Posts by isotopp@infosec.exchange
(DIR) Post #Av4B6uhUEQ2JbGq1IW by isotopp@infosec.exchange
2025-06-08T20:32:51Z
1 likes, 0 repeats
Today is PHP's 30th birthday.

I started using PHP in 1997 or so, and together with Boris Erdmann and a few other people (Jan Kneschke, Ulf Wendel, Tatiana Nürnberg) created a thing called PHPLIB.

This was in the early days of PHP 3, and I think PHPLIB was the first thing trying to use the PHP object features. We found so many errors – I think Boris and I were responsible for 10 of 16 PHP 3 beta releases 🙂 But: It worked. It was even fast and convenient, and easily extensible in C and PHP itself.

Ten years ago, in 2015, I was invited to give a keynote on 20 years of PHP, and interviewed.

https://www.youtube.com/watch?v=oiYmjd9MYzE
20 Years of PHP, a retrospective

https://www.youtube.com/watch?v=VEA9FfYAmNg
Interview

PHP today is a very different language than what it was 30 years or even 10 years ago. I mean, it is still mostly compatible, but modern syntax, modern type checking, and modern execution engines with just-in-time compilation put it into a different league.

#30yearsofphp
(DIR) Post #AvBQjT0ny8RCRGR2ye by isotopp@infosec.exchange
2025-06-16T08:49:07Z
0 likes, 0 repeats
Things that begin with "V"...

Today's #FotoVorschlag: Verkehrt (the wrong way round).

A Dodge RAM 2500 and a Carver S+, 25-Aug-2024, Spottersplek, IJweg 614, 2141 CN Vijfhuizen

https://photog.social/@FotoVorschlag/114691514492890688
(DIR) Post #AvDmSELLq8AhKV9SVc by isotopp@infosec.exchange
2025-06-17T07:38:42Z
0 likes, 1 repeats
Not being federated and E2E as an advantage

https://revolt.chat/ is a chat that ultimately tries to emulate and displace Discord as an alternative.

Revolt is not E2E encrypted and not federated. That is a big plus.

Federation and E2E encryption are features that make an implementation much, much more complicated without need. Most people do not want to organize a women's shelter or abortion support or the antifash resistance. They just want to have a public guild server for their gaming guild or chat about 3D printers.

Don't federate chat

Having a federated system for that has a number of implications that make implementations more complicated and impact quality of life for users.

In a federated system, different servers can be on different versions of the server software. This can impact features, which may or may not work properly. It will affect security of the whole network due to lack of patches in one place. And it will create propagation delays of messages inside the federated network, that is, order or even availability of messages can differ depending on what server in the federated network you are on.

As a consequence for the individual user, there is no single history order of messages – some messages may be missing, appear out of order, and there will be spam. Lots of it.

Back when Google Hangouts was still federating XMPP (Jabber) servers, specialized Jabber server implementations existed with the sole purpose of simulating user profiles, discovering Hangouts that are joinable, and spamming users with, well, garbage.

Operating a public chat room in 2025 is already a moderation nightmare. Adding federation is a surefire way to make things fail.

Federate identity, multihome clients.

This is not to say that the client should be bound to a single server. It can, and should, in fact, connect to different servers for each community. The server, though, should be a "single visible instance, single history for all" thing, and have proper controls for the moderation team to control admission of new users to whatever their policy is.

EDIT: And, obviously, federated identity can be quite useful. In fact, even Mastodon and other Fediverse systems should use federated identity, and also be identity servers. This will allow me to connect my client to a chat server without making any new account.

Don't E2E encrypt chat

Use TLS (or even a REST protocol over HTTPS) to connect to the chat server. But do not E2E messages.

Keep a clear text history on the server.

This makes it trivial for a single identity ("isotopp") to have multiple devices (desktop, iPad and web client) and switch between them, yet have the same chat history on all devices. It will allow new users to join a channel and see the full channel history, if the channel is configured to do that (and because the server is not federated, the channel backlog policy can actually be enforced).

It makes it trivial to implement search and indexed archives for a server that wants that.

It makes it easier to implement detection of spammy behavior, implement rate limits, and to autodetect inappropriate or banned content.

With E2E, the server only has binary garbage that it cannot read itself, only distribute. It may not even have metadata.

It will be complicated to scan messages for spammy behavior, detect banned content.

It will be impossible to provide backlog to newly joined users. An existing identity (Isotopp) adding a new device (his phone) can only have backlog if the other clients (the desktop or iPad client of Isotopp) of that user support client-to-client backlog transfer.

Without E2E encryption, there is no keysplit problem ("half a channel only sees undecipherable messages"), there is no "known plaintext" problem to handle, and there is no large-scale key distribution problem.

