gave a very impromptu lightning talk "How the Linux Mobile" at the #GNOME 46 release party over the weekend . Sorry there's no recording available, but there were only 4 slides and im sure you can guess how the rest of them looked
2 days ago I reported about a #security patch having been applied to the IzzyOnDroid F-Droid repo aka #IzzySoftRepo – but I didn't give much details. After it was tested now at the IoD test & staging area, and running smoothly for two days for the public one, I reported back to its author @obfusk that all seems smooth, and she decided to make POC & patch public. You can find the full details at github.com/obfusk/fdroid-fakes… & openwall.com/lists/oss-securit… now. @fdroidorg @eighthave be welcome using it!
> […] As a result, it is trivial to bypass the AllowedAPKSigningKeys certificate pinning, as we can make fdroidserver see whatever certificate we want instead of the one Android/apksigner does. Note that we don't need a valid signature for the APK (we really only need a copy of the DER certificate, though having another APK signed with the certificate we want to use makes things easy).
you just published this wide open, yet before, you wouldn't even send us the POC code that you had? I think you two need to learn what #ResponsibleDisclosure means.
PS: Had that issue not been wide in the open for almost a year, giving the impression to be not important, we had of course approached @fdroidorg with a confidential issue first. But that signaled it would be ignored as well. As is gitlab.com/fdroid/fdroidserver… opened 10/2022, POC available (& linked there) since 1/2023. Affecting reproducible builds. A lot of evil stuff could be injected that way, as was outlined, also in my latest articles. So please don't call *US* irresponsible @obfusk
Part of the bug was known 11 months ago. The new proof-of-concept shows key details that were not previously known nor reported in the issue. Those were just dumped to the public. We asked for that yesterday, and you didn't send it to us, but withheld it to now publicly dump it. That code was posted to GitHub yesterday: github.com/obfusk/fdroid-fakes…
You could have just sent us that link yesterday before tooting it, that would have been better.
If you manipulate an APK's Signing Block to have e.g. duplicate v2 Signature Blocks, Android and apksigner will only see the first, but androguard will only see the last (since it uses the ID as a ...
I totally get it that you're not happy with the current situation (for what it's worth, we haven't been for years). But now going to "dig up things" about @obfusk trying to put the blame on her after having ignored her and her advice for so long is not a nice thing to do. Please stop that. This is not about doing dirty laundry in public but about getting long standing issues solved. @fdroidorg
All I'm asking is for #ResponsibleDisclosure. The tone you sense was my panic as I scrambled to figure out the proof-of-concept to ensure that #FDroid users are kept safe. Signature verification is a key part of that. I cleared my schedule this morning to deal with this.
Thanks to @obfusk to doing the hard work of the proof-of-concept and the patch. I posted my preliminary analysis of the issue on gitlab.com/fdroid/fdroidserver…
I hold no grudge against you, just in case you sensed something like that in my tone. But after being ignored for so long, we needed to be sure it finally gets done. So thanks for addressing those issues now! @obfusk @fdroidorg
I'm happy to see @obfusk continuing with the very important work on #APK signature analysis and the related tooling. I was worried she had stopped working on it after quitting F-Droid. That work is bigger than F-Droid, it is otherwise missing in the Android ecosystem.
and I am *very* happy having @obfusk and @SylvieLorxu supporting me and the #IzzySoftRepo – I couldn't think of anyone better. And haven't heard of anyone better known in the area of this and also of reproducible builds than Fay, or anyone who can hold a candle to Sylvia. Yes, both mostly worked in the background – but I guess you already got a clue what F-Droid lost having them leave.
If a binary repo maintainer is not careful about where they get their APKs and relies completely on AllowedAPKSigningKeys to verify the APKs, then this is an important issue.
