Notices by hanno (hanno@mastodon.social), page 2

In Brandenburg ist morgen auch Kommunalwahl, also auch in Potsdam, und das ist vielleicht ein guter Zeitpunkt darauf hinzuweisen, dass der Gastgeber des rechtsextremen "Remigrationstreffens" immer noch im Vorstand der CDU Potsdam ist.

Today, 16 years ago, Debian published a security advisory announcing CVE-2008-0166, a severe bug in their OpenSSL package that effectively broke the random number generator and limited the key space to a few ten thousand keys. The vulnerability affected Debian+Ubuntu between 2006 and 2008. In 2007, an email signature system called DKIM was introduced. Is it possible that people configured DKIM in 2007, never changed their key, and are still vulnerable to CVE-2008-0166? https://16years.secvuln.info/

In case anyone from @1password is reading this, you may want to get in touch with me. I have reported a security vulnerability via their bugbounty program, and bugcrowd's staff thinks it's "not applicable", in my view clearly misinterpreting the program's rules. I am pretty sure it's something they want to address. I may consider other means of disclosure if this is "not applicable" for their bugbounty program..

@darnell @deanbetz I did some experiments with ad spending (low amounts) to push some of my articles. Facebook always rejected them as political, even though they were usually very technical, but climate-related.

I have a story to tell that is relevant to the xz-utils thing that just happened. I'll probably write this up properly later, but I'm in pre-vacation mode so it may take a while . We have a problem with the way we develop and then distribute FOSS software, and both stories show that. A while ago I looked at the testcases of a widely used library implementing a widely used data format. There was one file that was... strange. 🧵

I wanted to disclose this eventually, but then a new version of that library came out and fixed the bug. And plenty of others, and well, people crash parsers for data formats from hell all the time. And I had some concerns that it would sound like I wanted to ridicule the dev, which wasn't my intention at all. But I already thought there's a deeper story here than someone accidentally leaking a PoC for an unfixed vuln. Why can this even happen?

I contacted the responsible project, but I never got an answer and never really got to the bottom of this. But here's what I think happened: This was a proof of concept file for a yet unfixed and undisclosed vulnerability. It appears the developer already had a testcase for that bug in his local copy of the source tree. And then created the tarball from that source tree. And by doing that leaked a PoC for a zeroday. FWIW, it was "only" a DoS bug. But still.

That file was named similar to the other testcases, but it was not used in any test. And if you fed that file into anything using that library, it would either crash or cause enormous CPU spikes. And most interestingly: This file was nowhere to be found in the project's git repository. It was *only* in the tarball.

This creates a situation where even when the "many eyes" principle works, i.e. people are actually looking at the code, and at code changes and commits, you still have a path to a compromised package. Because noone checks how this git repo turns into a tarball. Because noone can, as nothing is standardized or reproducible. I can tell noone does for one of the most important libraries to parse one of the most important data formats, because of the story I just told you.

Pretty much everyone develops code using Git these days, or some other SCM (some don't, there's this mail server, but I disgress). But people distribute code in tarballs. How does a Git repo become a tarball? The answer may disturb you. It's basically "every dev has some process, maybe some script, maybe some commands they remember". Nothing is reproducible, nothing is verifiable.

Given that I see calls for better support for those random opensource devs that happen to maintain some of the most important pieces of software on the planet: a good friend of mine is maintaining expat - possibly the most important+popular xml library out there - and he has a message in his latest changelog that you may want to read: https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes

Es ist offensichtlich nicht zu wenig Geld für Klimaschutz da solange man es sich leisten kann für solch offensichtlichen Unsinn Geld auszugeben... https://www.elektroauto-news.net/news/goerlitz-erste-wasserstoff-strassenbahn

Hmja, dann jetzt auch Covid-positiv. Datenpunkt: Wir sind hier grad 2 Leute positiv im Nasentest, negativ im Rachen/Lollitest... gibt es da erkenntnisse zur aktuelle zuverlässigkeit von lollitests? Funktionieren die bei aktuellen varianten schlechter?

Mastodon never tried to prevent me from posting links to twitter...

Iceland's regulator argues what is happening here is "Double Claiming", not "Double Counting", and that's allowed by their interpretation of the rules. AIB seems to accept that. This severely questions the usefulness and legitimacy of green electricity certificates and pretty much all green electricity tariffs in Europe. All details in my latest article: https://industrydecarbonization.com/news/the-trouble-with-european-green-electricity-certificates.html?source=mn #renewableenergy #greenelectricity

It looked like a major case of fraud. Later, I learned that very similar things were happening in Norway. After trying to understand what was happening and finally confirming this, the stories I published had some fallout: The Association of Issuing Bodies temporarily banned exports of these GOs from Iceland. But that didn't last long. This story now appears to have come to an end, with AIB accepting the Icelandic practice and with no plans to even investigate Norway.

During a press trip to Iceland last year, I noticed something that looked very strange: Within the country, practically every large electricity consumer would claim that they use renewable energy. Of course: Iceland's grid is entirely powered by hydropower and geothermal energy. But at the same time, green electricity from Iceland is sold in EU countries through certificates called "Guarantees of Origin". It appeared that the same green electricity was sold twice. 🧵

Bei vielen E-Fuels-Projekten muss man nur mal 3 kritische Fragen stellen und plötzlich wirkt das alles sehr komisch, aber irgendwie macht das kaum jemand... Ich glaube ich könnte auch fulltime-efuels-debunker werden, aber ich seh mich da garnicht so sehr in der rolle und mach das eher weil macht ja sonst keiner...

Fragen die man zu konkreten E-Fuels-Projekten stellen sollte: 1. Sind es wirklich e-fuels oder vielleicht eher Biosprit? Oder was ganz anderes? 2. Wo kommt das CO2 her? 3. Wo kommt der Wasserstoff her? 4. Von welchen Mengen reden wir?

weil ihr das alles gerade so fleißig liked und retootet sollte ich natürlich auf meine bisherigen recherchen zum thema hinweisen, etwa hier https://www.golem.de/news/treibstoffe-die-suche-nach-dem-e-fuels-phantom-2303-172725.html (Golem, deutsch) oder hier https://industrydecarbonization.com/news/hype-and-e-fuels-the-haru-oni-pilot-plant.html (Englisch, zu Haru Oni) #efuels