Conclusion

That is, a project that
- uses TLS, but not E2E, and
- that uses multi-homed clients but not federation,
will be able to build a better client with better UX with less effort and be a lot more agile. Both properties (federation, E2E) do little for the end user experience except in a few limited use-cases, but come with a huge cost in implementation complexity, review and anti-abuse measures that will ultimately bind the majority of your dev capacity for nothing in return.
(DIR) Post #AvDmSK3UbRS32qqHVQ by isotopp@infosec.exchange
2025-06-17T07:42:58Z
0 likes, 0 repeats
See also https://blog.cyrneko.eu/matrix-is-cooked

Matrix and Element have been digging their own complexity grave, wanted to VC their way out of that, and now their commercial entity has a homepage littered with military clients.
(DIR) Post #AvNtkd4lGZOeVZiAWe by isotopp@infosec.exchange
2025-06-22T04:45:53Z
1 likes, 0 repeats
@filippo Maybe, as a bank, you should not be using a random library taken from the internet, with a single maintainer and some 100 stars, and make it a critical dependency of your banking operations.

Maybe, as a bank, your IT should write and maintain such a library and open source it.

Maybe, as a bank, you should not continue to use the first library, and do the second thing after the first library was able to take down critical parts of your infra the first time.

Because we live in a society, and as a bank, you should be contributing to it, too.

But then, what do I know.

@julijane
(DIR) Post #AvUHeUbs1yOLjfO2y0 by isotopp@infosec.exchange
2025-06-24T18:24:39Z
1 likes, 1 repeats
Scroll. Scroll. Scroll. Scroll.

All of these headlines are the same headline.

What is needed are not tanks. But guillotines.
(DIR) Post #AvUcy5EcBNVdrhgyCe by isotopp@infosec.exchange
2025-06-25T14:47:43Z
2 likes, 2 repeats
Wednesday, it's Captain!
(DIR) Post #AwMDFIAgzdpeL8hTMm by isotopp@infosec.exchange
2025-07-21T11:56:35Z
0 likes, 0 repeats
@futurebird Hello, European person here.

In our countries under the oppressing thumb of ruthless socialist governments, all listed consumer prices are required to be end prices including all taxes and fees, by law.
(DIR) Post #Awoto8S4x46ApdpHma by isotopp@infosec.exchange
2025-08-04T06:33:35Z
0 likes, 0 repeats
AWS deletes Ruby developer's entire life

https://www.seuros.com/blog/aws-deleted-my-10-year-account-without-warning/
(DIR) Post #AxM7FMjleqVaZn5moS by isotopp@infosec.exchange
2025-08-20T07:08:48Z
0 likes, 3 repeats
(DIR) Post #Axdc9es1j5UvLP25Nw by isotopp@infosec.exchange
2025-08-28T12:23:45Z
0 likes, 1 repeats
"Workloads sind nur so lange I/O-Bound bis Du genug RAM nachgesteckt hast." -- Köhntopp's Gesetz.

"Workloads are only I/O-bound until you have added enough RAM." -- Köhntopp's Law.
(DIR) Post #AzlR7UpbftO7m80p3w by isotopp@infosec.exchange
2025-10-31T06:52:58Z
0 likes, 0 repeats
Today is 31 October 2025.

Twenty years ago today, on 31 October 2005, https://en.wikipedia.org/wiki/Mark_Russinovich published a detailed description and technical analysis of First 4 Internet's (F4I) XCP software, which he discovered had been secretly installed on his computer by a Sony BMG music CD.

The software was part of the CD's digital component and automatically installed itself on Windows computers when the disc was inserted into a CD-ROM drive. A similar component for MacOS was blocked from automatic installation with Operating System confirmation prompts. The driver interfered with any attempt to rip audio CDs on that system and actively concealed itself to prevent detection or removal.

Russinovich compared XCP to a rootkit because of its covert installation and use of stealth techniques to hide its presence. He pointed out that the EULA made no mention of the software and argued that its behavior was illegitimate.

The security firm F-Secure agreed, stating: "Although the software isn't directly malicious, the rootkit hiding techniques it uses are exactly the same as those used by malicious software." Following public backlash, Symantec and other antivirus vendors added detection and removal for the rootkit, and Microsoft announced that it would include protection against it in its security updates.

XCP operated with high system privileges and contained numerous exploitable vulnerabilities, creating a serious security risk. That risk quickly became real: within weeks, several trojans and worms appeared that exploited flaws in the XCP software.

As the result of government investigations and class-action lawsuits, Sony BMG partially addressed the scandal with consumer settlements and a recall that affected about 10% of the affected CDs. It ceased the copy-protection efforts in 2007.

The Sony rootkit scandal only affected users that bought legitimate copies of music. Everybody who used Napster or Donkey to grab the MP3 was of course unaffected.

Sony has never apologized to its customers.

