glitchsoc - Link to source

We should talk about Werner Koch's response gpg.fail on the oss-security mailing list.

openwall.com/lists/oss-securit…

Yes, and actually the only serious bug from their list.


Koch either didn't watch the talk, he is in such defense of his own ego that he can't see how serious the bugs were, or he's tacitly admitting that PGP is not a serious recommendation.

Can you distinguish between these three explanations?

Could it be all of them are true?

Impact

While this may allow remote code execution (RCE), it definitively causes memory corruption.


Good research.


I think this sarcastic quip is what reveals Werner Koch's opinion about the security researchers and their work.

The rest of his email is measured (and partly responding to other mailing list participants rather than the disclosure directly).

gpg.fail

gpg.fail

mastodon - Link to source
One of my favorite "Star Sightings" was one my ex-wife had. She and her boyfriend at the time went to a Broadway show. Sitting in front of them was Patrick Stewart. My ex says to her boyfriend, that's Patrick Stewart. He replied, not it's not. At intermission Patrick Stewart turned around and said to her boyfriend in his baritone voice, "But he is."

mastodon - Link to source
I've discovered this gem only today! #Music #Hebrew #Kaveret #כוורת youtube.com/watch?v=zAaHhoNMXS…

כוורת - היא כל כך יפה

ללהיטים הגדולים של כוורת להאזנה ברצף:https://www.youtube.com/watch?v=PHxYIcFyBVwמילים: דני סנדרסוןלחן: יצחק קלפטרהיא כל כך יפה זה צובט בלב שלך, אך בכאב עצום....
YouTube
#music #hebrew #kaveret #כוורת

pleroma - Link to source
I thought the CCC FreeBSD jail escape exploit would be cooler than it was, but instead it's blocked by basic security hygiene when running jails I guess. I've never seen jails deployed in prod without securelevel elevated. But maybe there are a lot of completely unaware people out there. Who knows.
This entry was edited (9 hours ago)

mastodon - Link to source

Slop drives me crazy and it feels like 95+% of bug reports, but man, AI code analysis is getting really good. There are users out there reporting bugs that don't know ANYTHING about our stack, but are great AI drivers and producing some high quality issue reports.

This person (linked below) was experiencing Ghostty crashes and took it upon themselves to use AI to write a python script that can decode our crash files, match them up with our dsym files, and analyze the codebase for attempting to find the root cause, and extracted that into an Agent Skill.

They then came into Discord, warned us they don't know Zig at all, don't know macOS dev at all, don't know terminals at all, and that they used AI, but that they thought critically about the issues and believed they were real and asked if we'd accept them. I took a look at one, was impressed, and said send them all.

This fixed 4 real crashing cases that I was able to manually verify and write a fix for from someone who -- on paper -- had no fucking clue what they were talking about. And yet, they drove an AI with expert skill.

I want to call out that in addition to driving AI with expert skill, they navigated the terrain with expert skill as well. They didn't just toss slop up on our repo. They came to Discord as a human, reached out as a human, and talked to other humans about what they've done. They were careful and thoughtful about the process.

People like this give me hope for what is possible. But it really, really depends on high quality people like this. Most today -- to continue the analogy -- are unfortunately driving like a teenager who has only driven toy go-karts.

Examples: github.com/ghostty-org/ghostty…


ghostty-org ghostty · Discussions

Explore the GitHub Discussions forum for ghostty-org ghostty. Discuss code, ask questions & collaborate with the developer community.
GitHub
This entry was edited (10 hours ago)

reshared this

in reply to Mitchell Hashimoto

mastodon - Link to source

Shafik Yaghmour

This is the first open source story I am hearing w/ a positive results from someone using LLMs to generate bug reports.

We have been struggling in LLVM w/ low quality LLM submissions. Curl completely banned them b/c it was so bad: mastodon.social/@LukaszOlejnik…

My biggest issue is how ridiculously verbose LLM submissions can be. Even ones that don't have obvious errors are soo long that if every submission was that long it would have significant impact on throughput.

Clearly someone using it thoughtfully can do excellent work but I am seeing very little evidence this is happening much.

