One more anecdote for the disclosure debate. Team finds TLS vulnerabilities in live systems. Reports to Hacker One. Closed as irrelevant. And, best part, loses cyberhackerpoints for trying. Hurray, responsibility.

Paper here: https://www.usenix.org/conference/usenixsecurity19/presentation/merget

Slide from: https://twitter.com/matthew_d_green/status/1162766559703490560

Trying to read this mozilla dev-security-policy email thread, and... it's absolutely terrible. (the interface.) How is anybody supposed to make heads or tails of what's going on here? The quotes are all messed, sometimes gray sometimes black sometimes hidden entirely. And then this Doug tool decides to reply inline without quote marks? How do people communicate like this? I've seen threads on Mastodon that were easier to follow than this.

Also, how the flying flapjack is this the one and only official archive for a mozilla mailing list?

Anyway, CA cabal doing CA cabal things.

https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/iVCahTyZ7aw/9AVXifi9AQAJ

DZ: orange cone

Today's edition of one step forward, two steps back. Wordpress reverting to relying solely on https based security for updates.

https://make.wordpress.org/core/2019/08/16/ssl-for-auto-updates/

Neovim has adopted builds.sr.ht for OpenBSD CI 🎉 welcome to Sourcehut!

Long time ago in a Miami IDC far far far away... #OpenBSD

Being a network node operator hasn't been this thrilling since the glory days of Usenet.

To make things fun, any software that provides a time remaining estimation for an operation should also provide a counter of accrued error in the estimation as the operation progresses.

Whenever I see a quote I've seen before, I wonder if it's an original quote or a requote. As in, has the person making this quote read the original source (book, paper, etc.) or are they just copying a quote they read elsewhere. I've seen some quotes 100s of times, but always exactly the same. Never the sentence before, never the sentence after, no additional context ever. Curious.

many one-shot style command-line utilities like cal or ls would be better off using sbrk() than malloc(), but alas that only works if you're willing to tie yourself to POSIX since it's not part of libc. the difference is that sbrk() just changes the size of the heap, so everything is linear, there's no fragmentation, and allocation is a very cheap call. you don't actually need to worry about freeing memory unless you're using a *whole* lot of it in unpredictable ways. calling free() when you're just going to exit the program anyway and thereby automatically return all its memory to the operating system is incredibly wasteful.

If I've read the knob attack correctly, it breaks paired devices. There have been a lot of practical attacks against Bluetooth pairing in the past, but generally a reliable countermeasure was to go out to your cabin in the woods, pair devices, then disable further pairing, and you'd be mostly safe. No more!

Reply control is coming together...

The idea is that instead of the typical thing where every rando to reply gets a spot on your microblog, only acked posts appear. This is slightly different than liking or sharing, though. It's a silent ack. Like moderated mailing lists of old. And more refined than giant banhammer outright blocking somebody because you don't feel like rehosting their posts.

What appears elsewhere is elsewhere's concern, of course.

A quick rundown of today's usenix crypto security session. With some links to the papers.

hoot: https://twitter.com/matthew_d_green/status/1162388394803994624

@matthew_d_green: Going to chair the best session of the day: “Crypto means cryptography”. But also it’s Usenix so anything could happen.

@matthew_d_green: For all we know, these papers could all turn out to be about fuzzing. Stranger things have happened.

@matthew_d_green: So the first talk is on “mobile private contact discovery at scale”. The idea is to use private set intersection to perform contact discovery for tools like WhatsApp and Signal. Tools with large userbases. https://www.usenix.org/conference/usenixsecurity19/presentation/kales

@matthew_d_green: This is a big problem. Signal has proposed to do it with Intel SGX trusted hardware. This work skips all that and does it with actual crypto. They get a huge improvement over previous works, for contact databases as big as 250 million users.

@matthew_d_green: This work really kicks the performance ball forward. But not quite enough. The authors contacted a major service to see if this could be deployed, and here are the requirements they got back vs. what this work can do. https://pic.twitter.com/dUBiwNfpS6

@matthew_d_green: Our next paper is on fuzzing.

