I thought the CCC FreeBSD jail escape exploit would be cooler than it was, but instead it's blocked by basic security hygiene when running jails I guess. I've never seen jails deployed in prod without securelevel elevated. But maybe there are a lot of completely unaware people out there. Who knows.

Slop drives me crazy and it feels like 95+% of bug reports, but man, AI code analysis is getting really good. There are users out there reporting bugs that don't know ANYTHING about our stack, but are great AI drivers and producing some high quality issue reports.

This person (linked below) was experiencing Ghostty crashes and took it upon themselves to use AI to write a python script that can decode our crash files, match them up with our dsym files, and analyze the codebase for attempting to find the root cause, and extracted that into an Agent Skill.

They then came into Discord, warned us they don't know Zig at all, don't know macOS dev at all, don't know terminals at all, and that they used AI, but that they thought critically about the issues and believed they were real and asked if we'd accept them. I took a look at one, was impressed, and said send them all.

This fixed 4 real crashing cases that I was able to manually verify and write a fix for from someone who -- on paper -- had no fucking clue what they were talking about. And yet, they drove an AI with expert skill.

I want to call out that in addition to driving AI with expert skill, they navigated the terrain with expert skill as well. They didn't just toss slop up on our repo. They came to Discord as a human, reached out as a human, and talked to other humans about what they've done. They were careful and thoughtful about the process.

People like this give me hope for what is possible. But it really, really depends on high quality people like this. Most today -- to continue the analogy -- are unfortunately driving like a teenager who has only driven toy go-karts.

Examples: github.com/ghostty-org/ghostty…


in reply to Mitchell Hashimoto

This is the first open source story I am hearing w/ a positive result from someone using LLMs to generate bug reports.

We have been struggling in LLVM w/ low quality LLM submissions. Curl completely banned them b/c it was so bad: mastodon.social/@LukaszOlejnik…

My biggest issue is how ridiculously verbose LLM submissions can be. Even ones that don't have obvious errors are soo long that if every submission was that long it would have significant impact on throughput.

Clearly someone using it thoughtfully can do excellent work but I am seeing very little evidence this is happening much.


AI vulnerability/bug finds and reports are a huge problem. Curl has banned the use of AI-generated submissions via HackerOne because none of it made any sense, and is a waste of resources and time. "We are effectively being DDoSed. If we could, we would charge them for this waste of our time" hackerone.com/reports/3125832
in reply to Shafik Yaghmour

curl devs changed their mind last October iirc? mastodon.social/@bagder/115241…


Joshua Rogers sent us a *massive* list of potential issues in #curl that he found using his set of AI assisted tools. Code analyzer style nits all over. Mostly smaller bugs, but still bugs and there could be one or two actual security flaws in there. Actually truly awesome findings.

I have already landed 22(!) bugfixes thanks to this, and I have over twice that amount of issues left to go through. Wade through perhaps.

Credited "Reported in Joshua's sarif data" if you want to look for yourself


My cat loves to play this "damsel in distress" game, where he runs outside in the rain and waits until he gets soaked, and then runs back in and bellows until I fluff him with a towel. Then he's in heaven. He loves it so much, that as soon as he's done, runs back outside and does it again. He LIVES for drama.

But the best part for me is saying in a German-type accent, "I am here to fluff (clap) YOU up!" But he doesn't get the reference. Because he's Gen Alpha.

I will most likely be picking up an electric guitar for the first time in ages soon. All my guitars are still in storage, possibly forever.

Thus, any recommendations on cool electric guitar processing plugins would be appreciated. Cheap or free would be great, since I don't really have a budget right now, but whatever.

I'll primarily be working in Reaper and Logic, both on Mac OS.

in reply to Borris

Other than NAM, nothing that's been mentioned so far is any good accessibility-wise. There's a JUCE-based fork of NAM that's probably the easiest to navigate, NAM Universal from WaveMind also has an accessible GUI and comes with a bunch of profiles/cabs. Seeing as you're a tweaker though, I don't know whether NAM would scratch any of your itches. Grab the free stuff from Nembrini Audio instead, decent emulations and more adjustable.

I really wish everyone would stop making fun of the people they don't like based on their physical appearance.

