CoSin 2024 live streams:
👉 streaming.media.ccc.de/cosin20…
Live-Streams – Chaos Singularity 2024 Streaming
Die Chaos Singularity ist eine Mischung aus technisch-gesellschaftlichem Kongress, kreativem Beisammensein und Hacker-Familientreffen.streaming.media.ccc.de
reshared this
#BerndFix an der #CoSin2024 mit #WikiLeaks-Vortrag - zu #FreeAssange und (jetzt) #AssangeFree.
Es wird eine Gesamtübersicht seit den ersten Kontakten mit #JulianAssange 2008 (am CCC-Kongress) angekündigt; Bernd rekapituliert die Geschichte seither.
Punkto Spendeneinnahmen ist gleich einmal interessant:
Nach der Publikation der US-Depeschen nahm das Spendenaufkommen via #PayPal massiv zu: ca. EUR 100k / d wurden eingenommen - bis zum Punkt, wo PayPal das Konto der Stiftung @wauland sperrte.
elrido reshared this.
Group picture from the first day.
Took a lot of notes, my highlights so far were:
- Massimilianos' RP2040-based, Rust-driven robot racer
- options to improve handling of bitfields in packed structs
- typestate pattern for use in state machines, think objects that mutate into different types as the states progress, so only methods relevant to the current state are available and enforced at compile time, ex. rustls::ConfigBuilder
- Milica shared her teams' experience switching from C++ to Rust
- Simon Brummers' text-2-morse-code character device driver, an excellent example project to get started with Rust-based Linux-kernel-module development
Did go see Furiosa tonight, can highly recommend, if you enjoy George Miller's Mad Max series. I'd call this the Rogue One of the series. 🤩
It fills a lot of gaps and backstory of Immortan Joe and the citadel and the other wasteland towns and of course, Furiosa. It ends just before Fury Road hits off and even has short scenes from Fury Road as reminders of how that story went during the end credits. It would be perfect to watch the two back to back as a double feature.
Arguably, Max does briefly show up in this one, but it is only a vague reference via the iconic car and a brief shot of a man standing next to it with his back towards the audience. Bit like in the early Fury Road trailer.
Edit: Removed the CW reg. mild spoilers. Doesn't seem to translate properly to Mastodon, messed up the order of the content and didn't hide anything. Sorry.
With more people considering #Linux after the latest #Microsoft #Windows news, here is my advice:
- Before looking at Linux at all, determine what proprietary software you're using in your workflows (MS Office and Adobe stuff being big ones) and try FOSS alternatives on Windows. (LibreOffice, OnlyOffice, Krita, GIMP, Inkscape, kdenlive, etc.) This will very much ease any future transition away from Windows. (1/7)
reshared this
Congratulations @Natanael Copa on the release of Alpine Linux 3.20!
I know how much of an effort this one turned out to be and can not thank you enough for all of your efforts to get this one over the line and into our hands.
Natanael Copa likes this.
reshared this
MadMike77 likes this.
Note on all the #xz drama, there are some technical solutions for such #supplychainattack that can make such an attack way harder, at least to hide the code in tarballs etc.
slsa.dev/ e.g. is a solution. Combined with reproducible builds, it ensures that a software artifact is built exactly from the source given in a source repository, with the possibility to prove that and no way for any maintainer to tamper with (in the highest level).
#slsa #infosec #security #linux #backdoor
Supply-chain Levels for Software Artifacts
SLSA is a security framework. It is a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.SLSA
elrido reshared this.
Furthermore produced software artifacts proofs are written into a database similar to #certificateTransparency.
We have recently implemented this in #PrivateBin and it works great: github.com/PrivateBin/PrivateB…
Of course practically, people (especially software consumers) needed to verify it, to be worth the work.
Obviously, it's no magic bullet. It just raises the burden for an attacker. Obviously, the source code repo could be made to contain bad code, but you cannot anymore tamper at built-time.
Getting SLSA ("Supply-chain Levels for Software Artifacts") compliance · Issue #1169 · PrivateBin/PrivateBin
The problem Any software can introduce vulnerabilities into a supply chain. As a system gets more complex, it’s critical to already have checks and best practices in place to guarantee artifact int...GitHub
The way this works, is, essentially, quite easy: the whole build process is documented in the same repository, builds are automated via CI/CD and all that is, to reach best support, done in an environment that prevents tampering and (crucially) is *out of your control*.