@matthew_d_green: No, I’m kidding! Sort of. Actually it’s on generating verifiable zero-copy parsers so you *don’t* have to fuzz. https://www.usenix.org/conference/usenixsecurity19/presentation/delignat-lavaud

@matthew_d_green: The authors have a formally verified system for generating parsers that aren’t going to be exploitable. This is really hard. They give examples from TLS and Bitcoin. https://pic.twitter.com/1HIP54Is3T

@matthew_d_green: Anyway, aside from the tool: the biggest upshot of this talk for me is that apparently all the zero copy parsers out there being used are not verified. That’s surprising and a bit scary.

@matthew_d_green: This next paper is about “blind Bernoulli trials”. This is a really cool idea that I’m going to have a hard time getting across in a quick series of tweets, but screw it I’ll try anyway. https://www.usenix.org/conference/usenixsecurity19/presentation/connor

@matthew_d_green: So imagine I have a group of people and I want them each to flip a coin so it comes up heads with some chosen probability. We do this all the time with stuff like Bitcoin PoW, where everyone is doing trials and each one will win with some (small) probability.

@matthew_d_green: But in Bitcoin a big feature is that the probability (difficulty level) is known to everyone. What if you want to keep it secret? That’s what blind Bernoulli trials do.

@matthew_d_green: Unlike Bitcoin this requires trusted setup. Each user gets a key from some master authority. When I want you to flip a coin I encrypt some randomness and send it to everyone. Each user combines with their key. They get “heads” with exactly the chosen probability.

@matthew_d_green: I wasn’t able to keep up. But the next talk was extremely cool. Basically, they found a way to convert a deep neural network into a Boolean circuit, so it can be evaluated by two parties using Yao’s garbled circuits. https://www.usenix.org/conference/usenixsecurity19/presentation/riazi

@matthew_d_green: TL;DR it looks like this kind of multi-party machine learning computation is getting freakishly fast.

@matthew_d_green: I mean: the fuzzing people may be exploiting vulnerabilities in HotCRP so these papers could be anything :)

It's funny. I've installed openbsd on laptops, desktops, sparcstations, beaglebones, edgerouters, and more. I am also completely flummoxed and thwarted by the mere thought of trying to reinstall android on a phone.

Just came across a bunch of old photos in a drawer, and it turns out I only know when it was that we last had that much snow in #Freiburg because the same film also had TV screenshots of the Giotto approach on comet Halley. Apparently, that was in March 1986...

Woman on the sidewalk yelling "zweiundeins" at her husband. Hey, now, watch your language!

Here's a simple security privacy thing which I think should be possible, but the rockstars have not aligned.

Was setting up Uber on a new phone (for reasons). I need to enter a credit card. Every app now has a feature where I can take a picture of the card, but this requires camera access. Can be revoked, but requires digging through settings. But all the app needs is a number. Why no option for letting the app read a number through the camera?

A lot of privacy concerns could be alleviated by only providing processed data, not sensor access. Mobile OS service architecture seems built for this as well.

Ah, the Carrier Services error message has been getting slightly more detailed in recent updates, but I'm still not tempted to give away those permissions, especially as I have also disabled the Google Messaging app (using QKSMS for good old standard SMS)...

A feature that auto mutes a thread where any participant posts "untag me".

"But this is a part of history" always sets me on edge.

I'm sorry. But once I started, it didn't let me stop. https://kristaps.bsd.lv/sblg/examples/brutalist

Oh, friendica, why must you be like this?

The Matasano Crypto Challenges (review)

https://blog.pinboard.in/2013/04/the_matasano_crypto_challenges/

If you don’t have time for the challenges themselves, reading this review a few times until the lessons are internalized may be a good substitute.

> How practical these attacks were. A lot of stuff that I knew was weak in principle (like re-using a nonce or using a timestamp as a ‘random’ seed) turns out to be crackable within seconds by an art major writing crappy Python.

https://cryptopals.com/

#crypto #development #exploit #programming #security

The long awaited xlogo 1.0.5 update lands in #openbsd!

https://marc.info/?l=openbsd-cvs&m=156589086715406&w=2

What's new since 2012? You may now exit the program by pressing q or esc instead of requiring q and esc. (If you're still on 1.0.4, try it out.)

https://lists.x.org/archives/xorg-announce/2019-March/002963.html

Also lots of other x updates today. I just found this one particularly amusing. This bug lasted at least seven years between releases. Perhaps an argument for regular time based releases, even if it seems not much has changed.

