@hanno@mastodon.social

Freelance Journalist. Industry Decarbonization, Climate, Energy, IT-Security. #searchable


hanno (@hanno@mastodon.social), to random

Was there a massive leak of a dangerous greenhouse gas in Iceland🇮🇸 in 2011 - or was it just a data📈 reporting error? European emission databases show that the Norðurál aluminium factory🏭 in Iceland released 60 tons of SF₆ in 2011 — but no such emissions in any other year. It's so much that it is hard to believe this really happened. And that is not the only odd thing I found in emission databases. https://industrydecarbonization.com/news/errors-and-inconsistencies-in-european-emission-data.html
🧵

hanno (@hanno@mastodon.social), to random

This is a gruelling summary of all the things wrong with OpenSSL https://www.haproxy.com/blog/state-of-ssl-stacks I've mostly watched this whole thing from the sidelines, but was also affected, noting that private key parsing suddenly became 70 times slower. I think they've now improved it to "only" be 10-20 times slower, and there does not seem to be any effort to work on it any more.

NGIZero (@NGIZero@mastodon.xyz), to random

We are happy to let you know that 49 fantastic free and open source projects will receive NGI0 Core grants.

It's a wide variety of projects covering all 10 layers of the technology stack, from open hardware to applications.

But what unites them is they all contribute to alternatives and improvements to core internet architecture.

Together they are working on an open, resilient and trustworthy internet for all.

Come over and meet the projects! https://nlnet.nl/news/2024/20241003-announcing-Core-call.html

hanno (@hanno@mastodon.social), in reply

@melroy @NGIZero I am always trying to reasonably report things, but it's highly context dependent what an "official channel" is. But a lot isn't covered by CVEs. CVEs are software vulnerabilities; that would apply if you have, e.g., software with a hardcoded key. But not for, like, DKIM setups, TLS certificates, or DNSSEC keys.

hanno (@hanno@mastodon.social), to random

Today, 16 years ago, Debian published a security advisory announcing CVE-2008-0166, a severe bug in their OpenSSL package that effectively broke the random number generator and limited the key space to a few tens of thousands of keys. The vulnerability affected Debian+Ubuntu between 2006 and 2008. In 2007, an email signature system called DKIM was introduced. Is it possible that people configured DKIM in 2007, never changed their key, and are still vulnerable to CVE-2008-0166? https://16years.secvuln.info/
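The check the post is asking about, as an added example that is not part of the post or of the 16years.secvuln.info project: take a DKIM TXT record (`v=DKIM1; k=rsa; p=<base64 SubjectPublicKeyInfo>`, per RFC 6376), pull the RSA modulus out of the DER with a minimal TLV walker, and compare its fingerprint against a weak-key blacklist. The fingerprint format is assumed to follow Debian's `openssl-vulnkey` (SHA-1 over `Modulus=<uppercase hex>\n`, keeping the last 20 hex characters); verify that against the openssl-blacklist package before relying on it. The modulus, the record and the blacklist below are constructed demo data, not real Debian weak keys.

```python
"""Check a DKIM DNS record's RSA key against a Debian-weak-key style blacklist.

Added example. Assumptions (not from the original post):
  * DKIM TXT layout per RFC 6376: 'v=DKIM1; k=rsa; p=<base64 SPKI>'.
  * Fingerprint format assumed from openssl-vulkey: SHA-1 of 'Modulus=<HEX>\n',
    last 20 hex chars. Verify against the openssl-blacklist package.
  * WEAK_N and DEMO_BLACKLIST are constructed, not real weak keys.
"""
import base64
import hashlib
import re

RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption
DER_NULL = b"\x05\x00"


def _der_len(n):
    # Short form below 128, long form (0x80 | byte count) above.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(x):
    body = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # DER INTEGER is two's complement: keep it positive
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def build_dkim_record(n, e):
    """Encode (n, e) as an RSA SubjectPublicKeyInfo inside a DKIM TXT record."""
    rsa_pub = _der_tlv(0x30, _der_int(n) + _der_int(e))
    alg_id = _der_tlv(0x30, RSA_OID_DER + DER_NULL)
    spki = _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dkim_record(txt):
    """Return (n, e) from a DKIM TXT record; raise ValueError if it is not an RSA key."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # p= may be folded across whitespace
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key")
    if not tags.get("p"):
        raise ValueError("key revoked (empty p=) or missing")
    spki = base64.b64decode(tags["p"])
    tag, spki_body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg_body, pos = _read_tlv(spki_body, 0)
    if tag != 0x30 or not alg_body.startswith(RSA_OID_DER):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _read_tlv(spki_body, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_body, _ = _read_tlv(bitstr, 1)      # skip the unused-bits byte
    _, n_bytes, pos = _read_tlv(rsa_body, 0)
    _, e_bytes, _ = _read_tlv(rsa_body, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def blacklist_fingerprint(n):
    """Assumed openssl-vulnkey fingerprint: SHA-1('Modulus=<HEX>\\n'), last 20 hex chars."""
    line = "Modulus=%X\n" % n
    return hashlib.sha1(line.encode()).hexdigest()[-20:]


def check_dkim_key(txt, blacklist):
    """Return 'weak', 'ok' or 'error: ...' for one DKIM record against a blacklist set."""
    try:
        n, _e = parse_dkim_record(txt)
    except ValueError as exc:
        return "error: %s" % exc
    return "weak" if blacklist_fingerprint(n) in blacklist else "ok"


# Constructed demo data: a toy modulus declared "weak" for the demo only.
WEAK_N = 0xC0FFEE1234567890ABCDEF
DEMO_BLACKLIST = {blacklist_fingerprint(WEAK_N)}

if __name__ == "__main__":
    print(check_dkim_key(build_dkim_record(WEAK_N, 65537), DEMO_BLACKLIST))      # weak
    print(check_dkim_key(build_dkim_record(WEAK_N + 2, 65537), DEMO_BLACKLIST))  # ok
```

To run this against a live selector, query `<selector>._domainkey.<domain>` for TXT, join the record's quoted strings (DNS splits long records at 255 bytes) and pass the result to `check_dkim_key` together with the real blacklist for the key's bit length. The parser deliberately rejects non-RSA keys and empty `p=` (a revoked key) instead of guessing, since a silent "ok" on those is exactly the kind of false negative such a scan must avoid.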

hanno (@hanno@mastodon.social), to random

Given that I see calls for better support for those random open source devs that happen to maintain some of the most important pieces of software on the planet: a good friend of mine is maintaining expat - possibly the most important+popular XML library out there - and he has a message in his latest changelog that you may want to read: https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes