Threads for djhworld

  1. 4

    This is a great post, I used a train today so used the web tool the author wrote to scan my ticket and it worked.

    Would be interested to learn more about the bar code too, I always assumed it was a QR code so learning about Aztec codes has been fun

    1. 35

      And what, exactly, is so wrong about MitM yourself, on your own network? Have we been so gaslit by “security specialists” that doing so on our own equipment is considered unthinkable? Or am I just an old man yelling at clouds?

      1. 11

        There’s lots of research on the prevalence of people screwing up TLS interception like this (I recently looked for some so my team at work would have ammunition for refusing to do so on work laptops, which we manage).

        That being said there’s a lot going for this approach:

        1. Go’s TLS library is probably pretty reasonable and is likely to prevent a lot of common footguns here - not passing on certificate validation failures from the upstream origin, etc.
        2. You’re only doing it for one website, t.co, instead of generic TLS connections which significantly reduces attack surface (and complexity!).
        3. You’re not doing this at scale/you’re probably not a target. Yeah someone could do Bad Things™ with your root CA certificate if they got onto your network, but on a typical home network you’ve got bigger problems then. So meh?

        🤷 seems PROBABLY okayish even though it makes me sweat a little! Not that I am an expert.

        1. 3

          On point #3, the Name Constraints Extension appears to be a good mitigation toward someone hijacking the root CA.

          http://pkiglobe.org/name_constraints.html and https://www.sysadmins.lv/blog-en/x509-name-constraints-certificate-extension-all-you-should-know.aspx have interesting notes on how these constraints get applied to entity certificates by clients.

          Unfortunately it seems some browsers only apply name constraints to intermediate CAs (https://bugs.chromium.org/p/chromium/issues/detail?id=1072083), so even this might not be a silver bullet.

          Admittedly, if you’re only hijacking one hostname, you might as well self-sign an entity certificate for the target hostname and directly add it to your trust stores (without creating a self-signed CA).

          1. 2

            Relatedly, I wish there was a way to add a CA to your trust base BUT only for certain specific domains and subdomains.

            1. 1

              There’s a standard that exists for that. I was party to implementations of that, but I don’t think it got much traction on the internet at large. The easiest mainstream way is to certify it using a root that you control and add name constraints, but for that to be secure (in a general way) you need to own both CAs.

              1. 1

                I didn’t know CA name constraints are a thing. Thank you.

          2. 9

            Hehe, I guess I was just preparing for the deluge of disapprovals so spent a good while explaining myself!

            1. 3

              Agree. This is not a terrible solution and I don’t see why it wouldn’t be recommended. This is a great hack and I love it.

              1. 4

                Not to say this is a bad solution, but what happens when your friends come over and ask to use your wifi? Presumably they haven’t installed your CA’s root cert. (Ignore for a moment the fact that obviously any TRUE friend would install their friend’s root cert.)

                Anyway the benefits outweigh the downsides, but it’s something to think about.

                A much better solution is to abolish t.co altogether, which is now a lot closer to happening than I would have dared to hope six months ago! I haven’t followed a t.co link in months, and with any luck never will again, but I understand others might not be so fortunate at this time.

                1. 3

                  I operate an open wifi for friends to use, but that’s a fair point

                  1. 1

                    So you would only do this interception on the private WiFi then?

                  2. 2

                    This is a fair point.

                    For my situation I actually don’t have Adguard as the DNS resolver on my router, mainly because I’ve never been able to get it to work, so I just update the DNS manually on devices instead - so friends and family won’t be affected (but they wouldn’t be able to use this tool) unless they specifically set the DNS resolver on their phones.

                    It’s a fair point though, I guess creating an isolated VLAN/guest network for guests would be another way around this.

                    1. 1

                      Another valid reply is that t.co is inherently sketchy as hell, and getting a warning when you’re accessing it isn’t necessarily a bad thing. (But it would be better if the warning were clearer about the specific problem.)

              1. 5

                I’m shocked that the example t.co link took 9 hops to get to nytimes.com. That must make for a horrible user experience, introducing ~1 second of lag just to resolve the URL. I also find it unnerving that it redirects to an intermediate website “trib.al”, which a user would likely never see when clicking on the link directly. The only articles on the surface web that I could find describing Tribal Analytics are vapid and shallow, which only serves to make me want to avoid them more.

                I commend the author for writing some software that at least allows the user to take back some control from these link shortening services, even though it was done with some… questionable security practices.

                1. 4

                  For most of the nytimes links I saw 3 levels of nesting, t.co -> nytim.es -> trib.al

                  However there were a few 6 level deep ones and the 9 level deep posted in the blog.