Our new blog is officially here. Come read about why we left Medium and how we built a crazy fast, privacy-respecting blog just for you.

https://blog.elementary.io/welcome-to-the-new-blog/

What if the antivirus is the virus? Reprint 47585.

https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html

If I were King of America, I would make it so every library provided a free course on password managers, and handed out YubiKeys like candy

I would like to announce a public server running #brutaldon: https://brutaldon.online/

Brutaldon is a brutalist, Web 1.0 web interface for Mastodon. You can use it as a client for any instance. Currently you do not need a separate brutaldon account. It is compatible with almost any web browser, including text-mode browsers like lynx, w3m, or eww.

Screenshots, issues tracker, and source code are available at https://github.com/jfmcbrayer/brutaldon.

Have fun!

My phone also tried to autocorrect Hong Kong to honk king. Glad I caught that; would have sounded a little narcissistic.

Journalism prof: you don't want to cover the Montgomery bus boycott as a transit story

NYTimes: call our tip line to tell us about your canceled Hong Kong flight

https://twitter.com/SnarlsDeGaulle/status/1161628895587663872

Our new MegaSecureZ laptop has a hardware kill switch for the keyboard to disable key loggers.

Saw the worst hashtag, thought eh, so there's nothing to it, cute I guess. Hovered the link. Oh...

the worst hashtag

#́

Two flash clips, a flash emulator, a flash programmer, surface mount soldered test points, oscilloscope probes, cat5 crossover cable, and both a TTL serial adapter as well as an RS232 serial adapter with null modem & genderchanger. Finally got my emacs setup just how I like it.

Why is Berlin expensive? This is very inconvenient, and I must say, quite inconsiderate.

A little more Baltimore malware commentary. This seems like an angle that won't get much coverage. If you run up a large bill, and never receive it, you may not be liable for penalties, but you still need to pay the principal, and maybe you haven't been diligently saving for that event. Another cost pushed down.

hoot: https://twitter.com/matthew_d_green/status/1161948213567512577

@matthew_d_green: We’re getting our first water bill since Baltimore got ransomwared this Spring. Apparently it’s expected to be so large that people will have trouble covering it.

@matthew_d_green: The cost of this thing is just phenomenal. I understand the arguments around not paying ransoms, but if you’re going to go down that road you’d better have your IT security figured out.

@matthew_d_green: In Baltimore all the qualified devs work for the NSA or are busy writing spyware for the UAE, unfortunately.

@tedu Go away or I will replace you with a very small shell script.

$ grep xman .profile
alias xman="MANPAGER=mupdf man -T pdf"

xman retired today.

https://marc.info/?l=openbsd-cvs&m=156587112209485&w=2

This post has expired

https://t.co/dGT9MYueOD

I missed the 30th anniversary of the release of The Abyss by a week. Anyway, enjoy this article about the making of the film. It wasn't fun.

https://www.nytimes.com/1989/08/06/movies/film-the-abyss-a-foray-into-deep-waters.html

Super weird ActivityPub observation. Friendica instance. When fetching object via AP, json has 8 actors in cc. When fetching the outbox, same object exists but has 9 actors in cc, same 8 as before, plus me! No idea what's going on. But kinda funny.

humerous technology rant, xserver bullshit, :archlinux:​💯💯💯memery💯💯💯

When you get a new laptop, and install arch, but the media keys are all fucked up because they have ID's higher than 255 and X server is 8-bit for some reason...

So you have to use evdev to test the keys individually for the hardware "scancode," then xmodmap -pke to list all the software *key*codes and then you have to manually scroll through the 255-8 (for some reason) keycodes and their functions to find the right ones you want.

