It’s disheartening to see AI reactionism lead my community to a 180° on copyright.
Everyone is merrily attacking LibGen now. If it didn’t exist, big tech companies would still find training data, it just wouldn’t be accessible to regular people.
@whitequark to be fair the clever campaign that everyone seems to be falling for lets you search for your books in the dataset, but still disappointing from people that I would have never imagined calling for the shutdown of TPB or ZLib
Ever wanted to benchmark RSA key generation but found it too slow and variable, like benchmarking a lottery? No? Just me?
Well, I nerd-sniped myself into producing average representative inputs that can be used to benchmark, profile, and compare RSA keygen.
Happy New Year(?)!
https://words.filippo.io/dispatches/rsa-keygen-bench/?source=Mastodon
Reusable vectors and generator at https://c2sp.org/CCTV/keygen.
age v1.2.1 fixes a security vulnerability in the CLI and in the plugin Go package.
An attacker that controls a recipient, identity, or plugin name could cause age to execute arbitrary binaries. On Linux and macOS, the attacker needs some control over $TMPDIR.
Advisory: https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c
Release: https://github.com/FiloSottile/age/releases/tag/v1.2.1
Also fixed in rage: https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w
Thanks to ⬡-49016 for reporting this!
The Go team plans to issue a security fix for the golang.org/x/crypto/ssh package in the golang.org/x/crypto module on Wednesday, December 11th.
I wrote up how my NAS is now just a big initramfs based on Alpine Linux.
It's been pretty great. Immutable, declarative, and very very simple. Just some files, a list of packages, and a short script.
Turns out you don't need overlays, or special DSLs.
@ryanc @matthew_d_green @jawnsy the appropriate person was paged to the courtesy phone
In 2022, I left Google in search of a sustainable approach to open source maintenance. A year later, I was a full-time independent professional open source maintainer.
Today I’m announcing the natural progression of that experiment: Geomys, a small firm of professional maintainers with a portfolio of critical Go projects.
Nicola Murino, the maintainer of x/crypto/ssh, and @dominik, the maintainer of Staticcheck and Gotraceui, are Geomys’ first Associate Maintainers ✨
@GossiTheDog No reason to make it personal. We’ve all introduced bugs, especially over a long open source career. Please don’t.
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().
It's RCE, not auth bypass, and gated/unreplayable.
More details in this thread: https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b
@foone With Bluesky announcing federation today, how is Bluesky Social PBC more in the position to make arbitrary changes than Mastodon gGmbH?
"Technically any hosting provider can do this for any online platform."
Not really? I host my website on Fly.io but they can disappear tomorrow and I will just change my DNS records. (Registry and registrar are strictly regulated.)
Likewise, my newsletter is on Ghost but I can take my subscribers with me unilaterally.
If chinwag.org goes offline though, you can't move your followers. Whether that's intentional or not.
Alas, the Mastodon spam wave found my instance. Anything I can do aside from turning off notifications?
Thanks for the scripts, but I’m on @mastohost and anyway I can’t run a script every time I want to check notifications.
Turned on the @ivory filter (which got two false positives) and turned off push notifications 🤷♂️
Why is the Mastodon default to allow open registration, anyway? It should be a heavily discouraged setting, with moderated signups being the default.
If the moderation team can't keep up with registration requests surely they can't moderate those accounts either.
We've seen this before with open SMTP relays.
IIRC @agl made an online test for it, a page that would only load for vulnerable clients.
That was the inspiration for making the Heartbleed test, which kickstarted my career.
So thank you :)
@ryanc I opened one at a Red Cross training 8am in the morning. Had to explain multiple times 😅
@icing git add -p 🧐
@icing oh it’s probably top 3 things that make git work for me. Lets me do a cursory review of everything I’m committing and encourages well scoped commits. Also works well with git-revise.
There's everything to love in
"X-Wing: The Hybrid KEM You’ve Been Looking For"
https://eprint.iacr.org/2024/039
- concrete choices!
- strong proofs
- easy to implement
- good performance
- "quantum superiority fighter"
\./
/^\
@durumcrustulum can I haz CCTV test vectors? <3
@FiloSottile elsewhere / Cryptogopher / Go crypto maintainer / Professional Open Source maintainer / RC F'13, F2'17 https://mkcert.dev / https://age-encryption.org / https://filippo.io/newsletter🕳️ “Gaze not into the abyss, lest you become recognized as an abyss domain expert, and they expect you keep gazing into the damn thing.” —@nickm