|
Nonfuckup: cert renewal day and I abandoned startssl and did let's encrypt good lord that was easy
|
#
?
Feb 19, 2017 14:54
|
|
|
|
| # ? May 17, 2024 07:31 |
|
|
Wheany posted:windows 10 home apparently doesn't come with bitlocker. how bout that. use to be enterprise sku only, you're lucky they pushed it down to pro
|
|
#
?
Feb 19, 2017 15:51
|
|
|
Today in non-sec fuckups I made a tool that chunks through all of the packages in Buildroot and if it's hosted on GitHub or PyPI it checks to see if there's an update and if so auto-generates a patch to submit to the Buildroot team. Almost 60% of the python libraries were out of date. 40% of those were out of date by more than 2 major revision numbers.
|
|
#
?
Feb 19, 2017 18:44
|
|
|
anthonypants posted:in chrome there is no "view info" link when you click the lock icon next to a url Microsoft did this in Edge too and its the only thing that really annoys me about it.
|
|
#
?
Feb 19, 2017 18:46
|
|
|
ratbert90 posted:Today in non-sec fuckups I made a tool that chunks through all of the packages in Buildroot and if it's hosted on GitHub or PyPI it checks to see if there's an update and if so auto-generates a patch to submit to the Buildroot team. Lol that's obnoxious and they will kill you if actually run it
|
|
#
?
Feb 19, 2017 19:30
|
|
|
Shaggar posted:Microsoft did this in Edge too and its the only thing that really annoys me about it. edge at least still shows the ev organization name by the padlock right? i am unsure if there was actually some deeper issue with that, but i found it to be a very sensible double-check of the url not being off
|
|
#
?
Feb 19, 2017 19:42
|
|
|
jre posted:Lol that's obnoxious and they will kill you if actually run it Oh I talked to the maintainers and they were all for it. 58 patches submitted!
|
|
#
?
Feb 19, 2017 20:39
|
|
|
https://twitter.com/cyb3rops/status/833354634735534081
|
|
#
?
Feb 19, 2017 20:46
|
|
|
ratbert90 posted:Today in non-sec fuckups I made a tool that chunks through all of the packages in Buildroot and if it's hosted on GitHub or PyPI it checks to see if there's an update and if so auto-generates a patch to submit to the Buildroot team. I thought you'd been doing embedded stuff for a while? Who wants the web programmer-y moving target APIs that keeping all those packages current for "author bumped a version" reasons alone would introduce? My first thought is of that "Calibre" ebook software whose author obnoxiously (because it nags) does a release or two every week and has sustained that pace for a decade. A one-time catch-up, people can maybe handle, but oh man maintenance...
|
|
#
?
Feb 19, 2017 20:51
|
|
|
Was just about to come here and post this. It tries to log in to your twitter account (and others? didn't check) with the info, lmfao. The git bio just straight up says to never use this.
|
|
#
?
Feb 19, 2017 21:16
|
|
|
i just saw it on twitter too, and it looks like it checks twitter, facebook, github, reddit, hackernews, and google, in that order
|
|
#
?
Feb 19, 2017 21:32
|
|
|
lmao
|
|
#
?
Feb 19, 2017 21:36
|
|
|
ratbert90 posted:Oh I talked to the maintainers and they were all for it. 58 patches submitted! This is totally retarded and will almost certainly break stuff. How did you check that bumping libraries major versions hasn't broken functionality ? There are already tools (e.g. https://snyk.io , https://pypi.python.org/pypi/dependency-check/ ) which scan your dependancies for known vulnerabilities so you can limit the updates to things that actually matter. jre fucked around with this message at 22:20 on Feb 19, 2017 |
|
#
?
Feb 19, 2017 22:18
|
|
|
anthonypants posted:in chrome there is no "view info" link when you click the lock icon next to a url yeah they moved a thing that'd just confuse most people to the developer options - which takes three steps to get to not eight this annoys developers slightly which is OK because we're a tiny percentage of users the really hosed thing is that regular users even know what cookies are let alone care so deeply about them that they want to inspect them
|
|
#
?
Feb 19, 2017 23:26
|
|
|
jre posted:This is totally retarded and will almost certainly break stuff. How did you check that bumping libraries major versions hasn't broken functionality ? I actually scanned the dependencies if there was a dependencies.txt, I tried to import the module as well, and then if there was example code I tried to run that. Out of the 58 patches, 3 were broken as far as I could tell. James Baud posted:I thought you'd been doing embedded stuff for a while? I am embedded, this is just a side project for fun.  Also yeah, we are in discussions on how to actually maintain python libraries buildroot, as it's already 10~% of the packages and there are over 20,000 libraries on pypi.
|
|
#
?
Feb 19, 2017 23:45
|
|
|
ratbert90 posted:I actually scanned the dependencies if there was a dependencies.txt, I tried to import the module as well, and then if there was example code I tried to run that. quote:As far as I could tell ... Hey I've just changed 58 dependancies without reading the change logs for those dependancies. I've done no meaningful tests so gently caress knows if this breaks the app, I've also not profiled what the effect of new versions on mem / cpu / io is. Nor did I actually check for advisories so the new versions are just as likely as the old to have horrible vulnerabilities in them. What do you mean your taking away my push privs ?
|
|
#
?
Feb 20, 2017 00:16
|
|
|
Cybernetic Vermin posted:edge at least still shows the ev organization name by the padlock right? i am unsure if there was actually some deeper issue with that, but i found it to be a very sensible double-check of the url not being off its got the signing org and the subject name from the cert. I can guarantee u tho what happened was that they didn't want to have to grant access to the win32 certui through the UWP framework but they were also too lazy to re-implement it fully.
|
|
#
?