Pardon me? Not done yet with blaming? Now it's sloppy security on my end? "relies completely": did you ignore all my messages to you the past weeks? Including the blog posts at Kuketz and especially android.izzysoft.de/articles/n… outlining what security measures were just put into place at my repo *ADDITIONALLY* to those already in effect for years – which are still mostly missing at your end? So my key takeaway again is you don't listen, as so often in the past, sorry. @obfusk @fdroidorg
Nachdem der Library-Scanner nun seit mehreren Jahren im IzzyOnDroid Repo im Einsatz ist war es an der Zeit, einige zusätzliche APK-Prüfungen zu etablieren.
Ah – in that case, apologies. Yes, it was the context – and the idea sounded too absurd TBH, especially with AllowedAPKSigningKeys not even existing that long (and I doubt except for @fdroidorg and IoD, any repo uses it at all. @obfusk
Official Live Video for Sultans Of Swing. Taken from Dire Straits – Alchemy: Dire Straits Live.Dire Straits – Live 1978-1992' is out now (UK/ROW). Out Januar...
This is a repository of apps to be used with F-Droid. Applications in this repository are official binaries built by the original application developers, taken from their resp. repositories (mostly Github, GitLab, Codeberg).
The tablet has corners instead of a curved display, with the USB Type-C port and speaker positioned at the bottom center and right, respectively. On the top
REMASTERED IN HD!Official Music Video for The Gambler performed by Kenny Rogers.Follow Kenny Twitter: https://twitter.com/_kennyrogersFacebook: https://www.f...
Tohle je můj top, jinak jezdim #MTB +- 18 na tomhle profilu - v podstatě rovina.
Asi bych byl spokojenej, kdyby se mi povedlo tenhle průměr jezdit normálně bez toho, abych se pak v cíli musel vybrečet a nebyla za mnou spocená čára, ale z toho asi nic nekouká - byť by těch 35 minut do práce / z práce namísto 45 bylo fakt milý :D
I'm on an unrestricted variable electricity tarrif. My price per kwh is about to go negative for 3 hours*
I can get my oven and air con unit to fight each other, and be paid for it!
*it's so windy that there's nowhere to put all the energy the turbines are generating, so they pay (mostly industry) to use it up. The price shoots up in the evening when everyone starts putting their heating on and cooking dinner. People on a fixed price tarriff are paying ~25p/kWh all day in the UK right now.
Alza na to jde rafinovaně. Má ocenění udržitelný e-shop, před pár dny zavedla Alzabox asi 200 m od baráku. I když člověk nemá rád jejího maskota, tak nakonec tam ještě rád nakoupí. Vlastně nemám důvod si stěžovat a nakupuju tam čím dál více. Cenu mi navíc vlastně vždycky srovnali na úroveň konkurence.
neviem čo majú všetci proti maskotovi, mne sa páči. Topka m.youtube.com/watch?v=SSaCo5Lm… Vtedy som sedel a to bola teda vlna nenávisti na túto reklamu. Ja vtedy počas reklamy:
I updated my AutoHotkey Doom Launcher Script. It adds co-op as an option. Unfortunately I didn't get to actually test it with co-op, but it does run.
The zip file ccontains both the executable, .exe and the source code, .ahk.
All of the other components have been tested and they do work. The only thing I'm not quite sure about is the co-op option, but I know the hosting part of it actually opens things so that someone can join.
If you want to use the script, place it in your TobyAccessibilityMod_Version7-0 folder and run the .exe. It will spawn a menu which you can navigate with the arrow keys to select an option.
@SuspiciousDuck Moje maminka dělala fazolový salát. Bílé fazole přes noc namočit. Uvařit a po vychladnutí ochutit olejem, octem či majonézou a nebo místo octa s citrónem. Opepřit.
no jasné do faz. polievky sa hodí trochu octu, ocot sa dá (nie vždy) nahradiť citrónom a v polievke by to asi šlo. Šalát môže byť dobrý, s trochou údeného kolena.