Then you get #SLSA v3: slsa.dev/get-started#slsa-3 (quite easy with GitHub Actions)
Get started
If you’re looking to jump straight in and try SLSA, here’s a quick start guide for the steps to take to reach the different SLSA levels.SLSA
Now, you say, you have to trust GitHub? Sure, you do, to achieve this. But threat models: What is more likely compromised: a maintainer/account in your project, or the whole GitHub build infra?
Personally, I was also not quite convinced, given you loose "control" over your build and GitHub could theoretically now inject #malware.
However, as the project itself states, this is not a big deal, if you combine it with the older security feature aka #reproduciblebuilds.
To explain, we have #SLSA signatures that verify the build was done automatically by #GitHub as instructed, *and* we have traditional #gpg signatures with private keys only known to maintainer(s) that verify a maintainer actually triggered the built and locally reproduced it…
Given they both validate, you automatically achieve reproducible builds _and_ #SLSA validity.
One caveat: This was only easy, because our build process is essentially one command (git archive).
github.com/PrivateBin/PrivateB…
PrivateBin/doc/Release.md at master · PrivateBin/PrivateBin
A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES. - PrivateBin/PrivateBinGitHub
Wow, je mehr ich über die ganze #xz Saga lese, desto beeindruckter bin ich, was für ein unglaublicher Zufall es war, dass das so schnell gefunden wurde 😳
boehs.org/node/everything-i-kn… ist ein lesenswerter Überblick.
bugs.debian.org/cgi-bin/bugrep… gibt einen guten Eindruck, wie vor 5-6 Tagen angefangen wurde, Druck aufzubauen, die kompromittierte Version in Debian hochzuladen. Und wie viel Energie da rein gesteckt wurde.
Everything I know about the XZ backdoor
Please note: This is being updated in real time. The intent is to make sense of lots of simultaneous discoveriesboehs.org
like this
like this
reshared this
A classic bug for a leap day: At work, colleagues discovered and fixed a bug in a lesser used tool that only occurs on February 29th. It did trip up the tests, so no one got to merge until it got identified and resolved.
The source file in question hadn't been touched in over 4 years. Last leap year, the 29th was on a Saturday, so likely no one noticed.
What was annoying is that the logic had been clearly written with the intent of handling leap years. A leap year check condition was present, validated only on a February > 28th, but had to get inverted.
You may wonder why we wouldn't have used the languages' standard library date functions to validate the date - unfortunately the language in question doesn't have such a sophisticated standard library (language omitted to protect the innocent).
Niklaus Wirth, the inventor of the Pascal programming language, author of "Algorithms + Data Structures = Programs", and more, passed away on January 1.
Wirth's law, named after him, is an adage which states that software gets slower more rapidly than hardware gets faster.
reshared this
Best #37C3 quote so far:
[...] to observe the international compressor holiday [...]
Context: Newag's train "DRM"
like this
Congratulations to Sergio Benitez on releasing rocket.rs 0.5.0! Thank you for this great framework. 👏
I got to follow rocket's journey to async and stable #rust with the PrivateBin directory service. Coming from Python flask apps, it is really easy to pick up and get going with your webservice, offering static & templated content, easy to create web forms and JSON APIs.
Thanks to rust's strict type system I could focus on the logic and didn't have to waste time double checking and casting data received by clients. If my API accepts an integer in a certain parameter, Rocket will ensure I only receive valid requests in my logic.
Bill Barnhill / GhostBear likes this.
reshared this
I'm so so excited to announce #rust hyper v1.0 🚀
seanmonstar.com/blog/hyper-v1/
hyper v1
I’m excited to announce v1.0 of hyper, a protective and efficient HTTP library written in the Rust programming language. hyper provides asynchronous HTTP/1 a...seanmonstar
reshared this
I like CSS-animations, clocks and dials for making metrics easier to digest (we are quicker at detecting angular changes than reading and parsing digits). So I'm in awe with this creative use of a watch-dial to visualize a 32-bit hexadecimal number:
The letters below were discovered in September 1993 in a reverse time-capsule apparently sent from 2023.
The first of those emails dates from this morning. Note the author of the RFC and the publication date.
GitHub - Nessex/yaml2json-rs: Command line utility (+libraries) to convert YAML to JSON.
Command line utility (+libraries) to convert YAML to JSON. - GitHub - Nessex/yaml2json-rs: Command line utility (+libraries) to convert YAML to JSON.GitHub
Schade das zu erfahren und vielen Dank an Herrn Dornier für die jahrzehnte-lange gute Betreuung und die ausgezeichneten Produkte!