We really need to collectively grow up from this high-school bully mindset.

When you use appearance instead of ideas and behaviors to criticize someone, even someone deserving mockery, you are also shooting at everyone who might look like them, even the ones that might be incredibly good people.

There is more than enough content to talk against when it comes to the tyrants that currently surround us. Talk against their ideas, their words, and their actions. Be relentless for that. But their physical appearance is irrelevant to their moral deficiencies.

Mock their words, but not their looks.


Cruising Party #flintaparty2 at #39c3 sure was an experience.

First we're way over capacity for the small conference room 6.
Relocating to a bigger conference room.
There are too many people on the escalator, escalator shuts off.
Bigger conference room is closed.
Relocate to yet another conference room.
Communists who are at that conference room are nice to switch rooms with us.

Commence gay activities.

So out of the blue I got a request for access to a 10 year old Google Docs file. This request also came from someone who actually might be interested in that file, so I contacted him. Turns out he was making **exercise schedules** and had asked Google Gemini for help, and Gemini decided it needed access to my document on a new government law (from 2015). So be careful out there!
in reply to Micr0byte

It depends. On the web an alt text must be concise. Everything that is important, makes sense, is mentioned somewhere in the text, is to be conveyed. But conciseness is first.
Here on social networks, I'd say, completeness is the first and even more important than conciseness. For instance, if you post a meme, describe it even if it's super lengthy. Like: "Three panels from left to right, on the first panel there is a man..." and on and on you go. It's important because *the image* is the unique thing you share, I have to laugh, to think, to be angry or emotional about *the image* itself, without any context basically.
Ask further questions, I'm glad to answer everything.
in reply to ∴7700e6 `Violet`

@0x7700e6 Because if you are reading an article, you generally don't want a huge alt text that would distract you from your reading. Even less you want it for images like logos, avatars, social network badges and so on. Also, both in and out of social networks avoid phrasing like "This is an image depicting..." (I know it's an image, my screen reader tells me about it); "This is the avatar of Jane Doe" ("Jane Doe" is enough).
in reply to André Polykanine

@menelion
If I post a well-known meme, is it OK to just say, for example "the Drake meme, with X then Y" or should I be doing "a four panel meme. On the first row left panel a man reacts negatively to the panel on the right showing X, then on the next row he reacts positively to the panel on the right showing Y".
@0x7700e6 @micr0
in reply to stib

@stib @0x7700e6 I'd do the second, sorry to bother you with that. Because we blindies are kinda... behind the graphic memes. You could probably possibly put a link to a description but rather don't because different clients and different browsers don't allow clicking links in alt, it would be plain text so... unfortunately probably you have to describe, at least for the first time.
in reply to ⠠⠵ avuko

@avuko @stib @0x7700e6 It's helpful for the deaf, at least a rough description so they could probably send the video to a software for captions (I'm not sure but I imagine this is possible). For us blindies it's helpful when the video is super visual, like only music and kitties playing, for example, or a guy/girl is assembling, drawing, painting, knitting something etc., where there are no words.
in reply to ⠠⠵ avuko

@avuko @stib @0x7700e6 For example, my sighted wife likes to watch videos where a Japanese guy shows small apartments in Japan. He never speaks, only sometimes he adds some subtitles in very simple English, as my wife has just said. Maybe he is ashamed of his English pronunciation, maybe he's simply a shy person, I don't know, but he does amazing videos, but super visual. There ideally audio description or at least a decent alt text would work, especially if you share it for a reason (for example, you liked a particular apartment he was showing).
in reply to André Polykanine

Oh! Thank you for this: I (wrongly) thought that conciseness on social media would be preferred, except where maybe the post contains only an image, or the image is particularly detailed.

I sometimes also might add a commentary or a quip in my alt text - perhaps in response to the post's text, or to add context, or my own reaction. Is this poor practice, though, do you think?

