One of the most common security reports we get in #curl is claims of various CRLF injections where a user injects a CRLF into their own command lines and that's apparently "an attack".

We have documented this risk if you pass in junk in curl options but that doesn't stop the reporters from reporting this to us. Over and over.

Here's a recent one.

hackerone.com/reports/3418616

#curl

StreetComplete is a really fun and accessible way to contribute to OpenStreetMap from an Android device - walk around in your local neighbourhood (or anywhere really) and solve 'quests' by answering questions about the things around you!

You don't need to learn anything about mapping conventions, or infrastructure, or about the more complex mapping tools that exist for OpenStreetMap. The app will explain everything to you that you need to know, when you need to know it, and ask easily understandable questions with reference pictures for the answers.

The only setup needed is to make an OSM account and log into it from the app, so that it can upload your answers - and you can also do that at any later time, after trying out the app without an account for a while first. You can just install it and go outside right away!

The app doesn't need any cellular internet connection; it can work offline and synchronize your answers once you reach a place with e.g. WiFi. It's also quite performant, and should run well even on lower-end phones. There is also a 'multiplayer' option that lets you split up in teams and each tackle different quests in the area.

streetcomplete.app/

#StreetComplete #OpenStreetMap

Part of the reason I’m so against LLM coding assistants is that it seems like it can do nothing but suck all of the joy and fulfilment out of work.

Like, for any task that requires skill, there’s some pleasure in using that skill and succeeding at it. Why would I want to automate it?

It’s like the thing of “automating my hobbies so I can spend more time doing the laundry”.

And obviously, yes, I do realise that my job doesn’t simply exist for the sake of me having fun. I don’t actually expect that to be a persuasive argument from a business perspective. But what makes the whole thing completely inexplicable to me is that this automation doesn’t even do a good job or speed things up at all.

All the code I’ve seen from LLMs has been total garbage. At best, it’s eventually come out with something as good as a human could do, except no faster, and through a process that’s far more annoying and unpleasant than simply doing the work manually.

There’s literally nothing in it for anybody (except the LLM companies, who get a subscription fee for doing something you could have easily done yourself, and who, when you complain that the results are bad, invent nonsense like “you have to have multiple LLMs all checking each other’s output” to wring more money out of you).

in reply to James Scholes

@jscholes Yes. And spoon-feeding text to a screen reader should not be what developers primarily think of when they think of accessibility. The actual GUI should be made accessible through platform APIs. I know you know this, of course; I'm just stating it for the benefit of anyone watching who is outside the cottage industry of apps developed specifically for and usually by blind people.

@tunmi13 @fastfinge

in reply to 🇨🇦Samuel Proulx🇨🇦

@fastfinge @jscholes This is where AccessKit (accesskit.dev/) might help. Yeah, plugging a project I started. We did a proof of concept retrofitting it onto an old version of Unity a few years ago. github.com/AccessKit/the-inter… This was a mod to an existing open-source demo game; the Unity version was old even when we did it. And it was very hacky, as we had no cooperation from the engine. We haven't revisited this lately with modern Unity.
in reply to Matt Campbell

So would I. But the various game mods are developed by people mostly like me: hobbyists with jobs, who are just skilled enough to find solutions and get things done. But without clear documentation and an easy-to-call API we can plug in, we're stuck. So I wouldn't expect this any time soon. All of the output systems in the above poll require one, maybe as many as three, lines of code to use.
in reply to 🇨🇦Samuel Proulx🇨🇦

@fastfinge @jscholes Sigh, yes, we need to fully document AccessKit, write bindings for more languages, and make sure the documentation is available for users of all the bindings. Unfortunately, my current funding for working on AccessKit doesn't cover either documentation or bindings.
in reply to 🇨🇦Samuel Proulx🇨🇦

@fastfinge @matt In this case by "OS semantics", I specifically meant live regions and have updated my previous response accordingly. To my knowledge, OSARA outputs a great deal of screen reader specific text without using a single screen reader library on Windows and it works perfectly.
in reply to James Scholes

It's possible my understanding could be out of date. I'd love a better way to do things. However, as far as I know, live regions require the window to have focus, and require the app to be a web app. That's just not the case for any one of my use cases. Sometimes I'm using an app's built-in scripting language to add accessibility, sometimes I'm patching an app to send text to the screen reader, or sometimes I'm creating an entirely separate app to run in the background to read log files and output alerts that way. In none of these cases would live regions work.
in reply to 🇨🇦Samuel Proulx🇨🇦