Then you have to use setkeycodes [scancode] [keycode] to rebind them manually HOWEVER you have to subtract 8 from the keycode number because for some reason beyond human comprehension the kernel decides to add 8 to the keycode.

wheezes

this is such a windows-tier problem my lord

Is there a non clickbait actually semi informative article about this iphone contacts sqlite exploit?

Screenshot of xman demonstrating the responsive design of the Xt toolkit.

Book recommendation, HTTP/2

In light of the recent HTTP/2 CVEs, here’s another book recommendation: if you want to learn a bit more about this protocol, Learning HTTP/2 is a decent choice.

It’s beginner-friendly enough to be accessible to people who didn’t really looked into most L7 protocols, and it’s a very easy read if you already have some HTTP/1.1 and TCP knowledge.

You can apparently get it DRM-free from ebooks.com, though there’s a mention of a “digital watermark” and I have no idea what that really is.

New blog post: "Browsers, input events, and frame throttling" https://nolanlawson.com/2019/08/14/browsers-input-events-and-frame-throttling/

A follow-up to my blog post from a few days ago, where I go possibly-way-too-deep into how browsers actually fire input events.

Presented without comment

https://asciinema.org/a/pdXxtEwaZnxN4U9Ek7fAx2Myr

Wolverine: Origins is playing on AMC. The American Movie Classics channel. Truly the darkest timeline.

Mobile safari reader mode is astonishingly bad at picking content out of honk. Not even an option on most pages (fine), but when available and selected it randomly chooses about two posts and ignores all the others.

I've seen this on enough other sites to wonder, what in the world does Apple have in their testsuite for this feature? Exactly one nytimes article about the launch of the first iPhone?

cpio user spotted in the wild!

pol, computer security

"Who Should Secure Congressional Campaigns?" by Maciej Ceglowski https://idlewords.com/2019/08/who_should_secure_congressional_campaigns.htm

Interesting, even-handed take on a tricky problem. Good follow-up to his last post on the topic.

#OpenBSD -stable binary packages are now a thing!

https://marc.info/?l=openbsd-announce&m=156577865917831&w=2

The view from an ancient defensive tower

#photography #mastoart

2.3. In this screen, there are at least 2 "secret cheat codes" (key combinations which do things), one being the tab key to learn more about the error and the other being ctrl+d to enable debug mode. In order to make these not secret, there needs to be some key combo which displays all other key combos and that key combo needs to be displayed somewhere on that screen.

I thought this comment was hysterical. But also true. If you haven't read the paper, it's good.

https://www.usenix.org/conference/woot19/presentation/fifield

hoot: https://twitter.com/tqbf/status/1161368349487575040

@tqbf: Best paper at WOOT is a zip bomb? This must be a hell of a zip bomb.

I actually wish pledge/unveil would be a thing on linux because of GNOME.

Anyone remember back in like 2002 when you could crash xchat by sending it a string of 񦙦 chars?

It keeps happening. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010238

Wasn't expecting to see this...

OrgName:        Linode
OrgId:          LINOD
Address:        249 Arch St
City:           Philadelphia

I accidentally bought a Lenovo X1 Carbon 7th gen. How?

I went to Costco to buy an #X1C6 to replace the one I returned months ago. Turns out Costco silently upgraded their stock to the #X1C7 ... for the same price. \o/

But, now I'm on the bleeding edge. The #X1C7 has the Intel 9560 wireless chip ... soldered to the mobo.

Brand new, cutting edge laptop, USB wifi dongle. ​

I need to buy @stsp beer or coffee. ​

Stupid building code

It's so great that the humidity-sensing fan switches I'm required to have in my bathroom to save energy while preventing mold come on constantly when my air conditioner is on, exhausting all the conditioned air to the ouside and sucking in hot air. So this requirement in the name of saving energy actually wastes it.

I'm illegally replacing them with timer switches while wishing death on every moron who supported that bullshit requirement.

@tedu I wonder if I could trigger chrome into detecting my pages into thinking it's klingon even if I define the lang.

