@mischievoustomato This is exactly what I'm talking about — most seem to only worry about sshd, but in fact so much more could be affected. Downgrading to liblzma 5.4.x isn't a panacea — it's just the most obvious quick fix. And of course it doesn't mean that only systemd systems are affected, some lzma shit is in the kernel even — we don't know what could get in there when the project was basically taken over by hostile actors. We have to wait for the results of a proper source audit to feel safe again.
@TURBORETARD9000 To my own shame I can't play it. I'm a bass player if anything — but not a good one either. We've been experimenting with… let's call it "folk sound" at some point and I've been collecting everything I could lay my hands on, including toy flutes, wooden whistles — everything! So a friend of mine gave me this fine instrument and it remains with me to this day. I know its tuning, but that's it. Bass balalaika on the other hand… :marseyhmm: That would be interesting! :marseystars: I think there was something like that in a Gorky Park video. @menherahair@kirby
@0 One day I will become a great security researcher like Andres Freund and will make everyone downgrade a compression library in their system after discovering an unusual lag in my ssh-server :marseyemojismilemouthtighteyes: @menherahair@phnt@kirby@shalien
@menherahair@kirby > How safe do you feel with a chained bear in the room? Being Russian? Of course I feel safe when my bear sleeps at home soundly and not roaming the streets somewhere :marseyemojismilemouthtighteyes: Sure, I do have a balalaika! :marseyrussiadolls:
@menherahair@kirby Agreed! But I've downgraded to 5.2.7 (that quite handily happened to be lying around :marseysmug2: ) in the meantime — someone should still do a proper source code audit I think :marseyshrug:
@menherahair@kirby Yeah, I've seen that one, but the one who reported it explicitly states this in his message: "I am *not* a security researcher, nor a reverse engineer. There's lots of stuff I have not analyzed and most of what I observed is purely from observation rather than exhaustively analyzing the backdoor code" That is why I'm still unsure. That didn't prevent OpenSUS people from referring to him as "Security Researcher Andres Freund" in their post of course :marseylaughpoundfist:
@kirby Of course! Now you have to make them fix their tests so they work with your malicious code :marseyretard2:
This reminds me of a story: a "hacker" on my district's LAN (when those were still a thing) convinced me to make an account for him so he could ssh in and test some things. Probably thinking that he achieved that not by having my trust (we often played Quake together and other such stuff), but by being a cool social engineer, he used that to run a perl script that was listening on some port so he could run stuff on this machine even when I shut the ssh-server down. But I had a habit of removing the default route when I was sleeping/away/not using the LAN for other reasons and making one manually just to our local IRC server so I could still have access to that. He was from the other network segment, so of course his neat little trick didn't work. Later I found out that something was listening on a weird port number, ran through his shell history and found out that it was him who placed it (he didn't even care enough to clean the history up). I confronted him and to my surprise he started explaining to me how to fix it so he could still access my machine, and I was like: "Man, are you insane?" :marseywtf2:
@romin Smartass! :marseysmug2: AFAIR there was a very good reason for me to update llvm12 to 15, but I can't recall what it was :marseyhmmm: @mona@bronze
@romin I agree, but on more obscure architectures it often does make sense — gcc and llvm often introduce critical bugs which get fixed in later releases, but never get backported, e.g. clang from llvm15 was segfaulting randomly on my PPC machine — I tried a few patches, including the one that looked very much like it symptoms-wise — all to no success. But with llvm17 it works perfectly again :marseyshrug: Now Python 3.12.2 segfaults right on being launched — I thought it was some weird endianness problem due to cross compilation, so I've built it natively — and it's just as broken. 3.12.1 works fine — I'm simply out of ideas as to what could've introduced such a bug with a patchlevel update. With marginal architectures it's often weird shit like this :marseysigh: @mona@bronze
And how do you guys stay on old versions for so long while using mainstream architectures? :marseyemojismilemouthtighteyes: Even the PowerPC machine this instance runs on has xz-5.6.0 — and not only do I have to build it myself, mainline Void maintainers no longer even patch software to remain buildable for PowerPC :marseylaugh: Well, I probably have too much free time :marseyshy2:
@newt@beep@hj In my late uni days we had something called miniQ2 — it was, as the name implies, Quake 2 that fit on only four floppies, it had just q2dm1 and all the resources used on that map — even the textures and models not present on it were removed. It was a formidable debloating work!
@kaia@foxhkron I have three! And built-in ones on almost all of my computers, but I don't even remember when I used them last, probably to record some music that I got on BandCamp (yes, I listen to music on CDs). Do they even still sell blanks? Not that I'm worried, I still have about a hundred of both: CDs and DVDs, never had Blurays though, neither drives nor discs.