                  I suspect it’s probably people pasting short links that link to other short links in the software that posts out tweets etc, probably not realising the effect it causes.

                  Would be fun to see if there are longer chains out there!

                  1. 3

                    I’ve noticed this while browsing twitter a lot. t.co links are unbearably slow. Not only are they collecting data about users, they’re substantially degrading the simple act of clicking a link.

                  1. 3

                    With the “real” link URL now available it’s often polluted with various query parameters used for tracking or affiliate descriptors, so the service also strips these out and presents a “cleaned” version of the link alongside the original

                    I started to write a comment to ask how this works—are you stripping all query params, or is there a block list, or an allow list?—when I realized that the code is just on GitHub. It looks like there is a block list for parameter names, and another block list for parameter name prefixes (e.g., “strip any parameter whose name starts with utm_”). Neat!

                    1. 1

                      Yeah, I put all those in after experimenting around a bit. There are browser extensions that do similar and probably have a more comprehensive “block/allow” list, I just threw these together based on what I saw.

                    1. 2

                      I bought a house so most of my weekend is really just internet shopping for new things, I’ve bought a new kettle, toaster, microwave, refuse bin and other bits and pieces so far. Next stop…furniture (this is my first proper house, I’ve always lived in rentals….)

                      Would love to do some programming but feel kinda burnt out on it at the moment, got no side projects on the go. Work keeps me busy but I often enjoy doing non-work related projects for fun, but this spark hasn’t been lit for a while, which bums me out a bit.

                      1. 3

                        Might be a bit against the grain of this thread, but does anyone ever feel they have the programmer’s “itch” but don’t have anything to program? Or have much motivation…

                        I often have projects that I stick a lot of free time into but then once they’re done, or half done with no motivation to go back, I often have dry periods where I just don’t do anything other than browse the web hoping inspiration strikes.

                        Yes it’s OK to do nothing at all I agree, but it’s nice to always have something on the go!

                        1. 3

                          I find it interesting that the draw to Linux continues to be the custom window managers (I myself originally switched for this reason, though at this point I use a vanilla XFCE setup). Even though Linux sucks for desktop, especially laptops (buggy wifi/graphics drivers, buggy suspend/resume, messy upgrades, manually having to customize screen brightness scripts, etc, etc), there really aren’t better options if you want a moderate amount of control over what the system does.

                          I really wish there were a distro that specifically targeted laptop hardware (even if it was only specific models), and focused on optimizing the experience to be close to a Mac in terms of maintenance and configuration. I’ve been using elementary OS on my laptop, but I’d prefer something more lightweight. I’d even pay money for it. And at this point, I think money is the only way to maintain a distro that provides users with a pleasant user experience by squashing the annoying edge-case bugs. And it’s totally understandable why some of those bugs aren’t tackled – they’re fiddly, not fun to fix, and don’t get a lot of recognition if they are fixed.

                          1. 3

                            Would love to see a laptop optimised distro too, although I’d imagine if you wanted to maintain it for a model line you’d need some funding to keep up :)

                            I find it interesting that the draw to Linux continues to be the custom window managers

                            I think this was the main thing for me, OSX is mostly unixy with BSD so there wasn’t really a compelling reason for me to switch, but i3 changed all that.

                            I’ve played with the OSX tiling window manager solutions (yabai, amethyst etc) and while I applaud their efforts it just isn’t the same and feels like a bolt on.

                            1. 2

                              The only distro that I think comes close to what you want is probably Solus, which is targeted at personal use (“The Personal OS for Personal Computers”), which these days mostly translates to laptops.

                            1. 14

                              Colleague of mine tried to install Linux on the Macbook we got him for work (2019 model, touchbar macbook pro 15”).

                              I can say that it was a lesson in futility, patience and over-all unpleasantness.

                              Aside from the obvious (no touchbar support, no esc key) there were issues such as fan control and the keyboard. Can you imagine having a laptop where you can’t use the keyboard? This is apparently fixed in kernel 5.3.

                              One of the major things was trying to bypass the system integrity protection.

                              I wouldn’t recommend buying an Apple Laptop if you intend to install another OS on it; it’s just too much work and there is equivalent quality hardware out there.

                              There is a good (active) document of people trying to do this though: https://gist.github.com/roadrunner2/1289542a748d9a104e7baec6a92f9cd7

                              1. 2

                                thanks for this, it has been on my todo list for a long time, but I never really got to try because I was afraid of exactly this kind of issue.

                                1. 2

                                  What laptop do you recommend then?

                                  1. 7

                                    ThinkPads are high quality machines and are well supported on Linux (and at least some other free operating systems).

