glitchsoc - Link to source

We should talk about Werner Koch's response gpg.fail on the oss-security mailing list.

openwall.com/lists/oss-securit…

Yes, and actually the only serious bug from their list.


Koch either didn't watch the talk, he is in such defense of his own ego that he can't see how serious the bugs were, or he's tacitly admitting that PGP is not a serious recommendation.

Can you distinguish between these three explanations?

Could it be all of them are true?

Impact

While this may allow remote code execution (RCE), it definitively causes memory corruption.


Good research.


I think this sarcastic quip is what reveals Werner Koch's opinion about the security researchers and their work.

The rest of his email is measured (and partly responding to other mailing list participants rather than the disclosure directly).

gpg.fail

gpg.fail
in reply to Soatok Dreamseeker

mastodon - Link to source

adb

what I don't get is why you take this opportunity to attack #pgp in general, like taking the opportunity to push for some agenda, the site is called gpg.fail, GPG not PGP, most of the problems are related to gpg or some C code implementation bug, or using gpg and others in the command line and getting tricked by some ansi printing in the terminal, how that translates to "let's kill pgp"? ex. none of the listed problems affect #DeltaChat at all

(I was present in the gpg.fail talk btw)

#pgp #deltachat
This entry was edited (11 minutes ago)

mastodon - Link to source
I've discovered this gem only today! #Music #Hebrew #Kaveret #כוורת youtube.com/watch?v=zAaHhoNMXS…

כוורת - היא כל כך יפה

ללהיטים הגדולים של כוורת להאזנה ברצף:https://www.youtube.com/watch?v=PHxYIcFyBVwמילים: דני סנדרסוןלחן: יצחק קלפטרהיא כל כך יפה זה צובט בלב שלך, אך בכאב עצום....
YouTube
#music #hebrew #kaveret #כוורת

pleroma - Link to source
I thought the CCC FreeBSD jail escape exploit would be cooler than it was, but instead it's blocked by basic security hygiene when running jails I guess. I've never seen jails deployed in prod without securelevel elevated. But maybe there are a lot of completely unaware people out there. Who knows.
This entry was edited (26 minutes ago)

mastodon - Link to source

Slop drives me crazy and it feels like 95+% of bug reports, but man, AI code analysis is getting really good. There are users out there reporting bugs that don't know ANYTHING about our stack, but are great AI drivers and producing some high quality issue reports.

This person (linked below) was experiencing Ghostty crashes and took it upon themselves to use AI to write a python script that can decode our crash files, match them up with our dsym files, and analyze the codebase for attempting to find the root cause, and extracted that into an Agent Skill.

They then came into Discord, warned us they don't know Zig at all, don't know macOS dev at all, don't know terminals at all, and that they used AI, but that they thought critically about the issues and believed they were real and asked if we'd accept them. I took a look at one, was impressed, and said send them all.

This fixed 4 real crashing cases that I was able to manually verify and write a fix for from someone who -- on paper -- had no fucking clue what they were talking about. And yet, they drove an AI with expert skill.

I want to call out that in addition to driving AI with expert skill, they navigated the terrain with expert skill as well. They didn't just toss slop up on our repo. They came to Discord as a human, reached out as a human, and talked to other humans about what they've done. They were careful and thoughtful about the process.

People like this give me hope for what is possible. But it really, really depends on high quality people like this. Most today -- to continue the analogy -- are unfortunately driving like a teenager who has only driven toy go-karts.

Examples: github.com/ghostty-org/ghostty…


ghostty-org ghostty · Discussions

Explore the GitHub Discussions forum for ghostty-org ghostty. Discuss code, ask questions & collaborate with the developer community.
GitHub
This entry was edited (41 minutes ago)
in reply to Blurry Moon

pleroma - Link to source

feld

@sun securelevels are something most people aren't aware of, but if you can you should even run the host OS with a higher securelevel

The kernel runs with five different security levels. Any super-user
process can raise the level, but no process can lower it. The security
levels are:

-1 Permanently insecure mode - always run the system in insecure mode.
This is the default initial value.

