Post B5tHdVvjV6Ce1hCZY8 by mangeurdenuage@shitposter.world
(DIR) Post #B5t5MdNxKXDem8aUVc by icon_of_computational_sin@mstdn.starnix.network
2026-05-02T13:22:44Z
2 likes, 2 repeats
From: https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypass/
The fact that this pretty stupid VPN circumvention exists isn't a big surprise, given how bloated and over-engineered Android (and probably any other L'Eunuchs system) is. The surprising part is these words here:
> Asked If I am free to disclose
With some uncanny rituals, not at all dissimilar from cults or MLM schemes, big tech corpos have managed to guilt trip a huge crowd of nerds that said corpos are owed the honour of being asked permission to do things. Not because these nerds are paid to do this--most bug bounty programs offer scraps, you can sell these 0days and other secrets to Mossad or CIA for 10x the amount--but because it's somehow "ethical". In quotation marks, because nobody can even tell what ethics system here is usually referred to (deontologists can suck a dingus). All while the same corpos have NO WARRANTY clauses in every single software licence they employ, even in EULAs. And where this isn't possible, they limit the maximum possible compensation to a laughable sum.
Remember, boys and girls. You don't owe corpos anything. And you certainly owe their customers even less than that. Full and immediate disclosure is the only way. Let them deal with the consequences of pushing shit code into prod, this isn't your problem.
SEE SOMETHING, SAY SOMETHING
(DIR) Post #B5t5i4gL2OalW0PRAm by phnt@fluffytail.org
2026-05-02T13:26:38.599198Z
0 likes, 1 repeats
@icon_of_computational_sin
>Let them deal with the consequences of pushing shit code into prod, this isn't your problem.
As I've said on IRC, you only say this because you don't have to deal with the chaos and panic in the aftermath of disclosing high severity issues before a fix is released. You never had to sit down and try to figure out which of your possibly hundreds or thousands of systems is affected and how to fix it.
(DIR) Post #B5t6mbhiIth92nmHVg by icon_of_computational_sin@mstdn.starnix.network
2026-05-02T13:38:39Z
2 likes, 0 repeats
@phnt you might think so, but it was you who deployed vulnerable software from an untrustworthy vendor. Yes, you. You put your trust in a corporation that leaks (or worse, sells for profit) data left and right, hires subpar engineers, reluctantly spends pocket change on QA, and in a normal world wouldn't be trusted with candy. So called "ethical disclosure" only upholds this status quo of you and your kin pretending everything is fine. It's not fine. It hasn't been fine for a long time now. Full disclosure only reveals this very uncomfortable fact.
(DIR) Post #B5t74d1s7EWOMmneVc by phnt@fluffytail.org
2026-05-02T13:41:55.347584Z
0 likes, 1 repeats
@icon_of_computational_sin Fully trustworthy vendor and non-vulnerable software does not exist. The world you are thinking of isn't real, for many things you are stuck with some vendor and/or some other vendor and that's it. You either use that or you can build your own, which usually results in something even worse.
Or are you running an OS along with the whole userspace on our computer that has been mathematically proven to do what it says it does without error?
(DIR) Post #B5t84oJuEiWLL3szKK by bonifartius@noauthority.social
2026-05-02T13:53:10Z
1 likes, 0 repeats
@icon_of_computational_sin
> First, nobody checks the payload is actually a QUIC CONNECTION_CLOSE frame. The bytes are whatever you want.
who comes up with these ideas.
(DIR) Post #B5t8bGbAdJpGJFRBZY by mangeurdenuage@shitposter.world
2026-05-02T13:59:02.799713Z
0 likes, 1 repeats
@phnt @icon_of_computational_sin
>Fully trustworthy vendor and non-vulnerable software does not exist.
That's not the point. The point is transparency that you aren't a piece of scum that leeches out your customers and wish to provide actual problem solving.
> The world you are thinking of isn't real,
So is the one you describe.
>for many things are you stuck with some vendor and or some other vendor and that's it
Yes and when did you start to work to counter that bs?
Right now I have work so that a city hall can migrate to GNU/linux and they're stuck because they use a SaaSS that requires hard dependency to windows while it's all in a fucking browser.
Short term solution: vm microslop to mitigate.
Long term: changing software.
Longer term: lobby representatives.
>or you can build your own, which usually results in something even worse.
Worse than default win11 and passwords being 123456 level?
(DIR) Post #B5t8fKjNDA7aHfDILQ by mangeurdenuage@shitposter.world
2026-05-02T13:59:46.486586Z
0 likes, 1 repeats
@bonifartius @icon_of_computational_sin Probably someone who thought "this is practical".
(DIR) Post #B5t8lYig78v5PHrBqq by phnt@fluffytail.org
2026-05-02T14:00:53.462091Z
0 likes, 1 repeats
@mangeurdenuage @icon_of_computational_sin Btw, the context for this thread is Copy Fail on irc.nishi.boats.
It's about trusting Linux and the broader ecosystem around it such as GNU. You cannot fully trust Linux nor GNU as vendor, because you cannot fully audit and prove it.
(DIR) Post #B5t96mjDE3I6w2ECOG by mangeurdenuage@shitposter.world
2026-05-02T14:04:44.189210Z
0 likes, 1 repeats
@phnt @icon_of_computational_sin Yes I'm aware of it. I posted about it previous to this post.
>You cannot fully trust Linux nor GNU as vendor, because you cannot fully audit and prove it.
Fallacious reasoning. Thank you for the bait. Please go kill yourself.
(DIR) Post #B5t9Gt46WHxdU6oirg by phnt@fluffytail.org
2026-05-02T14:06:32.946279Z
0 likes, 1 repeats
@mangeurdenuage @icon_of_computational_sin
>Fallacious reasoning. Thank you for the bait. Please go kill yourself.
lol, lmao even. :puniko_laugh:
(DIR) Post #B5tAAOnoDu6PqJfJKq by icon_of_computational_sin@mstdn.starnix.network
2026-05-02T14:16:31Z
1 likes, 0 repeats
@phnt yes, it does exist, but that is not the point. The point that
- Some software is better than the other
- Monoculture is among the worst things to have happened in tech. This has been known for a long while, if you look up articles from early to mid 2000s, they argue that Microsoft monoculture is toxic. And yet the nerd herd has managed only to replace one monoculture with another.
- By the standards of the time described above, most big tech software today would be classified as malware, whether intentionally so or not.
I have never claimed that you must run some perfect software (I can claim this tho). But at least try to have some semblance of standards.
(DIR) Post #B5tAKdPImIny2C5CnQ by icon_of_computational_sin@mstdn.starnix.network
2026-05-02T14:18:23Z
1 likes, 0 repeats
@phnt @mangeurdenuage no, not really. Here I only refer to the Android bug above.
But I would've published this "CopyFail" immediately. Linux licence claims NO WARRANTY and that really does mean NO WARRANTY.
(DIR) Post #B5tB6Ps6PDoLxGL1uq by mangeurdenuage@shitposter.world
2026-05-02T14:27:04.804730Z
0 likes, 1 repeats
@phnt @icon_of_computational_sin You know feeding your ego from negative shit like this isn't healthy for you.
(DIR) Post #B5tBKDWl69MHiww4US by bonifartius@noauthority.social
2026-05-02T14:29:34Z
0 likes, 0 repeats
@mangeurdenuage @icon_of_computational_sin likely. or some performance reason. can't have structured data that can be easily checked, that would take a few nano seconds too long on a system largely implemented in java ;)
(DIR) Post #B5tCOBf0589p2uFPAe by m0xEE@breloma.m0xee.net
2026-05-02T14:41:23.777085Z
0 likes, 0 repeats
@phnt @icon_of_computational_sin @mangeurdenuage To me CopyFail revealed what a complete and utter clusterfuck modern Linux systems are — and it's not about the fact that vulnerabilities exist or how they are disclosed.
Cryptographic routines running in kernel space exported to user space via a socket, what the fuck for? For a 0.1% performance gain?!
And kernel module getting loaded when a user — any user at all, creates a socket of a particular type? For real?! This is the shit a ni~ ehm… user gets to deal with now?!
And in RHEL AFAIK they went even further and built that module right into the kernel — so there is nothing to unload or prevent from getting loaded.
Neither of these things should be possible in a system that is considered even remotely secure! :marseytabletired2: While security folk insist on putting everything in a container — these things exist!
(DIR) Post #B5tD4sfCaS7Ua3hRTs by m0xEE@breloma.m0xee.net
2026-05-02T14:49:06.826283Z
0 likes, 0 repeats
@icon_of_computational_sin
> pretty stupid VPN circumvention exists
Android is as lax as it can possibly be with such things. There is a http(s) proxy configured for this network, but it doesn't respond in a timely manner? Let's send all traffic directly — software has to be able to phone home at all cost!
Then there is this switch in VPN settings: "Block connections without VPN" :marseysigh: What happens if VPN connection goes down, does the traffic get dropped? From the phone it does — or at least so it seems. But what if you've been sharing your VPN connection wirelessly, can wireless clients still connect to the outside world? They sure do! NAT just switches to sending all their traffic directly over your cellular connection.
(DIR) Post #B5tEDofyshxQm3tAI4 by phnt@fluffytail.org
2026-05-02T15:02:01.019500Z
0 likes, 1 repeats
@icon_of_computational_sin
>yes, it does exist, but that is not the point.
It does not, even your industry doesn't have such properties, nor does aeronautics which does math proofs only for certain absolutely critical pieces of software. You can never have a trustworthy vendor or software unless you fully audit every piece of it and prove correctness of it. Linux will never have that, seL4 only proved the microkernel.
>Some software is better than the other
But none is fully trustworthy at the scale we are talking.
>Monoculture is among the worst things to have happened in tech. This has been known for a long while, if you look up articles from early to mid 2000s, they argue that Microsoft monoculture is toxic. And yet the nerd herd has managed only to replace one monoculture with another.
Agreed.
>By the standards of the time described above, most big tech software today would be classified as malware, whether intentionally so or not.
By my definition IPv6 is malware, because it autoconfigs interfaces without me telling it to do so (via running an autoconfig service on the network). It does something I never asked it to do.
(DIR) Post #B5tESGG57zd0NCf8Jk by phnt@fluffytail.org
2026-05-02T15:04:37.764039Z
1 likes, 1 repeats
@m0xEE @icon_of_computational_sin @mangeurdenuage
>To me CopyFail revealed what a complete and utter clusterfuck modern Linux systems are
Have been for a very long time now.
>And in RHEL AFAIK they went even further and built that module right into the kernel — so there is nothing to unload or prevent from getting loaded.
initcall_blacklist=af_alg_init kills it.
(DIR) Post #B5tEUrneWL93NwbiUq by lain@lain.com
2026-05-02T15:05:05.470709Z
0 likes, 1 repeats
@phnt @icon_of_computational_sin @mangeurdenuage wait linux is now something i'm not allowed to install unless i want to get punched in the face?
(DIR) Post #B5tEiULAXTRegImOum by phnt@fluffytail.org
2026-05-02T15:07:34.061660Z
0 likes, 1 repeats
@mangeurdenuage @icon_of_computational_sin I'm stating the reality, nobody can fully audit GNU corelibs/gcc/glibc/and friends because they are way too huge for that. You will always have to live with a possibility that a vulnerability will exist in these pieces of software, similarly to Linux, because they are simply too big to be fully correct.
The truth that free software/open-source software gives you better security, because you don't need to disassemble it and/or do weird behavior analysis, is only truth to a certain extent.
(DIR) Post #B5tEpWp1i8OMPA6OzA by phnt@fluffytail.org
2026-05-02T15:08:48.647999Z
0 likes, 1 repeats
@lain @icon_of_computational_sin @mangeurdenuage No, it's something you can never be sure is free of vulnerabilities.
Context: https://mstdn.starnix.network/@icon_of_computational_sin/116505255548409394
(DIR) Post #B5tFYDwck9wst9y62S by icon_of_computational_sin@mstdn.starnix.network
2026-05-02T15:16:53Z
1 likes, 0 repeats
@phnt @mangeurdenuage all it means is that glibc/gcc/whatever need to be killed with fire like the atrocious disgrace of engineering that they are. Same goes for Linux.
Actually, it is possible to build secure systems that incorporate Linux. This has been done numerous times and involves isolating different application domains with paravirtualised kernels. A tad bit harder than installing Booboontu or RHELL and calling it a day.
(DIR) Post #B5tHdVvjV6Ce1hCZY8 by mangeurdenuage@shitposter.world
2026-05-02T15:40:17.862025Z
0 likes, 1 repeats
@phnt @icon_of_computational_sin
What is a The big ball of mud paper.pdf.
What is the art of software destructibility https://max.hn/favorites/talks/programming/the-art-of-destroying-software/.
>The truth that free software/open-source software gives you better security, because you don't need to disassemble it and/or do weird behavior analysis, is only truth to a certain extent.
Yes it's not a black box.
But it's more than that.
You only look at the security aspect of the tools.
Tools are much more than just that.
(DIR) Post #B5tHjl0OMesWWDMG2a by mangeurdenuage@shitposter.world
2026-05-02T15:41:25.535640Z
0 likes, 1 repeats
@icon_of_computational_sin @phnt Depends on your adversaries.
(DIR) Post #B5tNroSnzRKRHmsAC0 by icon_of_computational_sin@mstdn.starnix.network
2026-05-02T16:50:04Z
0 likes, 0 repeats
@mangeurdenuage @phnt
> Don’t try to plan for future changes. Focus on the ability to completely rewrite everything from scratch when that change actually occurs.
I'm not exactly sure this guy is sane or that his advice on software is to be taken seriously.
(DIR) Post #B5tO4ukxu8KaZFc8ES by mangeurdenuage@shitposter.world
2026-05-02T16:52:28.874481Z
0 likes, 1 repeats
@icon_of_computational_sin @phnt It's the same thing that has been repeated since the 80s smalltalk etc..
(DIR) Post #B5uPdpqAT6GKZIDsJs by m3tti@functional.cafe
2026-05-02T16:26:57Z
1 likes, 0 repeats
@phnt @m0xEE @icon_of_computational_sin @mangeurdenuage i'm really considering openbsd right now i was a fanboy while studying but had to switch to linux for work related stuff or even worse windows. We should get back to keep it simple stupid.
(DIR) Post #B5ufOnzOfQT1kYOXCq by m0xEE@breloma.m0xee.net
2026-05-03T07:41:01.705945Z
0 likes, 0 repeats
@phnt
> initcall_blacklist=af_alg_init
Ha-ha, yeah, I know that. Blocking the entry point to prevent the module from loading — neat trick!
But AFAIK, you can't pass it to an already running kernel, there probably is some equally clever kexec trick to minimise the downtime, but in most cases running the kernel with updated command line would require a reboot, which might be undesirable.
But all that aside, sure — a hardened kernel would likely have support for loadable modules disabled and have everything built into it, but it would only be a bare minimum: support for hardware that is present in this particular system (maybe not for all hardware even, some intentionally disable peripheral ports) and support for kernel features that are necessary in this particular usage scenario…
But building everything AND the kitchen sink right into the kernel? That's just sloppy! To me RedHat doing this is a shocking discovery! I thought all distros moved beyond this for one reason or the other. I wonder how big their kernel images are. Even ZStandard-compressed! 🤭
@icon_of_computational_sin @mangeurdenuage
(DIR) Post #B5ugBzBtoB88gGh4V6 by m0xEE@breloma.m0xee.net
2026-05-03T07:50:03.158666Z
0 likes, 0 repeats
@m3tti @phnt @icon_of_computational_sin @mangeurdenuage
Keeping software design simple is sadly not the reality we have to deal with. Reducing complexity until attack surface is so tiny that it can be tested thoroughly with minimal effort is classic approach to security, modern approach is adding one layer of complexity over another until it snowballs and no one understands how all this mess works and then we need another layer of abstraction and isolation to keep it in check in case things go south, and of course neural network based tools and fuzzers to test it 😩
(DIR) Post #B5uupYo4iqirnEJabI by phnt@fluffytail.org
2026-05-03T10:34:08.670223Z
1 likes, 1 repeats
@m0xEE @icon_of_computational_sin @mangeurdenuage
>Ha-ha, yeah, I know that. Blocking the entry point to prevent the module from loading — neat trick! But AFAIK, you can't pass it to an already running kernel, there probably is some equally clever kexec trick to minimise the downtime, but in most cases running the kernel with updated command line would require a reboot, which might be undesirable.
    var=$(cat /proc/cmdline)
    cmdline="${var} initcall_blacklist=af_alg_init"
    # kexec -l <kernel> --initrd=<initrd> --append="${cmdline}"
    # reboot
>But building everything AND the kitchen sink right into the kernel? That's just sloppy! To me RedHat doing this is a shocking discovery! I thought all distros moved beyond this for one reason or the other.
It's still heavily modularized like any distro kernel, why they decided to bake the userspace crypto into the kernel image itself probably has some reason like it being expected to be used on a default install, so it being possible to unload it wasn't a consideration. OpenSSL can be built to use it by default I think.
>I wonder how big their kernel images are. Even ZStandard-compressed!
Almost the same as my custom Gentoo kernel with only the necessary stuff to boot baked in (slightly smaller actually)
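A read-only check for the state discussed in the posts above: whether AF_ALG is built into the kernel or loaded as a module, and whether initcall_blacklist=af_alg_init is on the kernel command line. This is an added example, not code from any participant in the thread; the function names and sample inputs are constructed, and it assumes the socket code shows up as af_alg.ko in modules.builtin and as af_alg in /proc/modules.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies AF_ALG exposure from text
# inputs only; it never opens an AF_ALG socket, so it cannot trigger the
# on-demand module load the thread describes.

# cmdline_blocks_af_alg CMDLINE
# Succeeds if any initcall_blacklist= parameter lists af_alg_init exactly.
cmdline_blocks_af_alg() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        grep '^initcall_blacklist=' |
        sed 's/^initcall_blacklist=//' | tr ',' '\n' |
        grep -qx 'af_alg_init'
}

# af_alg_state BUILTIN_LIST PROC_MODULES CMDLINE
# Prints "<linkage> <initcall-blocked|initcall-unblocked>" where linkage is
# builtin (nothing to unload), module-loaded, or not-loaded.
af_alg_state() {
    builtin_list=$1 proc_modules=$2 cmdline=$3
    if printf '%s\n' "$builtin_list" | grep -q '/af_alg\.ko$'; then
        linkage=builtin
    elif printf '%s\n' "$proc_modules" | grep -q '^af_alg '; then
        linkage=module-loaded
    else
        linkage=not-loaded
    fi
    if cmdline_blocks_af_alg "$cmdline"; then
        echo "$linkage initcall-blocked"
    else
        echo "$linkage initcall-unblocked"
    fi
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_BUILTIN='kernel/crypto/crypto.ko
kernel/crypto/af_alg.ko
kernel/crypto/algif_hash.ko'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-example root=/dev/mapper/example ro quiet'

# Built-in and unblocked, then the same kernel booted with the parameter.
af_alg_state "$SAMPLE_BUILTIN" "" "$SAMPLE_CMDLINE"
af_alg_state "$SAMPLE_BUILTIN" "" "$SAMPLE_CMDLINE initcall_blacklist=af_alg_init"

# Live use on a Linux host:
# af_alg_state "$(cat "/lib/modules/$(uname -r)/modules.builtin")" \
#              "$(cat /proc/modules)" "$(cat /proc/cmdline)"
```

A result of "builtin initcall-unblocked" is the case where there is no module to unload and the boot parameter is the remaining lever.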
(DIR) Post #B63dcPdvX1eSoGLuXA by icon_of_computational_sin@mstdn.starnix.network
2026-05-07T15:33:37Z
0 likes, 0 repeats
@mangeurdenuage @phnt and where exactly is Smalltalk today? Right...