                                    1. 3

                                      For the most part all the BSDs have good thinkpad support, especially as Intel/Radeon graphics drivers are under a BSD license. Haiku and illumos often have good support as well, usually porting the code from the BSDs.

                                      1. 2

                                        Thanks: I thought support was pretty good on the BSDs, but I wasn’t sure about the uniformity, and suspected, but didn’t know, that things like Haiku and illumos would too.

                                    2. 5

                                      As with all things it depends;

                                      If you want a thin&light and don’t care about ports there’s the new Dell XPS 13” (with a 16:10 display!).

                                      If you need something with a bit more ports and a rugged chassis, great keyboard I’d go with the Dell Latitude.

                                      More power and it’s the XPS 15.

                                      Most power and it’s the Asus ROG Zephyrus G14 (AMD cpu).

                                      There are countless others and alternatives here, but all of the above are practically on par with the MacBook line.

                                      1. 2

                                        I have a Matebook X Pro (2018 model) and it works great with Linux. Dell’s XPS and Precision lines are also well supported. But the gold standard is ThinkPads. At least that’s what Google would give its employees if they wanted a Linux laptop.

                                      2. 2

                                        Yeah it just seems like a nightmare.

                                        I think my model (2015) was pretty much the last in the lineup before T2 got introduced and there seems to be a myriad of problems with stuff like getting sound working and the keyboard stuff you’ve mentioned.

                                        It’s a real shame because they’re great hardware

                                        1. 1

                                          One of the major things was trying to bypass the system integrity protection.

                                          Could you elaborate on this? Where exactly did he try to bypass SIP?

                                        1. 1

                                          I’m kinda surprised that firefox is that slow for you. I wish it had hardware decoding for videos (would prevent the loud fans), but otherwise it works flawlessly for me. Though I may have a beefier machine and fewer plugins?

                                          1. 3

                                            I am not sure if it is enabled by default, but Firefox 76 added Wayland VA-API acceleration for all video codecs:

                                            https://www.phoronix.com/scan.php?page=news_item&px=Firefox-76-VA-API-Formats

                                            1. 1

                                              That is nice to hear. More reasons to replace my KUbuntu Bionic Beaver with Focal Fossa ;) Though I’m not sure AFAIK they went with X11 on LTS for obvious stability reasons on 18.04. Will have to look up if 20.04 LTS does the same again.

                                            2. 2

                                              I’ve received a lot of feedback from people reporting similar, I suspect I might have been a little too hasty to ditch FF - the issue might have been due to TreeStyleTabs (the slow tab switching) - I’ll give it another shot without that plugin!

                                              1. 1

                                                It’s no problem, I’m just surprised as I’m using it daily. (And I could totally understand if you’re also annoyed by how warm and loud FF gets playing videos. Then again, chrome does the same on most hardware under linux..) And I started to ask myself whether I’m having the wrong impression and am just used to it.

                                                Edit: plugins running currently are umatrix + ublock origin, VideoDownloadHelper (though you should blacklist youtube). At least umatrix can create some overhead.

                                            1. 4

                                              Nice to see more people switching to Linux!

                                              You might like Flameshot for taking screenshots and for the ability to edit them (add blur, add arrows, draw etc) immediately after taking them.

                                              I haven’t experienced problems you’re mentioning on Firefox. I believe default Firefox on Fedora is Wayland so if you try SwayWM, it should run Firefox Wayland perfectly which now includes native hardware video acceleration. See this recent development.

                                              1. 3

                                                This is awesome, thanks for sharing!

                                                I’ll give sway another shot. Maybe TreeStyleTabs was the problem rather than Firefox itself, maybe I was a little hasty there.

                                              1. 2

                                                Not as low-level, but for learning assembly language concepts and actually doing useful things right away, I really enjoyed How Computers Do Math by Clive Maxfield and Alvin Brown. It’s written in an informal and irreverent style that’s very approachable, and while people who are more knowledgeable might skip the introductory chapters, I found the project quite fun, and it’s approachable by people without any such experience. The concept of the ‘DIY Calculator’ platform and virtual machine isn’t new (LMC, MIX, MMIX, DLX, LC3, etc.) but the execution was superb.

                                                I enjoyed learning 6502 assembly on the Commodore 64 (and before that, being able to directly affect the entire running memory directly from BASIC with POKE commands). I think the inability to easily get underneath all the layers and onto the actual hardware of modern computers is really depriving the current generation of the opportunity to work by themselves, self-directed, and gain a low-level understanding.

                                                On a modern PC system, it’s not even possible to work directly with the hardware, at least not exclusively - you’ll still have things like SMM or ME running without your knowledge (or with your knowledge but not under your control).