Apparently the word "paleoprogramming" appearing on a page triggers chrome language detect into suggesting a translation from Afrikaans. (I think that's the keyword; doesn't always work. I'm sorry this isn't an exact science.)

the only federated network that actually has any security is

@GeoffWozniak I'd rather read documentation in a word document off a hard drive platter with an electron microscope than use GNU Info

Running two browsers split screen on my phone. Seems pretty pointless, but iPhone won't let me do it, therefore I must. Anyway, rendering in chrome looks better than Firefox, especially apparent side by side. Thank you for reading my in depth review of Android.

Comment 10 here is big ouch.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1859#c10

If you have more time than sense, here's a thread about iota with lots of crypto guy replies.

https://twitter.com/SarahJamieLewis/status/1161353122343604225

"Girl there's no variable" sounds like a sassy compiler error.

Stumbled across this. No Mastodon one click installer for digital ocean because intel MDS isn't fixed. I'm not sure if there's a soundbite moral to the story, but just take a moment to reflect on the path that lead us here. The circumstances which created a scenario where this could occur.

https://github.com/tootsuite/mastodon/issues/11541

HTTP/2 resource exhaustion coming only two months late for the tenth anniversary of slowloris.

How does one even manage to take a screenshot with a potato?

The vBSDCon 2019 conference is Sept 5-7 in Reston VA.

The schedule has been added to the website: https://www.vbsdcon.com/schedule/

The Early Bird registration of $100 closes on Aug 15 (Thursday this week).

https://www.vbsdcon.com/registration

See you there.

#FreeBSD proposes a firm timeline for full removal of #gcc from base: https://lists.freebsd.org/pipermail/freebsd-arch/2019-August/019674.html

#clang #llvm #compiler #toolchain

Is France a Cyber Superpower Yet? Short read, not bad.

https://medium.com/@thegrugq/is-france-a-cyber-superpower-yet-c6c79216d51b

State of the security is :sad trombone:. I still get kinda excited about crypto attacks that steal keys because they'll still be relevant when (if) we ever get working silicon, but that's just me.

hoot: https://twitter.com/matthew_d_green/status/1161076038471995392

@matthew_d_green: Is Intel’s plan just to let security researchers fix this one side channel at a time, on billions of production processors? https://twitter.com/kurmus/status/1159859369804259330

@matthew_d_green: If Intel built airplanes I feel like we’d be losing one every three months, with the company saying “yes, this is pretty much how it’s going to be for the next five years.”

@matthew_d_green: Thank god “the bad guys” aren’t very smart.

@matthew_d_green: Also, from a cryptography perspective these attacks are very annoying. Who’s going to get excited about your 100-million query attack that extracts a single EdDSA private key when right now you can dump like the whole kernel memory space.

@matthew_d_green: If I was a state sponsored attacker I wouldn’t even bother doing the research. I’d just hack like two or three academic teams’ email servers.

@opal fyi your dnssec on amine.website looks busted.

@tedu Or hg pull -u

After running hg pull, remember to run hg up before make. Works better that way.

The cumulative distribution function (CDF) of page load time (PLT) is a very nice visualization I haven't seen used before. The rest of the article is kinda meh, amp, but I liked seeing this. Good choice of presentation.

https://blog.apnic.net/2019/08/08/amp-up-your-mobile-web-experience/

Design and Evolution of C-Reduce

https://blog.regehr.org/archives/1678

> Since 2008, my colleagues and I have developed and maintained C-Reduce, a tool for programmatically reducing the size of C and C++ files that trigger compiler bugs. C-Reduce also usually does a credible job reducing test cases in languages other than C and C++; we’ll return to that later.

Part 2: https://blog.regehr.org/archives/1679

#c #compiler #development #fuzzing #programming #testing

I just decided it was time to list Rhapsode alongside Lynx, Dillo, and NetSurf as a smaller engine you can help grow by making sure your pages look (or in Rhapsode's case, sounds) decent in them.

But definitely, test in Firefox and Safari/Midori/GNOME Web/Odysseus/etc too! Whatever you do don't just test your pages in Chrome, I fear a Google monopoly.