Lukasz Olejnik

2025-05-05 08:27:57

mastodon - Link to source

AI vulnerability/bug founds and reports is a huge problem. Curl has banned the use of AI-generated submissions via HackerOne because none of it made any sense, and is a waste of resources and time. "We are effectively being DDoSed. If we could, we would charge them for this waste of our time" hackerone.com/reports/3125832

curl disclosed on HackerOne: HTTP/3 Stream Dependency Cycle Exploit

**Penetration Testing Report: HTTP/3 Stream Dependency Cycle Exploit** --- # **0x00 Overview** A novel exploit leveraging stream dependency cycles in the HTTP/3 protocol stack was discovered,...
HackerOne
in reply to Shafik Yaghmour

gotosocial - Link to source

modulux

curl devs changed their mind last October iirc? mastodon.social/@bagder/115241…

daniel:// stenberg://

2025-09-21 08:03:08

mastodon - Link to source

Joshua Rogers sent us a *massive* list of potential issues in #curl that he found using his set of AI assisted tools. Code analyzer style nits all over. Mostly smaller bugs, but still bugs and there could be one or two actual security flaws in there. Actually truly awesome findings.

I have already landed 22(![url=https://onlycasino.legal/users/MostlyHarmless])[/url] bugfixes thanks to this, and I have over twice that amount of issues left to go through. Wade through perhaps.

Credited "Reported in Joshua's sarif data" if you want to look for yourself


mastodon - Link to source

My cat loves to play this "damsel in distress" game, where he runs outside in the rain and waits until he gets soaked, and then runs back in and bellows until I fluff him with a towel. Then he's in heaven. He loves it so much, that as soon as he's done, runs back outside and does it again. He LIVES for drama.

But the best part for me is saying in a German-type accent, "I am here to fluff (clap) YOU up!" But he doesn't get the reference. Because he's Gen Alpha.

mastodon - Link to source

I will most likely be picking up an electric guitar for the first time in ages soon. All my guitars are still in storage, possibly forever.

Thus, any recommendations on cool electric guitar processing plugins would be appreciated. Cheap or free would be great, since I don't really have a budget right now, but whatever.

I'll primarily be working in Reaper and Logic, both on Mac OS.

in reply to Borris

mastodon - Link to source

Scott

Other than NAM, nothing that's been mentioned so far is any good accessibility-wise. There's a JUCE-based fork of NAM that's probably the easiest to navigate, NAM Universal from WaveMind also has an accessible GUI and comes with a bunch of profiles/cabs. Seeing as you're a tweaker though, I don't know whether NAM would scratch any of your itches. Grab the free stuff from Nembrini Audio instead, decent emulations and more adjustable.

mastodon - Link to source

I really wish everyone would stop making fun of the people they don't like based on their physical appearance.

We really need to collectively grow up from this high-school bully mindset.

When you use appearance instead of ideas and behaviors to criticize someone, even someone deserving mockery, you are also shooting at everyone who might look like them, even the ones that might be incredibly good people.

There is more than enough content to talk against when it comes to the tyrants that currently surround us. Talk against their ideas, their words, and their actions. Be relentless for that. But their physical appearance is irrelevant to their moral deficiencies.

Mock their words, but not their looks.

reshared this

mastodon - Link to source

Cruising Party #flintaparty2 at #39c3 sure was an experience.

First we're way over capacity for the small conference room 6.
Relocating to a bigger conference room.
There are too many people on the escalator, escalator shuts off.
Bigger conference room is closed.
Relocate to yet another conference room.
Communists who are at that conference room are nice to switch rooms with us.

Commence gay activities.

