mircea_popescu: and with this, ladies and gents, the FOUR YEAR tits for bits hole closes.
trinque: heh, got an alpha in there
a111: Logged on 2018-04-09 14:31 mircea_popescu: a right. hanbot do me a favour : download ~only~ those patches which are in the leftmost trunk seen on phf's viewer (so exclude vtools_vdiff_sha, and its dependents) and try to flow again ?
phf: trinque: it wouldn't, i believe there's an antecedent->dependency transformation issues (i.e. the transform in mod6 v is adhoc, so it can't handle the tricky antecedent graph). the approach hanbot used was to just use the patches from the left branch of the graph, until, per mircea_popescu's request, i write a general purpose v graph code.
a111: Logged on 2018-04-09 04:25 hanbot: phf et al: attempted to press latest vtools to the keccak head. v (mod6's) reports vtools_vpatch_newline not in flow, neither its antecedent vtools_fixes_static_tohex, despite both patches and (verified good) sigs present (they neither show up via flow command). v will press to vtools_vpatch.vpatch, but no further. see http://p.bvulpes.com/pastes/oNRhE/?raw=true .
trinque: only thing I do to modify V is make the seals dir not dotted.
trinque: phf: trying to press your vtools using mod6's V 99993
trinque: I'm not committing to a time
mircea_popescu: haleyyyyy, 0f9a63b5 ; but mind that you only get it once.
mircea_popescu: Starrrcx, yeah, i think you're the years young-est person in there.
a111: Logged on 2018-04-19 18:29 mircea_popescu: and it all came from original idiocy, "oh, to have bash AT ALL you must have access to /sbin/bash or else a copy of it somewhere". bullcrap. look at what apache does -- somehow it DOES manage to run all users' php crapolade from whatever directories. bash can (and obviously should fucking have) worked the exact same way. of course you can run bash from your homedir even if that is /home/users/f/u/c//k/t/h/i/s/l/u/s/e/r/john.
douchebag: mircea_popescu: Safe to say this is the oldest participant in the "i will pay for your tits" campaign
Starrrcx: i hear the price on it went crazy high since it was started
Starrrcx: i dont have much of an opinion besides it being money can you tell me more about it?
mircea_popescu: think about it -- the sort of people who'd publish idiotic crap a la tor docker etc LIKE the meat injection. and the sort of people who'd protest don't get involved with that.
ckang: just someone publicly calling someone out at trying to inject malicious code into a project
mircea_popescu: contrary to what you might think, it's 9x% the function of nsa, trolling on github all day.
ckang: has there been any documented cases of such happening recently? or attempts
ckang: i imagine to infiltrate a project successfully they need to 'invest' into it before it becomes too large so theres not 1000s of nerds reviewing commits
mircea_popescu: now, of course they've been pretending like "it never happened" for five years now ; but then again they're also pretending to be solvent, and militarily relevant, and whatnot.
ckang: ahh yea, it was just recently they had the torbrowser svg stuff too
ckang: i could totally see them buying up new 0days and letting them go unpatched for future use
ckang: im surprised we haven't heard more about that, someone with a email or offer publishing it
mircea_popescu: usg trying to leverage the fact that idiots stick together whereas intelligent people jwz, into this situation where they keep shitting turds larger than what you can fit in head and so "one man's guess is as good as any other's" and "we don't actually know it's a scam" hurr durr.
a111: Logged on 2018-04-16 16:05 zx2c4: mircea_popescu: i take it now that mostly you're skeptical because the nsa was pushing ecc in the early years, before everyone else woke up to it
mircea_popescu: y're reasonably safe, as far as we know" ; and as we learn better... they just come up with a new piece of shit.
mircea_popescu: understand how the empire of idiots' euphemism treadmill works : they noticed that you go by the heuristic of "published holes", and they've adapted to that (because that's what the idiots are all about, "Exam taking", ie optimizing for the measurement not for the variable measured). so, they keep publishing strainers and colanders, except the sort where YOU don't know the holes. it gives you the warm fuzzy feeling that "The
ckang: oh, in terms of stability and usability
ckang: and being able to control the network gives way more flexibility in limiting what someone can/cant do
ckang: openvz i didnt care much for, docker has been solid though
ckang: PATH turns into a cluster fuck, always
mircea_popescu: yeah. the whole stygian stable has to be cleaned out. no more PATH and no more bash-style calls. apache style calls.
mircea_popescu: metaphorically speaking, the solution to spilling some food in front of the fridge is not to attach a mechanical broom to it.
mircea_popescu: depends how you count the hit. complexity hit is significant.
ckang: re: chroot/$PATH stuff, is there any reason not to opt for a container model and leave that abstraction up to a dedicated system?
ckang: mircea_popescu: yea, i found the !!pay but !!ledger shows nothing
ckang: i think it may have been when the code registration issue was happening
ckang: if you get a min, had an issue with the bots on 1 girl, pheeby
ckang: even more so after the recent changes in gov policy in regards to information harvesting by ISPs
a111: Logged on 2018-04-19 17:11 ckang: what have you managed to push encrypted on the board?
phf: http://btcbase.org/log/2018-04-19#1803375 << i have ipsec subnets to essentially identical openbsd installs, but egress is to wan. i use pf to route specific things through the ipsec subnets. i've never benchmarked it though. it's good enough to watch an occasional regioned youtube, or pull a torrent at 5mbit saturation
trinque: need moar practice with titties eh?