@fastfinge @jscholes No, live regions are no longer exclusive to web apps. My understanding is that the application window has to be in the foreground, but the child window that contains the live region doesn't necessarily have to have focus. Paperback did this particularly elegantly by setting properties on a Win32 static text control.
in reply to Matt Campbell

Better, but still not going to work for 99 percent of mods. In general, you don't get to spawn a new window, or modify properties on existing ones. The only place I could make this work is adispeak; I can write a full C# DLL there and do whatever I want. But if I do that, I lose the ability to notify the user if they have the IRC client in the system tray, or even just on the taskbar. Far from ideal.
in reply to 🇨🇦Samuel Proulx🇨🇦

@fastfinge @jscholes If your mod can be active after the main window is created but before it's shown, you can bolt on accessibility by doing Win32 window subclassing on the main window. AccessKit includes code for doing the subclassing step, but you have to do it at exactly the right point in the window life cycle or it doesn't work reliably. That's the main problem we had with Unity.
in reply to Matt Campbell

And what happens if the main window ever gets destroyed or recreated? While I can often hook into app startup, most mod frameworks don't allow detailed hooks into window creation. It's possible I'm missing things, and smarter people than me can come up with a way to make this generally viable. But based on my research and skill level, I just don't see a path to avoid screen reader libraries in the majority of cases. Live regions are only useful in the case where you're writing your own app from scratch or modifying an open source app, and you never need to alert the user to things when the foreground window doesn't have the focus. This is a vanishingly small number of cases. As far as I can see, screen reader APIs, and robust libraries to call them, are going to be useful for years to come.
in reply to 🇨🇦Samuel Proulx🇨🇦

@fastfinge There are different use cases with various constraints.

I used the word "primary" on purpose in my first post. Right now, screen reader libraries are the first and often only thing reached for by developers of these abstraction libraries.

I would like to see a better abstraction library that keeps the ease of use while supporting multiple techniques. It could opt for the most reliable and user-friendly pattern by default based on information gleaned from its operating environment and some gentle hints from the developer.

E.g. you don't supply a window handle? There's no window for a live region so it falls back to SR libs. @matt @tunmi13

in reply to Matt Campbell

@matt User control is one reason live regions are a better idea than screen reader libs at least, because I can turn them off.

If an app has decided to shove stuff down the NVDA Controller Client DLL, there's nothing I can do about it. Other than maybe deleting the DLL or restricting access to it, at which point it's anybody's guess whether the app in question will go silent, crash, or switch to SAPI.

Of course, this begs the question about why screen readers don't have a permissions system. @fastfinge @tunmi13

in reply to James Scholes

As an example, the person I'm currently in a meeting with has three monitors. One for the meeting, one for social media and dashboards, and one for what she's working on. Invisible interfaces and alerts from non-foreground apps are the only way I have to be even slightly as fast as her. And I'm already slower at a lot of things, because of the nature of inaccessible GUIs, so further friction and speed decreases would not be acceptable at all. If I didn't have these features I guess I'd have to have three laptops and a mixer? I don't know.
in reply to James Scholes

And if you want to get a sense for how unsatisfactory live regions are, compare Mudlet, which uses live regions to read new text, with MUSHclient with MUSHreader, which uses the screen reader API. Notice how Mudlet misses some text if it comes in too fast, doesn't always read text, and can't control whether the text interrupts the previous text it sent or is added to the end of the queue. MUSHreader has none of these problems.
in reply to Matt Campbell

If you want an easy and predictable game to test the differences, proceduralrealms.com is a good example. It works in both clients, it tends to dump multiple lines of text to the client at once, some of those lines have special characters, and within 20-30 minutes of playing with each client you'll notice the differences and the bits Mudlet is missing.
in reply to James Scholes

@jscholes @fastfinge I also think, though I realize I might be in the minority on this, that screen readers should ignore MSAA alerts from non-foreground windows. Narrator ignores UIA notifications from non-foreground windows, except for a few OS components that are treated as exceptions; not sure about NVDA and JAWS.
in reply to James Scholes

@jscholes @fastfinge Based on a quick look at SRAL (which I also wasn't familiar with), I wouldn't recommend it. It does attempt to implement a dummy UI Automation provider as one option (along with the usual screen reader APIs), but that implementation shows poor understanding of how to use UIA.