#39c3 #flintaparty2

mastodon - Link to source
So out of the blue I got a request for access to a 10 year old Google Docs file. This request also came from someone who actually might be interested in that file, so I contacted him. Turns out he was making **exercise schedules** and had asked Google Gemini for help, and Gemini decided it needed access to my document on a new government law (from 2015). So be careful out there!
in reply to Micr0byte

mastodon - Link to source

André Polykanine

It depends. On the web an alt text must be concise. Everything that is important, makes sense, is mentioned somewhere in the text, is to be conveyed. but conciseness is first.
Here on social networks, I'd say, completeness is the first and even more important than conciseness. For instance, if you post a meme, describe it even if it's super lengthy. Like: "Three panels from left to right, on the first panel there is a man..." and on and on you go. It's important because *the image* is the unique thing you share, I have to laugh, to think, to be angry or emotional about *the image* itself, without any context basically.
Ask further questions, I'm glad to answer everything.
in reply to ∴7700e6 `Violet`

mastodon - Link to source

André Polykanine

@0x7700e6 Because if you are reading an article, you generally don't want a huge alt text that would distract you from your reading. Even less you want it for images like logos, avatars, social network badges and so on. Also, both in and out of social networks avoid phrasing like "This is an image depicting..." (I know it's an image, my screen reader tells me about it); "This is the avatar of Jane Doe" ("Jane Doe" is enough).
@∴7700e6 `Violet`
in reply to André Polykanine

mastodon - Link to source

stib

@menelion
If I post a well-known meme, is it OK to just say, for example "the Drake meme, with X then Y" or should I be doing "a four panel meme. On the first row left panel a man reacts negatively to the panel on the right showing X, then on the next row he reacts positively to the panel on the right showing Y".
@0x7700e6 @micr0
@André Polykanine @Micr0byte @∴7700e6 `Violet`
in reply to stib

mastodon - Link to source

André Polykanine

@stib @0x7700e6 I'd do the second, sorry to bother you with that. Because we blindies are kinda... behind the graphic memes. You could probably possibly put a link to a description but rather don't because different clients and different browsers don't allow clicking links in alt, it would be plain text so... unfortunately probably you have to describe, at least for the first time.
@stib @∴7700e6 `Violet`
in reply to ⠠⠵ avuko

mastodon - Link to source

André Polykanine

@avuko @stib @0x7700e6 It's helpful for the deaf, at least a rough description so they could probably send the video to a software for captions (I'm not sure but I imagine this is possible). For us blindies it's helpful when the video is super visual, like only music and kitties playing, for example, or a guy/girl is assembling, drawing, painting, knitting something etc., where there are no words.
@⠠⠵ avuko @stib @∴7700e6 `Violet`
in reply to ⠠⠵ avuko

mastodon - Link to source

André Polykanine

@avuko @stib @0x7700e6 For example, my sighted wife likes to watch videos where a Japanese guy shows small apartments in Japan. He never speaks, only sometimes he adds some subtitles in very simple English, as my wife has just said. Maybe he is ashamed of his English pronunciation, maybe he's simply a shy person, I don't know, but he does amazing videos, but super visual. There ideally audio description or at least a decent alt text would work, especially if you share it for a reason (for example, you liked a particular apartment he was showing).
@⠠⠵ avuko @stib @∴7700e6 `Violet`
in reply to André Polykanine

mastodon - Link to source

Joan, but festive 🎅🏼🎄

Oh! Thank you for this: I (wrongly) thought that conciseness on social media would be preferred, except where maybe the post contains only an image, of the image is particularly detailed.

I sometimes also might add a commentary or a quip in my alt text - perhaps in response to the post's text, or to add context, or my own reaction. Is this poor practice, though, do you think?

@stib @0x7700e6 @micr0

@stib @Micr0byte @∴7700e6 `Violet`
in reply to André Polykanine

mastodon - Link to source

stib

@menelion @0x7700e6 There are dozens of sites where you can overlay your text on popular images to create memes without having to use an image editing program, I wonder if there are any that come with #AltText pre-generated. Eg. in the "Drake meme" format it would supply the image description and substitute your text for X and Y. If not there's my next billion dollar startup, ready to go.
#AltText @André Polykanine @∴7700e6 `Violet`
in reply to 🌈☔🌦️🍄🌱🍉

mastodon - Link to source

Delta Chat (39c3)

@wmd there are many computer people pretty happy with #deltachat ... who value precisely that they can use it with their families and friends easily, though.

