the development process! there's git checkouts of private repos! WHY WOULD YOU DO THIS?
I'm really not the right person to work in computer security research, but it'd be nice to have a sort of consulting job with a local one where I can just point them at some really broken shit and they investigate it and maybe give me a commission
I'm a few thousand dollars away from being able to pay my bills this month, but the most important thing I need to pay for is my health insurance: I've got meds I can't afford without it and an upcoming CT scan. If you can donate a few dollars or more, that'd really help! Thanks!
@retrotag no. I'm not making money off this, so more popularity isn't necessarily better. And I think they aren't worth it: being posted on hacker news has more negatives than positives
I shudder to think of what the AUbros and billionaire cos players on the orange site are saying there.
@jwz has a rewrite rule on his web server to goatse requests with a referrer from there. (I wonder it that still works? I have no clue what the current state of referrer headers from modern browsers is.)
is “a gaylord full” like “a fuckload” or “oodles of” or do you mean like the hotel chain but they have piles of old NUCs out in the lobby instead of warm cookies?
have you ever read the short story "Dull Drums" by Anne McCaffrey? My parents were McCaffrey fans and I read the book (Get Off the Unicorn) at an impressionable age. Without spoilers, I think the story "Dull Drums" would be interesting to you, given this thread. 😊
How are you able to take staff AWAY from ewaste? Where I live that is not allowed and the assumption in dropping stuff off is that it goes to be destroyed. If it's known that dropping stuff at ewaste means citizens could reclaim it, then your story is even more horrifying
“If you’re not not paying for the product, you’re the product, and if you are paying for the product, you’re still the product.” @pluralisticpluralistic.net/2024/08/17/hac…
It turns out Google Chrome ships a default, hidden extension that allows code on `*.google.com` access to private APIs, including your current CPU usage
You can test it out by pasting the following into your Chrome DevTools console on any Google page:
It turns out Google Chrome (via Chromium) includes a default extension which makes extra services available to code running on the `*.google.com` domains - tweeted about today [by Luca Casonato](https://twitter.
@djh I thought it was already established that Google fingerprints you via your account. I think making it private to them keeps others from using it for fingerprinting, but I apologize if I'm missing the point.
But why would Google themselves need it for fingerprint given that the control the whole browser? Or do you mean "they need it for something else but it could be used for fingerprinting by others"? @djh
Hmm, the code doesn't do anything on Cromite (github.com/uazo/cromite), perhaps the extension is removed? Because the error I get is: "VM68:1 Uncaught TypeError: Cannot read properties of undefined (reading 'sendMessage') at <anonymous>:1:16 (anonymous) @ VM68:1"
time to complain to the EU commission about their abuse of monopoly and power such that Google will force them to open access to those APIs to any site.
Not knowing how '*' is implemented, I'm concerned that it might it used on other websites matching `*.google.com`, such as my.malevolence.site/.google.co….
For what it's worth, Edge is sufficiently 'Chromed' that it does the same there too ... Although on a non-google site it offers me "Explain Console errors by using Copilot on Edge"
for real, shut down that company... Too much control of the market. They literally can do whatever they want and people are pretty much forced to go along with it, because it's way too embeded in everyday tasks.
I ain't like to speak unless I notice something is missing from a conversation. So let me say, FUCK THIS SHIT, FUCK THIS STUPID SHIT, AND FUCK THE PEOPLE WHO THOUGHT THIS WAS AN OKAY THING TO DO.
If you KNOW how to do this, you KNOW why it's important that you don't. Your boss tells you do this shit, ... maybe you see what happens if you let it rot in the backlog a bit 😇
Default extensions are a place where Google has done some real damage to the web, and those of us working on platform have been grumpy for more than a decade that this and the Docs Offline nonsense continues to persist.
In both cases, it fell to other teams (not the Hangouts or Docs peeps) to build replacement APIs; e.g.:
@mitch You know how we spent years building Service Workers and Background Sync and Periodic Background Sync and fixing storage quotas for large-volume offline data?
Um, yeah. About that (latest dev channel, fresh profile):
@mitch On by default, works only on Google properties, and "works around" the limits of the web platform *that we put in place to meaningfully safeguard user battery and storage and bandwidth*. At least it's not buried in `chrome://system` like the CPU monitoring extension is, but no less self-preferencing for it.
@mitch The tragedy in both instances is that the teams that dropped turds in Chrome have faced no pressure to move to open, interoperable APIs, meaning other browsers (including other Chromium ecosystem browsers) feel forced to include them to make sure that Google's very popular web properties "work right".
This also keeps web APIs from advancing because teams that would push them forward already have theirs, Jack. It's not Android levels of bad, but it's bad.
Soooooo.... anyone still think that this was a good idea that browser companies all dumped their own engines and that all modern browsers nowadays use the same engine? Asking for a friend.
