varx @varx@infosec.exchange

I'm opening a new social alt: @varx

When i.write.codethat.sucks was collapsing in on itself, I moved all my follows and posting to infosec.exchange, which I had been using for mostly tech stuff.

But now I'm going to try separating my stuff out again a little. We'll see how it goes!

I'm starting a Social Media Design community on Dreamwidth for longer-form, more persistent discussion of what we want in social media systems:

https://social-media-design.dreamwidth.org/

Anyone who's interested in talking out new approaches, getting feedback on designs, analyzing current systems, or just plain brainstorming on how to Make Stuff Better is encouraged to join and participate.

Aw man, my UPS seems to have bitten the dust.[1] It started complaining about "battery overload" by making a continuous tone (and devices on the battery backup side lost power! not very uninterruptible) but seemed fine after a power cycle. Couple days later, did it again, but weaker tone.

Now it's just making these glitchy chirps and clicks and won't battery at all. :-/

10+ years, I guess it had a good run?

[1] "I'll take 'Idioms That Sound Weird When You Change the Verb Tense' for 500, Alex"

url: (23) Failed writing bodcurl: (23) Failed wriy (2612 != 7502)

I know that feeling too, curl.

yesssss

ccurl: (2u8r)l :R e(2sol8v)i nRge stolvimiendg otuitm eadfter 2519 mil out afterl i2s5e2c1o nmidlsliseconds

There is a long-awaited API v2 that will probably take care of some of these problems, but NFSN runs on a shoestring (hence the "nearly free"!) and doesn't exactly have an enormous development staff to work on that, so I don't have any idea when that will be ready.

Fun fact: The ToS prohibits me from creating multiple "memberships" (user accounts). Only one natural person per membership, and vice versa. So I can't even segregate API key access by site by putting them on different memberships. D-:

I've generally been pretty happy with NearlyFreeSpeech.net (NFSN) as a web host (+ DNS provider & domain registrar) but their API support is a little troubling.

Like, I'm glad they have an API! But I had to file a ticket to get an API key, and they *emailed* the key to me, and the key is capable of doing basically anything to any of my sites on any of my accounts. (Can't scope it down to e.g. "DNS on site foo".) So now I have to protect this thing with my life.

Aw yeah, concurrency:

curl: (2cu8rl: (28) ) OOppeerraattiioonn ttiimmeedd oouutt aafftteerr 22000000 mmiilllliisseeccoonnddss wwiitthh 00 bbyytteess rreecceeiivveedd

Feel like ImageMagick doesn't have enough vulnerabilities?

Now introducing: ImageMoreMagick

Hot damn, I got ANTLR goin' fast. I set `parser.getInterpreter().setPredictionMode(PredictionMode.SLL)` and it's down to 30 µs.

...I'm still not really sure what SLL is, but the parse results haven't appreciably changed on a corpus of 3 million real inputs, so maybe that's fine.

If Coordinated Disclosure isn't working out so well, may I recommend Competitive Disclosure instead? It works like this:

0. Find a vulnerability
1. Announce on social media that you've found one in product or company X
2. Contestants (of any hat color or alliance) publicly guess what component is vulnerable
3. You respond with "hotter"/"colder" (GOTO 2 with more specific questions)
4. Whichever side finds and patches/exploits the vulnerability first, wins!

At least it won't be a dull day!

The direction browsers are going, locking down what is possible for extensions to do, reminds me of Newspeak from Orwell's 1984.

Our collective imagination of "what can you do with and in a browser" is being shaved down into a neat little package that is convenient for the browser vendors (and in the case of Chrome, the adtech company that sponsors development.)

Firesheep was the extension that gave us an HTTPS web. You couldn't make Firesheep in today's browsers.