hanno

@hanno@mastodon.social

Freelance Journalist with a focus on Climate, Energy, IT-Security. #searchable

hanno, to random

Do I know anyone who knows BIMI from the technical / protocol side? I'm neither interested in the PR pitch nor in people complaining (correctly) that it's a moneymaking scheme. I have some specific questions about details about the protocol implementation that seem very odd to me.

hanno, to random

Some proprietary software lobbyists are trying to spin the xz story as an "anti open source" story, and I see demands like "you shall only use open source software if you have a contract with someone guaranteeing support and security". I'd be curious: Can I see the contract those people have with Microsoft, or with whatever company you never heard of that wrote the firmware in their wifi card, that guarantees the same for the closed source software they're using?

hanno, to random German

Do I by any chance know anyone here who has dealt with CO2 in the food industry before and could answer a few questions about it?

hanno, to random

I have released a new version of badkeys that can detect xz backdoor keys (https://github.com/badkeys/badkeys/releases/tag/v0.0.7). badkeys is an open source tool I created to detect known-vulnerable cryptographic public keys. This new check is a bit unusual compared to the other things the tool does, and I was unsure whether to implement it, but well, here it is. 🧵

hanno, to random

I have an electronic badge from the Nullcon security conference. It has LEDs to play Tetris; I don't know if it can do anything else. I don't need it. Does anyone collect such things and want it for free?

hanno, to random German

All these rules for cannabis consumption, e.g. no selling near schools, no consuming in the presence of children and young people, etc.: can we have those for cigarettes and alcohol too?

hanno, to random

In case anyone from @1password is reading this, you may want to get in touch with me. I have reported a security vulnerability via their bug bounty program, and bugcrowd's staff thinks it's "not applicable", in my view clearly misinterpreting the program's rules. I am pretty sure it's something they want to address. I may consider other means of disclosure if this is "not applicable" for their bug bounty program.

hanno, to random German

Among the grotesque excesses of the hydrogen hype is that there are both startups that make hydrogen from biomethane and ones that make e-methane from green hydrogen. As a rule, neither makes much sense, unless you have an absurd subsidy system in which anything with "hydrogen" on the label can receive funding. https://www.fr.de/wirtschaft/in-deutschland-mit-treibstoff-versorgen-energiewende-neue-technologie-kann-den-gesamten-busverkehr-zr-92984712.html

hanno, to random

I would actually think this is good news (especially the part about smoking weed instead of binge drinking), but I don't think he means it that way. (Source/paywalled: https://www.spiegel.de/panorama/bildung/legalisierung-von-cannabis-wir-werden-wahrscheinlich-mehr-gescheiterte-schulkarrieren-haben-a-a6875d24-5cf1-4765-bf9f-4e6153d171fb )

hanno, to random

I recently needed a script to convert mbox files to maildir, and to my surprise this was a nontrivial problem. I only found one written in Perl that didn't work with my mbox files. As I don't speak Perl, rather than trying to fix it I wrote one in Python. It's very simple, as Python's standard library already brings all the functionality. In case anyone needs it: https://github.com/hannob/mbox2maildir
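The conversion the post refers to, as an added example that is not the linked mbox2maildir script: the standard-library `mailbox` module reads the mbox, maps each message's mbox status flags onto Maildir info flags, and writes it into a Maildir. The sample mbox with two messages is constructed inline so the demo runs offline; the file names and addresses are made up.

```python
"""Convert an mbox file to a Maildir using only Python's standard library.

Added example (not the mbox2maildir script linked in the post): demonstrates
the mailbox.mbox -> mailbox.Maildir conversion the standard library provides.
"""
import mailbox
import os
import tempfile
from email.message import EmailMessage


def mbox_to_maildir(mbox_path: str, maildir_path: str) -> int:
    """Copy every message from mbox_path into maildir_path; return the count.

    Wrapping each mboxMessage in MaildirMessage maps the mbox Status/X-Status
    flags (R = read, O = old, ...) onto Maildir flags and the cur/new subdir.
    Both mailboxes are locked while copying so a concurrent MUA cannot corrupt
    them (Maildir.lock() is a no-op, but keeps the code symmetrical).
    """
    src = mailbox.mbox(mbox_path, create=False)
    dst = mailbox.Maildir(maildir_path, create=True)
    count = 0
    src.lock()
    dst.lock()
    try:
        for msg in src:
            dst.add(mailbox.MaildirMessage(msg))
            count += 1
        dst.flush()
    finally:
        dst.unlock()
        src.unlock()
    return count


def _constructed_mbox(path: str) -> None:
    """Write a small constructed mbox with two messages for the offline demo."""
    box = mailbox.mbox(path, create=True)
    # Second message carries mbox flags "RO" (read + old) to show flag mapping.
    for i, (subject, flags) in enumerate([("first", ""), ("second", "RO")], 1):
        em = EmailMessage()
        em["From"] = f"sender{i}@example.invalid"   # constructed address
        em["To"] = "me@example.invalid"              # constructed address
        em["Subject"] = subject
        em.set_content(f"constructed message {i}\n")
        m = mailbox.mboxMessage(em)
        m.set_flags(flags)
        box.add(m)
    box.flush()
    box.close()


def demo() -> dict:
    """Run the conversion in a temporary directory and report what came out."""
    with tempfile.TemporaryDirectory() as tmp:
        mbox_path = os.path.join(tmp, "inbox.mbox")
        maildir_path = os.path.join(tmp, "Maildir")
        _constructed_mbox(mbox_path)
        converted = mbox_to_maildir(mbox_path, maildir_path)
        out = mailbox.Maildir(maildir_path, create=False)
        subjects = sorted(m["Subject"] for m in out)
        # "S" (seen) is the Maildir flag that mbox "R" (read) maps onto.
        seen = sorted(m["Subject"] for m in out if "S" in m.get_flags())
        return {"converted": converted, "subjects": subjects, "seen": seen}


if __name__ == "__main__":
    print(demo())
```

Real-world use is `mbox_to_maildir("~/mail/inbox", "~/Maildir")`; the demo only exists so the flag mapping can be checked without touching a real mailbox.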

hanno, to random

If it is a problem for "German crypto technology" that a laptop containing it falls into the hands of an intelligence service, then the problem, by the way, is first and foremost the German crypto technology. That the @bsi still does this even though it has already fallen flat on its face with it so often... https://www.spiegel.de/politik/ex-wirecard-manager-jan-marsalek-lieferte-geheim-laptop-an-russische-agenten-a-de9e43d6-77df-4f2c-9b74-483ff14d1174

hanno, to random

Given that I see calls for better support for those random open source devs that happen to maintain some of the most important pieces of software on the planet: a good friend of mine is maintaining expat - possibly the most important and popular XML library out there - and he has a message in his latest changelog that you may want to read: https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes

hanno, to random

I have a story to tell that is relevant to the xz-utils thing that just happened. I'll probably write this up properly later, but I'm in pre-vacation mode so it may take a while. We have a problem with the way we develop and then distribute FOSS software, and both stories show that. A while ago I looked at the testcases of a widely used library implementing a widely used data format. There was one file that was... strange. 🧵

hanno,

That file was named similar to the other testcases, but it was not used in any test. And if you fed that file into anything using that library, it would either crash or cause enormous CPU spikes. And most interestingly: This file was nowhere to be found in the project's git repository. It was only in the tarball.

hanno,

I contacted the responsible project, but I never got an answer and never really got to the bottom of this. But here's what I think happened: This was a proof of concept file for a yet unfixed and undisclosed vulnerability. It appears the developer already had a testcase for that bug in his local copy of the source tree. And then created the tarball from that source tree. And by doing that leaked a PoC for a zeroday. FWIW, it was "only" a DoS bug. But still.

hanno,

I wanted to disclose this eventually, but then a new version of that library came out and fixed the bug. And plenty of others, and well, people crash parsers for data formats from hell all the time. And I had some concerns that it would sound like I wanted to ridicule the dev, which wasn't my intention at all. But I already thought there's a deeper story here than someone accidentally leaking a PoC for an unfixed vuln. Why can this even happen?

hanno,

Pretty much everyone develops code using Git these days, or some other SCM (some don't, there's this mail server, but I digress). But people distribute code in tarballs. How does a Git repo become a tarball? The answer may disturb you. It's basically "every dev has some process, maybe some script, maybe some commands they remember". Nothing is reproducible, nothing is verifiable.

hanno,

This creates a situation where even when the "many eyes" principle works, i.e. people are actually looking at the code, and at code changes and commits, you still have a path to a compromised package. Because no one checks how this git repo turns into a tarball. Because no one can, as nothing is standardized or reproducible. I can tell no one does for one of the most important libraries to parse one of the most important data formats, because of the story I just told you.

hanno,

There were some substantial efforts to create "reproducible builds" in some areas. This is closely related, but not exactly the same thing. Even if we have reproducible builds, we don't have "reproducible source distribution". We should have that. Git already has some cryptographic integrity, and as much as it has some flaws (sha1...), it's a lot better than nothing at all. But we don't connect any of that to the actual source tarballs.

hanno,

I think the same issue is true for most package managers out there. I don't think there's any mechanism that ties e.g. what's on PyPI to what is in any git repo. (Does anyone know if any package manager does that?)

hanno,

Anyway, what we should have is that every release of a piece of software is tied to a git commit hash. And there should be a verifiable, automated process that checks it. It's more complicated than it sounds, as particularly in "C land" we have autotools, and what's in the source tarball is not just a snapshot of what's in the source repo, but contains all kinds of generated stuff. Either those need to be reproducible, or we need to just stop doing that. It's solvable, but there are some obstacles. /fin
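The check this thread asks for, as an added example that is not the thread author's code: compare the files in a release tarball against the tree of the tagged commit and report what was shipped but never committed, what was committed but altered, and what was left out. Blob hashes are computed the way git does (`sha1("blob <size>\0" + content)`), so the result can be compared directly with `git ls-tree -r <commit>` output. The `git` helper needs a checkout and is not exercised by the demo; the demo's "committed tree" and tarball are constructed in memory, with made-up paths and contents, including one file that exists only in the tarball and one autotools input that differs from the committed version.

```python
"""Compare a release tarball against the file tree of its tagged git commit.

Added example, not the thread author's tooling. Flags files shipped in the
tarball that were never committed, and committed files whose shipped content
differs from the blob in git.
"""
import hashlib
import io
import subprocess
import tarfile
from typing import Dict, Set


def git_blob_sha1(data: bytes) -> str:
    """SHA-1 of a blob exactly as git stores it: 'blob <size>\\0' + content."""
    h = hashlib.sha1()
    h.update(b"blob %d\0" % len(data))
    h.update(data)
    return h.hexdigest()


def git_tree_blobs(repo_dir: str, commit: str) -> Dict[str, str]:
    """Map path -> blob sha1 for every file tracked at `commit`.

    Runs `git ls-tree -r <commit>`, whose lines look like
    '100644 blob <sha1>\\t<path>'. Requires a checkout, so the offline demo
    below builds the same mapping from constructed data instead.
    """
    out = subprocess.run(["git", "-C", repo_dir, "ls-tree", "-r", commit],
                         check=True, capture_output=True, text=True).stdout
    blobs: Dict[str, str] = {}
    for line in out.splitlines():
        meta, path = line.split("\t", 1)
        _mode, objtype, sha = meta.split()
        if objtype == "blob":
            blobs[path] = sha
    return blobs


def tarball_blobs(tar_bytes: bytes, strip_prefix: str) -> Dict[str, str]:
    """Map path -> git-style blob sha1 for every regular file in the tarball.

    Release tarballs wrap everything in '<name>-<version>/'; that prefix is
    stripped so paths line up with `git ls-tree` output.
    """
    blobs: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = member.name
            if path.startswith(strip_prefix):
                path = path[len(strip_prefix):]
            blobs[path] = git_blob_sha1(tar.extractfile(member).read())
    return blobs


def compare_release(tree: Dict[str, str], tarball: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify every path into one of three sets.

    tarball_only: shipped but never committed (the category to look at first)
    modified:     committed, but the shipped bytes differ from the git blob
    missing:      committed but not shipped (often harmless, e.g. CI config)
    """
    shared = set(tarball) & set(tree)
    return {
        "tarball_only": set(tarball) - set(tree),
        "modified": {p for p in shared if tarball[p] != tree[p]},
        "missing": set(tree) - set(tarball),
    }


def _build_tarball(files: Dict[str, bytes], prefix: str) -> bytes:
    """Constructed gzip tarball for the offline demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=prefix + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed "committed" tree: what `git ls-tree -r v1.2.3` would describe.
COMMITTED = {
    "src/parser.c": b"int parse(void) { return 0; }\n",
    "tests/good.xml": b"<a/>\n",
    "configure.ac": b"AC_INIT([demo], [1.2.3])\n",
}
# Constructed tarball: one committed file altered, one extra file shipped.
SHIPPED = dict(COMMITTED)
SHIPPED["configure.ac"] = b"AC_INIT([demo], [1.2.3])\nAC_CONFIG_MACRO_DIR([m4])\n"
SHIPPED["tests/extra-case.xml"] = b"<constructed/>\n"   # never committed


def demo() -> Dict[str, Set[str]]:
    """Run the comparison on the constructed release."""
    tree = {path: git_blob_sha1(data) for path, data in COMMITTED.items()}
    tar_bytes = _build_tarball(SHIPPED, "demo-1.2.3/")
    return compare_release(tree, tarball_blobs(tar_bytes, "demo-1.2.3/"))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {sorted(paths)}")
```

Against a real release the call is `compare_release(git_tree_blobs(repo, "v1.2.3"), tarball_blobs(open(path, "rb").read(), "name-1.2.3/"))`. Generated autotools output (`configure`, `Makefile.in`, `m4/*`) will land in `tarball_only` for any autotools project, which is exactly the point of the thread: until those are reproducible, a reviewer has to diff them against a fresh `autoreconf` run by hand.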

hanno, to random

I have given a talk at the Nullcon security conference about HSTS, why we have it in the first place, and an HSTS bypass vulnerability in Mozilla Firefox. Unfortunately, it seems something went wrong with the recording. I'd like to give the talk again so it gets recorded. Any recommendations for events that might like to have that talk? Preferably: in or near Berlin, not too far in the future, and of course with a reliable setup to record talks.

hanno, to random German

For years there has basically been a creeping dismantling of public transport in Berlin, and it is quite astonishing that this is hardly ever a topic. Lines aren't officially cancelled or cut back, but then there are "construction-site timetables" for years on end. https://umweltzoneberlin.de/2024/03/11/bvg-im-diskreten-kuerzungsmodus/

hanno, to random

In 2004, a documentary movie was published (Super Size Me) where the filmmaker Morgan Spurlock ate nothing but McDonald's food for 30 days. Like probably many, I saw that movie back then and liked it. I had read before that there were some doubts about some of the things described in the movie. What I didn't know until now was that very likely, some key parts of that movie are false and some of the health effects he described are likely due to alcohol consumption 🧵

hanno,

Spurlock talks to multiple doctors before and after his experiment, and in one of the "before" scenes in the movie says he does not consume alcohol. But this was probably a lie. Due to the "MeToo" movement, Spurlock admitted sexual misconduct in several cases. In that admission, he also talks about an alcohol problem and: "I haven't been sober for more than a week in 30 years." If that claim is true, it appears very likely that some of the health problems in the film may be due to alcohol abuse.