@rredball that's really weird! I tried sharing that just now on my own account and it didn't block it, maybe it didn't like that it was a reply with a URL but no text?
from what I've heard on the Xitter, this is mostly used to debug performance issues. What's scummy is that they only enable it on their domain, which comes off as anti-competitive.
I imagine they'll get in trouble with the court for this, because it's clearly giving them an unfair advantage.
@alh @Vivaldi It is already possible to turn this off in Vivaldi. Go to Settings > Privacy & Security and uncheck "Meet (was Hangouts)" under Google Extensions. You will need to restart the browser for the change to take effect.
Why people use Chrome is just baffling. It's not even good apart from great raw numbers in JS benchmarks and that's it. You don't need Chrome to be logged into all their services at once as some seem to believe.
Huh. Having worked on a product that was in many ways a YouTube competitor, I can say that this would have been modestly useful. This seems relevant: americanbar.org/content/dam/ab…
Hmm, my Chromium 126 does not even allow me to access the `chrome.runtime` API from any page. It is also mentioned that this API is for extensions and content scripts, aka not for plain pages.
If I disable this in Brave settings it removes the fingerprinting for that profile? The settings language in Brave suggests it might break sharing in other tools like Zoom (web only?) or Teams (web only?). Thanks! Many of clients use Google products like Drive and Chat. So, sort of stuck often time. It's really too bad because many google products are useful that they have to muck it all up with their trust (as in confidence in and faith in) breaking practices.
friendly reminder that you need root access to fully remove Google from many android phones and tablets and that root access generally voids your warranty. That said, most warranties don't last longer than a couple years so if you've had your phone for 2 or more years then you likely have little to lose by ripping your *.google.com applications out and replacing them with much more secure applications.
If you don't want to do that, the paid version of #netguard can at least lock down your phone's network traffic app by app and web address by web address.
@FediThing it's a product of only being noticed in the tech industry by achieving massive success. That's how you get an air-conditioner that takes photos of your fridge's contents and generates recipes. It's also how you get said recipe requiring octopus, oranges and 500 lbs of cherries.
@WiseWoman That one was over a week ago (possibly shouldn't have been in the list). It was shared in a bunch of places, but I didn't keep a link.
It reflects my experience quite well: Copilot is great at writing code that looks right. I spent more time chasing a single issue where it had flipped a 0 and a 1 in two bitfield constructions than it has saved me in typing in total over several months.
All of the things where I've seen claims that it increases productivity have been from people saying 'look it lets me generate this boilerplate fast' and the problem is that boilerplate wouldn't exist in a well-designed API, so it's really just saying 'look, it lets me accumulate technical debt more quickly'.
I've heard from one person that they're using Copilot to spot missing abstractions. If Copilot is able to autocomplete a non-trivial chunk in their codebase, it tells them that there's a good chance that they've exposed things at the wrong level of abstraction and they need to build helpers. I can see that having some value. It's also reasonably good at telling me when I've named things inconsistently because it will autocomplete the wrong name (this is less reliable, but it's a good pause-and-think moment in API design).
My boss just ask me last week "Are we doing anything with generative AI?" And I know he heard it in a meeting. The nice thing about Goldman is that they have an inexplicably good reputation at the altitude where the most hot air currents can be found.
Some EU officials know nothing about how technology works but know what they want. And they're on the verge forcing technology companies to make everyone much less safe by destroying strong encryption and eviscerating personal privacy.
The planned chat control makes the world less secure and more authoritarian, as it is directed against private and encrypted communication. Proponents are using disinformation, lies, and sleight of hand to push through the project.
our hero is standing in the office staring out of the window in frustration, looking out over the city towards the harbour … in the distance, a naval radar is just peeking over the roofline
when the tide is high, it lifts the ship enough for the radar to get line of sight to the office, so it can interfere with the wifi!
@bsdphk There’s an older story (which a quick Google search did not turn up) of a computer repair guy who was troubleshooting a mainframe, and commented on how frequently a particular yacht was in the harbor. "No, it's only rarely here.” “But it’s been here every time I've come to troubleshoot your weird intermittent hardware issue…”
Public request for comments: #ASN1js has historically been like this, I have received a very nice PR on Github to make it more like the usual tree view with ⊕, it can be tested here. I like that, but it's a huge change to the website historical look&feel #UX. What do you think about it? Better? Worse? Can be further improved?
@aru @Ruben Schade :runbsd:🇦🇺🇸🇬 I've heard people use SyncThing and Nextcloud for it - I often use SSHFS to mount the directory containing the password vault
@silverwizard @Ruben Schade :runbsd:🇦🇺🇸🇬 @aru I store the password database on NextCloud through the synchronization client on Windows, and the password database has my NextCloud password in it. I'm retrieving the database using the iOS NextCloud app and open it using KeePassium.
I also store all my TOTP seeds in the database using the TOTP plugin in KeePassXC and it's a native feature in KeePassium.