                                                1. 1

                                                  Cool, thanks for the recommendation!

                                                1. 4

                                                  Daniel, you may enjoy Code: The Hidden Language of Computer Hardware and Software by Charles Petzold.

                                                  1. 4

                                                    Thanks for the rec, but I read it a few years ago! I can’t remember if it described the gate level stuff, but it’s definitely a good book

                                                    In fact, it’s what inspired me to write my Gameboy emulator in the first place :)

                                                  1. 7

                                                    Honestly, I think that this is a bug and the Chrome team is just being lazy about it.

                                                    If the type wasn’t provided, I’d expect this behavior, but Chrome shouldn’t be allowing you to embed the wrong type w/ the same URL that the right type was hosted on before. That’s the issue here in my opinion.

                                                    1. 1

                                                      The chromium devs have commented on their bug now, as the spec bug has been raised they’re probably going to look at fixing it once the spec has been finalised.

                                                      In both Firefox and Chrome they handle it differently, Safari seems to be the only one (from what I’ve tested, I didn’t test Edge or Opera!) that is very opinionated.

                                                      1. 1

                                                        Well that’s good news :)

                                                        I would assume Safari is more strict with embed anyway? I hope so anyway

                                                    1. 2

                                                      Not sure whether I’d call it a security bug, but it’s definitely a bug. Thank you for filing it!

                                                      1. 2

                                                        I hope from the conclusion you can see that my line of thinking shifted this way, but at the time I became so wrapped up in the excitement of it all that I thought I’d hit something!

                                                        1. 1

                                                          Yeah, I can relate. Been there way too often :-)

                                                      1. 4

                                                        I have my blog here at the moment https://djhworld.github.io/

                                                        It feels a bit crappy pushing to github, but I worry about the ‘hug of death’ from wanted or unwanted traffic knocking my site offline as all I have are a bunch of raspberry pi’s on my home network.

                                                        Might be tempted to join cloudflare with their free account to cache the content, but that makes me uncomfortable too!

                                                        1. 1

                                                          If you decide to use Cloudflare, you might be interested in this: https://lobste.rs/s/czdb39/dear_customers_cloudflare_appeal

                                                        1. 1

                                                          I don’t use many of the “native” OSX applications either, with Calendar being the exception. It’s not that bad, seems to function well. My only concern right now is with each OS upgrade, the OS appears to be using more and more RAM. You need at least 8GB of RAM to run OSX these days, 4GB just isn’t enough.

                                                          I wouldn’t move to something like Linux, even though I secretly would like to, but I’m too invested in the OSX ecosystem. I’ve purchased and regularly use applications like:

                                                          • Bartender
                                                          • Alfred
                                                          • Dash
                                                          • Caffeine
                                                          • Flux
                                                          • Textual
                                                          • YouNeedABudget

                                                          etc. These are great and some of them are not cross platform. Admittedly a few of them are designed to correct or improve features in OSX (e.g. Alfred) but I find I’m using them every day.

                                                          1. 3

                                                            I think the issue he is having with the hiring process is with his line of questioning

                                                            Taking in stdin, doing some transformations and then putting the result to stdout is easy in most languages, but in Java it’s a pain as there are so many different ways to do it, e.g.

                                                            import java.io.BufferedReader;
                                                            import java.io.InputStreamReader;

                                                            BufferedReader bi = new BufferedReader(new InputStreamReader(System.in));
                                                            String line;
                                                            while ((line = bi.readLine()) != null) {
                                                                System.out.println(line); // transform the line here before writing it out
                                                            }

                                                            …etc. I have trouble remembering that snippet and often have to search my snippet library for it if I ever need to use it in my code.

                                                            Plus, combined with the fact that most typical Java developers don’t tend to write command line applications, with a lot of application development focused around the web/server side of things, you can kind of understand why this might present a problem to Java developers who’ve never ventured outside of their IDE.

                                                            1. 2

                                                              Great observation. I’ve always avoided “use a library” questions, but hadn’t considered reading stdin might itself be such a question.

                                                            1. 2

                                                              I think this is a good idea, I often find myself frustrated at man pages for not providing decent examples. While I enjoy the depths man pages often go into, sometimes an example usage section is all you really want.

                                                              Also I think the community maintenance and “wisdom of the crowds” approach of the “bropages” is a nice touch too.

                                                              The only slight irritant for me is the dependency on Ruby; the start up time to spin up the runtime is grating, especially when compared to opening man pages, which is almost instantaneous

                                                              1. 1

                                                                I like the speed of it. It seems much easier to me most of the time to see a few quick examples of common use-cases than to wade through a man page listing every single option and what it does, with no examples until 20 pages in.