Notices by hanno (hanno@mastodon.social)

This is a gruelling summary of all the things wrong with OpenSSL https://www.haproxy.com/blog/state-of-ssl-stacks I've mostly watched this whole thing from the sidelines, but was also affected noting that private key parsing suddenly became 70 times slower. I think they've now improved it to "only" be 10-20 times slower, and there does not seem any effort to work on it any more.

Coding question / mmap:
I'm mmap'ing a file (Python, but I guess mmap should behave the same no matter which language), read-only. Code is constantly reading from the mmap'ed buffer. Another process is writing to the same file. Process reading from the file stops with a Bus error. Is this... to be expected? I find it surprising, to say the least. @dalias maybe you know?

Hey @letsencrypt is your plan for OCSP deprecation really "we will do it in one month, and we provide no way to let you test it whatsoever"? I mean... would it be asking for too much to at least have an HTTPS host configured with such a cert that people can, e.g, use to test monitoring tools? And ideally an optional way to get such certs issued before they become the default?

Dear Internet hivemind, I have a tech problem. I use nextcloud as my calendar. I get a lot of ics files these days, via email, or from web pages where I signup for events. I want to get the ics files into my nextcloud calendar without it being annoying. I think it should be simple to solve, but somehow, it isn't. I don't find any good answers how I might do that. Maybe I'm googling for the wrong terms. 🧵

About that Fortinet thing: there are also some private keys affected. https://blog.hboeck.de/archives/908-Private-Keys-in-the-Fortigate-Leak.html

I hear Fortinet customers are having a lot of fun. Shall I repeat my rant about "cybersecurity" products from last time? If you run a Forti appliance: Will you stop doing so? Will you buy one from one of those other vendors that fucked up in recent years? Is there any situation in which you will admit that these things do more harm than good?

Es sagt ja so viel über den kaputten Stand unserer gesellschaftlichen Diskurse, dass wir gerade eine Diskussion über den Krankenstand haben, aber kein einziger Vorschlag dazu zielt darauf ab, dass Leute weniger krank werden. Ich mein, ist ja nicht so dass man da nix tun könnte. (Luftfilter, Masken, Homeoffice, leichterer Zugang zu Impfungen, ...)

Due to lack of time, there was no Q&A after my #38C3 talk, but in the chat, someone asked an interesting question. I said in the talk that Methanol is the simplest carbon-containing liquid, the person remarked that this would instead be formic acic (de: "Ameisenseure") + asked whether using formic acid instead of methanol would be interesting. The molecular difference between formic acid and methanol is that it contains one oxygen atom instead of 2 hydrogen atoms.🧵

Ach echt, es war gar keine tolle Idee, die Heidekrautbahn mit Wasserstoff (wohlgemerkt aus Erdgas) fahren zu lassen? Hätte uns nur jemand gewarnt! https://www.rbb24.de/wirtschaft/beitrag/2024/12/wasserstoff-engpass-einschraenkungen-regionalbahn-berlin-brandenburg-vbb.html

This is quite something: The BBC reports about health misinformation. One example is... a show on BBC!
I mean, I guess it's good that they critically evaluate their own reporting.

But it gets better: "A spokesperson for the BBC declined to comment."

That's quite arrogant of the BBC to decline to comment when a journalist working for the BBC asks you for a comment

https://www.bbc.com/news/articles/c4gpz163vg2o

I'm seeing lots of spam lately either from domains that have [easytoremembername].com and end up being domains for sale, or, today, a flood of [name of bank].de, which belongs to the bank, but is probably not used by them for email. All without DMARC.
I don't recommend p=reject for actually used domains, but for domains that are *unused for email*, you have no deliverability problem, you want non-deliverability for all mails with that sender.

@TimPhSchaefers then @ubernauten should fix that. Allow customers to set a "no email" option that sets dmarc to reject, SPF to -all, and mx to . (nullmx)

Dear everyone who owns domains that are *not used for e-mail*, particularly ones that are potential targets for phishing (banks, high-profile names): Could you please configure SPF+DMARC, ideally with p=reject? You may wonder: Why should I configure anything email for a host that isn't used for email? Well... it helps others to identify spam sent with your domain as the sender.

@kees @yossarian I'm confused, this tells me [[ is the bash'ism, and [ the posix thing: https://mywiki.wooledge.org/BashFAQ/031

@kees @yossarian uh, good to know. I'm pretty sure at some point I've been told (maybe by some linting tool?) that [[ is preferrable to [.

I had feared that the topic would be too obscure, but #38c3 accepted my talk. So you'll be able to hear me talk about Green Methanol, and why it may be an important technology for a climate-neutral future.

Falls Ihr in Potsdam lebt und Fahrrad fahrt: Die Stadt Potsdam wüsste gern was Ihr zur Radverkehrssituation denkt. https://besserradeln.potsdam.de/potsdam/de/home/beteiligen

If you think that Texas is an example for successful clean energy buildout, please read this https://ketanjoshi.co/2024/08/12/texas-builds-clean-power-but-it-isnt-a-climate-champion/

Their products are flawed not just because they're badly implemented - which they are - but because they are based on a stupid idea. The idea that you improve your IT security by adding more complexity. Doing the opposite is the right approach. But you can't sell that as a product. (You can still sell it, but it's not something you just plug into your network and get security magically.)

Actually, the value of Citrix rose after that: https://www.marketscreener.com/quote/stock/CITRIX-SYSTEMS-INC-4863/ These things have no consequences for these companies, it's a completely broken market. I'm reading news that crowdstrike's value dropped, I have doubts that this will be permanent.