Convert DER or PEM encoded ASN.1 structures to an equivalent textual description compatible with OpenSSL's ASN1_generate_nconf(3) function - wllm-rbnt/asn1template
Corollaria Branch by Nervous System at MIT. photo credit: Emily Katrencik In the end of January, we traveled to MIT to teach a workshop for undergraduates hosted by MIT’s Morningside Academy …
When -I- was a fledgling, trees were made of wood and leaves! But I guess we have to move with the times, and nest in these metal trees now. At least they are louse proof!
Is the sculpture permanently installed? I’ll be on campus at the end of May and would love to see it in person, if you can share what building it’s near.
@amanda it’s in the interior courtyard of N52. It’s a little tricky to access the courtyard but it can be seen from the windows of the undergrad design shops on the third floor
Corollaria Branch by Nervous System at MIT. photo credit: Emily Katrencik In the end of January, we traveled to MIT to teach a workshop for undergraduates hosted by MIT’s Morningside Academy …
offf, this story about how Google made google search into a pile of seagull shit hits me hard:
wheresyoured.at/the-men-who-ki… Around the time of this story, I was living through a similar situation in my work life (on a much smaller scope, of course, WordPress.com first, Tumblr later).
Back in 2019, working on WordPress, I started finding myself, almost weekly, arguing against people who wanted to take the product we were working at and made it worse if that mean they could squeeze 0.1% more revenue from it
The 0.1% figure is not even a random number: I remember this speciffic A/B test on WordPress.com that was declared a success and shipped to 100% of the users because it increased the free-to-paid conversion by 0.1%. Soon after it was released, I found out that as a side effect, it increased the churn of free users by 20 something %,so I called for an urgent rollback and removal of the change. So I was promptly explained that we didn't care about free-users churn, because finance had calculated the average long-term value of the free users to be something like $2 per year, and the increase in conversion was bigger than what we could get from them.
Everything became about growth hacking. Everything became thinly-veiled dark patterns. In our private dev slack channels, we joked that since it was impossible to make it smaller or less conspicuous, the next thing the growth team was going to ask us to do was to make the 'free plan' button flee away from the mouse pointer when the user tried to click it. We kept making our product worse, we kept consciously crippling the cheaper versions so we could force people to move to the more expensive options.
Back then I was the lead of one of the two dev divisions working on WordPress.com, so my job was mainly to discuss what we were going to be doing, when and how. And I was getting drained by a constant state of fight against a constant wave of shit they wanted us to build. So much than by the end of 2020, the CEO quietly told me to follow the growth team plans and shut up or step down.
So I requested to move to tumblr, because I thought the pastures were greener over there. But it was all the same: Adding login walls to what we were pretending to be "the last bastion of the free internet", cramping in embarrasingly obvious money-making schemes disguised as features, and making them silently opt-out instead of opt-in so the less people the possible would deactivate them, having to fend off the pressure from the CEO to make everything algorithmic timelines because, you know, tiktok makes a lot of money and why aren't we, etc etc.
I found myself in a place where building something good that people enjoy using was no longer a priority, but tricking people into generating more money for the company was. And when I looked around me, I could see that happening everywhere else, not only in my company. Experiencing the start of the enshittification years from inside wasn't easy.
And, as in the article, the people who decided to turn the shit-metter up to 200%, have a name, in every case. And these people, no matter if they are called Sundar and Prabhakar or Matt and Mark, are destroying the internet. These people are milllionaires, or billionaries, and are destroying our shared, common spaces to squeeze some extra cash from us.
That's why the fediverse and its principles are important. Because that's how we take back internet from their dirty hands. That's how we make internet resilient against them. That's how we build the commons.
This is the story of how Google Search died, and the people responsible for killing it.
The story begins on February 5th 2019, when Ben Gomes, Google’s head of search, had a problem.
Introducing USBKVM! A keyboard, screen and mouse that all fit in your the palm of your hand!
It's built around the MS2109 HDMI to USB capture chip and its I²C interface connected to an STM32 MCU that takes care of the keyboard and mouse emulation.
While the hardware is fully functional, firmware and software are in a proof-of-concept stage. Stay tuned…
What'd be really neat and handy for me is a KVM system that works more like a VM.
Like, you have a USB device that captures video and also has a USB plug for keyboard mouse. The connected machine appears as a window on the main PC.
MS9288C eval board, aka really cheap VGA to HDMI converter box has arrived and works as advertised. Pinout appears to be similar, though not identical to the MS9288A, for which I found several sources.
What's strange is that none of the VGA pins needed for EDID or legacy ID are connected, yet two laptops detected it as monitor.
But how? Are the 75 Ohm RGB termination resistors sufficient for detection?
Assembled the second revision of USBKVM Pro with the proper footprint for the MS9288C and published the design files and firmware/client changes: github.com/carrotIndustries/us…
USBKVM Pro was also a good opportunity to implement warm white status LEDs. Now that blue LEDs are mostly gone for good, I'm starting to grow a bit tired of cold white and monochromatic LEDs on devices. Warm white is just so much more comfy ✨
The client app also got an update: It can now convert ASCII text to USB keycodes on a US keyboard, so you don't have to manually type out ssh keys and the like.