Feb 20, 2017 00:30
|
|
|
jre posted:Hey I've just changed 58 dependancies without reading the change logs for those dependancies. I've done no meaningful tests so gently caress knows if this breaks the app, I've also not profiled what the effect of new versions on mem / cpu / io is. Nor did I actually check for advisories so the new versions are just as likely as the old to have horrible vulnerabilities in them.
|
|
#
?
Feb 20, 2017 02:03
|
|
|
i don't know, i personally wouldn't mind having a dedicated scapegoat for everything that goes wrong for the foreseeable future on some projects
|
|
#
?
Feb 20, 2017 02:08
|
|
|
BobHoward posted:depends. on some ssds the sata password mechanism is a potentially deece fde (*), but sata is a very pc industry standard so you'd better be sure your particular drive mfr did it right before you depend on it for opel-whatever drives, bitlocker will keep the key in the TPM where it probably should be and just use the embedded hardware acceleration of the drive to prevent that stuff from being run in CPU which usually results in zero effective overhead. bitlocker on cpu even with a modern processor and AES extensions can halve ops rates on a SSD though you're talking about the different between 10 and 20k ops so it probably doesn't matter for most workloads. there have been some demonstrations of poo poo key management in the self-encrypting drives and I would trust MS to hold key material in TPM over sarnsung or whoever.
|
|
#
?
Feb 20, 2017 02:18
|
|
|
Right but I mean what difference is it going to make. If somebody's going to go to the trouble of taking apart my computer in a lab and applying specific Samsung exploits to the SSD firmware or whatever then they can also cold-boot attack my FDE laptop, which is probably asleep so it already has the encryption keys in DRAM. Tbf though Macs have some sort of special firmware lock screen that lets them purge keys out of RAM when they go to sleep. Define an adversary for your security measures, or you're just jerking off.
|
|
#
?
Feb 20, 2017 16:00
|
|
|
https://twitter.com/paaleksey/status/833353340079706112
|
|
#
?
Feb 20, 2017 16:37
|
|
|
beautiful e: lol https://mobile.twitter.com/paaleksey/status/833355010637455367 Lutha Mahtin fucked around with this message at 16:58 on Feb 20, 2017 |
|
#
?
Feb 20, 2017 16:46
|
|
|
Sapozhnik posted:Right but I mean what difference is it going to make. i'm kinda confused what exactly the point you're trying to make is? like sure, for 99% of attack scenarios for 99% of people a SATA password is probably perfectly secure, this has nothing to do with it requiring NSA level ability to circumvent, simply that its usually just not worth the trouble for most people's data its definitely not as secure as FDE though, even if that fact is only being demonstrated theoretically, and using FDE isn't any more of a hassle so I don't really understand what you're making a stand about?
|
|
#
?
Feb 20, 2017 19:00
|
|
|
Lutha Mahtin posted:beautiful how many bitcoins can you mine in the time it takes for a CI build to run?
|
|
#
?
Feb 20, 2017 19:35
|
|
|
they might be hijacking the build so unless the CI server doesn't have a max run time for a build it would run until killed by someone else.
|
|
#
?
Feb 20, 2017 20:28
|
|
|
Shaggar posted:they might be hijacking the build so unless the CI server doesn't have a max run time for a build it would run until killed by someone else. yeah but basically every public project that uses some public CI service is gonna have sane defaults for that, right? 🤔
|
|
#
?
Feb 20, 2017 20:31
|
|
|
oh definitely.
|
|
#
?
Feb 20, 2017 20:36
|
|
|
also the creds for the CI service totally wont be in the repo either so theres surely no way the bot could get access to and change the config.
|
|
#
?
Feb 20, 2017 20:37
|
|
|
uncurable mlady posted:yeah but basically every public project that uses some public CI service is gonna have sane defaults for that, right? 🤔 lol
|
|
#
?
Feb 20, 2017 21:01
|
|
|
CI?
|
|
#
?
Feb 20, 2017 22:26
|
|
|
Continuous Integration. Basically automatic builds and tests run on every commit to the main branch(s)
|
|
#
?
Feb 20, 2017 22:31
|
|
|
seems more like code injection op
|
|
#
?
Feb 20, 2017 22:35
|
|
|
LeftistMuslimObama posted:seems more like code injection op 
|
|
#
?
Feb 20, 2017 22:43
|
|
|
LeftistMuslimObama posted:seems more like code injection op
|
|
#
?
Feb 20, 2017 22:46
|
|
|
Jewel posted:Was just about to come here and post this. It tries to log in to your twitter account (and others? didn't check) with the info, lmfao. The git bio just straight up says to never use this. that actually might not be a bad idea to use in sign in forms i mean, might creep your customers out but they'll be more informed about good security practices as they leave your site never to return never mind that's a terrible idea
|
|
#
?
Feb 20, 2017 22:51
|
|
|
Stop stealing my talk topics guys
|
|
#
?
Feb 20, 2017 22:54
|
|
|
LeftistMuslimObama posted:seems more like code injection op :neo whoa:
|
|
#
?
Feb 21, 2017 00:56
|
|
|
continuing on from the bitcoin CI, a great one i just saw on twitter https://github.com/auchenberg/volkswagen quote:Volkswagen detects when your tests are being run in a CI server, and makes them pass.
|
|
#
?
Feb 21, 2017 01:01
|
|
|
|
| # ? May 17, 2024 07:31 |
|
|
Jewel posted:continuing on from the bitcoin CI, a great one i just saw on twitter lol also ratbert I like your idea in abstract but maybe restrict it to major version updates or something? idk. it does sound like a Lot but we are in a kind of risk averse profession
|
|
#
?
Feb 21, 2017 01:09
|
|
