log☇︎
731400+ entries in 0.412s
asciilifeform: wait for... the new, seekuur!1! replacement for tor.
ThickAsThieves: he seemed pretty proud of the notion that most nodes were USG
ThickAsThieves: i was speaking with a former military tech at the bar a few weeks ago and he was giving me a shit-eating grin about NSA/Tor
asciilifeform: where they get reprocessed into biodiesel.
asciilifeform: they should just build a surrender pit for idiots to jump in.
BingoBoingo: ThickAsThieves: And this is why I've never upgraded Multibit beyond version 0.5.11
ThickAsThieves: pass everything through NSA plz!
ThickAsThieves: " Jered Kenna interviewed Bitcoin core developer Mike Hearn about BitcoinJ, the Tor network, and what developments are coming to the Bitcoin protocol. Mike explains why BitcoinJ will be using the Tor network for greater privacy and security."
BingoBoingo: The state of the art from 1980 on 2004 semiconductors would be a hell of a thing to behold
BingoBoingo: But they happened because it is easy to "circle the wagons around the cesspool buying time to fish out another turd for sale"
asciilifeform: (tldr - pretend the last 40 years, other than semiconductor chemistry, never happened)
asciilifeform: people have this very special facial expression they make when they finally understand what i've been arguing for
BingoBoingo: Seems the hardware aspects of Loper are only the beginnings of the mess
asciilifeform: so they're as hosed as everyone
asciilifeform: most web crap in common lisp uses 'CL+SSL', an FFI wrapper of traditional openssl.
BingoBoingo: I see. It's also the implementation "Land of Lisp" supposes for most of its exercises
asciilifeform: it is dog-slow - exactly what unfortunates who went to uni for 'comp sci' expect a lisp to be like.
asciilifeform: 'clisp' is mostly used by people running 'exotica' (machines for which there is no 'sbcl')
BingoBoingo: Ah, I have yet to play with SBCL
BingoBoingo: asciilifeform: The particular implementation
asciilifeform: they're rather different things
asciilifeform: clisp as in 'common lisp' or the particular implementation thereof called 'clisp' ?
BingoBoingo: How is clisp's webserver on the SSL stuff
asciilifeform: BingoBoingo: just about anything that involves a book-length standard, esp. with the familiar committees, is an inevitable turd.
asciilifeform: BingoBoingo: it's a bigger issue than one particular C turd
BingoBoingo: So... what Open source alternatives are there to OpenSSL which aren't as much of a bitch to read?
punkman: how do you even do that
asciilifeform: wtf is that
assbot: Last trade for S.MPOE on MPEX was at 0.00097812 BTC [-]
TestingUnoDosTre: ok I acn't argue with that
zacm: competent to follow the incentives, like getting through the revolving door to a higher paying job, making deals along the way to do so
TestingUnoDosTre: It's not like the USG can afford, or even needs to pay a high salary
decimation: and that explains the workings of the USG
zacm: better off having the dumber ones there anyway
TestingUnoDosTre: Thats the thing, they would never go to the SEC in the first place
zacm: what?! Don't Ivy League graduates at the top of their class look forward to that nice, lucrative SEC position?
decimation: the other problem the SEC has is that thier lawyers are at best 'C' league compared to Goldman's army
TestingUnoDosTre: never getting a job at the SEC
decimation: if you could double your income or better, which side of the fence would you play?
decimation: This is what happens when the USG pays peanuts for 'talent'
zacm: ra, ra, there's your "regulation"
ozbot: SEC Goldman Lawyer Says Agency Too Timid on Wall Street Misdeeds - Bloomberg
zacm: Kidney said his superiors were more focused on getting high-paying jobs after their government service than on bringing difficult cases. The agency’s penalties, Kidney said, have become “at most a tollbooth on the bankster turnpike.”
zacm: The SEC has become “an agency that polices the broken windows on the street level and rarely goes to the penthouse floors,” Kidney said, according to a copy of his remarks obtained by Bloomberg News.
decimation: woe to those who upgrade
decimation: "This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e."
thestringpuller: only the cool kids are allowed to read and post
BingoBoingo: mircea_popescu I suspect they must have a seekrit forum, because You have more socks than that everywhere.
mircea_popescu: i wonder how many of them were me.
mircea_popescu: BingoBoingo "To understand this by repeating this, only 20 members have posted on the Big Rock Candy Foundation 's forum in the last six months."