Here's my other asks: https://odysseus.adrian.geek.nz/developer/web-bloat.html

https://en.wikipedia.org/wiki/Berkeley_r-commands

Made with @krita - You can support this awesome Open Source Software here --> https://krita.org/en/support-us/donations/. #art #illustration #mastoart #krita

Every day I work with teams building custom widgets. They almost always fail to spec them well. An effort: http://adrianroselli.com/2019/08/basic-custom-control-requirements.html

#opengit clone over ssh just worked...

I had forgotten to close the other end of the pipe(2). That took me 4 days to realize...

oh wait I know how it's acceptable: NOBODY COMPILES RUST APPS, THEY DEPLOY WITH DOCKER

That's why nobody complains about this stuff. Building and packaging it is someone else's problem. Doesn't matter if it takes 128GB of RAM and 2 years of wall time, it's someone else's problem. You put on your DevOps shades and smash that docker deploy button and move on with your life ignoring that you have no idea how this software even works or if anyone will ever be able to build a new version

Best #metamonday ever. Going to retire the hashtag in honor of this fine day.

Clicked on a link to fedi.absturztau.be, five minutes later I'm still downloading sticker packs and themes... All I wanted is to view one post. I won't post a reaction, I promise.

Nice... Mastodon signs fetches with the key of the individual user receiving the boost or reply. Probably a good argument not to do signed fetches by default. You are sending me excess and identifiable credentials. At least use a per instance key.

Honk is the second best AP implementation (can't dunk on pleroma, sorry)

General silliness and mumbling. May contain bits of grouse.

Probably a bad idea, but (not quite seriously) considering rejecting signed fetches. There's a robustness argument to secure system design that operations with excess authority should fail. Mandatory principle of least authority. Kinda, I think I'm stretching a bit.

But this is how some systems do work. Accounts with blank passwords require a blank password. If you enter a real password, that's a failure. If it's a public object, then you should fetch it without passing any credentials.

Hopefully, with ocap, this isn't a problem because you'd know whether to obtain a cap or not. You wouldn't accidentally pass along a cap without need.

Return of the iconic infosec duo: ghostscript and untrusted postscript files.

https://www.openwall.com/lists/oss-security/2019/08/12/4

In today's edition of will it federate... CSS classes like <p class="signature">.

Answer: not really.

Is there any extra metadata I can add to image attachments so that they're scaled to fit nicely on mastoroma, instead of zoomed all the way in on some random section?

I gotta say the feedback and patches I've #got in my private mail box is super high quality content compared to all the bros with their entitled knowitall opinions on various web sites...

But for now nobody else is seeing it because my preference for #selfhosting is getting in the way of getting a public repo up quickly.

Thank you kn, @gonzalo, @sthen, bentley, semarie, Artturi Alm, @otto, Hiltjo Posthuma, and Thomas Klausner for contributing within the first 3 days of public project history!

nature, please don't disturb.

#berlincameraclub #ベルリンカメラ部
DSC01235.jpg

So how much do I care to implement activitypub signed gets? Just to fill in a thread that's not that interesting? Guess I'll never know what I'm missing.

Now this is the #metamonday I signed up for! No mods, no masters!

@tedu we must go deeper. compare failed login cycles to writing auth log to disk.

What if I can't decide? Where's the Goldilocks option for just the right number of sub posts?

Oh, geeze, I haven't given you my sshd port take yet.

If you run sshd on port 22, you don't hate your users, you hate the planet. Failed login attempts, even with password auth disabled, still burn CPU crunching hashes, wasting precious electrons. The dinosaurs did not die for your laziness!

Based on the name alone, Ways and Means sounds like it would be a pretty sweet committee.

I thought this was pretty funny.

http://www.basicinstructions.net/basic-instructions/2019/8/11/how-to-find-hope-for-the-future-of-humanity

Whenever I see Martin Fowler or Bob Martin mentioned, I can never remember which is which.

Distributing the resulting size to the children turns out to be two-step process. First it needs to know how much space is left over, and then it needs to distribute that out equally to all children so have plenty of whitespace in which to drag the window.

This is essentially the same process used by the deprecated GTKBox.