With a lot of alternative software, the complaint is that it is only usable by specialists. We are pretty happy that in our case it is more the specialists who need to work harder and read the FAQ to understand that some lines of traditional thinking about eg email and pgp do not apply delta.chat/en/help


Delta Chat: FAQ

What is Delta Chat? Delta Chat is a reliable, decentralized and secure instant messaging app, available for mobile and desktop platforms. Instant creation of private chat profiles with secure and i...
delta.chat
#deltachat @🌈☔🌦️🍄🌱🍉
in reply to holga

mastodon - Link to source

🌈☔🌦️🍄🌱🍉

@hpk I think as mailclients go, thunderbird is one that gets combined most with pgp?
Some people value their trust chains and have very well checked keys, or they want to generate their custom key. Because you can, you get "closer to the metal". Signal doesn't offer it, so it might be a loss or just not considered. That deltachat uses pgp invites people to think im their typical pgo ways/workflows. 🤷🏼‍♀️
@holga
in reply to 🌈☔🌦️🍄🌱🍉

mastodon - Link to source

Delta Chat (39c3)

@wmd @hpk one of the biggest problems with pgp has traditionally been the high flexibility in hash algorithms, key types, key structures etc.

modern cryptographic systems like signal don't allow such flexibility, and delta also doesn't delta.chat/en/help#importkey

It's part of the reason why delta pretty persistently is not vulnerable against the many successful attacks against pgp implementations like gpg.


Delta Chat: FAQ

What is Delta Chat? Delta Chat is a reliable, decentralized and secure instant messaging app, available for mobile and desktop platforms. Instant creation of private chat profiles with secure and i...
delta.chat
@🌈☔🌦️🍄🌱🍉 @holga
in reply to 🌈☔🌦️🍄🌱🍉

mastodon - Link to source

Delta Chat (39c3)

we are aware of the confusion (it was the whole point of the top level post after all) and doing our best to explain things, and the history of decisions. You seemed to suggest we should make sure to accommodate gpg and Thunderbird users because they are key multipliers, but frankly, we don't think the current state of these tools provides good examples or guidance for secure group messaging ala signal.
This entry was edited (10 hours ago)
in reply to Delta Chat (39c3)

mastodon - Link to source

🌈☔🌦️🍄🌱🍉

@hpk 1) I was part explaining as hpk said they didn't understand. 2) I don't think you need to facilitate thunderbird+gpg users, just that as deltachat is advertised a lot as being based on mail+pgp, it's good to be aware there is a key audience that can get confused by it.

If you tell me something is based on ssh, but I can't do the usual ssh features/flow I'll also be confused if not frustrated. 🤷🏼‍♀️

@holga
in reply to 🌈☔🌦️🍄🌱🍉

mastodon - Link to source

Delta Chat (39c3)

@wmd @hpk we are not advertising mail+pgp in the app, and also not in the web site or app stores of today. It's true that until April 2024 we emphasized mail+pgp more towards users and that's probably the background you remember and argue from. Today, we use email and openpgp for interoperability, and to benefit from a massive ecosystem of software and established understandings and code. But the goal is that users can stay pretty unaware about these underpinnings.
@🌈☔🌦️🍄🌱🍉 @holga

mastodon - Link to source

Important talk by @Mer__edith and Udbhav Tiwari on the immediate and serious threat to privacy and data security posed by "Agentic AI" like MS Copilot and similar.

media.ccc.de/v/39c3-ai-agent-a…

#39c3


AI Agent, AI Spy

Agentic AI is the catch-all term for AI-enabled systems that propose to complete more or less complex tasks on their own, without stoppin...
media.ccc.de
#39c3 @Meredith Whittaker

mastodon - Link to source

If you're blind, you can really stick it to the Trump Administration by "hacking" the Epstein files, AKA reading them normally.

forbes.com/sites/daveywinder/2…

So, how was someone able to hack these documents, undoing the redactions that the DOJ of all people had put in place, and reveal the information for all to see? I hope you are sitting down, because it’s going to knock your socks off: “I simply highlighted the text, copied it, and pasted it in a document,” Krassenstein said.
This entry was edited (11 hours ago)

mastodon - Link to source

i turned off altbot for now.

a conversation happened that i need to sit with and that i want others to read and also to consider: ieji.de/@anantagd/115804706509…

#BlindAltBot

2025-12-29 20:19:49

mastodon - Link to source

I am blind. Seeing people who think I'm not worth the effort fill my timeline with AltBot generated AI stuff that isn't even accurate in lots of cases.