dexX7: http://i.imgur.com/5PHeaHu.png << this is what a vulnerable webwallet returns
bounce: the guy's an academic with a bunch of publications and two rfcs to his name. time to send in some tin foil hats to check all that, too.
bounce: that code looks familiar when comparing the attached patch to http://lists.freebsd.org/pipermail/freebsd-security/2014-April/007405.html
Naphex: http://cvs.openssl.org/chngview?cn=22271 - and this is the changeview
Naphex: for the bug
Naphex: http://cvs.openssl.org/timeline?d=30&e=2012-03-14&c=2&px=&s=1&dt=1&x=1&m=1&w=0 - Timeline
mircea_popescu: bounce they may not be exactly right. this will take a lot of work.
mircea_popescu: well this has been quite the day hasn't it.
mircea_popescu: talk about a product that owns its market. the french f1
Naphex: https://web.archive.org/web/20130202155024/http://www.openssl.org/source/repos.html - move to git
asciilifeform: (german grenade had a convenient, almost identical ring that wasn't attached to the pin)
asciilifeform: like germans who carried captured russian 'limonka' grenades by their rings.
mircea_popescu: this is promising. ty chan, and let it become part of the permanent record : more has been ruined by convenience than by any other sin.
bounce: apparently 2012-12-30 last cvs entries says timeline
asciilifeform: so, to be kind to him, git, which he was accustomed to.
asciilifeform: herr mole couldn't be bothered to learn cvs.
mircea_popescu: actually... they moved just with 1.0.1 didn't they ?
bounce: when did they move to git from cvs?
Naphex: atleast that went right.
Naphex: until 12.00 GMT+2 mostly everything was vulnerable, and as the sploit went public everyone started sniffing everything.
mircea_popescu: anyway, this suddenly makes tor significantly more useful. at least for a few weeks.
bounce: probably not, but last in this channel, possibly
Naphex: i'm guessing that was the logic behind it
Naphex: so you go compile from source to get ECDH, to avoid stupid encryption restrictions
mircea_popescu: asciilifeform yes. i'm exactly that sorta guy.
bounce: there was also that = vs == in a linux syscall a while back
mircea_popescu: bounce maybe you're the last guy on the internet that hasn't made copies.
Naphex: i got screwed cause i had to compile from source to get ECDH.
asciilifeform: still trying to discern how they got it in << this is by far the least surprising part. next, what, ask how the roaches got in the kitchen?
mircea_popescu: question is who were the idiots and who were the patsies.
bounce hasn't checked the repo, if any. probably should.
fluffypony: on that HIGH note, it's bed time here, well as close to bed time as 1:15am is when the wife is fast asleep next to you
mircea_popescu: im still trying to discern how they got it in.
gribble: The Underhanded C Contest: <http://underhanded.xcott.com/>; The Underhanded C Contest » This Year: <http://underhanded.xcott.com/?page_id=5>; The Underhanded C Contest » About: <http://underhanded.xcott.com/?page_id=2>
mircea_popescu: Naphex all the poor souls arguing with me over tor's safety a few months ago. awww.
bounce recalls an irc discussion going on 15 years back, where someone speculated that a nsa backdoor might look like "int foo;" instead of "long foo;". and you just can't tell. well, here we have such an innocuous thingy. and you never can tell. but spectacular, that the effects certainly are.
Naphex: mircea_popescu: you can basically sniff whole SSL trafic with Heartbleed.
fluffypony: if POST/GET vars bleed that's one thing
fluffypony: yeah I'm not talking about mitigating the heartbleed attack
mircea_popescu: the point here is that this attack spent most of the past two years unknown.
fluffypony: but locking a session to an IP is also fraught with issues, so that's not a good technique
mircea_popescu: fluffypony there's many ways to mitigate a known attack, by the very definition of "known".
fluffypony: mircea_popescu: I still maintain that the damage from something like this could be reduced by mitigating session hijacking
mircea_popescu: fluffypony mike_c was liveircing wowmoments with it earlier too
fluffypony: some of them are broken, but enough weren't
fluffypony: it bleeds tons of cookies from the httpd's memory space
fluffypony: before I patched our local server this morning (not behind CloudFlare as CloudFlare don't have a node in South Africa) I played around with it
asciilifeform: and when people realize the actual root of the problem (as eventually must) they will piss themselves.
mircea_popescu: asciilifeform you know you're in the footnotes for that reason :)
asciilifeform: i specifically mentioned 'openssl' in 'don't blame the mice.' well, nobody want to read a crackpot blog, they will have to learn the lesson on their own arse.