@stib @0x7700e6 @micr0

in reply to André Polykanine

@menelion @0x7700e6 There are dozens of sites where you can overlay your text on popular images to create memes without having to use an image editing program, I wonder if there are any that come with #AltText pre-generated. Eg. in the "Drake meme" format it would supply the image description and substitute your text for X and Y. If not there's my next billion dollar startup, ready to go.
in reply to 🌈☔🌦️🍄🌱🍉

@wmd there are many computer people pretty happy with #deltachat ... who value precisely that they can use it with their families and friends easily, though.

With a lot of alternative software, the complaint is that it is only usable by specialists. We are pretty happy that in our case it is more the specialists who need to work harder and read the FAQ to understand that some lines of traditional thinking about eg email and pgp do not apply delta.chat/en/help

in reply to holga

@hpk I think as mailclients go, thunderbird is one that gets combined most with pgp?
Some people value their trust chains and have very well checked keys, or they want to generate their custom key. Because you can, you get "closer to the metal". Signal doesn't offer it, so it might be a loss or just not considered. That deltachat uses pgp invites people to think in their typical pgp ways/workflows. 🤷🏼‍♀️
in reply to 🌈☔🌦️🍄🌱🍉

@wmd @hpk one of the biggest problems with pgp has traditionally been the high flexibility in hash algorithms, key types, key structures etc.

modern cryptographic systems like signal don't allow such flexibility, and delta also doesn't delta.chat/en/help#importkey

It's part of the reason why delta pretty persistently is not vulnerable against the many successful attacks against pgp implementations like gpg.

in reply to 🌈☔🌦️🍄🌱🍉

we are aware of the confusion (it was the whole point of the top level post after all) and doing our best to explain things, and the history of decisions. You seemed to suggest we should make sure to accommodate gpg and Thunderbird users because they are key multipliers, but frankly, we don't think the current state of these tools provides good examples or guidance for secure group messaging ala signal.
in reply to Delta Chat (39c3)

@hpk 1) I was part explaining as hpk said they didn't understand. 2) I don't think you need to facilitate thunderbird+gpg users, just that as deltachat is advertised a lot as being based on mail+pgp, it's good to be aware there is a key audience that can get confused by it.

If you tell me something is based on ssh, but I can't do the usual ssh features/flow I'll also be confused if not frustrated. 🤷🏼‍♀️

in reply to 🌈☔🌦️🍄🌱🍉

@wmd @hpk we are not advertising mail+pgp in the app, and also not in the web site or app stores of today. It's true that until April 2024 we emphasized mail+pgp more towards users and that's probably the background you remember and argue from. Today, we use email and openpgp for interoperability, and to benefit from a massive ecosystem of software and established understandings and code. But the goal is that users can stay pretty unaware about these underpinnings.

Important talk by @Mer__edith and Udbhav Tiwari on the immediate and serious threat to privacy and data security posed by "Agentic AI" like MS Copilot and similar.

media.ccc.de/v/39c3-ai-agent-a…

#39c3

If you're blind, you can really stick it to the Trump Administration by "hacking" the Epstein files, AKA reading them normally.

forbes.com/sites/daveywinder/2…

So, how was someone able to hack these documents, undoing the redactions that the DOJ of all people had put in place, and reveal the information for all to see? I hope you are sitting down, because it’s going to knock your socks off: “I simply highlighted the text, copied it, and pasted it in a document,” Krassenstein said.

i turned off altbot for now.

a conversation happened that i need to sit with and that i want others to read and also to consider: ieji.de/@anantagd/115804706509…


I am blind. Seeing people who think I'm not worth the effort fill my timeline with AltBot generated AI stuff that isn't even accurate in lots of cases.

Human alt text is always better, because it doesn't focus on ocular seeing. Seeing people think, and AltBot was designed around that notion, that blind people must compensate for missing "eye-seeing", but that's not the case. I am interested in the meaning of an image to you, its maker or publisher.

Again, human alt text is better, also because it strengthens reciprocity between seeing and blind people. AltBot doesn't but it makes seeing people believe they have done their bit for accessibility. In actuality, the reverse is often true.

!!!!!!!!!


Since the last time I checked, it seems that Keychron has been fully integrated into QMK. They have their own folder and layout files and everything. I want to modify my V1. The problem is that it's been years since I made a new layout in QMK and flashed a keyboard. I don't remember quite how I did it last time, and I've moved to a new laptop since then.