Human alt text is always better, because it doesn´t focus on ocular seeing. Seeing people think, and AltBot was designed around that notion, that blind people must compensate for missing "eye-seeing", but that's not the case. I am interested in the meaning of an image to you, its maker or publisher.

Again, human alt text is better, also because it strengthens reciprocity between seeing and blind people. AltBot doesn't but it makes seeing people believe they have done their bit for accessibility. In actuality, the reverse is often true.

!!!!!!!!!


in reply to Micr0byte

mastodon - Link to source

Jonathan

Honestly this constant back and forth is the only thing I'd think about in this case. I understand if you feel exhausted working on this alone, or if you don't get enough donations or anything. But this tool has helped many, and rather AI description than no description. Some sighted don't bother and that won't change just because, idk, that person thinks they'll feel more guilty when no AI produces the description for them. I'll lose information most of the time. I can still decide whether I want to generate or read the description. But let's say it's just a generic text, or poster, or dashboard, someone just didn't bother describing. Right I could ask them, but would the original poster actually bother adding the alt text afterward? In the least cases. Yeah maybe some nice other sighted person will describe it. But then the difference is not too big anymore, if you get what I mean. Don't let these little comments from all sides get so close to your acting. That's just my take, and I probably don't have a lot room to talk here.
This entry was edited (12 hours ago)

mastodon - Link to source
Since the last time I checked, it seems that Keycron has been fully integrated into QMK. They have their own folder and layout files and everything. I want to modify my V1. The problem is that it's been years since I made a new layout in QMK and flashed a keyboard. I don't remember quite how I did it last time, and I've moved to a new laptop since then.

gotosocial - Link to source
politics, leftist anti-communism

Sensitive content

mastodon - Link to source
Vous avez entendu les AI bros dire qu'il fallait mettre des datacenters dans l'espace ? Bah c'est une immense connerie. "The short version: this is an absolutely terrible idea, and really makes zero sense whatsoever. There are multiple reasons for this, but they all amount to saying that the kind of electronics needed to make a datacenter work, particularly a datacenter deploying AI capacity in the form of GPUs and TPUs, is exactly the opposite of what works in space." taranis.ie/datacenters-in-spac…

Datacenters in space are a terrible, horrible, no good idea.

There is a rush for AI companies to team up with space launch/satellite companies to build datacenters in space. TL;DR: It's not going to work.
Taranis

mastodon - Link to source

I have disabled every fucking piece of AI bullshit I can find from Firefox and DESPITE THAT today I got ambushed by a new ASK AN AI CHATBOT line in a fucking image context menu

jesus FUCKING CHRIST @mozilla

STOP.

FUCKING.

PUSHING.

THIS.

SHIT.

ON.

US.

(I know the account's abandoned. Don't care. Best I've got. Fucking Mozilla.)

#mozilla #firefox #ai #FuckAI #FuckChatbots

#firefox #mozilla #AI #fuckai #fuckchatbots @Mozilla

mastodon - Link to source

RE: chaos.social/@c3cert/115809417…

This is the kind of place where you can reasonably wonder if someone built/brought an insulin making setup:

C3 CERT (@c3cert@chaos.social)

A large amount of insulin was found at #39C3. Anyone who can describe how it is packaged and where it was probably lost can pick it up from us at CERT.
C3 CERT (chaos.social)

mastodon - Link to source

#39c3 .ending .. quite an enjoyable blast, and thanks to all the wonderful people just dropping by to say "thank you, it all works very nice for us"! 🥰 Certainly raised team spirits :)

This year around, apart from one #chatmail relay setup workshop we didn't do any registered events at congress. Pushing out releases, Illnesses and engagements in various other organizing prevented more public sessions. Next ones will be around #fosdem2026 where also several of us will be around. Cheers!

Picture of the congress rocket in various laser colors. Taken from https://woof.tech/@Purple/115809359193169798
#chatmail #39c3 #fosdem2026

ArcaneChat reshared this.