yeroc @yeroc@qoto.org

Clever attack against Signal and others, locate any user by revealing their closest CloudFlare datacentre. https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117

Disappointing response from Signal, which is unusual.
“Signal has never attempted to fully replicate the set of network-layer anonymity features that projects like Wireguard, Tor,…”

This isn’t a classic network layer attack: it doesn’t require a privileged network vantage point to carry out. Whilst it’s a CloudFlare feature that’s being abused, it’s Signal that chooses to use it in this way.

Feels like CloudFlare could make this header configurable so you could still benefit from caching without leaking information?

<< “Do something.” He gave me three rules: make it simple, immediate and collaborative.
–
That’s how, a week later, I found myself in Victoria Park in Ashford, Kent, fishing old carrier bags out of the river. In subsequent sessions, our band of volunteers put up bat-boxes, created new paths, renovated the dried-out pond and surveyed for amphibians.
–
Psychologists call the mental boost from volunteering the “helper’s high” [1]. And boy, did I get high. >>

https://www.theguardian.com/lifeandstyle/2025/jan/13/i-was-in-despair-about-the-environmental-crisis-then-i-volunteered-to-clean-up-my-local-park

[1] https://pubmed.ncbi.nlm.nih.gov/30424992/
#EcosystemCollapse #GlobalWarming

Bambu's firmware shenanigans are making me rethink ever recommending one again.

They have to backtrack on it, or lose the goodwill of the 3DP community that is "open source but willing to give on value sometimes", which is not an insignificant sector.

Well, well, well...

"#Allstate ... used data from apps like #GasBuddy, #Routely, and #Life360 to quietly track drivers and adjust or cancel their policies."

https://arstechnica.com/gadgets/2025/01/allstate-sued-for-allegedly-tracking-drivers-behavior-through-third-party-apps/
#privacy

Wolf Moon Engulfs Mars

Image Credit & Copyright: Imran Sultan

https://apod.nasa.gov/apod/ap250115.html #APOD

A study from the Berlin Senate showed that highway lights have no measurable influence on collision statistics. After this result, and further improvement of retroreflectors and other markings, the Berlin highway lighting wil be almost entirely extinguished step-by-step during 2025: https://viz.berlin.de/aktuelle-meldungen/beleuchtung-auf-den-stadtautobahnen-wird-abgeschaltet/

Belgium also turned off a huge fraction of its highway lighting two years ago without incident.

#RoadStandards #LightPollution #Safety #GlobalEnvironmentalChange

Also, check out this outstanding series of images of the Lunar Occultation of Mars on Dec 8, 2022 taken by astrophotographer Ethan Chappel.

Hardware: Celestron EdgeHD 14, iOptron CEM70, ZWO ASI462MC, ZWO UV/IR Cut, Astro-Physics BARADV, Moonlite CHL with High Resolution Stepper Motor v3, ZWO ADC, EFW 8 x 1.25″/31mm, Spike-a Large Flat Fielder

https://www.cloudynights.com/gallery/image/166231-36-lunar-occultation-of-mars-on-december-8th-2022/
Credit: Ethan Chappel
8/n

what's involved in getting a "modern" terminal setup? https://jvns.ca/blog/2025/01/11/getting-a-modern-terminal-setup/

#RIP Peter Yarrow, the Peter of Peter, Paul and Mary, Dies at 86

The folk trio he formed with Noel Paul Stookey and Mary Travers became a pop phenomenon, scoring hits like “If I Had a Hammer” and “Puff the Magic Dragon.”

https://www.nytimes.com/2025/01/07/arts/music/peter-yarrow-dead.html?smid=nytcore-ios-share&referringSource=articleShare

Took Project Farm's capacity testing of AA batteries along with the best deals I could find for large quantities (Harbor Freight, Costco, Amazon) to find the batteries that give you the most capacity per dollar. Contrary to the video's findings, AA in bulk is still better than AA Lithium.

Varta or Amazon basics win at 8048 and 7568 mAh per dollar.

https://www.youtube.com/watch?v=efDTP5SEdlo

New from 404 Media: data hacked from location giant Gravy reveals thousands of ordinary apps hijacked to steal your location data. Candy Crush, MyFitnessPal, Tinder. Period trackers, prayer apps. Because of how data collected, apps may not even know https://www.404media.co/candy-crush-tinder-myfitnesspal-see-the-thousands-of-apps-hijacked-to-spy-on-your-location/

People have probably seen this before, and I have - but not to this extent.

All certificates that are public, are actually "streamed" to public databases, that in line with regulation set by CA's, browsers and other vendors.

What that means, is that if you issue (or buy) a certificate from a public CA - and you are only using it in an internal environment - people WILL know that you have a host with that particular CommonName somewhere.

I've issued a couple of certificates today, and since I host my own Authoritive DNS-servers, I am able to fully trace the requests coming into my DNS-zone.
Immediately after I've issued said certificates - I see many request arriving from all over the world, together with port-scans and all that shit.
And if you dont have a A-record for that particular hostname - the portscans will go directly against @.
All that from Cloud providers such as AWS, GCP, and shit.

Fascinating.

And if you want to check all the certificates that is issued - in real time, Check out "certstream"

https://certstream.calidog.io/

#linux #infosec #security #letsencrypt