badger is a user on mastodon.social.

badger @badger_@mastodon.social

badger boosted

iSuck-touch-icon.png requests are grade A farm fresh BULLSHIT!

Please, stop filling my web logs with garbage!

Anyone running MAME successfully on OpenBSD 6.2? I've compiled sdlmame-0.160p4.tgz and I get these kinds of errors when I run it:

sdlmame:/usr/lib/libc++.so.1.0: undefined symbol 'iswalpha_l'
sdlmame:/usr/lib/libc++.so.1.0: undefined symbol 'iswprint_l'
sdlmame:/usr/lib/libc++.so.1.0: undefined symbol 'iswlower_l'
sdlmame:/usr/lib/libc++.so.1.0: undefined symbol 'towlower_l'
sdlmame:/usr/lib/libc++.so.1.0: undefined symbol 'isupper_l'
sdlmame:/usr/lib/libc++.so.1.0: undefined symbol 'tolower_l'

badger boosted

researcher about the mikrotik silent patch.

>I allowed OpenBSD to patch silently myself. I never allowed MikroTik that. Unless CERT/CC allowed them, they broke embargo without permission

twitter.com/vanhoefm/status/92

Side note: It's funny that CERT/CC can decide who can do early patches no?

cc: @phessler @stsp

badger boosted

@starbreaker Yup. On , you can have multiple versions of ruby stuff at the same time without all the "virtual environments" or "version managers".

Mad props to the ports team.

badger boosted

Designers (and project managers) need to go back to dialup until the web becomes usable again

Downloading megabytes of JS and CSS to view your "coming soon" page doesn't give me high hopes for whatever it is you're trying to sell

badger boosted

The story ends with a lavish banquet. Everyone except Cacofonix agrees that embargos don't help.

badger boosted

@kurtm @kellerfuchs and to be perfectly clear: we coordinated with the original author on our commit in August.

That the author regrets that choice is 1) not our problem, and 2) not our responsibility.

It is completely inappropriate that he singled out , when e.g. Mikrotik also stealth published beforehand.

badger boosted

Bugs show up everywhere:

marc.info/?l=openbsd-ports&m=1

This is a full disclosure of a 4 byte stack overwrite in GNU ghostscript 9.07.

Though perhaps I should have sat on it for 4 months, and registered a domain first? How does ghostsmash.com sound?

badger boosted

So is getting flak for early patch, yet a silent patch a week before release from Mikrotik is OK? forum.mikrotik.com/viewtopic.p

badger boosted

funny how the only vendor taking flak over #KRAK is #OpenBSD, for patching it. Not the vendors who left everyone vulnerable while they delayed and stalled for half a year.

badger boosted

and regarding the embargo:

Tedu on HN: “A bunch of dudes on a linux mailing list lack the authority to prevent OpenBSD from fixing things.”

Finally I got a 1991 IBM Model M for a good price. The Unicomp pales in comparison in spite of using the same Buckling Spring mechanism.

The typing feels more smooth and sweet. I really love this keyboard <3

badger boosted

looks like fixed the attack in 6.1 Errata 027. This is also fixed in 6.2-release.

badger boosted

As 's de-facto wifi maintainer, I first learned about this WPA problem in June. A simple patch was provided which I could commit with slight modifications.

The original embargo was already 2 months long, and then extended again for 2 months.

The general public (you) were left in the dark about this for at least 4 months.

This is a very sad state of affairs. It takes the industry much too long to apply a simple patch.

badger boosted

Don't worry about today's WPA2 vuln if you're running - both 6.1-stable and 6.2 release are already patched.

badger boosted

@stsp What I don't understand is why no one asks why on earth one needs *another* 2 months to apply a patch...

The tinfoil hat in me says:
Unless those 2 months should be used to penetrate some systems beforehand

badger boosted

@pierre The basic idea is that vendors hold fixes back, and cooperate to release their fixes concurrently.

On the surface, this looks reasonable.

But end-user security falls apart when information leaks, or when government agencies get involved which happens if someone requests a CVE. So in this WPA case, US gov agencies knew about the bug for at least as of the second embargo.

Does such an embargo serve your interests? Not really. As an end user, you are interested in getting a patch ASAP.