Habe beruflich und privat seit Ende der 2000er Jahre immer wieder auf PC Engines für m0n0wall- und später OPNsense-basierte Router gesetzt. Diese Nachricht wurde über eine apu4d4 ins Internet geschickt und von einem Server hinter einer apu2e4 gehostet.
#TIL:
prompt injection, which is a form of cyberattack that exploits [an AI's] natural language processing abilities.
Bing: “I will not harm you unless you harm me first”
Last week, Microsoft announced the new AI-powered Bing: a search interface that incorporates a language model powered chatbot that can run searches for you and summarize the results, plus do …simonwillison.net
Winterkongress der Digitalen Gesellschaft
Während zwei Tagen werden Themen rund um Informationstechnologie, Digitalisierung und deren Auswirkungen auf unsere Gesellschaft in verschiedenen Vorträgen und Workshops behandelt.
elrido reshared this.
Release v1.5.1 - Filesystem purge lookup change & administration script - PrivateBin
This release reverts a filesystem purge lookup change and adds a script for administrative tasks.privatebin.info
2022 update to this quantum computing progress chart: sam-jaques.appspot.com/quantum…
tl;dr Commendable progress, but we're still a long long way from factoring.
While python 3 now has decent native support for HTTP(S) with it's urllib module (which does cover 99+% of my use cases), PyCurl supports "FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos4), file transfer resume, http proxy tunneling and more!" -- pycurl.io/
So it can solves those edge cases. It may also be useful if you hit performance or memory usage issues in your python based search spider or similar massively parallel connection applications.
PrivateBin 1.5.0 released - Adding S3 Storage backend, storage migration script & 4 new translations
privatebin.info/news/v1.5.0-re…
Error | OPNsense
This minor release adds support for Simple Storage Service (S3), a storage migration script, adds four new languages to the translations and includes updated libraries.privatebin.info
Error | OPNsense
This release improves the safety of the SVG attachment preview, adds Google Cloud Storage and Oracle database support, and new translations.privatebin.info
My team at LzLabs GmbH in Wallisellen, Switzerland, is looking for a 4th DevOps Engineer. You'd be working primarily with a CloudBees (Jenkins) cluster of around 90 blades for build & testing, for several software stacks that targets RHEL, but hopefully soon™ also other platforms. And of course there are also a lot of build and deployment related projects to be spice things up on the side, like maintaining and developing a test statistics database, code coverage reporting, change log and other automation projects, all in a mostly ansible-ized environment. The companies main language is English, living in or moving to the vicinity of Zürich would certainly be advantageous.
#followerpower #Stellenangebote #jobs #jeRecrute
DevOps Engineer
As one of our DevOps engineers you will join a team who lead the way for our CI/CD environment. The ideal engineer will bring experience, best practices, and a collaborative attitude to help drive Linux based CI/CD initiatives.lzlabs.peoplehr.net
Yeah, das Friendica Update war wieder einmal ein voller Erfolg! Ich freue mich immer darauf nach dem Update die Netzwerkstatistiken zu durchstöbern und zu sehen wie das Fediverse wächst und gedeiht. Aktuell sehe ich da bei mir:
Momentan kennt dieser Knoten 2065 Knoten mit insgesamt 1238363700 registrierten Nutzern, die die folgenden Plattformen verwenden:
- Friendica (234/14306)
- BirdsiteLIVE (3/9295)
- Diaspora (104/745029)
- [...]
- Lemmy (4/15876)
- Mastodon (1195/2801105)
- Misskey (33/1234575069)
[...]
Hm, die Misskey stats bedürfen wohl noch etwas der Interpretation... 🤔
- rachelbythebay.com/w/2022/01/2…
- 3drealms.com/news/3d-realms-we…
Hernâni Marques
in reply to Hernâni Marques • • •Es kam in der Folge zum Entzug der #Steuerbefreiung von @wauland - die Gründe waren fadenscheinig:
Man warf dem Stiftungsrat vor, sich persönlich zu bereichern, was Unsinn ist und später auch fallen gelassen wurden. Stattdessen wurde der Stiftung auferlegt, genauer zu beschreiben, wofür die Mittel - bei #WikiLeaks - eingesetzt werden.
Das hatte zur Folge, dass der Stiftunsrat (i. d. R. Bernd oder Andy Müller-Maguhn) +/- mtl. nach London musste, um mit Julian Aktivitäten zu besprechen.
