I've seen a lot of hot takes this weekend about the #xz hack. Most are about how it was a long effort and how it's a supply chain problem, etc... Many are good takes. But...
One thing I haven't seen a single time is: why is a compression library able to hook into incoming SSH connections?
Is there not a system to sandbox linked libraries? And if not, wouldn't this be worth investigating?
@luis_in_brief@teleclimber Also I believe that the actual dangerous part of the attack wasn't the technical implementation but the amount of social engineering that was put into it. And no level of sandboxing can solve that.
The Unicode SHY (soft hyphen) debate came up again and this feels like a good time to remind folks that hyphenation is extremely hostile to accessibility by non-native readers, folks with visual/tracking impairments or perceptual issues, etc. and is pure nostalgic typography nerd wankery.
@dalias utf8/16, font rendering and terminal escape codes are my candidates for the next big security issues. They are widely considered simple and non-issues but are in fact complex beasts.
i uh spend a lot of time thinking about whether various surprising software design choices are
a) intrinsic to the problem domain (“it turns out it DOES make sense!”)
b) made sense historically (“this made sense in 1992, but it didn't age well”)
c) just a typo/mistake (the "Referer" header)
d) related to budget/time constraints (“well, prototyping with shell scripts is fast!”)
e) cultural/organizational (“well, Google is the main funder for this project, and…”)
f) something else
I'm looking for a nice backpack for 1-2 15.4" laptops.
The backpack should give off either "I'm studying primary school teaching and like licking fly agarics 🍄🧚" or "How did you know I used to have snakebites 🖤" vibes.
Anyone have a tip beyond the sad office-beige Vaude/Osprey/Deuter ones, in which laptops are still well protected?
i don’t think i’ll ever understand monads even though I literally spent years studying category theory in grad school but I really liked this paper “What we talk about when we talk about monads” https://tomasp.net/academic/papers/monads/monads-programming.pdf
I love that it talks about cases where monads have been misapplied and the social aspects of how they’re used
(please do not try to explain monads to me and please no links to your favourite monad explanation)
Next year I'll throw myself into the chaos again :fairydust: - this year I just need a safe cave and the occasional snack at the end of the year. Wishing you all lots of fun at #37c3, be kind to the angels and remember the 6-2-1 rule. :blahaj:
#Rant
I'm just trying to restore a web project for which the production server got accidentally deleted.
As I have to do it on an available replacement server, some things have changed and I have to read up on stuff. One thing I come across in many tutorials is
chown -R www-data.www-data PATH_TO_WEB_PRESENCE
(often followed by a chmod 66x)
And I think this is WRONG!!!
The directories and the data should NOT be owned by the user of the webserver. For security reasons the webserver should only have READ access to the stuff!!
Please correct me if I'm wrong or am overlooking something.
(and yes I understand that with this ownership you avoid permission problems)
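Not the poster's code: an added sketch of the ownership layout the rant argues for, assuming a dedicated deploy account that owns the tree, www-data as the web server's group (Debian naming), and one named upload directory as the only path that group may write to. The audit function is the check to run afterwards.

```shell
#!/bin/sh
# Added example, not from the post above. A separate deploy account owns the
# web root, the web server's group gets read-only access, and only one
# explicitly named upload directory is writable by that group.

# harden_webroot WEBROOT OWNER WEBGROUP [WRITABLE_SUBDIR]
harden_webroot() {
    root=$1; owner=$2; group=$3; writable=${4:-}
    # Colon form; the "owner.group" dot form seen in old tutorials is deprecated.
    chown -R "$owner:$group" "$root" || return 1
    # Directories: owner rwx, group r-x (list + traverse), others nothing.
    find "$root" -type d -exec chmod 750 {} +
    # Files: owner rw-, group r--, others nothing. No 66x anywhere.
    find "$root" -type f -exec chmod 640 {} +
    if [ -n "$writable" ]; then
        # Only the upload tree gets group write; setgid keeps new files in the group.
        find "$root/$writable" -type d -exec chmod 2770 {} +
        find "$root/$writable" -type f -exec chmod 660 {} +
    fi
}

# audit_webroot WEBROOT [WRITABLE_SUBDIR]
# Prints every path outside the allowed writable directory that is writable
# by group or others; returns 1 if any exist, 0 if the tree is clean.
audit_webroot() {
    root=$1; writable=${2:-}
    if [ -n "$writable" ]; then
        found=$(find "$root" -path "$root/$writable" -prune -o \
                     \( -perm -020 -o -perm -002 \) -print)
    else
        found=$(find "$root" \( -perm -020 -o -perm -002 \) -print)
    fi
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}
```

Run as root on a real host (e.g. `harden_webroot /var/www/site deploy www-data uploads`); the test below uses the current user and group so it works unprivileged.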
just checked a major review site and not a single smart TV was released in the past two years without integrated ads that you can't opt out from or disable. that's depressing.
started asking people to follow some very basic rules in the replies to my posts on here (like “no starting arguments” and “no unsolicited advice/explanations”) and it's going really well so far, everyone is really nice about it
Mastodon started off being much worse than twitter for me (at first I got a LOT of unsolicited advice that was not helpful to me). It's gotten way better and I really like it here now, but I think it could be even better