Seems like a super obvious feature, but I've never seen it on any KVM-over-IP console.
so as for *why* the PuTTY P-521 bug happened: they wrote the implementation in September 2001, which is a month before Windows XP was released. Win9x had no good random number generator APIs, so they came up with an alternative trick using SHA512 to generate deterministic but non-predictable nonces. but, of course, SHA512 outputs are 512 bits long, not 521 bits, and they just left the other 9 bits at zero, which resulted in this problem. the code was not reviewed since, so it never got fixed.
without digging into the full details of how the determinism stuff interplays with the protocol stack, their solution actually might have worked out ok if they had generated a second hash to fill the last 9 bits.
if they had happened to write this implementation just a month or two later, they could've written it to use CryptGenRandom on XP or later, and fallen back to the deterministic approach on Win9x, and this bug would've been avoided.
@iximeow it *sounds* bad but remember we're talking "janky nonce gen because it's 2001 and the OS doesn't have a CSPRNG" grade solutions, and it'd *still* hold up today despite MD5 being horrendously broken :P
@foone yup. and after thinking about it, their weird deterministic solution definitely would've worked if they had extended the hash to the full 521 bits, since it doesn't count as nonce reuse if it's the exact same message and key (you're basically just doing the same computation again, so the result is no different). such a tiny oversight - nine bits! but unfortunately with ECDSA any bias in k is catastrophic.
@foone This is one of the things I like about curve25519.
It's deterministic but all the design work is done for you so there's no need to provide any randomness or design your own hash or whatever. They went out of their way to avoid footguns.
@foone As a non-cryptographer, I always reach for curve25519 + AES-GCM because this pairing seems to be the hardest to make catastrophic mistakes with.
If you’re reading this wondering if you should stop using AES-GCM in some standard protocol (TLS 1.3), the short answer is “No, you’re fine”. I specialize in secure implemen…
@foone Yes, that's a calculated risk to some extent.
But it's also something that has widespread hardware acceleration support (important in embedded). And decent hardware RNGs are now fairly widely available on micros that have hardware AES.
@foone in fact their solution is SHA512 ( SHA512(key) || SHA1(msg) ) so it's not like another SHA1 call to fill the last 9 bits would've been comparatively expensive.
after thinking about this some more: yeah, if they had extended the hash (e.g. second SHA512 call with some constant appended to the input) to fill out the other 9 bits, it would've been absolutely fine. the signature determinism isn't a problem because it only occurs with the exact same key and message, so you're just redoing the same maths.
slight correction: they wrote the DSA implementation in 2001, then reused it for ECDSA about 15 years later (so about 7 years ago), but missed that the 512<521 discrepancy is a critical problem for ECDSA whereas with DSA it didn't really matter because they never used keys that big. so it's the same deal but just a slightly different timeline.
Where did 521 bits as the field length come from? I have to admit if I saw it in a document, I would assume it was just a typo that had accidentally transposed 512 because it's such an uncommon magic number.
@jwz I feel bad for Lasse Collin. Needed help, was taken advantage of, but still stepped up to deal with the fallout. We should all appreciate that dedication🙏
Credit where credit is due! I'd really like to take a minute and thank Jia Tan how they helped us to finally get sd_notify() support merged into OpenSSH upstream!
Presentation about an NSA's fictitious ORCHESTRA program by Poul_henning Kamp at FOSDEM 2014 involving startups, FON (friends of NSA), and SFON (special frie...
An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:
Updates the vendored version of xz to be 5.6.1. Also updates the
vendor script to support the addition of SPDX-License-Identifier
headers into some files.
I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message mail-archive.com/xz-devel@tuka…
"I never thought a sophisticated APT would backdoor *my* volunteer-maintained infrastructure that I got for free" sobs entire industry who voted for the "volunteer-maintained infrastructure that I get for free with no defense against sophisticated APTs" party
@glyph please note that we are ALSO no fans of the "subsume free software into capitalism" solution that corporate and statist rhetoric has been pushing for a couple years now
@irenes @glyph It's tricky to avoid the challenge that arises from the problem that (1) producing free software is work and (2) the workers live in a capitalist society and (3) the workers therefore need to pay for food and shelter.
Verily, there is no ethical consumption under capitalism.
@krans @glyph sure. well, so the reason we personally call the thing we do "free software" is precisely to highlight the point that our own goal in publishing stuff without charge is very much to work towards a world without that problem, by creating something that exists as far outside it as we can manage (not all the way - obviously we have the free time to do that because of our other privileges)
@krans@me.uk @glyph It's free like freedom, not like beer, and I can relate. I'm not dependent on donations for my livelyhood, but I put like ~5-10 hours into this today, it costed me $5.30 in hosting fees, and not one of the 35000 viewers donated. That's ok, I didn't have donations till recently, but this is what happens in the FOSS community. People like to be paid for their work, that just doesn't always happen. The fact people put free stuff out doesn't mean they don't want funding.
