
tommy

Author of cybsec.network and gopher://secdiary.com | https://secdiary.com.

Micro-messages mirrored at https://secdiary.com/twtxt.txt.

tommy bonked 25 May 2020 23:07 +0200
original: tedu@honk.tedunangst.com
convoy: data:,electrichonkytonk-q8gBd8V8vFPR743rkw

In #today's edition of modern browsers are awesome, there's a javascript event that allows pages to see (log, store, analyze, sell) what you search for with ctrl-F. (That said, they can already spy on your scroll position and infer searches from sudden jumps. Just assume every site you visit is recording your screen at all times.)


tommy bonked 25 May 2020 15:21 +0200
original: cwebber@octodon.social
convoy: tag:octodon.social,2020-05-25:objectId=51305713:objectType=Conversation

More and more websites doing port scans against users... now including Ebay https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

You may be surprised that websites you visit can access localhost+port on your computer. "Local only" daemons often aren't. That's because "your browser is a very confused deputy" https://www.youtube.com/watch?v=Yfsmc0b8o78&vl=en

I helped uncover a confused deputy attack against Guile's live REPL that allowed for arbitrary code execution along these lines: https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html

Perimeter security is eggshell security.

tommy bonked 24 May 2020 20:57 +0200
original: tedu@honk.tedunangst.com
convoy: data:,electrichonkytonk-6tq4h1cfmV2976m11x

Alright, Spotify, I don't know what sick game you're playing, but garbage and daft punk don't belong in the same playlist. Help, I'm being oppressed by machine learning.

tommy bonked 23 May 2020 09:54 +0200
original: schlink@octodon.social
convoy: tag:octodon.social,2020-05-22:objectId=51178323:objectType=Conversation

huh, this seems bad

"macOS 10.15: Slow by Design"

> Apple has introduced notarization, setting aside the inconvenience this brings to us developers, it also results in a degraded user experience, as the first time a user runs a new executable, Apple delays execution while waiting for a reply from their server. This check for me takes close to a second.


tommy honked back 22 May 2020 12:44 +0200
in reply to: https://cybsec.network/u/tommy/h/Jx32XbMGJ6kQLTHxV9
convoy: data:,electrichonkytonk-WBzXSKc3z896rx9Nkk

The clear winner, which definitely works on OpenBSD as well, is weasyprint. I actually can't see the difference between the princexml and weasyprint PDF output. Impressed.

weasyprint is a Python package which can be installed via pip.

pip3.7 install weasyprint

When it comes to the conversion speed, I can't tell the difference on that either (takes a couple of seconds).

Great to have a stable cross-platform PDF compiler.

tommy honked 22 May 2020 11:01 +0200
convoy: data:,electrichonkytonk-c1l3d619sj47d21x52

Every time I reset Spotify it starts out well with good recommendations, and from there on out it's downhill. I always end up with not-so-good lists. Either this is feedback on my bad taste in music, or algorithms should once again be replaced with curated music.

tommy honked back 22 May 2020 10:42 +0200
in reply to: https://cybsec.network/u/tommy/h/Xs2G7lZP83gJ52KLQx
convoy: data:,electrichonkytonk-WBzXSKc3z896rx9Nkk

Brief hack report:

  • wkhtmltopdf is a no-go. Rendering turned out to be more or less like on-screen
  • weasyprint is surprisingly good (Python)

The current things that broke, from the Princexml template were:

  • content: flow(
  • .fn::footnote-call
  • .footnote::footnote-call
  • column-break-after: always

Impressed that it rendered this well without adaptation. There seem to be some issues with the CSS in the header.


tommy honked 22 May 2020 09:46 +0200
convoy: data:,electrichonkytonk-WBzXSKc3z896rx9Nkk

I use princexml to generate reports for printing, due to its visual parity with LaTeX.