0 Insecure mode - immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.

1 Secure mode - the system immutable and system append-only flags may
not be turned off; disks for mounted file systems, /dev/mem and
/dev/kmem may not be opened for writing; /dev/io (if your platform
has it) may not be opened at all; kernel modules (see kld(4)) may
not be loaded or unloaded. The kernel debugger may not be entered
using the debug.kdb.enter sysctl unless a MAC(9) policy grants
access, for example using mac_ddb(4). A panic or trap cannot be
forced using the debug.kdb.panic, debug.kdb.panic_str and other
sysctl's.

2 Highly secure mode - same as secure mode, plus disks may not be
opened for writing (except by mount(2)) whether mounted or not.
This level precludes tampering with file systems by unmounting
them, but also inhibits running newfs(8) while the system is multi-
user.

In addition, kernel time changes are restricted to less than or
equal to one second. Attempts to change the time by more than this
will log the message “Time adjustment clamped to +1 second”.

3 Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
changed and dummynet(4) or pf(4) configuration cannot be adjusted.

@Blurry Moon

mastodon - Link to source

My cat loves to play this "damsel in distress" game, where he runs outside in the rain and waits until he gets soaked, and then runs back in and bellows until I fluff him with a towel. Then he's in heaven. He loves it so much, that as soon as he's done, runs back outside and does it again. He LIVES for drama.

But the best part for me is saying in a German-type accent, "I am here to fluff (clap) YOU up!" But he doesn't get the reference. Because he's Gen Alpha.

mastodon - Link to source

I will most likely be picking up an electric guitar for the first time in ages soon. All my guitars are still in storage, possibly forever.

Thus, any recommendations on cool electric guitar processing plugins would be appreciated. Cheap or free would be great, since I don't really have a budget right now, but whatever.

I'll primarily be working in Reaper and Logic, both on Mac OS.

mastodon - Link to source

I really wish everyone would stop making fun of the people they don't like based on their physical appearance.

We really need to collectively grow up from this high-school bully mindset.

When you use appearance instead of ideas and behaviors to criticize someone, even someone deserving mockery, you are also shooting at everyone who might look like them, even the ones that might be incredibly good people.

There is more than enough content to talk against when it comes to the tyrants that currently surround us. Talk against their ideas, their words, and their actions. Be relentless for that. But their physical appearance is irrelevant to their moral deficiencies.

Mock their words, but not their looks.

reshared this

mastodon - Link to source

Cruising Party #flintaparty2 at #39c3 sure was an experience.

First we're way over capacity for the small conference room 6.
Relocating to a bigger conference room.
There are too many people on the escalator, escalator shuts off.
Bigger conference room is closed.
Relocate to yet another conference room.
Communists who are at that conference room are nice to switch rooms with us.

Commence gay activities.

#39c3 #flintaparty2

mastodon - Link to source
So out of the blue I got a request for access to a 10 year old Google Docs file. This request also came from someone who actually might be interested in that file, so I contacted him. Turns out he was making **exercise schedules** and had asked Google Gemini for help, and Gemini decided it needed access to my document on a new government law (from 2015). So be careful out there!
in reply to Micr0byte

mastodon - Link to source

André Polykanine

It depends. On the web an alt text must be concise. Everything that is important, makes sense, is mentioned somewhere in the text, is to be conveyed. but conciseness is first.
Here on social networks, I'd say, completeness is the first and even more important than conciseness. For instance, if you post a meme, describe it even if it's super lengthy. Like: "Three panels from left to right, on the first panel there is a man..." and on and on you go. It's important because *the image* is the unique thing you share, I have to laugh, to think, to be angry or emotional about *the image* itself, without any context basically.
Ask further questions, I'm glad to answer everything.
in reply to ∴7700e6 `Violet`

mastodon - Link to source

André Polykanine

@0x7700e6 Because if you are reading an article, you generally don't want a huge alt text that would distract you from your reading. Even less you want it for images like logos, avatars, social network badges and so on. Also, both in and out of social networks avoid phrasing like "This is an image depicting..." (I know it's an image, my screen reader tells me about it); "This is the avatar of Jane Doe" ("Jane Doe" is enough).
@∴7700e6 `Violet`
in reply to 🌈☔🌦️🍄🌱🍉 6664@39c3

mastodon - Link to source

Delta Chat (39c3)

@wmd there are many computer people pretty happy with #deltachat ... who value precisely that they can use it with their families and friends easily, though.