Hernâni Marques
in reply to Hernâni Marques • • •Hernâni Marques
in reply to Hernâni Marques • • •Hernâni Marques
in reply to Hernâni Marques • • •Beim Besuch der Botschaft ferner zu beachten: die spanische Firma #UCGlobal war von der ecuadorischen Regierung beauftragt, für die Sicherheit (gerne hier: #Totalüberwachung) der Besuche / Besucher zu sorgen.
Wie später nämlich publik wurde, sind auch Geräte geöffnet und verwanzt, Daten abgesaugt worden usw.
Dies ist auch Gegenstand eines laufenden juristischen Verfahrens.
Hernâni Marques
in reply to Hernâni Marques • • •Mit dem #Machtwechsel in #Ecuador von Correa zu Moreno wurde der Druck auf den nunmehr "unerwünschten Gast" #JulianAssange erhöht. Im Zuge dessen wurde ihm der via Correa in der Amtszeit zuvor ausgestellte ecuadorianische Pass entzogen und organisiert sowie medial inszeniert, dass er aus der Botschaft rausgeworfen wurde - in die Hände der britischen Polizei, so dass er schliesslich nach #Belmarsh (besser: #Hellmarsh) kam.
#ChaosSingularity #CoSin #CoSin2024 #FreeAssange #AssangeFree #WikiLeaks
Hernâni Marques
in reply to Hernâni Marques • • •Hernâni Marques
in reply to Hernâni Marques • • •Zum Finanziellen des Ganzen - von #FreeAssange zu #AssangeFree:
Für die Anwälte wurden für zehn Teams in acht Ländern EUR 12 Mio. ausgegeben.
Das Geld für die immensen juristischen Ausgaben kam von der "Einkaufsgesellschaft" #AssangeDAO, die ein #NFT vom Künstler pak gekauft hat.
pak hat in dem Rahmen 16'593 #ETH (#Ethereum) eingenommen, was (damals) umgerechnet ca. EUR 52 Mio. waren. Das Geld hat er im Februar 2022 an die #WHS-Stiftung gegeben, wo Kryptowährungen auf einem Hoch waren.
Hernâni Marques
in reply to Hernâni Marques • • •Total hat die #WHS ca. 11'000 #ETH getauscht - immer nach Bedarf. In Fiat-Währung umgerechnet waren das über die rund zwei Jahre tatsächlich ca. EUR 17 Mio., weil der #Ethereum-Kurs in den diesen Jahren auch (länger) weiter unten war.
Dies bedeutet folglich, dass noch ca. 5'000 #ETH da sind, wo jetzt geschaut werden muss, was damit zu machen ist; gegeben die Tatsache, dass der Spenderwille (vom Künstler pak) im Wesentlichen erfüllt ist.
Hernâni Marques
in reply to Hernâni Marques • • •Ich stelle die Frage, was mit Leuten wie #OlaBini und anderen vom #WikiLeaks-Umfeld ist.
Dazu sagt Bernd, dass nicht ausgeschlossen werden kann, dass die US-Regierung gegen das (erweiterte) Umfeld von WikiLeaks noch einmal eine Keule auspackt. Es müsse dann geschaut werden, wie vorgehen.
Das #NFT-Geld kann dafür zumal nicht genutzt werden, weil das nicht dem expliziten pak-Wunsch entspräche. Juristisch betrachtet sei dies klar an ihm gebunden.
Hernâni Marques
in reply to Hernâni Marques • • •Hernâni Marques
in reply to Hernâni Marques • • •... d. h.: die EUR 7'500 wurden nicht überwiesen, weder an Anwälte noch sonst irgendwohin. Das wurde dem Finanzamt auch mitgeilt. Nach viermonatiger "Arbyte" hat das Finanzamt vor zwei Tagen festgestellt, dass es wieder wilde Theorien über den Korruptionsgrad der Stiftungsräte aufgestellt hat; entsprechend ist die #Steuerbefreiung von @wauland wieder hergestellt. - just vor zwei Tagen, also am 27.6.2024! 🍾 ✊
(Da hat sicher das jüngste mediale Licht #FreeAssange -> #AssangeFree geholfen. 😉)
Christian Pietsch 🍑
in reply to Hernâni Marques • • •Hernâni Marques
in reply to Christian Pietsch 🍑 • • •Hernâni Marques
in reply to Hernâni Marques • • •