I wasn't interested in running a conversion from Markdown to LaTeX and then to PDF (Pandoc), so a couple of years ago I went for princexml and switched the LaTeX part for HTML.

princexml was great on other systems for my report generator program. However, it is proprietary, and its build process has become unreliable for me between OpenBSD versions. Now looking for alternatives, and I already have wkhtmltopdf on my list.

#openbsd #html #conversion #pdf

tommy honked 21 May 2020 17:05 +0200
convoy: data:,electrichonkytonk-Z74HyHtwG2hm3p96Q4

doas is a big improvement over sudo. The minimal utility is just much simpler to understand and use, which made my life way easier when setting up automatic provisioning with drist on my OpenBSD servers. The opposite happened when I got to Debian of course.

#openbsd #drist #sudo #notty #ssh #doas

tommy honked 21 May 2020 15:22 +0200
convoy: data:,electrichonkytonk-jxPt3sMTh4t3ZFrYp1

Just set up drist to configure users, deploy SSH authorized keys and doas.conf, install my default packages, apply updates and reboot servers. This is a nice breather from Ansible, which I seem to always forget the structure of between each time I use it.

Being a die-hard PGP card user, this creates a bit of delay and issues with parallelization. But that's something I can live with.

Just lovely.


tommy honked 21 May 2020 14:07 +0200
convoy: data:,electrichonkytonk-Q8q3p2QQF99S2xG742

Testing microg on GrapheneOS, the result is that I know I won't use microg-dependent apps on GrapheneOS.

#grapheneos #android #microg #push

tommy honked 21 May 2020 12:36 +0200
convoy: data:,electrichonkytonk-7YtjZ8L4Jp5R31yvbl

One thing that doesn't work well in OpenBSD 6.7 is screen backlight control on my X395. It actually adjusts from max backlight down to about 90%, and then it seems to think it is at 0%. Despite that, it is nice to see the backlight buttons actually work partially. Some progress after all.

#openbsd #x395

tommy honked 21 May 2020 12:32 +0200
convoy: data:,electrichonkytonk-5BQN4WJ61mg2q5121Z

Some interesting Matrix numbers in the latest Techcrunch article on the Automattic investment into New Vector/Matrix [1]:

> Hodgson says New Vector is able to contemplate the prospect of profitability ahead, with ~16.8 million users and 45,000 deployments at this point (up from 11M and 40k back in October).

Perhaps just as important:

> The e2e encryption Matrix uses is based on algorithms popularized by the Signal protocol. It was audited by NCC Group in 2016 but plans for the new funding include a full stack audit.

However you see the Matrix protocol and its implementation, this is a win for open source, privacy, encryption and decentralization over the established tech giants, which still maintain control over a major part of daily life.

[1] https://techcrunch.com/2020/05/21/automattic-pumps-4-6m-into-new-vector-to-help-grow-matrix-an-open-decentralized-comms-ecosystem/

tommy honked 21 May 2020 12:25 +0200
convoy: data:,electrichonkytonk-3d87dlP1fZDXpXRN1b

OpenBSD 6.7 is such an experience. I got the thing with U2F and SSH in the upgrade, but suddenly my YubiKey USB-C PGP card works as well!

#openbsd #yubikey

tommy honked 21 May 2020 12:16 +0200
convoy: data:,electrichonkytonk-DjFY8m1fvS7Yx4Kp72

@solene any recommendations for drist and connecting to a host running on a non-standard SSH-port?

tommy bonked 20 May 2020 09:46 +0200
original: vecna@www.librepunk.club
convoy: tag:www.librepunk.club,2020-05-14:objectId=1800202:objectType=Conversation

Sometimes people say things like "Doing X is pointless because you're still doing Y." (For example, I saw a discussion of free software where someone went off about how having a fully free OS was pointless because you're just going to use it to access Facebook, etc. anyway.)

1. A lot of positive change happens incrementally. Don't disparage that just because "it's not instantly perfect, so you should give up."
2. Who says I'm doing Y?