Timeline, in German:
https://netzpolitik.org/2005/rookit-sonys-digitaler-hausfriedensbruch/

Sony also produced, only one year later, the
https://www.engadget.com/2006-01-05-sony-vaio-xl2-digital-living-system.html

Like the XL1, the XL2 sports an HDMI video out, operation via wireless keyboard and remote, and an optional 200 CD/DVD changer for library management. Running Windows MCE 2005, the XL2 is harboring Intel Viiv inside

Sony also turned off the DRM servers for the Connect online music shop in March 2008, again fucking over all customers that paid for their content.
https://www.golem.de/0804/59229.html

In an interview in 2012, Sony Music boss Edgar Berger said
https://www.welt.de/wirtschaft/webwelt/article13881492/Musikindustrie-Das-Internet-muss-frei-sein-nicht-umsonst.html

"The Internet is a great stroke of luck for the music industry, or rather: the Internet is a blessing for us." "The Internet for us is a boon."

Whatever companies think, even today the only way to actually purchase content on the internet is to buy content without DRM, or buy content with removable DRM, download and deDRM it immediately.

Have a media library. Make sure your stuff can use this media library. Back up your media library.
(DIR) Post #AzrtT9YFR9VFoQleLY by isotopp@infosec.exchange
2025-11-03T12:22:03Z
0 likes, 0 repeats
@shalien MacOS be like...
(DIR) Post #Azslk2sUtepvYxk7Xc by isotopp@infosec.exchange
2025-11-03T14:04:50Z
0 likes, 0 repeats
@burak @shalien Apple's filesystems, APFS and HFS+, are case-folding. H is mapped to h, and ß is mapped to ss.

For some reason, trü is not mapped to true.
(DIR) Post #Azxb7gfL0ObVuwSSAa by isotopp@infosec.exchange
2025-11-06T06:16:28Z
0 likes, 0 repeats
@timbray It's not you. You can output brightness from a small area, almost a point source, or the same amount of light from a larger area. The former is blinding, the latter less so.

https://www.nature.com/articles/s41598-023-30658-0
https://pmc.ncbi.nlm.nih.gov/articles/PMC9508687

Very modern cars have dynamic headlights. These are composite LED lights, so an array of point sources, that can be controlled by the car's camera. The car will darken a segment in which it spots another light source, i.e. the headlights of an oncoming car.

As a pedestrian, unlighted, you do not register, so it won't.

Most cars do not yet have integrated systems, so registered obstacles from a car's lidar system will usually not (yet) be taken into account.
(DIR) Post #AzxbVky2fC5OD0gSSu by isotopp@infosec.exchange
2025-11-06T06:29:11Z
0 likes, 0 repeats
@tomjennings @timbray I have a Euro background; regulatory constraints here are a bit different, and somewhat more constrained. A lot of what is street legal on US and Canadian roads would not be here.

But yes, a lot of the more modern tech (the things that are part of GSR2, https://www.rac.co.uk/drive/advice/road-safety/what-is-gsr2-important-eu-car-safety-features-explained/m and a few other things that come from an insurance and not a primary regulatory background) is forced on the market through regulation, and is basically too immature to reliably help drivers or innocent bystanders.
(DIR) Post #B05iK1nwqfZleCZdUu by isotopp@infosec.exchange
2025-11-09T14:25:28Z
0 likes, 0 repeats
@futurebird Warning! Unshielded cuteness ray source detected!
(DIR) Post #B0MmgRGaiqdEjTCyDQ by isotopp@infosec.exchange
2025-11-18T09:51:39Z
1 likes, 1 repeats
@Saupreiss @kami_kadse
(DIR) Post #B0dNbdbBo4uf82ppcu by isotopp@infosec.exchange
2025-11-26T10:11:11Z
0 likes, 0 repeats
@futurebird Ray Bradbury did, https://en.wikipedia.org/wiki/The_Pedestrian
(DIR) Post #B2SLAyPgjbLs4mhqCW by isotopp@infosec.exchange
2026-01-19T21:00:26Z
1 likes, 0 repeats
@Ollivdb @harkank @caravantraveller In December, Oracle fired the last MySQL developers.

https://github.com/mysql/mysql-server/graphs/commit-activity

As a project, that is completely dead. Last week there was a crisis conference on the topic in Planetscale's offices in SFO, sponsored by Percona. Percona runs a Slack server on the topic. In the wider FOSDEM environment there will be another such meeting in Brussels. The goal is the creation of a foundation for MySQL. It is unclear whether Oracle will support such a foundation, and how.

MariaDB is a fork of MySQL that formed around 2010 and has been developed separately for 15 years. MariaDB is no longer compatible with MySQL in the on-disk data formats, in the protocol, in authentication, and in SQL syntax.

In particular, MariaDB cannot replicate to MySQL or the other way round, except in the totally outdated single-threaded statement-based replication format, IF both servers restrict themselves, in the application, to the SQL that both servers understand as their intersection.

Around MariaDB there was a series of confusions, with a failed commercialisation (via a SPAC), venture capital investors who bought the remains of the SPAC, and other stories.

TL;DR: Use Postgres.