@djm@cybervillains.com
djm

debugging, v: the process of inserting printf statements into code until one's errors reveal themselves

djm, to random

Here's my 2c on the xz incident.

This is the nearest of near-misses. Anyone who suggests this was any kind of success is a fool. No system caught this, it was luck and individual heroics. That's not acceptable when unauthorised access to ~every server on the internet is on the table. We need to find a way to do better.

1/n

djm,

This won't be the last sophisticated and methodical OSS supply-chain attack. The actor(s) behind xz are probably already learning their lessons ahead of their next attempt. Indeed, xz might not be the only attack they had in progress.

The next one is going to be more carefully operated and harder to spot. How are we going to stop it?

4/4

djm,

Few of the mooted software-supply chain defences would have prevented this, as the attacker was a (relatively) long-term maintainer, was not averse to using sockpuppet accounts and was careful to hide their exploit from automated tools.

Worse, many of the solutions being offered increase the workload on maintainers. But maintainer burnout was a key factor in this incident. We need to find a way to support maintainers while being proscriptive or paternalistic.

3/n

djm,

One factor in this incident was deep, unexpected dependency chains. I wish distributions would start taking a more minimalist approach to the options they enable in the default packages they ship.

What fraction of the sshd userbase actually needs Kerberos or SELinux (which also depends on liblzma) enabled? Put that stuff in an alternate package and reduce the exposure for the rest of your users. Fewer dependencies means less attack surface and less supply-chain risk.

2/n

kissane, to random

A few weeks back I encountered a FOSS guy here explaining that when he sees open source devs ask for money, he blocks them and then stops using their code because they're morally wrong and he only wants to work with tools made by people who are doing the work for the right reasons. (I'm paraphrasing to avoid indexing the post.)

I've resisted writing about it because I'm slammed, but the question I can't shake is: Who benefits from the ideology of "pure" volunteerism?

djm,

@kissane probably the type of person who thought that the Olympic Games was better when it excluded professionals

dalias, to random

Heads-up FOSS maintainers!

There is a person sending bulk patches/PRs to FOSS projects for supposed issues "Found by RASU JSC" (not sure if that's a static analysis tool itself, or some org).

The patches I've received are all very, VERY wrong formulaic changes, maybe even LLM-generated, doing things as stupid as replacing sprintf(s, fmt, ...) with snprintf(s, sizeof s, fmt, ...) where s has pointer type.

If you've accepted any such patches, review carefully & possibly revert!

djm,

@dalias we've received a few that haven't been terrible

djm, to random

OpenSSH 9.6 has just been released: https://openssh.com/releasenotes.html#9.6

Among other things, this release contains a fix for the so-called Terrapin Attack (https://terrapin-attack.com/)

djm, to random

Bless the Maker and His water. Bless the coming and going of Him. May His passage cleanse the world.

djm, to random

We've just made an OpenSSH release to fix a remotely exploitable RCE vulnerability in ssh-agent's PKCS#11 support (CVE-2023-38408). Details at https://openssh.com/releasenotes.html#9.3p2

Thanks to the Qualys Security Advisory Team for finding and reporting this bug.

djm, to random

The "robustness principle" is the most destructive concept in protocol design and implementation of all time. We should be embracing its inverse: strict, explicit state-machines with model-checked proofs.
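An added illustration of this point (my example, not djm's or OpenSSH's code): a constructed toy handshake driven through an explicit, exhaustive transition table, where any message the current state does not expect fails the connection, beside the "liberal" variant that silently drops it. The message names and their order are assumptions for illustration only, not the SSH protocol.

```rust
// Constructed toy handshake (not the SSH protocol): the message names and the
// order Hello -> KexInit -> NewKeys -> Data are assumptions for illustration.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Msg { Hello, KexInit, NewKeys, Data }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum State { Start, GotHello, GotKexInit, Encrypted, Failed }

// Strict transition table. Every (state, message) pair that is not listed is
// a protocol violation and sinks the connection into `Failed` for good.
pub fn step(state: State, msg: Msg) -> State {
    match (state, msg) {
        (State::Start, Msg::Hello) => State::GotHello,
        (State::GotHello, Msg::KexInit) => State::GotKexInit,
        (State::GotKexInit, Msg::NewKeys) => State::Encrypted,
        (State::Encrypted, Msg::Data) => State::Encrypted,
        _ => State::Failed,
    }
}

// Drive a whole transcript through the strict machine.
pub fn run_strict(msgs: &[Msg]) -> State {
    msgs.iter().fold(State::Start, |s, &m| step(s, m))
}

// The "be liberal in what you accept" variant the post argues against: a
// message the state does not expect is silently dropped instead of failing
// the connection, so an injected or reordered message goes unnoticed.
pub fn run_lenient(msgs: &[Msg]) -> State {
    msgs.iter().fold(State::Start, |s, &m| match step(s, m) {
        State::Failed => s,
        next => next,
    })
}

fn main() {
    use Msg::*;
    let clean = [Hello, KexInit, NewKeys, Data];
    // A Data message injected before the keys were switched over.
    let injected = [Hello, KexInit, Data, NewKeys, Data];
    println!("strict  clean:    {:?}", run_strict(&clean));
    println!("strict  injected: {:?}", run_strict(&injected));
    println!("lenient injected: {:?}", run_lenient(&injected));
}
```

The strict machine reports the out-of-order transcript as `Failed`, while the lenient one reaches `Encrypted` as if nothing had happened.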

djm, to random

We quietly released the code a little while ago but this is the official announcement of Capslock, our contribution to the supply-chain security conversation.

https://security.googleblog.com/2023/09/capslock-what-is-your-code-really.html

Capslock is a tool for understanding at high level what a given piece of (Golang) code is capable of and for detecting when an update to a library changes this capability set, to give users a chance to catch supply-chain attacks in progress.

1/2

gsuberland, to random

I wish more people knew that light curtain sensors are cheaply available and easy to integrate into an e-stop for automated machinery. you can protect a 3.0m by 0.5m region against ingress for under 70€.

if you're building hobbyist CNC stuff (milling, XY tables, robot arms, etc.) without a full-coverage interlocked enclosure they're a very affordable way to save you from serious injury.

djm,

@gsuberland links?

djm, to random

I'm happy to announce that 9.4 has been released.

This release fixes a few bugs and adds a few small features. Full release notes at https://www.openssh.com/releasenotes.html#9.4p1

djm, to random

OpenSSH 9.5 has just been released. https://www.openssh.com/releasenotes.html#9.5

This release fixes some bugs and adds keystroke timing analysis countermeasures.

djm, to random

OpenSSH has just announced the plan and timeline to remove DSA support (already disabled since 2015) https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-January/000156.html

djm, to random

Nice to see ... basically everyone adopt OpenSSH's mitigation to the Terrapin attack https://www.openwall.com/lists/oss-security/2023/12/19/5

djm, to random

Nightmare stuff - still more auth bypass functionality being found in the xz backdoor
https://nitter.poast.org/bl4sty/status/1776691497506623562

gsuberland, to random

I wonder how long it's going to be until fast GaN-on-Si processes are cheap enough to be able to stick 400MHz+ DC-DC converters inside addressable LEDs for super high efficiency conversion from higher supply voltages. the embedded inductance can be just a few nH at that switching frequency so it's not even that hard from a packaging perspective.

djm,

@gsuberland @azonenberg that looks like an amazing light source, but I wonder how they avoid speckle?

mcc, to random

Also by the way, I'm just going to say this, when your stated reason is disliking Bluesky is "because it's run by Jack Dorsey" it makes me think you're not really trying to be convincing because that's only going to work until the first time you encounter someone who replies "it is not run by Jack Dorsey". They will have an easier time proving their statement than you will yours. Maybe find some other way of framing your objection

djm,

@jplebreton @mcc that analogy makes no sense. FB is and has been run by the same person the entire time, there's no tiny pearl there - it's the whole oyster

robpike, to random

My day of woe continues.

I am trying to install graphviz on my mac, for probably the fifth time in history. I caved and tried to install MacPorts to enable this, as recommended at graphviz.org, but the installer for MacPorts itself is just hanging at the "Running package scripts" stage, for like 30 minutes, showing it to be perhaps as troublesome as homebrew, which corrupted my disk some years ago.

Is MacPorts doing some protracted thing, or is it just broken? Thanks.

djm,

@robpike the year is 34157 (reformed epoch calendar). The final living human reaches out, with their last remaining energy, to add another debugging printf

danderson, to random

A weird facet of this new hobby I accidentally purchased, is that I'm picking up some books for learning and for reference material, and many of the "definitive" ones are written by people who died before I was born.

More modern books also exist, but they're all about the CNC and the 5-axis and the computers that make things spin at 30,000rpm, not so much the "industrial revolution perfected" machines that hobbyists use.

djm,

@danderson which book is this?

danderson, to random

dangit, my inner data structure has a structural fault because of rust ownership semantics.

Conceptually, the inner struct is a binary tree where inner nodes can carry a value, and leaves can carry a value or a child tree. If you need a leaf to hold both a child and a value, you store the child and move the value to the child's root node.

Conceptually again, lookups walk down this tree-of-trees looking for the node representing the lookup key, and nearest self-or-parent value is the result.

djm,

@danderson Does RefCell help here?
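The structure danderson describes, written out as an added example (not code from either poster): owned `Box` children, a leaf that may hold a child tree instead of a value, and a lookup that returns the nearest self-or-parent value. The bit-path keys and `u32` values are assumptions for illustration.

```rust
#[derive(Debug, Default)]
pub struct Node {
    value: Option<u32>,
    zero: Option<Box<Node>>,
    one: Option<Box<Node>>,
    child: Option<Box<Node>>, // only on a leaf: the root of a child tree
}
impl Node {
    // Walk the path `bits`, creating nodes as needed, and return its end node.
    fn at(&mut self, bits: &[u8]) -> &mut Node {
        let mut node = self;
        for &b in bits {
            let slot = if b == 0 { &mut node.zero } else { &mut node.one };
            node = &mut **slot.get_or_insert_with(Default::default);
        }
        node
    }
    pub fn insert(&mut self, bits: &[u8], value: u32) {
        self.at(bits).value = Some(value);
    }
    // Hang a child tree on the leaf at `bits`; the leaf's value moves to the child's root.
    pub fn attach(&mut self, bits: &[u8], mut child: Node) {
        let leaf = self.at(bits);
        if let Some(v) = leaf.value.take() { child.value = Some(v); }
        leaf.child = Some(Box::new(child));
    }
    // Nearest self-or-parent value for `bits`, descending into child trees.
    pub fn lookup(&self, bits: &[u8]) -> Option<u32> {
        self.find(bits, None)
    }
    fn find(&self, bits: &[u8], inherited: Option<u32>) -> Option<u32> {
        let best = self.value.or(inherited);
        if self.zero.is_none() && self.one.is_none() { // a leaf: maybe a child tree
            return match &self.child { Some(c) => c.find(bits, best), None => best };
        }
        let (b, tail) = match bits.split_first() { Some((&b, t)) => (b, t), None => return best };
        let next = if b == 0 { &self.zero } else { &self.one };
        match next { Some(n) => n.find(tail, best), None => best }
    }
}
// Constructed sample: root holds 1; leaf "10" holds 2 and then gains a child
// tree (so 2 moves to the child's root) which holds 4 at "11".
pub fn sample() -> Node {
    let mut t = Node::default();
    t.insert(&[], 1);
    t.insert(&[1, 0], 2);
    let mut child = Node::default();
    child.insert(&[1, 1], 4);
    t.attach(&[1, 0], child);
    t
}
```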

djm, to random

Piñata proposal for a model of trusted open-source without placing more onus/load on maintainers.

  1. Maintainers keep doing what they do with no new mandates, but with encouragement and support to adopt good practices like commit and release signing, repository hygiene, CI/CD, fuzzing, etc.

1/n

djm, to random

I just woke up from a long night's sleep. Anything interesting happening?
