
vanderbilt

@vanderbilt@lemmy.world

Sometimes I call the numbers on missing dog posters and just bark into the phone. I learn from the mistakes of those who take my advice.


vanderbilt,

A company made me an offer last year when I was looking for startups, but they required me to move to Austin. Austin is a nice place, but it’s unfortunately surrounded by Texas. Fast forward to today and they are moving out of Texas because it’s too expensive and they are having trouble retaining talent. The incentives the city has been offering to foster their own Silicon Valley are stalling because it’s not much cheaper and the state legislature is a Barnum circus of inhumanity.

vanderbilt,

Something I appreciate about Lemmy is that garbage links get downvoted into oblivion like they deserve. Unlike the alien site where people don’t even open the link and just argue about the headline.

vanderbilt,

Good. Stop locking game content behind increasingly high paywalls. It used to be when you paid $60 for a game you got something that could stand on its own. Now if you aren’t getting the GOTY you’re getting half a product.

vanderbilt,

Man I wish FreeBSD hadn’t fallen by the wayside. It’s really cohesive and feels put together in a way no Linux distro ever has.

vanderbilt,

Honestly it isn’t. Support for anything front-end related is way more sparse compared to Linux.

vanderbilt,

“hello system” is pretty nice to look at, and has some Mac-isms I find helpful. FreeBSD had a new release recently, so maybe Nomad or GhostBSD could be worth trying. You’ll find FreeBSD is a lot more “consistent” compared to Linux, but be prepared for random hardware to not work.

vanderbilt,

I use Claude to write plenty of the code we use, but it comes with the huge caveat that you can’t blindly accept what it says. Ever hear newscasters talk about some hacker thing and wonder how they get it so wrong? Same thing with AI code sometimes. If you can code you can tell what it does wrong.

vanderbilt,

Valve can go into the negative selling Decks, something that their competitors can’t reasonably do because they will get money from Steam store sales made on the Deck. I for one went from buying 3-4 games a year to like a dozen because it’s been so convenient.

vanderbilt,

Incredible how OEMs keep fumbling this. Just give me a Steam Deck with prosumer performance and decent battery. Accomplish that how you want. Slap SteamOS on it then let me buy it. No, I don’t want to figure out Armor Crate or MSI launcher or whatever. I just want to play games without having to babysit the thing.

From solar to EVs: With China's overproduction and state subsidies, the US and EU are working to ensure that their clean-energy sectors aren't wiped out by unfair competition (www.dw.com)

Beijing’s industrial subsidies are on average three to four times higher than in Organisation for Economic Co-operation and Development (OECD) countries — sometimes up to nine times as much. A report published this week by IfW-Kiel estimated that industrial subsidies amounted to €221 billion or 1.73% of China’s gross...

vanderbilt,

One man’s “investments” are another man’s “unfair competition”. The U.S. does the same thing with steel to prop up domestic steel companies. Try to import steel from Vietnam and they tax the hell out of it.

vanderbilt,

WinAPIs are rife with weirdness like this that has stuck around for backward compatibility reasons. The day MS finally kills win32 will be the day Windows’ security improves tenfold.

vanderbilt,

There isn’t a snowball’s chance in hell they’ll be allowed to, that’s why. In the Texas panhandle is the Pantex plant, which services the military’s nuclear warheads. You saw what Uncle Sam did to the people who touched his boats, now try touching his nukes.

vanderbilt,

I mean it’s a giant rodent so maybe visit the pet store and you’ll know 🥴

vanderbilt,

Haha Mint was my first distro! I wiped Windows 7 and installed Mint, then quickly learned that a tarball is in fact more work than an exe. Good times and a great learning experience! Back then it was the only thing not slow, ugly, or wildly unfamiliar.

vanderbilt,

True that. There have been so many wins in just a few years.

vanderbilt,

Can you recommend any IRC channels for techies please? I like infosec, Linux, and Mac topics but I can’t find any communities that aren’t turbo-clicky or dead. Most channels I’ve found are like ham radio: a bunch of old grumpy people ragchewing. I’d like an actual conversation I can contribute to.

vanderbilt,

And MD5 for package integrity checking, and not using per-package PKI signatures.

vanderbilt,

Did they ever make good on this plan?

RPM must accept SHA-1 hashes and DSA keys for Fedora 38, ideally with a deprecation warning that it will be disabled in F39.

vanderbilt,

The use of MD5 becomes a bigger issue when paired with the lack of package signatures. You can inject code into a package and find a colliding digest absurdly fast. A friend from Threatlocker and I created a Metasploit module to use Deb packages for local privesc based on the concept. If it touches the filesystem outside of the APT cache it becomes a vector.

vanderbilt,

In theory (whitepaper is still being written), if you MITM the connection to the APT mirror it’s using you can also carry out the attack over the network by injecting it into the package on the fly. Cert pinning might be a blocker, but local (LAN) package mirrors might still be valid attack targets. Enterprises often use MITM certs for things like DLP and packet inspection we might be able to leverage at least.

vanderbilt,

To save you some effort, they do not consider it a priority to fix. Code that would make package signatures the default was submitted for merging, but it was removed because it “was a waste of cpu cycles” when “md5 and the https was just as good”. I’m not kidding, you can find the whole conversation in the Debian mailing archives. So instead I’m going to make it known how dumb it is, and encourage people to use something else.

vanderbilt,

I admire your gusto! I think it’s doable, and you can definitely pull it off if you want to. To replace MD5 and implement signatures you need to do the following, as a high level overview:

Extend dpkg to know what SHA2 is, and reliably detect it. (maybe measure hash length or specifying a new version using the control file?)

dpkg must also know what a signature is. More on that below.

Providing automatic/mandatory signing will require code to handle PKI as well as a place to store the signing information. I would do it by signing the two archives found within Deb packages, then placing information about the signing in the top-level of the package. Existing tools need to be able to ignore or handle whatever you implement as a rule of thumb.

Note that this is just my approach and maybe you can do better.

I also recommend looking into lists.debian.org/debian-dpkg/…/msg00024.html. This is the thread I mentioned earlier, in which package signatures were discussed and ultimately turned down. Maybe the easiest approach is to re-implement what the contributor was trying to do back then, but with modern code and standards? If you want more resources, including my presentation on the topic to HackCFL and CitrusSec, let me know. I am here for whatever technical assistance or industry contacts I can provide. The white paper might be done in a month, minus peer review. I’m very busy and so is he. Good luck in any case!
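Editor's worked example for the MD5 and package-signature discussion in the comments above (the Threatlocker module, the MITM idea, and the dpkg to-do list). This is added code, not from the thread, from dpkg or from apt. It builds a minimal .deb in memory, verifies the md5sums manifest inside control.tar.gz the way debsums does, and then shows the two things a practitioner should keep apart: that manifest only catches corruption (anyone who rewrites data.tar.gz can regenerate it), while the authenticity check apt performs is the SHA-256 of the whole .deb against the Packages index, which is in turn pinned by the GPG-signed Release file. A .deb that reaches dpkg outside that chain (dpkg -i, a local mirror without a signed Release, or a file replaced on the fly) gets no authenticity check unless a per-package mechanism such as debsig-verify is enabled, which is the gap the thread is talking about. The package name, file contents and the "index hash" are all constructed for the demo.

```python
"""Added example: minimal .deb builder plus the two checks that matter.
md5sums (inside control.tar.gz) = integrity against corruption only.
SHA-256 of the whole .deb vs. the signed Packages index = what apt trusts.
All package contents and the 'index hash' below are constructed."""
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def _tar_gz(members):
    """Gzip'd tar built from {path: bytes}, like control.tar.gz / data.tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in members.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar_member(name, data):
    """One member of an ar(1) archive: 60-byte header, data, pad to even length."""
    header = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
              + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode()
    return header + data + (b"\n" if len(data) % 2 else b"")


def md5sums_for(files):
    """dpkg's md5sums format: '<md5>  <path>' per file, paths without './'."""
    return "".join(f"{hashlib.md5(d).hexdigest()}  {p}\n"
                   for p, d in sorted(files.items())).encode()


def build_deb(files, md5sums=None):
    """A .deb is an ar archive: debian-binary, control.tar.gz, data.tar.gz."""
    control = b"Package: demo\nVersion: 1.0\nArchitecture: all\n"  # constructed
    manifest = md5sums_for(files) if md5sums is None else md5sums
    control_tar = _tar_gz({"./control": control, "./md5sums": manifest})
    data_tar = _tar_gz({"./" + p: d for p, d in files.items()})
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control_tar)
            + _ar_member("data.tar.gz", data_tar))


def ar_members(deb):
    """Parse the ar container into {member name: bytes}."""
    if not deb.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, out = len(AR_MAGIC), {}
    while pos + 60 <= len(deb):
        hdr = deb[pos:pos + 60]
        name = hdr[:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        out[name] = deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return out


def _tar_files(blob):
    """{path without './': bytes} for every regular file in a gzip'd tar."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        return {ti.name.lstrip("./"): tf.extractfile(ti).read()
                for ti in tf.getmembers() if ti.isfile()}


def verify_md5sums(deb):
    """What debsums checks: every data.tar file matches the md5sums manifest.
    Detects corruption only: whoever edits data.tar can regenerate md5sums."""
    members = ar_members(deb)
    manifest = _tar_files(members["control.tar.gz"])["md5sums"].decode()
    expected = {}
    for line in manifest.splitlines():
        digest, path = line.split("  ", 1)
        expected[path] = digest
    actual = {p: hashlib.md5(d).hexdigest()
              for p, d in _tar_files(members["data.tar.gz"]).items()}
    return actual == expected


def verify_against_index(deb, index_sha256):
    """What apt checks before dpkg runs: SHA-256 of the whole .deb must match
    the Packages entry, and Packages is pinned by the GPG-signed Release file.
    dpkg -i or an unsigned local mirror skips this unless debsig-verify is on."""
    return hashlib.sha256(deb).hexdigest() == index_sha256


# Constructed sample package and the hash an honest Packages index would carry.
FILES = {"usr/bin/demo": b"#!/bin/sh\necho hello\n"}
ORIGINAL = build_deb(FILES)
INDEX_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()
# Bit-rot on disk: content changed, manifest not regenerated -> md5sums catches it.
CORRUPTED = build_deb({"usr/bin/demo": b"#!/bin/sh\necho hellp\n"}, md5sums_for(FILES))
# Attacker's rebuild: content changed AND manifest regenerated -> md5sums passes.
TAMPERED = build_deb({"usr/bin/demo": b"#!/bin/sh\necho pwned\n"})

if __name__ == "__main__":
    for label, deb in [("original", ORIGINAL), ("corrupted", CORRUPTED), ("tampered", TAMPERED)]:
        print(f"{label:9} md5sums ok: {verify_md5sums(deb)!s:5} "
              f"index sha256 ok: {verify_against_index(deb, INDEX_SHA256)}")
```

Running it prints that the tampered package passes the md5sums check and fails only the index hash, which is the practical takeaway: if your install path never compares the .deb against a signed index (local mirrors, side-loaded .debs, anything that rewrites the file after apt fetched it), the md5sums file gives you no protection at all, MD5 collisions or not.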

vanderbilt,

Japan has no children anymore.

It’s not as bad as Korea, but this is no surprise. Things will get worse as the population of elderly people grows. Housing isn’t expensive like in the west, so that’s not the cause, but rather jobs are hard work and the yen is becoming less valuable. I have some hope in the satori generation to break the toxic work cycle, but that won’t solve the affordability issues.