@irenes @glyph I thought it was called "free software" because users are allowed to do whatever they want to with it including modifications, not because it's provided free of charge.
The founders of the Free Software movement were Libertarians, not Socialists (unfortunately).
I guess we were talking at cross purposes — sorry.
@krans @glyph we're very proactive-death-of-the-author about this. the FSF has failed to provide ideological leadership due to RMS's top-down style, but many of the ideals are good ones and it's the job of the current generation to renew the movement if we want our children to be able to enjoy its fruits the way we did
@krans @glyph but you're right, of course, it's a valid point. we just don't think trying to coin a new term would be useful, if anything it would be a distraction from the cultural work that matters
@krans @glyph we see it as important that our work be free-as-in-speech, yes, but it is also very much free as in we absolutely refuse to ever ask for or accept money for it (outside the scope of our day job)
@krans @glyph yes, we are speaking for ourselves (just Irenes, not you). as we already clarified up-thread, in our display name, and in our bio, we are plural.
@glyph Yeah, Mastodon has it's own embeds but I wanted it to fit in with the site. It's DIY and very hastily banged together: github.com/boehs/site/commit/a…
@glyph Very cool! Any chance you might be willing to share that particular snippet - even just the HTML structure - under a less restrictive license than AGPL? It seems like the kind of thing I would love to use or adapt on my own site, but I don't want to (and probably legally can't) share my site and all the services it uses under that license.
@glyph I'm frustrated that big tech's efforts to increase core library security are "your project is too popular, you must use 2FA" and "the best reverse engineers in the world will find your bugs and put you on a 90 day disclosure deadline" and not "here is $100K/year and benefits to keep doing what you're doing at your own pace."
@geofft > I'm frustrated that big tech's efforts to increase core library security are […] not "here is $100K/year and benefits to keep doing what you're doing at your own pace."
Have you *met* big tech? They're very far down my list of people that I want empowered to make such decisions.
Yes, there are workers I want to get that salary to keep doing demonstrated good work at their own pace.
But you propose Microsoft or Google or Amazon should choose who gets that? Please no!
@bignose @geofft @glyph I think the argument is that if big tech is profiting immensely off the backs of free software developers, those developers should be compensated fairly
> if big tech is profiting immensely off the backs of free software developers
There you get closer to where I think the problem is.
I definitely don't want any private for-profit big tech firms deciding who gets compensated (and, necessarily, who does not get fair compensation) for work that benefits us all.
@geofft @glyph I'm certainly not disputing that it's a real problem that that doesn't happen more often, but isn't there some precedent for big tech companies hiring people to work on specific open source projects? So it's not totally unheard of
@diazona @geofft @glyph there’s a lot of precedent for hiring maintainers of top-level programs whose brand (for lack of a better term) has reached the level of awareness of a C-level with a hiring budget. Collectively pooling money to help the projects C-levels have never heard of… has a much weaker track record. We’ve been trying to tackle it at Tidelift for a while and suffice to say I’ve definitely had a lot of “but it can’t happen to me” conversations.
@luis_in_brief @diazona @glyph Yeah that resonates with my experience. People like GvR get hired (which is great!) but there's a whole dependency stack underneath. Their maintainers often have a strong résumé to get hired for a normal big tech job at a company that uses the language/ecosystem/etc. but not necessarily for maintaining the project as their job. Sometimes the job is even "build something similar for an internal non-OSS ecosystem."
@geofft @luis_in_brief @diazona there are layers and layers to this. Famous maintainers get hired more than critical maintainers. And maintenance is important but how do you pay for the commons of *new* projects? The tidelift model gets us part of the way there, because these costs need to be aggregated and there needs to be some kind of oversight, but even if they were universally adopted (and that is far from true) there are so many missing pieces
I am way overdue in finishing and publishing my negative review of Eghbal's "Working in Public" but one of my critiques is that she basically concludes that maintainers need to become famous and use Substack/Patreon to crowdfund (from individual donors) in order to sustain their work. Which really doesn't fit what we have found in critical FLOSS infrastructure IMO.
@benwis @brainwane @luis_in_brief @glyph @geofft @diazona @djc there’s some website (I forget what it is) that basically you pay x amount of dollars and it audits your entire dependency tree and attempts to pay maintainers proportionally. Unfortunately iirc it was kinda flawed but I think it’s a solid idea
@luis_in_brief @benwis @brainwane @glyph @geofft @diazona @djc oh that’s sick, it’s so funny that you never know who you’re speaking to on here lol. Congrats on how successful tidelift has been :)
I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message mail-archive.com/xz-devel@tuka…
so is there any evidence that "Jigar Kumar" is a real person? He certainly doesn't hold back from laying on the guilt tripping mail-archive.com/xz-devel@tuka…
I kinda doubt Dennis Ens is either. He initially opened the thread, likely to plant the idea that xz needs a new maintainer. He then came back to guilt trip "I am sorry about your mental health issues, but...the community desires more"
EDIT: I initially misread "desires" as "deserves". I think my point still stands though
great work on this timeline. Here's Jai Tan's account trying to get xz 5.6.1 into ubuntu lts 24.04 yesterday. Beta freeze is on Monday. bugs.launchpad.net/bugs/205941…
Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main)
Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1
was recently released and uploaded to Debian as a bugfix only release.