You've all heard the "joke" about the programmer/engineer who keeps a loaded gun by his printer in case it makes an unexpected noise and he needs to shoot... Tagged: sex blogging, handmaids, ovulation tracker, patriarchy
I assume that people who need to know this would already know it, but I am not such a person and did not know it, so I will pass this on from a correspondent who wishes to remain nameless: There's a FOSS menstrual cycle and fertility tracking app named "drip." created by feminist female developers with privacy at its foundation. I'm not qualified to opine about its safety or security but developers say everything stays on your device: f-droid.org/packages/com.drip/
The Vatican has just reaffirmed its hostility toward so-called "gender ideology." I recently wrote in the magazine of the pope's Jesuit order that this posture is a dangerous failure of imagination: americamagazine.org/faith/2023…
@Tzipporah with their Eighth Generation "Two Spirit" wool blanket by Two Spirit artist Ryan Young (Lac du Flambeau Band of Lake Superior Chippewa) that calls out to their community's traditional story about crows.
Native American designed Wool Blankets by Eighth Generation. Wool Blanket design features contemporary Ojibwe crow art by Native American two spirit artist Ryan Young. Native American & Indian Wool Blankets for Men, Women & Home.
Calling all #LibreOffice users: Power up ⚡ and become a LibreOffice contributor, like Adam Seskunas! Learn new skills, build a portfolio of experience, and have fun on the way: blog.documentfoundation.org/bl… #foss #OpenSource
Tell us a bit about yourself! My name is Adam Seskunas and I currently live in San Diego, California. In my free time I enjoy outdoor activities, hiking, backpacking in the Sierra, rock climbing and surfing with my daughter Sofia.
As with other overlays, it makes WCAG/ADA promises, fails to fix stuff, replicates platform features (poorly) in CSS, and introduces WCAG violations just by adding it to a site.
From Introducing WebAbility.io: Ultimate Web Accessibility Widget for ADA & WCAG Compliance, a press release from Techyweb Solutions INC.:
WebAbility.io offers easy, comprehensive solutions for we...
Just because a court made a ruling doesn’t mean they’ll actually do it. When this much money is involved, I’d imagine you’d need to back this up with credible threats of state intervention, forced nationalisation, and violence directed at the top executives.
"I don’t take it. I don’t want it." Speaking to an INN Boston member yesterday, Rep. Jim McGovern said he rejects AIPAC and its toxic influence in Congress, as it prolongs the massacre in Gaza.
We need your help to get every Democratic candidate on record whether they will stand with humanity or reject AIPAC’s dangerous agenda of endless war and apartheid.
Twice in the past week I've read scholars who should know better repeat the urban legend that the QWERTY keyboard was designed to slow down typing, and thus, jamming, on early typewriters.
That'd be cool if it were true, but it's not, and the the truth is even cooler. The QWERTY keyboard evolved over time, shaped by two forces: (1) since the early machines were used by telegraph operators, the keys were arranged to avoid common transcription errors; and (2) competing patents of the typewriter slightly arranged the keyboard layout in order to qualify as new (and therefore patentable) designs.
I guess the urban legend is popular among people who struggled to learn to type. Steven Levy, one of many who propagated the legend, wrote in his book _Insanely Great_: "My own high-school instruction in typing was nightmarish. So fumble-fingered was I that after my mistakes were deducted from my word totals, my scores on the speed drills were usually gauged in negative numbers." FWIW, I can't relate; typing came naturally to me. But I started much earlier.
On Android, fseeko is defined as is (I omitted other functions for clarity):
/* See https://android.googlesource.com/platform/bionic/+/master/docs/32-bit-abi.md */
#if defined(__USE_FILE_OFFSET64)
...
Global Accessibility Awareness Day 2024 is the perfect excuse for you to shape up your organisation's digital accessibility skills. We have some ideas for you!
On April 6, 1992, Windows 3.1 was released to manufacturing. 32 years later, it has been recognized as a major addition to Microsoft's Windows operating system lineup and paved the way for Windows 95.
Sonny
in reply to kcxt @ 39c3 • • •