modrobert @modrobert@qoto.org

𝗖𝗼𝗽𝘀 𝗞𝗲𝗲𝗽 𝟵𝟬% 𝗼𝗳 𝗪𝗵𝗮𝘁 𝗧𝗵𝗲𝘆 𝗦𝗲𝗶𝘇𝗲 𝗮𝗻𝗱 𝗦𝗽𝗲𝗻𝗱 𝗜𝘁 𝗼𝗻 𝗖𝗹𝗼𝘄𝗻𝘀
(𝗵𝗼𝘄 𝘁𝗵𝗲𝘆 𝗿𝗼𝗯 𝘆𝗼𝘂)
https://www.youtube.com/watch?v=-HGCGivMSUs

Go hack more Cloudflare shit.

https://www.cve.org/CVERecord?id=CVE-2025-13353

\n \n

In gokey versions <0.2.0,\n a flaw in the seed decryption logic resulted in passwords incorrectly \nbeing derived solely from the initial vector and the AES-GCM \nauthentication tag of the key seed.

\n

This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets.

\n

Impact

\n

This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s\n option) are not impacted. The confidentiality of the seed itself is \nalso not impacted (it is not required to regenerate the seed itself). \nSpecific impact includes:

\n

\nkeys/secrets generated from a seed file may have lower entropy: it \nwas expected that the whole seed would be used to generate keys (240 \nbytes of entropy input), where in vulnerable versions only 28 bytes was \nused
\na malicious entity could have recovered all passwords, generated \nfrom a particular seed, having only the seed file in possession without \nthe knowledge of the seed master password
\n

\n

Patches

\n

The code logic bug has been fixed in gokey version 0.2.0\n and above. Due to the deterministic nature of gokey, fixed versions \nwill produce different passwords/secrets using seed files, as all seed \nentropy will be used now.

\n

System secret rotation guidance

\n

It is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0\n and above), and provision/rotate these secrets into respective systems \nin place of the old secret. A specific rotation procedure is \nsystem-dependent, but most common patterns are described below.

\n

Systems that do not require the old password/secret for rotation

\n

Such systems usually have a \"Forgot password\" facility or a\n similar facility allowing users to rotate their password/secrets by \nsending a unique \"magic\" link to the user's email or phone. In such \ncases users are advised to use this facility and input the newly \ngenerated password secret, when prompted by the system.

\n

Systems that require the old password/secret for rotation

\n

Such systems usually have a modal password rotation window\n usually in the user settings section requiring the user to input the \nold and the new password sometimes with a confirmation. To \ngenerate/recover the old password in such cases users are advised to:

\n

\ntemporarily download gokey version 0.1.3 for their respective operating system to recover the old password
\nuse gokey version 0.2.0 or above to generate the new password
\npopulate the system provided password rotation form
\n

\n

Systems that allow multiple credentials for the same account to be provisioned

\n

Such systems usually require a secret or a cryptographic \nkey as a credential for access, but allow several credentials at the \nsame time. One example is SSH: a particular user may have several \nauthorized public keys configured on the SSH server for access. For such\n systems users are advised to:

\n

\ngenerate a new secret/key/credential using gokey version 0.2.0 or above
\nprovision the new secret/key/credential in addition to the existing credential on the system
\nverify that the access or required system operation is still possible with the new secret/key/credential
\nrevoke authorization for the existing/old credential from the system
\n

\n

Credit

\n

This vulnerability was found by Théo Cusnir (@mister_mime) and responsibly disclosed through Cloudflare's bug bounty program.

\n \n

C64 SID rendition of Major Tom: https://www.youtube.com/watch?v=g88BPbPlRzI
#C64 #Music

M77: Spiral Galaxy with an Active Center https://apod.nasa.gov/apod/ap251202.html #APOD

Pocket Acid! A free software tracker for techno acid style music designed to run on linux based gaming handleds https://github.com/boomlinde/pocketacid

Woah, a usable (performance-wise on 68k) modern crypto ssh client for #Amiga (handshake takes 1 minute, interactive session is faster obv) https://franke.ms/git/bebbo/bebbossh

Grab a mini Van De Graff kit In our "Black fly day" sale" 10% off, if you use BLACK FLY DAY code at the checkout.

We don't do #BlackFriday until Dec 1st.

https://extkits.co.uk/product/van-de-graaff-vdg-generator-kit-v2-150mm-40000v-of-sparky-fun/

gaslight the llms!

Hardfloor - "Black Train"

Originaly released in 2014 to celebrate 5 years of the De:tuned label from Belgium on a 5x12" Vinyl Compilation Box-Set.

Now for the first time on to download and re-released on vinyl.
(HF033 Data Mining Vinyl Edition Vol.1)

►YouTube: https://www.youtube.com/watch?v=1GesOsxTOUs

OpenAI has experienced a data breach. Any user who utilized their API services should assume that personal data, including their name, location, user ID, and other details, is now in the possession of the hacker

https://openai.com/index/mixpanel-incident/

Arduino’s new terms of service worries hobbyists ahead of Qualcomm acquisition
“Why is reverse-engineering prohibited... for a company built on openly hackable systems?”
https://arstechnica.com/gadgets/2025/11/arduinos-new-terms-of-service-worries-hobbyists-ahead-of-qualcomm-acquisition/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

Everybody go read "Termination Shock" by Neal Stephenson, because apparently that whole scenario is actually about to start happening: https://www.politico.com/news/magazine/2025/11/21/stardust-geoengineering-janos-pasztor-regulations-00646414

@harrysintonen It seems more relevant to blame Cloudflare for being a deliberate MITM for most of the HTTPS internet.

Zork source code repositories

Zork I https://github.com/historicalsource/zork1

Zork II https://github.com/historicalsource/zork2

Zork III https://github.com/historicalsource/zork3

What’s Zork?
It is a game from the 80s but unlike modern video games, Zork has no graphics. The entire game world described to you in text, like an interactive novel. You interact with the game by typing commands in human language like “Open Door.”

EDIT: The Malwarebytes article has been updated:

"After taking a closer look at Google’s documentation and reviewing other reporting, that doesn’t appear to be the case."

This confusion could've been easily avoided if Google was more clear in how they communicate with their users.

ORIGINAL:

PSA to anyone who uses Gmail!

"Reportedly, Google has recently started automatically opting users in to allow Gmail to access all private messages and attachments for training its AI models. This means your emails could be analyzed to improve Google’s AI assistants, like Smart Compose or AI-generated replies. Unless you decide to take action."

https://www.malwarebytes.com/blog/news/2025/11/gmail-is-reading-your-emails-and-attachments-to-train-its-ai-unless-you-turn-it-off

#gmail #AI

New video! Fully restoring a PAL Super Nintendo Entertainment System. Recapping, Cleaning, Retrobrighting, Repairing, even some 3D Priniting.

YouTube: https://youtu.be/N_58DqbB3e8
PeerTube: https://makertube.net/w/4DYddo3pkmQ3mGxNZoWFKA

#SNES #SuperNintendo #Nintendo #Restoration #Repair #Retrobrighting #Capacitor #Recapping #CapacitorLeakage #CorrosionRepair #LEDDiffusor #PlasticRepair #RetroGaming

but hey, the first prototype of my portable floppy disk imager has just imaged its first floppy disk!