Notices by Ignas Kiela (ignaloidas@not.acu.lt)

@mei@donotsta.re FIY, it's probably the garbage collector doing that, it periodically tries to check for cycles, which with big structures can suck massively

I'd recommend trying to temporarily disable the GC, can work wonders sometimes (some of my programs went from unusable to quite fast just by disabling gc in the busy part and then enabling it after)

@p@fsebugoutzone.org what they were seeing were a bunch of residential IP's doing that shit, with each IP only sending a single request and stuff. Hard stuff to block

@p@fsebugoutzone.org they had a bunch of problems with dumb llm scrapers https://status.sr.ht/issues/2025-03-17-git.sr.ht-llms/

Reportedly, they scraped every single git blame, for some fucking reason.

@wolf480pl@mstdn.io @lynne@pars.ee this very much feels like a length extension attack though, no?

You have some predefined bit at the start that you can't control, and then you're trying to get to some other state with what you control.

@wolf480pl@mstdn.io @lynne@pars.ee still safe for SHA3, AFAIK

@wolf480pl@mstdn.io @lynne@pars.ee It's got to do with the sponge construction as far I'm aware, because there's hidden state and how it's updated depends both on the inputs and the state.

Though probably you'd want to use some kind of KDF for this anyways, SHA3 has a KDF mode that's faster than just using in HKDF

@wolf480pl@mstdn.io @lynne@pars.ee yes, SHA3 is not vulnerable to length extension attacks or similar stuff

@chjara@akko.wtf @lanodan@queer.hacktivis.me all feature phones since ~2019 or so had 4G last I looked

@lanodan@queer.hacktivis.me @wolf480pl@mstdn.io @domi@donotsta.re I think now the defaults do have the random delay step, but people do change it for no reason and then have angry mirror sysadmins block their IP ranges

@sun@shitposter.world I'd say the problem is that a lot of his other metrics have been built on top of that one metric, and it will eventually bring the other ones down together with it

@lanodan@queer.hacktivis.me @wolf480pl@mstdn.io @domi@donotsta.re the problem comes up when you have a bunch of servers/VMs that all are automatically brought up / created from the same base image, and nobody bothers to change that.

The proper solution is to: have a random delay step before actually running the update and if needed, have your own mirror.

@lanodan@queer.hacktivis.me @wolf480pl@mstdn.io @domi@donotsta.re yeah, I would happily do torrents too for the packages sitting in my machine cache, while setting up a full mirror is a big commitment

@lanodan@queer.hacktivis.me @wolf480pl@mstdn.io @domi@donotsta.re also, while it wouldn't fully eliminate the problem, but it would certainly help the "all of the servers start their auto-updates at exactly midnight and overwhelm some mirror" issues, as they could share parts between them.

@lanodan@queer.hacktivis.me @wolf480pl@mstdn.io @domi@donotsta.re package mirrors is essentially like torrents but without the sharing stuff part

@domi@donotsta.re @wolf480pl@mstdn.io I usually don't like the "if it's not FOSS it's trash" argument, but I think it's fair to argue that TLS updates breaking compat with older devices is mostly a problem of said older devices being proprietary-only, with no (good) way to update the software beyond what the manufacturer supports. There is no technical reason why 3DS couldn't support newer TLS versions, it's just because the vendor abandoned the otherwise very usable device and left no way to update it. Plenty of otherwise ancient machines, some older than 3DS, can and do surf the web without TLS problems, because they could just be updated to support the updates in security, which to me shows that it's more of a problem in the vendor of the device, rather than the TLS protocol.

@sun@shitposter.world @feld@friedcheese.us @lain@lain.com at least from the more military side (e.g. DARPA), there was a worry that businesses would not invest enough into fundamental research because the payoff period is far, far too long for most business people (20+ years from fundamental research to any kind of use is not uncommon, the risks are quite high, and it's usually useless to the guys who made it in the first place)

@sun@shitposter.world did he really?

@piggo@piggo.space @pony@blovice.bahnhof.cz why not just butter at that point

never understood avocados, it's just a "fake healthy" shit butter

@sun@shitposter.world they dug themselves into a corner by elon repeatedly saying that every tesla could do full self driving (as in, SAE Level 5) when they had cars with only cameras

and then for the models where they had lidars they no longer add them because of cost

so they either admit that not every tesla could do real FSD and open themselves to a class action lawsuit, or they continue taking this position untill they either figure something out or crash and burn to the ground

@sun@shitposter.world I see it more as a demonstration on why tesla's stance is so dumb, rather than a demonstration of an actual real life problem. Elon has been spouting shit about how cameras will be enough, and there's quite good evidence on how they aren't.