comment on the libarchive PR is incorrect. The change does do what it says, in addition to changing safe_fprintf to fprintf. It added a strerror(errno) to the output, to address github.com/libarchive/libarchi…
~ ❯❯❯ find bin bin bin/test.c ~ ❯❯❯ tar cf test.tar bin ~ ❯❯❯ tar xf test.tar -C / bin/: Can't restore time bin/test.c: Can't create 'bin/test.c' tar: Error exit delayed from previous errors. It wo...
It's interesting that JiaT75 commits are logged with +0800 timezone, but their actual Github interactions appear to have been almost completely between 12.00 UTC and 18.00 UTC:
@berdario I've received tips about an associated linkedin account where the perpetrator claims to live in california. I've debated about if I feel comfortable publishing this, but I think i will.
This requires liblzma >= 5.6.0. The LZMA2 options are set with the assumption that the RISC-V C extension is in use.
I have submitted the RISC-V filter to Linux. It's in the -mm mm-nonmm-unstable b...
@endrift This is interesting. I've also heard the absolutely crazy theory this is all Lasse's doing given the timezones roughly match up and I mean I guess it's possible you could orchistrate all this conversation yourself. Would be criminal mastermind level stuff if so, but I want to give them the benefit of the doubt.
@endrift the only thing Lasse would gain out of that is that they'll likely continue to be maintainer now that this has been discovered. I don't think that's close to enough reason for them to orchistrate all the conversations, so I'm not buying that theory tbh
It seems more likely that Lasse got bought out (or convinced) by Jia, after Jia gained his trust
That said, the most likely explanation imo is that Lasse was telling the truth in the PR description and wanted RISC-V filter 1/2
“As I have hinted in earlier emails, Jia Tan may have a bigger role in the project in the future. He has been helping a lot off-list and is practically a co-maintainer already. :-)”
The poor original maintainer of xz is on it now, and has already found another "fun" thing: git.tukaani.org/?p=xz.git;a=co… . The configure check for enabling the Landlock sandboxing facility was subtly broken, so that Landlock support would never get enabled. The original malicious commit landed around the same timeframe as the main backdoor, also at an abnormal time of day compared to the new maintainer's historical activity pattern.
it would be useful to replace the commit links with non-Github ones given the Github repo was shut down. The URLs are like this: git.tukaani.org/?p=xz.git;a=co…
what's really surprising is the same thing not happening more often. Or we are all just very unaware since the pay off to do these kinds of things is so huge specially for state sponsored attacks or others with enough money and effort to put into it.
I understand why somebody is trying to get in touch with them, and also I'm not sure it's appropriate. The GitHub account is already suspended. The damage has already been done. Now they are being pulled back into something they clearly don't want to engage with
@james @trespaul “somebody” in this case appears to be CISA, and like… that’s a federal agency, there is likely to be a law enforcement consequence or potentially national security response here. I feel very sympathetic to a burnt-out maintainer who had this dropped in their lap but there is an overriding public interest at this point.
People who are just curious should for sure steer clear though, this is likely to be a complete nightmare for everyone involved without extra emails
@glyph @james @trespaul No I get that, it just sucks. Also mind that "national security" should mean nothing because the author is finnish. I hope the US government kindly asks "what do you know" and then leaves them alone, but we all know that ain't happening
love how it was buried in m4, a macro language that looks like jibberish on a good day — only well understood by three people that work on Autoconf (everyone else just copypastas), maybe someone in a basement hyper-tuning their sendmail config, and apparently whoever this guy is.
I released a 'next' version of #ASN1js on npm which drops any AMD/UMD boilerplate and only uses ES6 modules.
I'm waiting for the forthcoming #NodeJSsync require(esm) in order to release that as a default version, because it seems unreasonable to force library users to do everything async.
é un assaggio del potere della sorveglianza elettronica con cui dovremo fare i conti sempre più spesso. Ha già i connotati distopici questo dispositivo contro la pirateria, figuriamoci le soluzioni tecniche pensate proprio per il controllo della popolazione.
Con la Delibera 61/24/CONS di AgCom si inizia un percorso per portare in Italia uno strumento dedicato alla verifica dell'età degli utenti su Internet. Negli Stati Uniti questi strumenti sono già stati adottati, non sempre con ottimi esiti.
It looks like "Control Vectors" might be the next big feature for self-hosted LLMs - and support for them has just been added to Llama.cpp!
For LLMs, they're probably closer to realising what LoRAs are for text-to-image.