douchebag: Starrrcx: you'll have to wait for mircea_popescu
mircea_popescu: i must now retire and meditate in sadness over the miserable fate fate had in store for me this morn.
mircea_popescu: so i pick the yesterday's chicken pilaf, and dump on it three spooning heapfuls of the mango-raisin-ginger jam in the half gallon jar. then a spoonlet of chilera. and then... a small and kinda tired&old but very ripe aguacate.
mircea_popescu: to eat, to eat, but what to eat! there's no fire going happily in the hearth, there's no water splashing on nude thighs unintentionally and aggravatingly, the kitchen's dead and i must have leftovers!
mircea_popescu: bereft of female support, i woke this morning among empty vast halls, ruin already gnawing silently in their corners.
mircea_popescu: mp's morning adventure : the curse of the shapely bottles.
spyked: ^ my point in the first place. POSIX ACL was designed from the idea that "all users are equal, except /a/b can be accessed only by X and /c/d only by Y etc.". while saying that "Z can only access /e/f" can only be implemented as "/a/b and /c/d and etc. can't be accessed by Z". and sure, there's chroot, that sets /e/f to /, but in practice this introduces other issues
a111: Logged on 2018-04-19 18:26 mircea_popescu: "i can't identify you so here's the oval office"
hanbot: http://btcbase.org/log/2018-04-19#1803390 << exactly, that blew my mind. no idea why limiting someone to their homedir should be complicated either. isn't keeping users cloistered like...the fucking reason a "users" system even exists? what else is it for, personalized wallpaper?
mircea_popescu: the fucking path. and for the very good reason that it's nonsense enough to make gates proud.
mircea_popescu: you know what is the HARDEST, most screaming, wailing and tear laden item every time i explain unix, the posix model, linux basics etc to fundamentally minded slavegirls that are well accomplished in other fields and can think ?
trinque: now there's a point. user's shell should just have whatever commands he can use loaded into it
mircea_popescu: (which is what is the only fucking POSSIBLE meaning of "set home directory" : as far as ALL POSSIBLE terminals that user springs up, the indicated point in the filestructure is his root. and he sees its downstream and nothing else fucking ever.)
mircea_popescu: and even if you think /home/users/f/u/c//k/t/h/i/s/l/u/s/e/r/john is actually /
mircea_popescu: and it all came from original idiocy, "oh, to have bash AT ALL you must have access to /sbin/bash or else a copy of it somewhere". bullcrap. look at what apache does -- somehow it DOES manage to run all users' php crapolade from whatever directories. bash can (and obviously should fucking have) worked the exact same way. of course you can run bash from your homedir even if that is /home/users/f/u/c//k/t/h/i/s/l/u/s/e/r/john.
mircea_popescu: "you were fired, the way to the vp lounge is to the left"
mircea_popescu: understand, this model whereby user falls into root because "we couldn't open the subdir you should have" is the lulz of all time.
spyked: (note that I did not claim this to be "the wrong way" or anything. just that in other access control schemes it can be explicitly expressed, in some cases at cost of implementation complexity etc.)
mircea_popescu: spyked, by making the first dir that's not specifically world-visible or his own whatever she wanted it to make.
spyked: anyway, I'm sure that this can be enforced by having all the other users except the "limited user" deny rwx access to their dirs. but this doesn't say anything about the "limited user" explicitly, only implicitly. kinda like in that joke with enclosing the sheep using as little fence material as possible.
spyked: mircea_popescu, okay, but can you make klinki see *only* /home/klinki/sikrit and nothing else? that's how I understood hanbot's problem. I dun see any practical way of doing it (other than by chroot'ing).
lobbesbot: BingoBoingo: The operation succeeded.
BingoBoingo: !Q later tell avgjoe I don't talk to strangers in private
mircea_popescu: what the fuck, there's 0 high level difficulty here, 100% unixtards being unixtards.
mircea_popescu: and if you want to get fancy you can even reconstruct dirstructure by restating it while skipping invisible spots, so that a path may be /a/b/c/ for one and /a/c/ for another.
mircea_popescu: ie if you have / 755 root:root home/ 755 root:root klinki 755 klinki:klinki /sikrit 700 klinki:klinki then user bolek can see all the way to /home/klinki and user klinki all the way to /home/klinki/sikrit.
a111: Logged on 2018-04-19 10:24 spyked: http://btcbase.org/log/2018-04-19#1803146 <-- this is (nearly?) impossible to achieve within the Unix access control model. it's easy to express "no one but user1 has access to dir1", but no reasonable way of expressing the reverse, i.e. "user2 can access only dir2". must be one of the reasons why namespaces and cgroups were added to Linux
mircea_popescu: http://btcbase.org/log/2018-04-19#1803308 << very fucking easy to do, are you kidding me ? system builds the FS tree, exposes / to all users symbolically but only lists permitted files and then for every node in the directory tree only lists those which are either all or user.
ckang: i ended up just adding a deb8 vm and my entire router is virtualized now, only lose ~2Mbit off the top (148Mbit) while still only using the tunnel with wireguard
ckang: what have you managed to push encrypted on the board?