X_Cli boosted
Boost if you get anxious if a new minor kernel version has been out for a whole 30 minutes and you still haven't rebooted your server(s) yet.

Yet another nail in that coffin: DoS of because of a weak implementation and weak OpenPGP specifications.


Also, because the fun does not stop here:


X_Cli boosted

@alicia Web of trust is an interesting idea.

Unfortunately, it does not really work in practice. People almost never configure the signature verification level (datatracker.ietf.org/doc/html/) and use the default level. This corrupts the web-of-trust because people performing stringent verification have the same weight that people doing next to no verification.

I don't say this lightly; I wrote a few years ago a OpenPGP parser in Ocaml and parsed all keys published in key servers and did some stats on them. My employer never published those stats, so there is no public trace of that work. Only the parser was published github.com/picty/parsifal

Also, most keys are only self-signed, and the strong set is relatively small.

Finally, the web of trust is basically "dead" since key servers were brought down following the disclosure of an unpatchable design issue.
Key servers are not per se mandatory for the web of trust to work, but without them, trust signatures are a lot more difficult to propagate to interested parties.

signature spoofing via status line injection


How many nails does that coffin need?

I recommend using minisign, ssh or [^NaCl] for content signing.

[^NaCl]: pkg.go.dev/golang.org/x/crypto

X_Cli boosted

I’m writing an article that expands my microblog entry on stylometric fingerprinting to give more comprehensive advice. I am partially walking back on my recommendation not to use machine translation and adding information about reading levels, among other things. Would anybody familiar with #stylometry, or with a #linguistics background experienced with close-reading, be up for reviewing a rough draft next week?

I’d also be interested in how people may describe my own stylometric fingerprint (signature phrases, grammar quirks, etc), to use as an example.

Boosts appreciated.

Linux quotas need to be revisited by sysadmins. They used to be pretty shitty a while back, but I find that today implementations are very usable, as long as you don't go too far into the rabbit hole like I do (e.g. trying to do the syscall myself instead of using standard shell tools).

This is the question I am currently trying to answer, by the way :) Much fun :)

Show thread

New favorite interview question:

On a ext4 filesystem, I open(2) a file with O_TMPFILE in a directory with EXT4_INODE_PROJINHERIT set. The project quota is full.
What happens? You cannot run code to answer the question. You have one hour. Go.

X_Cli boosted


I've put together a survey about the Small Internet (#gopher, #gemini, individual webpages, small community sites) and I would love your input. If you are a small internet user, please spend a few minutes and fill in your thoughts. I'm especially interested in the open response questions. This will help inform an upcoming conference talk I'll be giving at mch2022.org

Also, please boost this on fedi as much as possible and feel free to re-share on other social networks and in other communities. The more responses the better.

#smallweb #smallinternet

Astuces pour les jeunes en recherche d'emploi : si on vous met la pression pour signer rapidement :

* ce n'est pas une bonne opportunité ; on essaie juste de vous empêcher d'aller le découvrir ailleurs ;
* une signature ne veut pas dire qu'il faut arrêter les recherches ; une signature, ça se dénonce ! Vous avez juste à renoncer ou au pire vous cassez votre période d'essai le premier jour.

N'ayez pas honte de faire ce genre de choses ; vous n'êtes PAS en position de faiblesse ; on vous recrute et VOUS, vous sélectionnez le meilleur emploi.

X_Cli boosted

Aggression sexuelle, Léo Grasset 

En vrai, je suis un peu gavé par les commentaires "Mais, purée, j'en étais sûr·e ; ça se voyait que le mec est un détraqué".

Il y a plus d'une demi-douzaine de plaignantes qui ont mis des années à capter le problème, à le vivre, et à avoir fréquenté et échangé avec Léo Grasset.

Soit vous avez des putains de skill de *profiler* et il est urgent de les mettre à la dispo des forces de l'ordre ; soit, c'est peut-être un peu facile d'analyser **après** la révélation et le travail d'enquête, et ce type de commentaires ne fait que participer à signifier aux plaignantes qu'elles sont un peu connes de ne pas avoir vu les *red flags*.

X_Cli boosted

@jerry Having a kill switch for broken plugins is a very good idea. Having self-updating code controlled from a central server that overrides admin preferences is begging for a supply chain attack turning millions of Wordpress instances into a botnet in an instant. Also this violates the W^X security principle.

X_Cli boosted

@x_cli @Seirdy I think voting systems are flawed and they should be removed in favor of randomized sorting of posts and comments in online forums.

More details on microblog.ayushnix.com/voting-


Being ban from a community for respectfully disagreeing with an admin (not even a mod): ✅

How I love moderation in the fediverse (not). Even more unfair than some silos because there are no appeal procedure nor a comity of ethics. Just small dictators.

Quite happy about @jerry approach to moderation, though. infosec.exchange feels like home :)

One should really hide the scores on . Scores are toxic.

People downvotes instead of explaining their disagreement, which means you just get a bad feeling and nobody will try and tell you why they think you are wrong.

And upvotes are just an ego thing, where you will check on your counters to see how well you did. You don't need social validation.

X_Cli boosted

✨ The curse of strong typing

It's been decided. "Only Rust from here on out!"

I'm livid. I haven't seen that many type errors since I texted my 7yo niece. How in the world am I going to get anything done?


X_Cli boosted

About the vs devs drama:


Athens, an alternative free self-hosted Go proxy, has a rate-limiting support (although GitHub-specific and the code is horrible). This means GitHub can rate-limit aggressive Go proxies. If GitHub does it, why would SourceHut not?

Show older
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.