Notices by q3k :blobcatcoffee: (q3k@social.hackerspace.pl)

I've been trying to avoid just complaining about technology here, but I've just discovered something so bonkers I can't not talk about it.

rust-matrix-sdk/examples/command_bot: 43MiB in release mode, 4m24 to build (excluding fetches)

mautrix/go/example: 16MiB, 1m8 to build (_including_ fetches)

I'm fine with Go having the faster build times here, and with it having a pretty large 16MiB output... but why is the simplest Matrix bot in Rust _forty mebibytes in release mode_ ‽

get anubis'd lmao

(thank you @cadey )

A sincere 'go step on a duplo' to all AI scraper bot authors.

pov: you're hosting a linux mirror on forgejo and you forgot to set a cpu resource limit

@skade

> Also: Helium (a lighter Neon)

motherf-

in the worked office straight up reading the 'ARM ARM (ARM edition)'

and by 'ARM ARM (ARM edition)' haha well let's just say the ARM Architecture Reference Manual, ARMv7-A, ARMv7-R, ARMv7-M edition

Not everything that Newag does is bad.

For instance, I would like to congratulate them on making the shortlist of the European SLAPP Contest 2025!

https://www.the-case.eu/latest/the-european-slapp-contest-2025/

Tomorrow is yet another hearing in the civil lawsuit of Newag IP Management Sp. z o. o. vs. SPS/Dragon Sector. This time we will be testifying.

It's happening at 10:00 at the 22nd Department of Intellectual Property on Czerniakowska 100 in Warszaw.

To those who wish to come observe the hearing (in Polish), you can come do so, refer to case numer XXII GW 493/24.

Belated holiday gift: a paper copy of the NEWAG S.A. vs. SPS/DS lawsuit in Gdańsk. 🥰

(The lawsuit was filed in September - that's the one we first heard about from social media before we even got any copy of it ourselves.)

@multisn8 @mrtick @redford Thank you! This means a lot. Having public support is what's keeping us sane :).

Już jutro kolejna rozprawa Newag IP Management Sp. z o. o. przeciw SPS/Dragon Sector. Tym razem będziemy przesłuchiwani informacyjnie.

Odbędzie się o 10:00 w XXII Wydziale Własności Intelektualnej na ul. Czerniakowskiej 100 w Warszawie.

Zainteresowanych ponownie zapraszamy do obserwowania na miejscu w ramach publiczności, sygnatura na którą możecie się powołać to XXII GW 493/24.

bring back userbars IMO

By using this Mastodon server instance (henceforth referred to as “Warsaw Hackerspace Social Club”) you agree to abide to the following Terms of Service:

1. The primary upstream fiber is bent. No, we will not replace it. It brings us luck. Deal with it.

More iPod Nano 7G discoveries!

gsch discovered that if you boot diags from WTF (instead of from bootloader), you actually get a serial console... with full memory read/write.

Turns out this works because WTF ships with an EFI UART/Serial driver, but the bootloader doesn't. So if you run diags from WTF, you get that very nice serial console. And since both WTF and the bootloader are signed, you can just send them over DFU.

Who need exploits when you have built-in functionality? :)

Thanks to __gsch's S5Late exploit, the wInd3x tool can now boot RetailOS with signature checks disabled.

Which means you can now do 1337 h4xx0r sh1t like edit strings and whatnot. Or, you know, come help us port U-Boot and Linux :).

https://github.com/freemyipod/wInd3x/?tab=readme-ov-file#cfw

If you've been at the #38c3 Onion Cluster assembly, or we've otherwise met in person around congress, get tested for Covid-19 ASAP.

There has been at least two positive antigen test results, one from me, one from someone else at the assembly cluster.

You have free access to GitHub Copilot

We are very grateful and honoured to now also be supported by the Chaos Computer Club.

Incidentally, our talk about the legal repercussions of disclosing the Impuls train DRM system is in less than 4 hours. There might not be many new technical things to talk about, but I'm sure at least some of you will find our story interesting. Especially as we haven't done much of an update in English since last year.

Watch the talk on https://media.ccc.de/ at 23:00 CET.

“The Chaos Computer Club supports the three hackers who explained in detail at 37C3 how the Polish rail vehicle manufacturer Newag had manipulated its trains in such a way that they could only be repaired in the company's own workshops. The manufacturer reacted to the publications with an attitude not seen since the 90s and sued the hackers under both criminal and civil law.

The CCC is calling for donations to cover the legal and other resulting costs incurred so far.”

https://www.ccc.de/en/updates/2024/das-ist-vollig-entgleist

I don't know if this is CVE-2024-41585, but this is how I've been getting code exec on my DrayTek Vigor 167 for custom firmware [1] research:

https://gist.github.com/q3k/46f75dd78b653369640efaa2295f7ecd

I wouldn't say post-auth code execution on a device you own is a security vulnerability (good network hardware vendors just ship this as a feature), so I never bothered publishing this before.

This is so trivial I'm sure dozens of other people have been using this, too.

[1] - https://github.com/q3k/vraytekdigor .