The New York Times is using the Ruffle WASM Flash emulator to get all of their archived Flash data visualizations to work again. This is so great to see https://flowingdata.com/2024/01/10/nyt-flash-based-visualizations-work-again/
This is an article that took a lot of strength to write and I might take it down again. But I felt like it is an article that is very necessary right now. https://bastianallgeier.com/notes/grandpa
Microsoft says a Russian state-sponsored hacking group known as Midnight Blizzard/Nobelium used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of
"Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself."
Password spraying is low-tech and pervasive. The good news is, you can password spray your own users just like the bad guys can, and then tighten things up.
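The post above says you can spray your own users and then tighten things up; the other half of that is being able to see a spray in your own logs. The following is an added example, not part of the post or of any Microsoft material: a small Python detector that reads a constructed, hypothetical auth log in an assumed `"<timestamp> <OK|FAIL> user=<account> src=<ip>"` format, separates the spray signature (one or two failures each against many different accounts from one source, staying under per-account lockout) from ordinary brute force (many failures against one account), and flags any success from a source that was spraying shortly before. The thresholds and window are assumptions to tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). Assumed format:
# "<ISO timestamp> <OK|FAIL> user=<account> src=<source IP>"
SAMPLE_LOG = """\
2024-01-19T10:00:01Z FAIL user=alice src=203.0.113.7
2024-01-19T10:00:03Z FAIL user=bob src=203.0.113.7
2024-01-19T10:00:05Z FAIL user=carol src=203.0.113.7
2024-01-19T10:00:07Z FAIL user=dave src=203.0.113.7
2024-01-19T10:00:09Z FAIL user=erin src=203.0.113.7
2024-01-19T10:00:11Z OK user=frank src=203.0.113.7
2024-01-19T10:05:00Z FAIL user=alice src=198.51.100.9
2024-01-19T10:05:02Z FAIL user=alice src=198.51.100.9
2024-01-19T10:05:04Z FAIL user=alice src=198.51.100.9
2024-01-19T10:05:06Z FAIL user=alice src=198.51.100.9
2024-01-19T10:05:08Z FAIL user=alice src=198.51.100.9
2024-01-19T11:30:00Z FAIL user=gina src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts sorted by time; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Spray signature: within `window`, one source fails against at least
    `min_users` distinct accounts with at most `max_per_user` failures each.
    Returns {src: {"users": [...], "first": ts, "last": ts}}."""
    alerts = {}
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    for src, fails in fails_by_src.items():
        start = 0  # sliding window over this source's failures
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            counts = defaultdict(int)
            for e in fails[start:end + 1]:
                counts[e["user"]] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                alerts[src] = {"users": sorted(counts),
                               "first": fails[start]["ts"],
                               "last": fails[end]["ts"]}
    return alerts


def detect_bruteforce(events, window=timedelta(minutes=10), min_fails=5):
    """Contrast case: many failures against one account from one source.
    Returns {(src, user): failure count in the densest window}."""
    alerts = {}
    stamps_by_key = defaultdict(list)
    for e in events:
        if not e["ok"]:
            stamps_by_key[(e["src"], e["user"])].append(e["ts"])
    for key, stamps in stamps_by_key.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_fails:
                alerts[key] = end - start + 1
    return alerts


def successes_after_spray(events, spray_alerts, grace=timedelta(hours=1)):
    """A successful login from a source that was spraying is the event that
    matters most: it names the account whose password was guessed."""
    hits = []
    for e in events:
        a = spray_alerts.get(e["src"])
        if e["ok"] and a and a["first"] <= e["ts"] <= a["last"] + grace:
            hits.append((e["src"], e["user"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_spray(evs)
    print("spray sources:", spray)
    print("brute force:", detect_bruteforce(evs))
    print("successes after spray:", successes_after_spray(evs, spray))
```

The two detectors are deliberately separate because the fix differs: per-account lockout stops brute force but does nothing against a spray, which is why the spray check keys on distinct accounts per source rather than attempts per account. Against real logs the source field is often a shared NAT or cloud egress address, so treat the per-source count as a lead to investigate, not a verdict.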
German law is making security research a risky business.
Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.
When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.
There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.
I very much hope that there will be a next instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.
"Go to an old cemetery. See all the baby graves from before the 1950s & 60s? After that, hardly any. That's when people started vaccinating their children against deadly childhood diseases. If you're unsure what to do to protect your kids, the answer is literally written in stone." — Michael Okuda
Without vaccines, many transmissible diseases were once an early death sentence. People are so quick to forget how fortunate we are to have access to them.
Post Canada's #OnlineNewsAct and Meta's ban on Canadian news content, sharing journalism on social media has been tough to say the least.
And yet The Tyee has seen much growth here on #Mastodon.
We want to see how far we can go. If you enjoy coming across Tyee stories on your Mastodon feeds, share our profile with your friends, or repost this toot, to help us get to 6,000 followers. 🐘🌟🗞
Diesel enginemaker agrees to nearly $2 billion in fines with feds and California
More than 600,000 Ram trucks have Cummins engines with software defeat devices.
https://www.postfix.org/smtp-smuggling.html
"SMTP Smuggling" vulnerability in Postfix allows senders to be spoofed even in the presence of some DMARC checks. Configuration workarounds exist.
Also, a wholehearted f* you to SEC Consult, who sat on this since June and disclosed it to some closed-source vendors and MSPs, but could apparently not be bothered to give e.g. Postfix a heads-up, publishing this close to the holidays.
Boosts for awareness welcome.
"New Kia vehicles that have arrived from overseas are sitting on a storage lot in Wolverton, Ont., purposely locked up even though customers have been waiting months and months — some well over a year — to get their vehicles.
The new cars are being withheld from Kia's Ontario dealerships — and reportedly from many more across the country — as part of a controversial plan by Kia Canada to game the number of sales in the last six weeks of the year."
https://www.cbc.ca/news/canada/kia-canada-car-sales-1.7063216
The Verge is such a great website, and the design on their features (especially this one) blows me away. https://www.theverge.com/c/23972308/twitter-x-death-tweets-history-elon-musk
How the first gen iPod was reverse engineered to run #Rockbox:
1. Someone figured out that when loading a particular HTML page (for viewing on the device), the device would reboot. It crashed. A buffer overflow in the HTML viewer!
2. The device remembered what it did before the crash, so it would reload the HTML page again after boot. Unless you connected to it over USB and removed the HTML file it would stick in this cycle.
(continues...)
"Would you recommend the new Microsoft Teams to a friend or colleague, if asked?"
My guys. No one is going around asking their friends or colleagues if they would recommend using the new Microsoft Teams. That is not a conversation that normal people have.
Go outside. Touch some grass. Think about the choices you've made in life that took you to this moment.
Facts, not wishful thinking.
🇨🇦