Have you heard the AI bros saying that we should put datacenters in space? Well, it's a massive load of crap. "The short version: this is an absolutely terrible idea, and really makes zero sense whatsoever. There are multiple reasons for this, but they all amount to saying that the kind of electronics needed to make a datacenter work, particularly a datacenter deploying AI capacity in the form of GPUs and TPUs, is exactly the opposite of what works in space." taranis.ie/datacenters-in-spac…

I have disabled every fucking piece of AI bullshit I can find from Firefox and DESPITE THAT today I got ambushed by a new ASK AN AI CHATBOT line in a fucking image context menu

jesus FUCKING CHRIST @mozilla

STOP.

FUCKING.

PUSHING.

THIS.

SHIT.

ON.

US.

(I know the account's abandoned. Don't care. Best I've got. Fucking Mozilla.)

#mozilla #firefox #ai #FuckAI #FuckChatbots

RE: chaos.social/@c3cert/115809417…

This is the kind of place where you can reasonably wonder if someone built/brought an insulin making setup:

#39c3 .ending .. quite an enjoyable blast, and thanks to all the wonderful people just dropping by to say "thank you, it all works very nice for us"! 🥰 Certainly raised team spirits :)

This year around, apart from one #chatmail relay setup workshop we didn't do any registered events at congress. Pushing out releases, illnesses and engagements in various other organizing prevented more public sessions. Next ones will be around #fosdem2026 where also several of us will be around. Cheers!


If you read the footer of amazon.com with a screenreader, this is what it says:

© 1996-2025, Amazon.com, Inc. or its affiliates
Test: amzn-nv-flyout-healthy-choice
Test: nav-rufus-disc-txt
Test: a-truncate-cut
Test: sp-cc-wrapper
Test: .mo-wp
Test: sp-cc
Test: .amzn-box-inner
Test: .js-order-card
Test: pldn-deep-link
Test: add-to-cart-btn
Test: amzn-nav-app-banner-container
Test: .sparkle-container


More money than God and they still can't properly enclose their containers 😂


in reply to Pitermach

@pitermach @ondrosik PDFs are also full of such things.

Many people redact PDF content by covering it up with a black or white rectangle, forgetting that, unlike in purely visual formats, that operation does basically nothing in PDF. The content is still there, the renderer is just instructed to draw a white rectangle which occupies the same position and covers it visually.

Sometimes, you can also find sloppy employees leaving notes to other people working on the PDF, especially if the documents are only intended for print, and the electronic version is only given out in special circumstances.

#Catima 2.41.0 is out!

github.com/CatimaLoyalty/Andro…

This release adds support for UTF-8 barcodes (by default, the encoding will be extracted from the pkpass file or auto-detected if set otherwise).

It also contains some bugfixes and UI tweaks.

Due to Google dropping Android 5 compatibility in their libraries, this will be the last release available for Android 5.

Coming soon to an app store near you.

#IzzyOnDroid #FDroid #GitHub #GooglePlay


in reply to Sylvia

infosec.exchange/@masek/115683…


Dear OSS community on Mastodon,

Every day I scroll through my feed and I see proud announcements like:

“First Alpha Release of HyperTurboWidget available”


or

“Version 2.7.1 now with improved glorb handlers!”


or

“Flux Capacitor version 4.5 is out”


… and I sit there wondering if I should be excited, terrified, or calling a licensed electrician.

Don’t get me wrong, I love open source. I just have no idea what three quarters of these projects actually do. Are we talking about a web server? A file system? A middleware thingy that keeps the flux from overflowing into the space–time continuum?

So, dear OSS developers of the world: When you announce a new release, please give us (your adoring but slightly confused audience) just a tiny bit of context.

  • Tell us what your software does.
  • Tell us why this release is cool.
  • Tell us what it requires to work.

Example:

We are proud to announce Flux Capacitor version 4.5 is now available. While it creates a nice wormhole to 1955, it requires an underlying gigawatt stack 1.21 to work reliably.


Because nobody wants to cheer enthusiastically for “v2.7.1” while secretly Googling “what is a glorb and why does it need handling”.

Yours truly,

Someone who wants to celebrate your achievements