Notices by Jan Schaumann (jschauma@mstdn.social)

OpenSSH 10.0 just landed, now completely removing DSA signature support (you've been warned, repeatedly :-) and finite-field diffie-hellman key exchange. It also enables mlkem768x25519-sha256 as the default kex! (#pqc)

The new version string ("OpenSSH_10.0") is also likely to confuse a bunch of stupid scanners that assume anything starting with "OpenSSH_1" is a 1.x version.

https://www.openssh.com/txt/release-10.0

Oh, ok, Yahoo. That's interesting. I have another idea: fuck you.

Suppose you held a large amount of stock. Market's high. You sell.

You then announce totally bananas tariffs. Markets plunge. You buy.

You then announce "deals" and lift tariffs. Markets ralley. Profit.

Would be a sweet deal if you happened to be in a position to do that, or knew somebody who could, wouldn't it?

The secret language of coders, part N of many. Today, zoom call edition: "sorry, gotta drop"

The secret language of coders, part N of many. Today: security vendor vulnerability announcement phrases.

An interesting recap of how the #Plan9 OS developed at Bell Labs, with many familiar names, including, of course, Ken Thompson, Dennis Ritchie, Rob Pike, and many others, making appearances.

"What I Saw at the Evolution of Plan 9" by Geoff Collyer

https://adi.onl/oral.pdf

#unix

#OpenSSL will get the now standardized post-quantum cryptography algorithms (ML-KEM, ML-DSA, SLH-DSA) in 3.5 (planned release date is 2025-04-08):

https://openssl-library.org/post/2025-02-04-release-announcement-3.5/

This will include X25519MLKEM768, and will be enabled and preferred by default:

https://mailarchive.ietf.org/arch/msg/tls/g9sagkuAu8KlWpmJ30YdXbga5Xg/

#pqc

Wait, what? By using #Firefox, I now grant Mozilla "a nonexclusive, royalty-free, worldwide license to use" any data I "upload or input"? That seems, uhm, rather broad. Wtf.

I want my old Mozilla back.

https://www.mozilla.org/en-US/about/legal/terms/firefox/

Today in "#systemd ruins everything", Jan learns that systemd-resolve...

- runs a proxy DNS server on 127.0.0.53 (which is in /etc/resolv.conf)
- uses it's own /run/systemd/resolve/resolv.conf
- will read and cache /etc/hosts regardless of what /etc/nsswitch.conf says (`ReadEtcHosts` defaults to `yes` in /etc/systemd/resolved.conf)

Applications that follow traditional libc resolver logic now will continue to get /etc/hosts results even if /etc/nsswitch.conf excludes 'files'.

🤦♂️

@FallsMom This one was https://www.buildtheresistance.org/feb-17 but check their other events: https://www.buildtheresistance.org/actions

There’s also https://www.mobilize.us/ and https://indivisible.org/

Scenes from the “No Kings On Presidents’ Day” protest in Union Square just now.

Fuck Trump. Fuck Musk. And fuck the entire cowardly Republican Party.

#NotMyPresident #nyc

TIL: On Ubuntu, AppArmor restricts tcpdump from reading files that don't end in ".pcap". 🤦♂️

$ ls -l /tmp/out
-rw------- 1 tcpdump tcpdump 13651 Feb 13 15:49 /tmp/out
$ sudo tcpdump -n -r /tmp/out
tcpdump: /tmp/out: Permission denied
$ sudo mv /tmp/out /tmp/out.pcap
$ sudo tcpdump -n -r /tmp/out.pcap
reading from file /tmp/out.pcap, link-type EN10MB (Ethernet), snapshot length 262144
[...]

Why are people trying so hard to make "file extensions" happen?

Just spent 45 minutes groveling through 2,300 lines of bash completion gunk because apparently nowadays bash[1] will only tab-complete files based on filename "extension"[2] as if this was fucking MS-DOS.

Grrr.

[1] Well, _this_ bash on _this_ particular Linux version.
[2] E.g., "sh x<tab>" will only complete "x*.sh".

#LinuxGrievances

Oh, and while I'm complaining: requiring sudo for dmesg is stupid, too. 🙄

Today's #linux grievance: apparently #fedora comes up with a default firewall that blocks anything besides SSH and something called "cockpit" (apparently a remote admin web interface running on port 9090 using a self-signed certificate, so, uhm, yeah 🤦♂️).

Mozilla announces that Certificate Transparency is now enforced in Firefox, meaning certs lacking SCTs would be untrusted. (This applies to roots in the Firefox root store, so presumably your internal and snakeoil certs are not affected, but I think you want to explicitly verify that.)

https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/OagRKpVirsA

"/bin/sh: the biggest #UNIX security loophole", by James A. Reeds, 1984

https://www.tuhs.org/Archive/Documentation/TechReports/Bell_Labs/ReedsShellHoles.pdf

All the tried and true ways to escalate privileges, including your common shell-out of setuid programs, PATH games, etc. with the conclusion we still see people having to learn repeatedly:

A Visit from St. Root - a #SysAdmin poem

'Twas the night of the moratorium, and all through the cloud
not a pager was beeping: no deploys were allowed.
The packages frozen on the servers with care,
In hopes that an outage would strike nowhere;

Enterprise IT Security tends to lose its shit when their endpoint protection finds #Tor browser on employees' devices.

Unless you do deep packet inspection / middlebox all traffic, I don't see a meaningful risk increase. (If you do, then it seems comparable to e.g., Apple Private Relay + browsers' DoH use.)

Does anybody have a good summary (not written by a VPN vendor) on the actual risk to the enterprise from its use by average users (not attacks on Tor itself, nor running a Tor node)?

I swear, every time I use (a, any) Linux, I have to do a double-take and go "what the fresh fuck is this now". Today it's whatever is going on with /etc/motd on Ubuntu.

Making simple things complicated seems to be the trend there.