Ouch. I was really happy to discover LibreOffice Impress Remote app for iOS - but the last update was in 2014 and it doesn't run on current iOS :(

Not reflected in the current docs it seems, ping @libreoffice

Any iOS developers with spare time wanting to get it up to speed? :)

libreoffice.org/download/impre…

#LibreOffice

What will the world be like in 10 years? Or 50? We don't know – but we all need to think about long-term data storage. Don't get locked out 🔒 of your own documents – instead, choose a format designed for long-term archiving: blog.documentfoundation.org/bl… #foss #openSource #freesoftware #openstandards

The Louvre’s surveillance password was literally… “Louvre.” 😳

Here are 3 password manager tips from Tuta you need to hear 👇

Tip 1: Use strong, unique passwords
Tip 2: Never reuse passwords
Tip 3: Enable 2FA (two-factor authentication)

#CyberSecurity #JewelryLourve #Lourvepassword

Finally got a chance to read @sundress's thoughtful post outlining the "Why" behind the state of accessibility on the web and it is spot on! If you haven't already, please give it a read: alice.boxhall.au/articles/a-th….

#a11y #accessibility

Question for @librechurch @luki and the socially engaged world:

Is there some kind of church-run or otherwise alternative #Etherpad installation where access to the documents can be restricted? That is, not just "anyone who knows the link", but with a personal request or a password? And no: it should not be Google Drive.

pad.churchx.de/ apparently can't do it.

in reply to Petra Steiner

On a #Cryptpad instance, participants can register and form a team. In the team's file storage you can place shared documents.
cryptpad.luki.org/teams/

See also the sections Collaboration and Sharing/Access in the user documentation:
docs.cryptpad.org/de/user_guid…

@librechurch @luki

@talon Hey, I had a completely random request. Remember CHARM? What if it also had a mode for tracking network bandwidth usage, download and upload, as well? Probably with user-configurable expected bandwidth maxima, or obtained from speedtests, to map your percentage. Or a similar algorithm to that used for disk I/O. That'd be super useful to know when something in the background is doing telemetry, or when something is unexpectedly downloading an update or uploading a blob and pegging the wi-fi.
in reply to Talon

Here's a soundpack for CHARM that I made, by the way. Right now it's just called tones, unsure what else to call it. It's easier to listen to than default, and is made up of single-cycle waveforms. CPU is sine, RAM is absolute sine, and disk is the NVDA beep, 2x clipped sine. CPU base frequency is 3/2x the others so you have less frequency collision during idling. I chose the NVDA beep because triangle was just a bit too soft to hear at lower frequencies but I still wanted something relatively soft like the other two. dropbox.com/scl/fi/auqg1kk585b…

Something we, as a society, need to do is stop criticizing other people's eating habits. We need to stop criticizing how much someone eats. We need to stop criticizing what someone eats. We need to end this expectation that everyone wants to eat a lot, or likes to eat in public. And more than that, we need to stop comparing people's eating habits to other people's eating habits. All this does is create insecurity, shame, stress, and discomfort with someone's body and food choices. Eating is a sensitive subject for many people, either due to weight, taste/textural issues with food, social discomfort, whatever. How about, unless someone's diet and/or eating habits are genuinely harming them, we leave other people's food choices, needs, and the amount they choose to eat, and let everyone do their own personal thing with it? Erg.

Clarification: Previously I reported that Tesla China production in China was down 10%. That figure is quite different from sales. New data from China Passenger Car Association shows that Tesla’s sales dropped to 26,006 vehicles in October, their lowest level in three years. It represents a fall of 35.8% compared to the same period last year. Tesla’s share of China’s electric vehicle market dropped to 3.2% in October, down from 8.7% in September.

Not me, I still believe in myself, but I get it, sort of.

aktuality.sk/clanok/Zia11n2/sl…


In the #curl security team, we get to exercise deep protocol knowledge into the bits for many protocols including version variations and exploring funny quirks we have for adapting to many 3rd party libraries as well as a thorough understanding of the C language, how ABIs work, OS/platform variations and the occasional CPU peculiarity. Did I mention build systems?

And that's only for the issues we received this weekend.

#curl
in reply to Maksym Hazevych

@mks_h there is responsibility for one's own viewers and community as well.

"do not harass anybody" means nothing in practice. Otherwise, would it make bigots non-bigots if they just said it in every video while their viewers were constantly transphobic/racist/etc.?

Harassment is allowed in the comment section, therefore it's also allowed elsewhere.

The people harassing our community are welcomed in his community with open arms, because apparently doing it there is better than... not?