You know those networked devices with a microphone? You should probably do a threat model if you have them.

Cool to have them listening all the time and sending that info to an attacker? OK, no action needed, connect it up to anything.

Creeped out by that idea? Maybe don't hook them up to the network without looking into it (or having someone look into it) first.

Self promotion, infosec 

My team at work found a way to hijack the update process of software that is used at Space X, the London Stock Exchange, Microsoft, Department of the Treasury and a bunch of other interesting places.

User interaction is required. We'll try to find bugs with a bigger impact next time. 😄

blog.grimm-co.com/2021/04/time

greyware.com/software/domainti

OK, fediverse, help me out here. I want to set up CI/CD for a public repo to automatically build packages for each release. I found docs.gitlab.com/ee/ci/ci_cd_fo which is almost what I want except that it requires me to get my .gitlab-ci.yml upstream. I don't think they'd take it since they seem to use Travis CI instead. What are my other options?

What is your level of paranoia?
(boosts welcome)

It occurred to me that the people who need to defend against 0-days have a lot in common with those who run EOL products (for any reason whatsoever). Furthermore, if you expect your adversary to have 0-days, it's really not so risky to run EOL stuff.

With enough deployments, assigning static IPs with a dynamic protocol now causes more conflicts than it solves. Random MAC addresses **will always** collide eventually. They are nondeterministic. Setting a static IP address is deterministic, it will either never collide or always collide.

The latter is far easier to troubleshoot, simpler and self-contained... all positive attributes.

DHCP is great for dynamic addresses. Use it there.


Is there anyone out there who uses the Dynamic Host Control Protocol to set "static" IP addresses that wasn't using computers in the 90s?

My guess is no.

It may have made sense before VMs were common. Back when MAC addresses were baked into hardware.

Now it just requires hard coding a specific MAC address in each machine's deploy scripts instead of specifying the IP address, negating any benefit. It also makes it difficult to know the IP address before runtime, making scripting more difficult.
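The collision argument in the thread above, quantified as an added example that is not part of the original posts. It assumes a randomized MAC is a locally administered unicast address (46 random bits) and applies the standard birthday bound; the static-IP side is a plain duplicate check over a constructed inventory.

```python
import math
import random

# Assumption: a randomized MAC is a locally administered unicast address,
# i.e. 48 bits with the multicast bit clear and the local bit set, which
# leaves 46 random bits.
RANDOM_MAC_BITS = 46


def random_laa_mac(rng=random):
    """Generate a locally administered unicast MAC, the kind hosts randomize."""
    octets = [rng.randrange(256) for _ in range(6)]
    octets[0] = (octets[0] | 0x02) & 0xFE  # set local bit, clear multicast bit
    return ":".join(f"{o:02x}" for o in octets)


def collision_probability(n_devices, bits=RANDOM_MAC_BITS):
    """Birthday-bound chance that at least two of n random MACs collide.

    Standard approximation 1 - exp(-n(n-1) / 2N) with N = 2**bits.
    """
    if n_devices < 2:
        return 0.0
    space = 2 ** bits
    return 1.0 - math.exp(-n_devices * (n_devices - 1) / (2 * space))


def devices_for_half_chance(bits=RANDOM_MAC_BITS):
    """Number of random MACs at which a collision becomes more likely than not."""
    return math.ceil(math.sqrt(2 * (2 ** bits) * math.log(2)))


def static_conflicts(assignments):
    """Map each duplicated IP in a host -> IP inventory to the hosts sharing it.

    Deterministic: the same inventory always gives the same answer, which is
    why static addressing either never conflicts or always conflicts.
    """
    seen, conflicts = {}, {}
    for host, ip in assignments.items():
        if ip in seen:
            conflicts.setdefault(ip, [seen[ip]]).append(host)
        else:
            seen[ip] = host
    return conflicts


if __name__ == "__main__":
    print(f"{devices_for_half_chance():,} random MACs -> 50% collision odds")
    # Constructed sample inventory with one deliberate conflict.
    print(static_conflicts({"web1": "10.0.0.10", "web2": "10.0.0.11", "db1": "10.0.0.10"}))
```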

Gemini, bitcoin 

Today I learned about Gemini, which appears to be the second most popular cryptocurrency exchange in the US. It's good to see some competition in this space.
gemini.com/

tech, KY politics 

Power used to produce new blocks will be tax free in Kentucky, USA if done by a company instead of an individual. The law was passed to attract business to their state: specifically "cryptocurrency miners".
legiscan.com/KY/bill/HB230/202

I'm not sure it'll work, but can't blame them for trying.

I don't have an OpenSSL 0-day. I haven't looked at that codebase very much and when I did, I was not looking for vulnerabilities, I was looking at the CPU-specific optimizations. I'd be happy to go spelunking in the codebase someday, but honestly, it's pretty low on my list. I have a lot of things on my plate these days.

Yo, users, who can tell me how to get disappearing messages?

I found the options to limit access to the message history, but I want to have the history age out for some groups.

My use case is to limit the damage in the event of an endpoint compromise.

Roadmaps to convert 139 countries to 100% Wind, Water, and Sunlight (WWS) for all purposes
web.stanford.edu/group/efmh/ja

80% WWS by 2030 at the latest. This sounds like the level of effort of "let's put a man on the moon".

Fun fact: 11% of total U.S. energy usage was due to electrical system energy losses!

Source: eia.gov/tools/faqs/faq.php?id=

I remembered that JPL mentioned that 1/3 of energy usage was from buildings, another 1/3 from transportation, and the remainder being industrial. I came across that little tidbit when searching for citations. That JPL presentation was really cool. If I can find it anywhere, I'll post a link to it.

GitLab admins: Upgrading from 13.8.5 to 13.9.3 is broken. You will get error 500s for all your repos. Downgrading to 13.8.5 (most recent in the 13.8 line) will fix everything without having to resort to restoring from backups.

Going from 13.8.5 -> 13.9.0 -> 13.9.2 -> 13.9.3 did work for me. (You may be able to skip one of the middle links)

The developers know about issues with 13.9.0-13.9.2 but seem to think jumping straight from 13.8.x to 13.9.3 works (it doesn't) docs.gitlab.com/ee/administrat

If solar panels covered 1/4 of Utah, those alone would be able to power the entire United States. US consumption is very high, weighing in at 12,000 kWh per year per capita.

So even without reducing consumption at all, we have the technology right now to produce ample clean energy. This is the message. There is hope.

Sources:
ecotality.com/how-many-solar-p
13750000 acres = 21,484.4 sq mi
justintools.com/unit-conversio
en.m.wikipedia.org/wiki/Utah 82,144 sq mi

I just found out about yq. It's like jq, but for yaml.

In other words, it allows one to easily edit fields in a yaml file without using sed/awk, without having to worry about getting the correct number of spaces before an entry, and other things that frequently go wrong when making either manual or automated updates to yaml.

If you automate installations so you have reproducible deployments, jq and yq are your best friends when it comes to config files!

github.com/kislyuk/yq

The term "fediverse" comes from users here being "fed" up with "adverse" conversations, meaning "a culture where honest discussions are encouraged and the goal is to find common ground rather than prove a point." I think that's a very desirable change.

hax0rbana.social

Mostly hackers, mostly in Urbana, IL, talking to each other & our friends on like-minded servers without giving our personal data to the marketing machine.