Fin.

hysteresis & slack http://joshuahhh.com/projects/hysteresis/

"Deceived by Delete and Redraft," a new romantic thriller.

The first paged out zine is excellent

https://pagedout.institute/

@tedu as a package builder, I don't think any package measured in single digit hours or less is "too long for bulks".

The last time we checked in with the openbsd port of alacritty, we learned it required doubling memory limits to compile. As things have progressed, we learn it calls lstat on its own config file ten times per second, cranking up CPU usage. Must be fun to have two dozen such processes running. And also takes 45 minutes to build, which in the grand scheme of things is perhaps too high a cost for regular package builds.

Sometimes people wonder why there are at least a few rust skeptics in the openbsd project. It's not entirely fair to pick one program to represent rust, but I think this is a good example of why, security aside, there's been a less than complete meeting of the minds.

Thread: https://marc.info/?t=156468248200002&r=1&w=2

Reviewing my current toolkit:

Using #SVN for working on... well, SVN

Using #Git for working on Got

Using #hg for my web sites (including Got's site) and for managing files related to self-employed work and taxes

Using #got for working on OpenBSD

Using #cvs to commit to OpenBSD

Using #fossil to get back to older unfinished work I've done for OpenBSD

​

#allthethings #vcs

I just discovered that devtools splits the element inspector vertically for some sites and horizontally for other sites, and I have no idea why this happened or how to change it. Slowly but surely, modern browsers are turning me into my parents.

@tedu I know how to fax thank you tedu.

Vague post a complaint about something seen elsewhere. Check feed, see similar thing here. Friendly fire, friendly fire!

Tired: sharing an article by posting a link.

Wired: sharing an article by posting a screenshot of it.

Inspired: sharing an article by finding a print copy and posting a photo of it.

It's not even #metamonday yet.

depressing: OpenBSD performance

I wanted answers. Now I want to forget.
http://bluhm.genua.de/perform/results/2019-08-10T05%3A41%3A55Z/perform.html

WHY! Why is the drop of 100Mbit due to a change in kern_unveil.c

The price of gas is a Shepard tone.

There is now a Free Meek documentary.

https://www.washingtonpost.com/arts-entertainment/2019/08/10/free-meek-tracks-rappers-lengthy-battle-with-criminal-justice-system-heres-what-we-learned/

New blog post: "High-performance input handling on the web" https://nolanlawson.com/2019/08/11/high-performance-input-handling-on-the-web/

@knuxify I'm looking for an absolute origin but in the meantime here's someone trying to get email quote usage standardised *in 1999*

https://tools.ietf.org/html/rfc2646

Attempts to deploy new media types, such as Text/Enriched [RICH] and Text/HTML [HTML] have suffered from a lack of backwards compatibility and an often hostile user reaction at the receiving end.

on another note, I like that youtube-dl supports Twitter videos, so I can watch them this way instead of enabling js

I blogged. Mini Review of tog(1)

"Just tried tog(1), the 'interactive read-only browser for Git repositories' included with Game of Trees. May I just say *swoon*?"

#OpenBSD #got

http://akpoff.com/archive/2019/mini_review_of_tog.html

How is a Philip K Dick novel like a super burrito?

Both are awesome and both completely fall apart when you get close to the end.

One would not think compiling a terminal emulator would exceed the default memory limits for a staff user. Unless, surprise twist, it's written in rust.

https://marc.info/?l=openbsd-ports&m=156545846010751&w=2

Elsewhere in #openbsd, from the department of is it good or is it awful... Work towards supporting Cryptographic Message Syntax (CMS) in libcrypto, imported from OpenSSL.

https://marc.info/?l=openbsd-cvs&m=156545252809756&w=2

Wheeee! #opensbd TSC sync for MP systems.

https://marc.info/?l=openbsd-cvs&m=156536401524562&w=2

The long hard road to getting here: https://marc.info/?t=156163735700005&r=1&w=2

Suddenly feeling the urge to get a new X1 so I can listen to Moving in Stereo in stereo...

https://marc.info/?l=openbsd-tech&m=156545436110103&w=2

https://www.youtube.com/watch?v=BZhfFXEMMI4