With a lot of alternative software, the complaint is that it is only usable by specialists. We are pretty happy that in our case it is more the specialists who need to work harder and read the FAQ to understand that some lines of traditional thinking about eg email and pgp do not apply delta.chat/en/help


Delta Chat: FAQ

What is Delta Chat? Delta Chat is a reliable, decentralized and secure instant messaging app, available for mobile and desktop platforms. Instant creation of private chat profiles with secure and i...
delta.chat
#deltachat @🌈☔🌦️🍄🌱🍉 6664@39c3
in reply to 🌈☔🌦️🍄🌱🍉 6664@39c3

mastodon - Link to source

holga

I don't understand why combining delta with Thunderbird (a client mostly for cleartext mail), or importing some cryptographic key is required to value delta's architectures. Do you hack a different cryptographic key into your signal database, and otherwise don't feel confident to recommend it?
This entry was edited (1 hour ago)
in reply to holga

mastodon - Link to source

🌈☔🌦️🍄🌱🍉 6664@39c3

@hpk I think as mailclients go, thunderbird is one that gets combined most with pgp?
Some people value their trust chains and have very well checked keys, or they want to generate their custom key. Because you can, you get "closer to the metal". Signal doesn't offer it, so it might be a loss or just not considered. That deltachat uses pgp invites people to think im their typical pgo ways/workflows. 🤷🏼‍♀️
@holga
in reply to 🌈☔🌦️🍄🌱🍉 6664@39c3

mastodon - Link to source

Delta Chat (39c3)

@wmd @hpk one of the biggest problems with pgp has traditionally been the high flexibility in hash algorithms, key types, key structures etc.

modern cryptographic systems like signal don't allow such flexibility, and delta also doesn't delta.chat/en/help#importkey

It's part of the reason why delta pretty persistently is not vulnerable against the many successful attacks against pgp implementations like gpg.


Delta Chat: FAQ

What is Delta Chat? Delta Chat is a reliable, decentralized and secure instant messaging app, available for mobile and desktop platforms. Instant creation of private chat profiles with secure and i...
delta.chat
@🌈☔🌦️🍄🌱🍉 6664@39c3 @holga
in reply to 🌈☔🌦️🍄🌱🍉 6664@39c3

mastodon - Link to source

Delta Chat (39c3)

we are aware of the confusion (it was the whole point of the top level post after all) and doing our best to explain things, and the history of decisions. You seemed to suggest we should make sure to accommodate gpg and Thunderbird users because they are key multipliers, but frankly, we don't think the current state of these tools provides good examples or guidance for secure group messaging ala signal.
This entry was edited (1 hour ago)
in reply to Delta Chat (39c3)

mastodon - Link to source

🌈☔🌦️🍄🌱🍉 6664@39c3

@hpk 1) I was part explaining as hpk said they didn't understand. 2) I don't think you need to facilitate thunderbird+gpg users, just that as deltachat is advertised a lot as being based on mail+pgp, it's good to be aware there is a key audience that can get confused by it.

If you tell me something is based on ssh, but I can't do the usual ssh features/flow I'll also be confused if not frustrated. 🤷🏼‍♀️

@holga
in reply to 🌈☔🌦️🍄🌱🍉 6664@39c3

mastodon - Link to source

Delta Chat (39c3)

@wmd @hpk we are not advertising mail+pgp in the app, and also not in the web site or app stores of today. It's true that until April 2024 we emphasized mail+pgp more towards users and that's probably the background you remember and argue from. Today, we use email and openpgp for interoperability, and to benefit from a massive ecosystem of software and established understandings and code. But the goal is that users can stay pretty unaware about these underpinnings.
@🌈☔🌦️🍄🌱🍉 6664@39c3 @holga

mastodon - Link to source

Important talk by @Mer__edith and Udbhav Tiwari on the immediate and serious threat to privacy and data security posed by "Agentic AI" like MS Copilot and similar.

media.ccc.de/v/39c3-ai-agent-a…

#39c3


AI Agent, AI Spy

Agentic AI is the catch-all term for AI-enabled systems that propose to complete more or less complex tasks on their own, without stoppin...
media.ccc.de
#39c3 @Meredith Whittaker