Jérôme Radix is a user on mastodon.social.
Pinned toot

"It is a good practice to make your code as fragile as possible, letting it break when necessary."


There is a new Spectre variant in town: #4 called Speculative Store Bypass.

P0 ticket by Jann Horn:

Intel's info, which makes it sound like there will be one of these each quarter... Q2 2018 Speculative Execution Side Channel Update:

RedHat even made a video titled “Speculative Store Buffer Bypass in 3 minutes”:

"A formal security analysis of the Signal messaging protocol"


"we have found no major flaws in the design"

BREAKING: #eff #fail at ssh, advise everyone to switch to #telnet.

I'm impressed by #OpenBSD's rc.
The documentation is top-notch; it's simple yet powerful, and, if you have to read them or if you're curious, the underlying scripts are understandable if you have basic shell scripting skills.

@mherrb Right now Paul is at a little over 90% of the code disassembled. The remaining 10% are probably the hardest.
There is also the matter of really understanding what this code does and documenting it, before considering making changes.

TIL: "No route to host" on Linux does not necessarily mean "no route to host".

If a firewall rejects a packet, it usually sends an ICMP port unreachable, which is correctly interpreted. The proper behaviour defined in RFC 1812 would be ICMP Admin Prohibited (Type 3 Code 13), but the Linux kernel converts that to EHOSTUNREACH, which is interpreted by libc as "No route to host".

Therefore, check the actual traffic using tcpdump/Wireshark. "No route to host", well... doesn't mean no route to host.
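As an added example (not from the toot), this is how to confirm the real cause from a capture: a small Python decoder for the ICMP Destination Unreachable message that recovers the rejected destination and port and maps the ICMP code to the errno Linux hands to the socket. It assumes the mapping from the kernel's icmp_err_convert table in net/ipv4/icmp.c and runs on a constructed packet.

```python
import errno
import os
import socket
import struct
from typing import NamedTuple

# errno the Linux kernel surfaces for each ICMP Destination Unreachable code
# (the icmp_err_convert table in net/ipv4/icmp.c): the "administratively
# prohibited" codes 9, 10 and 13 all collapse into EHOSTUNREACH, not ECONNREFUSED.
ICMP_UNREACH_TO_ERRNO = {
    0: errno.ENETUNREACH, 1: errno.EHOSTUNREACH, 2: errno.ENOPROTOOPT, 3: errno.ECONNREFUSED,
    4: errno.EMSGSIZE, 5: errno.EOPNOTSUPP, 6: errno.ENETUNREACH, 7: errno.EHOSTDOWN,
    8: getattr(errno, "ENONET", errno.EHOSTDOWN),  # ENONET is Linux-only in Python's errno
    9: errno.ENETUNREACH, 10: errno.EHOSTUNREACH, 11: errno.ENETUNREACH, 12: errno.EHOSTUNREACH,
    13: errno.EHOSTUNREACH, 14: errno.EHOSTUNREACH, 15: errno.EHOSTUNREACH,
}

class Unreachable(NamedTuple):
    sender: str       # router or firewall that generated the ICMP error
    code: int         # ICMP Destination Unreachable code
    orig_dst: str     # destination of the packet that was rejected
    orig_dport: int   # transport port of that packet
    errno_name: str   # what the application's connect() reports
    strerror: str     # libc text for that errno ("No route to host" on glibc)

def parse_icmp_unreachable(frame: bytes) -> Unreachable:
    """Decode an IPv4 ICMP type 3 message and the original datagram it quotes."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:
        raise ValueError("not an ICMP datagram")
    icmp = frame[ihl:]
    if icmp[0] != 3:
        raise ValueError(f"ICMP type {icmp[0]} is not Destination Unreachable")
    code, inner = icmp[1], icmp[8:]        # quoted original IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    err = ICMP_UNREACH_TO_ERRNO.get(code, errno.EHOSTUNREACH)
    return Unreachable(socket.inet_ntoa(frame[12:16]), code, socket.inet_ntoa(inner[16:20]),
                       dport, errno.errorcode[err], os.strerror(err))

def build_sample(code: int) -> bytes:
    """Constructed capture: firewall 192.0.2.1 rejects a SYN from 192.0.2.10 to 198.51.100.5:22."""
    ip_hdr = "!BBHHHBBH4s4s"               # IPv4 header without options; checksums left 0
    inner = struct.pack(ip_hdr, 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                        socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    inner += struct.pack("!HHI", 40000, 22, 0)          # first 8 bytes of the TCP header
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner
    outer = struct.pack(ip_hdr, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.10"))
    return outer + icmp
```

Run `parse_icmp_unreachable(build_sample(13))` next to `build_sample(3)` to see the same rejecting firewall produce "No route to host" for code 13 but "Connection refused" for code 3.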

»[M*A*S*H] taught me a lot of useful things; for example, if one's skills are sufficiently in demand, one can wear a bathrobe to work, and generally have one's eccentricities tolerated.«

How many microservices does it take to turn on a lightbulb?

I think we've lost the battle of package management. I don't see how we can dig ourselves out of this hole. Rust, Node, Go, Python, Elixir, Ruby... Every one of them rolled its own package management, virtual environments, the ability to pin/lock to specific versions of code. All of this is wholly incompatible with traditional package management.

The battle is over. The next generation of programmers reinvented the wheel and it's full of razorblades. I think we should focus our resources on containing this mess with jails/containers. There's no other viable solution. It's our grim reality now.

@gme There will be untold amounts of regret the day Github, for example, goes offline permanently and people realize they can no longer build their own software because they don't technically have all the source code for their application on their servers and the build process *requires* information from a third party website.

Looking at the SSH bruteforcers (password guessing) by country data so far this month, it looks like RU has overtaken CN for the first time in a while. Is this a trend? Anybody else looking at this angle? I would like to hear from you!

"Crash-Only Software"


"In this paper we advocate a crash-only design for Internet systems, showing that it can lead to more reliable, predictable code and faster, more effective recovery."

Analysis of Applications


"This paper describes the challenges in collecting actionable data for Gmail, a service with more than 1 billion active accounts."