@mjg59@nondeterministic.computer

Former biologist. Actual PhD in genetics. Security at Nvidia, OS security teaching at https://www.ischool.berkeley.edu. Blog: https://mjg59.dreamwidth.org. He/him.


@mjg59@nondeterministic.computer avatar mjg59 , to random

We're watching season 6 of Project Runway and I am entirely unable to get over the absolutely awful deinterlacing

@mjg59@nondeterministic.computer avatar mjg59 , to random

Ok fine let's talk about why mTLS is hard:

  1. Browsers have terrible UI around client certificate choice and picking the wrong one or hitting the wrong button breaks everything
  2. Issuing client certs is painful (not very important as far as token binding is concerned, you can just self-sign)
  3. Hardware-backed client certs are slow (I think this is less true today)
  4. If you have front-end proxies that terminate TLS you need to handle it there

What else?

@mjg59@nondeterministic.computer avatar mjg59 , to random

Ring cameras using wifi are obviously vulnerable (as are all other wifi devices) to just jamming wifi channels so they can't communicate, but that's noisy and attracts attention. But they also don't appear to implement WPA3 or 802.11w and so you can also just spam them with deauth frames while being much less obvious. This is very easy and also, in the US at least, very illegal. You shouldn't do it.

@mjg59@nondeterministic.computer avatar mjg59 , to random

It is honestly kind of amazing that lightbulbs just take a tenth of the power they did 30 years ago and also they last approximately forever now

@mjg59@nondeterministic.computer avatar mjg59 , to random

https://faultlore.com/blah/c-isnt-a-language/ deserves a fucking record for managing to trigger people into being extremely upset while also demonstrating that they don't understand the actual point being made

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

It doesn't matter whether C is good or not. It matters that if I write code in two languages that aren't C, and I want it to all be part of the same process, I need to care about C. C pervades all. You cannot escape it. C will outlive all of us. The language will die and the ABI will persist. The far future will involve students learning about C just to explain their present day. Our robot overlords will use null terminated strings. C will outlive fungi.

@mjg59@nondeterministic.computer avatar mjg59 , to random

If you're finding that gdm is falling back to X11 and refuses to start Wayland sessions then uh make sure you haven't accidentally changed the owner of / because that results in some exceptionally weird breakage

@mjg59@nondeterministic.computer avatar mjg59 , to random

The presumption that free software is sufficient or necessary to ensure all software you depend on is trustworthy is simultaneously naive and ignorant of what software is capable of. The only realistic way to develop trust in software is to trust the people who write it, and development processes associated with free software make that trust easier.

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

But merely being free software isn't sufficient - software developed in a way that prevents arbitrary observers from witnessing design conversations may still be free software, but doesn't give us a strong reason to trust the developers. We all know how easy it is to hide dubious code in the open. The libxz backdoor was discovered by examining the binary and tracking that back to the source, not through source examination.

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

Frankly: binaries are the thing that executes on your system and embody the truth of software behaviour, and with modern technology it's often easier to determine that truth through the binary than through the source code (throw the "login" app from Reflections on Trusting Trust into Ghidra and you'd learn the truth even if the source code wouldn't tell you that)

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

I believe that free software is vital. People should have control over everything that executes on their system. But let's not kid ourselves - even someone running linux-libre on a machine with open firmware on a custom fabbed RISC-V with no microcode hasn't verified every line of code they execute, and nor has the community as a whole

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

At some point we have to trust that other humans won't just lie to us - and that's true whether the software is free or proprietary. Debian could modify mirrors to push a backdoored package to a specific IP address, but the people with the ability to do that are well known to the community and we trust that they wouldn't. That's not a function of Debian being free software - that's a function of an open community

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

Build communities. Find people you trust and place more faith in their recommendations. Don't trust anyone who says there's a magical solution here.

@mjg59@nondeterministic.computer avatar mjg59 , to random

https://www.openwall.com/lists/oss-security/2026/01/20/2 OH MY FUCKING GOD complete auth bypass in inetutils telnetd for over a decade and obviously nobody inside that decade should have been running a telnet daemon but wow

@mjg59@nondeterministic.computer avatar mjg59 , to random

Can someone please just write an ebpf script that blocks ../ and make it possible to automatically load that in systemd units and docker and any other security boundary

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

Still going to argue that https://gitlab.com/mjg59/linux/-/commit/13cd6ec5e0e99124dd730156a4d921b20f192e2d would maybe be the most security per lines of code this decade

@mjg59@nondeterministic.computer avatar mjg59 , to random

It is actually kind of wild that we're simultaneously in an era of people complaining that Wayland is destroying choice and also maybe the greatest number of high-quality desktop environments aimed at different use cases the free software world has ever had

@mjg59@nondeterministic.computer avatar mjg59 , to random

I'm sure you're all aware of just how viscerally aware I am that UEFI is absolutely cursed and let me tell you it is nowhere near as cursed as vendor network stacks

@mjg59@nondeterministic.computer avatar mjg59 , to random

iRobot apparently just declared bankruptcy, so if you have an internet connected one and want to retain control if the cloud platform vanishes, take a look at https://github.com/koalazak/dorita980#how-to-get-your-usernameblid-and-password and stash that information somewhere safe (and note that it changes if you ever factory reset the device, so try not to do that)

@mjg59@nondeterministic.computer avatar mjg59 , to random

Poll for people from the UK and US only sorry I am being restrictive there is actually a reason

@mjg59@nondeterministic.computer avatar mjg59 , to random

In and around 2023, Roy and Rianne Schestowitz were subject to a horrific campaign of online harassment. Unfortunately they blamed me for it, and in turn wrote and published an astonishing array of articles making false accusations against me. Last year, I sued them in the high court in London. In turn, they countersued me for harassment. The case was heard last month and I'm pleased to say that the counterclaim was dismissed and I prevailed in my case. The court awarded me £70,000 in damages.

@mjg59@nondeterministic.computer avatar mjg59 , to random

I have been learning more about PDFs than I really wanted to for maybe the absolutely most funny reason possible - letting agency forgery: https://mjg59.dreamwidth.org/73317.html

@mjg59@nondeterministic.computer avatar mjg59 , to random

You obviously can't use LLMs to review code written by LLMs. So you still need people who know how to read code. How do you get those people without having people write code?

@mjg59@nondeterministic.computer avatar mjg59 , to random

A fun thing you can do right now to test whether your system will stop booting next week because of a secure boot certificate expiring!

  1. Does your system currently have secure boot enabled? If not, go to step 5
  2. Download Fedora 42
  3. Does it refuse to boot with a secure boot violation? If not, go to step 5
  4. This is interesting and unexpected! Please let me know, you will literally be the first
  5. Nothing is going to happen to you next week
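
Step 1 of the procedure above asks whether secure boot is currently enabled. This added shell script (not part of the original post) answers that by reading the SecureBoot and SetupMode variables from efivarfs; it assumes the usual efivarfs layout, where each variable file is 4 bytes of attributes followed by the data, and the standard mount point, and it includes a helper that builds a fake efivarfs directory so the parser can be exercised without firmware access.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumption: efivarfs layout (4-byte attribute header, then variable data);
# SecureBoot and SetupMode are one-byte booleans under the EFI global GUID.
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the data byte of a one-byte EFI variable file as a decimal number,
# skipping the 4-byte attribute header. Returns 1 if the file is unreadable.
efivar_byte() {
    [ -r "$1" ] || return 1
    dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

# Classify the secure boot state of the efivarfs directory given as $1
# (defaults to the real one). Prints one of:
#   not-uefi    no SecureBoot variable (BIOS/CSM boot, or efivarfs not mounted)
#   setup-mode  SetupMode=1: keys are not enrolled, nothing is enforced
#   enabled     SecureBoot=1: firmware enforces signatures on what it loads
#   disabled    SecureBoot=0
secure_boot_state() {
    dir="${1:-$EFIVARS}"
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID") || { echo not-uefi; return 0; }
    sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID")
    if [ "$sm" = "1" ]; then
        echo setup-mode
    elif [ "$sb" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Construct a fake efivarfs directory with the given SecureBoot ($1) and
# SetupMode ($2) values (0 or 1), so the parser can be tested without root.
make_fake_efivars() {
    d=$(mktemp -d)
    # attribute header 0x00000007 (NV+BS+RT), then the single data byte
    printf '\007\000\000\000\00'"$1" > "$d/SecureBoot-$EFI_GLOBAL_GUID"
    printf '\007\000\000\000\00'"$2" > "$d/SetupMode-$EFI_GLOBAL_GUID"
    echo "$d"
}
```

On a real machine, `secure_boot_state` with no argument reads the live variables; if it prints anything other than `enabled`, the post's step 5 already applies.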

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

Fedora 42's bootloader is signed with an intermediate certificate that expired in October 2024. Older releases had intermediate certificates expire even longer ago. The only certificate that even possibly expires next week is an intermediate, and we know nothing validates the expiry of intermediates because otherwise we'd already have been seeing failures.

@mjg59@nondeterministic.computer avatar mjg59 , to random

People who are still inclined to believe that Linux systems will stop booting next month because of secure boot rollover! Send me evidence that you have donated to a charity and, if Linux stops booting on any system after 2025-09-11 because of some sort of certificate rollover bullshit, I will (your choice) either match that donation or pay you back your donation (you will need to deal with the tax consequences), up to a total of $50,000.

@mjg59@nondeterministic.computer avatar mjg59 , to random

2012: "Secure boot is a plot by Microsoft to kill Linux"
2025: EA's insistence on invasive anti-cheat results in a bunch of Windows users managing to get their secure boot configuration into a state where their GPUs no longer work and there's no recovery path: https://www.reddit.com/r/Battlefield/comments/1miaynl/secure_boot_megathread_guide_community_support/

Microsoft would have to be very bad at this for a plot to have backfired this badly

@mjg59@nondeterministic.computer avatar mjg59 , to random

For Reasons that I cannot discuss I had the opportunity some years ago to review the security of some source code that was used in both an internet access device and also a crewed spacecraft and discovered a (minor) flaw that based on the memory layout of the device located on Earth was unexploitable but could have been exploited if you had the ability to rewrite flash on a device in orbit and well that feels like a conversation about whether Bond movies are realistic threat models

@mjg59@nondeterministic.computer avatar mjg59 , to random

Need my GB driver's license details For Reasons, can't find the card, remember it's saved in my Hertz profile, go there, page shows me most of the number ***d out, check developer tools, API is returning the full number and just obfuscating it client side, hurrah

@mjg59@nondeterministic.computer avatar mjg59 , to random

Anyone sharing anything about phones always listening to your conversations and showing you adverts about that:

(a) Do you realise how incredibly easy it is to monitor all the traffic coming from your phone?
(b) Do you understand how giant a scandal it would be if that were demonstrated?
(c) Do you know how many people there are who would love to be at the confluence of (a) and (b) and yet have not been because it's not a thing that's happening?

@mjg59@nondeterministic.computer avatar mjg59 , to random

Once again learning the "image the spinning rust onto an SSD and then try to archive the directory with a bunch of small files in it rather than doing that directly from the spinning rust" lesson

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

(It's because archiving lots of small files means performing a lot of seeks, which spinning rust drives are very bad at, but creating a disk image onto an SSD is a linear read that is much faster and then SSDs are very good at seeks because there's no physical thing that needs to move and doing it this way can actually be faster despite the extra step)

@mjg59@nondeterministic.computer avatar mjg59 , to random

Some people in the free software community now appear to be asserting that requiring the execution of remotely-provided Javascript on a user's system is incompatible with free software even if the Javascript in question is free software, and I'm genuinely confused by this. Could someone please explain it to me?

(I do not want sarcastic responses, complaints about the FSF, or anything along those lines. I am asking an earnest question and want earnest replies)

@mjg59@nondeterministic.computer avatar mjg59 , to random

"Huh why is logging into the server in the room next door so slow" because my eeros rebooted overnight and my laptop roamed onto the other SSID that's VPNed back to the UK and all my packets have been travelling 10,000 miles to go a few metres

@mjg59@nondeterministic.computer avatar mjg59 , to random

"Why bother writing free software if nobody's going to use it" why bother producing art or documenting the life cycle of an extinct insect or sharing anything that you find interesting or fun - if people find something I've done useful then wonderful, but even if they don't I want to be able to share it with them

@mjg59@nondeterministic.computer avatar mjg59 , to random

My first paid software development job was on accessibility software. I remember visiting a user to help set up our code, and the sheer joy he had at being able to communicate more quickly than he had been able to for years.

Seeing the effort put into improving modern Linux accessibility is heartwarming. There's been almost 20 years of almost nobody caring. It's important. It's worthwhile.

Say thank you to the people doing that work. Stop amplifying the people saying that work isn't happening.

@mjg59@nondeterministic.computer avatar mjg59 , to random

Twitter's new encrypted DM system stores your private key material on Twitter-owned services, protected with nothing more than a 4-digit PIN. If hostile, or if legally compelled to, Twitter could easily decrypt all your messages. It's also MITMable and doesn't secure metadata. Use Signal.

https://mjg59.dreamwidth.org/71646.html

@mjg59@nondeterministic.computer avatar mjg59 , to random

Just got back from the POSIX rally. Amazing turnout. Thousands of people holding hands and chanting “Better things aren't possible”

@mjg59@nondeterministic.computer avatar mjg59 , to random

Them: code stored in an immutable physical form is hardware
Me: an Ubuntu live CD is hardware

@mjg59@nondeterministic.computer avatar mjg59 , to random

Someone explain dpop in the browser to me. If the keys are long-lived then I just steal them at the same time as the token? What's this actually protecting against? Someone compromising a corp middleware box? Cloudflare being popped?

@mjg59@nondeterministic.computer avatar mjg59 , to random

I never expected to have to be searching my mailbox for the term "cum-cum-cum-cum-cum" (yes, including hyphens), but this year continues to be full of surprises

@mjg59@nondeterministic.computer avatar mjg59 , to random

Free software is about granting people rights, and as such it is incompatible with racism. It is incompatible with homophobia. It is incompatible with "gender critical" ideology. Those people all reject the idea that all humans have rights based on who they are, are ideologically incompatible with free software and deserve to be sidelined. We can replace anyone's contributions, we can't replace all those they drive away.

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

You see a transphobe in your mentions? You reject them, just like you'd reject a nazi. A bar that accepts transphobes is a transphobe bar.

@mjg59@nondeterministic.computer avatar mjg59 , to random

This may seem odd given my position on secure boot, but: I think Boot Guard is absolutely pointless in almost all real-world scenarios, and in the scenarios where it matters I think TPM-backed measurement gets almost all the benefit without restricting what users can do with their firmware. AMD's Platform Secure Boot is even more pointless, since it can be bypassed by simply replacing the CPU with an unfused one.

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

Secure boot has stopped real-world attacks. Boot Guard has, to the best of my knowledge, not. In reality vendors repeatedly leak their keys, use publicly available test keys, sign the boot block and not sign their DXE, and basically fuck up in every conceivable way. But we've never had public disclosure of any of this mattering, because boot guard only realistically protects against physical attacks and at that point there's easier ways to mess with someone (like, just disable secure boot)

mjg59 OP ,
@mjg59@nondeterministic.computer avatar

"But if they disable secure boot the measurements will change" yes and if boot guard measures but doesn't verify then that will also happen, what additional protection is there from the verification?

@mjg59@nondeterministic.computer avatar mjg59 , to random

We produce some of the finest memory unsafe code in the world. Big code mines just digging up beautiful buffer overflows, factories turning out world-class use after frees. I spoke to someone and he said sir, those commie Europeans want to get rid of their data races, sir, but we make the best data races. Did you know that America made 15 of the top 20 most exploitable codebases in 2000 year? We're going to be bringing that back. No more woke languages. Good honest American C.