"Control vectors are an easy-to-train (~60s on a 4090 for a 7B parameter model) way to modify the behavior of an LLM without finetuning or inference-time prompting..."
Many thanks to Nous Research, whose support and collaboration made this work possible!
This PR introduces a new activations hacking technique, control vectors (also known as steering vectors, conce...
Maxim Dounin as one of the longtime core developers of the Nginx web server announced the creation today of a new fork of the project called Freenginx.
Google announced that starting in June 2024, ad blockers such as uBlock Origin #uBOwill be disabled in Chrome 127 and later with the rollout of Manifest V3 (#Mv3).
The new #Chrome manifest will prevent using custom filters and stops on demand updates of blocklist. Only #Google authorized updates to browser extension will be allowed in the future, which mean an automatic win for Google in their battle to stop YouTube #AdBlockers .
#ManifestV3 is deceitful and threatening to your privacy, and now is a good time to switch to #Firefox (@mozilla) and/or #TorBrowser (@torproject) if you haven't done so already!
EDIT for clarification: MV3 in Chrome will still allow some ad blocking extensions, but will severely limit their blocking ability and even restricts pre-set filters to 50 MAX.
Get the people-first browser that’s backed by a non-profit.
It’s a new era in tech. Don’t settle for a browser produced by giant, profit-driven, data-hoarding tech companies.
The second paragraph is of particular importance since that also explains why AdGuard is supporting it (see Google's announcement) and the "wider ad blocking community" (i.e., all the bullshit that's not the one true blocker aka uBO) is okay with it. They sell ad blockers and lists as a product. They're okay with not blocking everything (like YT), especially if noone else can do it anymore because the competition (uBO) is sidelined.
This push is not against ad blockers actually, it's against effective ad blockers, particularly uBO.
@ljrk This business model reminds me of Adblock Plus with their "acceptable ads". The difference here is of course that Google owns major ads companies and those will be the "acceptable" ads.
Clever product managers, very clever! Now, you all had your moment - let's all use Firefox/Brave :)
their CEO has a history of being anti-lgbtq, brave heavily supports crypto shit, and they've previously had "scandals" with whitelisting facebook trackers, as well as injecting affiliate links into the url bar
Do I understand this correctly when I believe that this will affect all chromium based browsers (@Vivaldi ) or does it only reveal my lack of technical knowledge?
Close-up view of a sunspot the size of Earth on the surface of the Sun filmed by the Swedish 1-m Solar Telescope. Sunspots are regions of reduced surface temperature caused by intense magnetic fields.
TL;DR: NASA's Ingenuity helicopter on Mars has had an accident on its last flight, breaking one of its blades and ending its mission. The helicopter, which was an experimental mission to test powered flight on another planet, has flown a total of 72 flights and spent over two hours in the Martian air. Despite its premature end, Ingenuity's contributions to space exploration will be remembered.
John Lassetter, the Animation Director of "Toy Story" also drew the earliest (and most popular) renditions of the BSD Daemon logo jacobelder.com/2024/01/17/dire…
John Lassetter, the Animation Director of "Toy Story" also drew the earliest (and most popular) renditions of the BSD Daemon logo jacobelder.com/2024/01/17/dire…
accurate time underpins pretty much all important security measures. we now take it for granted that we can have sub-1-second time sync but that sure wasn't the case.
@paul_ipv6 @adamshostack For those who did not know, or know of, David Mills, he devised a time-keeping protocol that was ultimately based on very high-precision clocks, but had a nice, distributed way for other machines to learn from them. His scheme was based on solid mathematics (the RFC describing it was the first non-ASCII RFC, since it was too painful to write those equations that way…). But you had to use the Internet before NTP to understand how important it was.
@adamshostack @paul_ipv6 DNS as a concept is slightly older, though I think that the protocol was stable before NTP was. But back in the mists of time, it was hard to use DNS on an intranet, while NTP could be used anywhere you had a decent radio clock as your stratum 0.
@SteveBellovin @paul_ipv6 @adamshostack And he had a rather unique way of speaking, his own jargon that didn't sound like the usual techspeak, with the falsetickers and truechimers and all the rest. But fundamentally grounded in control theory, not marketing psychology.
@SteveBellovin David Mills. Pioneer of the Internet from the early days, LSI-11/RT-11 fuzzball routers, INTELPOST, SATNET, TCP, HELLO, GGP, EGP and NTP. All this while he was legally blind. Articulate with a great sense of humor. RIP.
If this is what's happening in heavily-regulated, carefully (and publicly) measured industries when PE takes over, what's happening to all of the other PE "investments" and the people who work for and depend upon them?
On February 1st 2024, AWS will start charging for IPv4 addresses. This will cost $0.005 per hour -- around $4 month
This is a very nice idea, and finally happening on a global scale.
Hetzner started charging IPv4 addresses (or rather, allowing a discount if you do without: the total price is the same it was before) since a few years and I guess that's working fine for them.
Paul Copplestone, co-founder of Supabase, writing in a blog post: On February 1st 2024, AWS will start charging for IPv4 addresses. This will cost $0.005 per hour -- around $4 month.
SAG-AFTRA has signed a deal with Replica Studios to enable the use of AI voice actors in games. The deal standardizes the compensation process for licensing an actor's voice to be cloned by AI.
Many top voice actors for video games are upset by their union about this deal.
Personally, I think this trend is inevitable and it's good that SAG-AFTRA formalized the process for compensation and actor rights versus game studios just doing it anyway.
) bull time is over, it's bear time now. 
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •but given the state of them when they arrived at ewaste?
no they did not
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •no one wiped these.
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •I have now stuck the hard drive in my imaging box
it turns out it was in service as of June.
and this one has log errors about the sensors in the bathroom and bedroom. this was used. fuck.
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •HEY FUN FACT: this was used as part of an Alexa/google home type thing! this is the "cloud" half, as in the part sitting in a warehouse somewhere.
It turns out every time the customer asked for something from the smart assistant, the WAV file was sent to the cloud box
where it is still stored. and I now have eleven thousand wave files
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •god the logs are full of errors about assorted video streams failing.
so this thing was connecting to something which had cameras. like, I can tell which room of the house failed.
now I don't think there's any video stored on this device, but keep in mind: the fools that made this thing fill up with WAV files? they also designed the video streaming part. Where are those videos stored, and how safe are they?
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •and now I can email the lead developer.
or just commit to their git repo, I guess.
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •the other good news is that they have a secrets manager
the bad news is that they rolled their own secrets manager
the extra bad news is that I have the source for said secrets manager
and the extra extra bad news is that it has to decrypt those keys without external input, meaning I have all the parts here to pull out their s3 keys
reshared this
CatSalad🐈🥗 (D.Burch) reshared this.
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •oh hey!
this thing authenticates to some of their servers (which are still up, even if the company might not be (this is unknown at the moment)) over SSH! using keys kept in the same home-rolled vault thing!
so I can SSH into their servers now!
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •oh god this thing sends email from gmail
please tell me they didn't embed the google login into this device
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •reshared this
CatSalad🐈🥗 (D.Burch) reshared this.
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •and test sets the server to... FOOBAR.EGG
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •and in case anyone is getting deja-vu:
This is a completely different company than the other one I found like 3 weeks ago:
digipres.club/@foone/112817523…
Foone🏳️⚧️
2024-07-20 06:59:50
CatSalad🐈🥗 (D.Burch) reshared this.
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •Why the fuck is this on hacker news? ugh. I'm gonna need to run my own mastodon instance, aren't I?
If you found this on hacker news, you owe me 5$:
digipres.club/@foone/112929955…
Foone🏳️⚧️
2024-08-09 03:32:46
retrotag
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to retrotag • • •yoo kagh -> yyz
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to yoo kagh -> yyz • • •AI6YR Ben
in reply to Foone🏳️⚧️ • • •bigiain
in reply to Foone🏳️⚧️ • • •I shudder to think of what the AUbros and billionaire cos players on the orange site are saying there.
@jwz has a rewrite rule on his web server to goatse requests with a referrer from there. (I wonder it that still works? I have no clue what the current state of referrer headers from modern browsers is.)
overflow
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to overflow • • •Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •remember how I said there was a gaylord full of NUCs?
yeah. I took one. of like, a hundred.
Foone🏳️⚧️
in reply to Foone🏳️⚧️ • • •I haven't exploited their git repos.
I haven't misused their leaked AWS credentials
I haven't gone to the media to try and expose this company.
but I took only one of NUCs. The same content is on all the rest of them, I assume
lp0 on fire
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to lp0 on fire • • •Don Whiteside
in reply to Foone🏳️⚧️ • • •Jess
in reply to Foone🏳️⚧️ • • •Phyxis
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Phyxis • • •abcderian
in reply to Foone🏳️⚧️ • • •For reference: packagewarehouse.com/boxes/car…
Gaylord Boxes | Package Warehouse
www.packagewarehouse.comCrystal Huff (they/them)
in reply to Foone🏳️⚧️ • • •SeanOMik
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to SeanOMik • • •CatSalad🐈🥗 (D.Burch)
in reply to Foone🏳️⚧️ • • •Viss
in reply to CatSalad🐈🥗 (D.Burch) • • •CatSalad🐈🥗 (D.Burch) reshared this.
pettter
in reply to Foone🏳️⚧️ • • •Chuck
in reply to Foone🏳️⚧️ • • •Mx. Eddie R
in reply to Foone🏳️⚧️ • • •Foone🏳️⚧️
in reply to Mx. Eddie R • • •Blue Witch Gwen
in reply to Foone🏳️⚧️ • • •Jocelynephiliac
in reply to Foone🏳️⚧️ • • •Jeremy
in reply to Foone🏳️⚧️ • • •Dave Copeland
in reply to Foone🏳️⚧️ • • •Marcos Dione
in reply to Foone🏳️⚧️ • • •