

@Wolf480pl two monitors. Also, I am implementing something that is well understood and defined in requirements, so it doesn't require much planning, debugging etc.

Coding while watching documentaries about Polish organized crime groups.

@pony free-to-play games have low per-user cost of upkeep, and if they fish out a spender, they usually spend big and on a regular basis.

Guess that offsets huge marketing campaigns.

@Gargron bye bye productivity, welcome insanity.

mulander boosted

@starbreaker Yup. On , you can have multiple versions of ruby stuff at the same time without all the "virtual environments" or "version managers".

Mad props to the ports team.

mulander boosted

funny how the only vendor taking flak over #KRAK is #OpenBSD, for patching it. Not the vendors who left everyone vulnerable while they delayed and stalled for half a year.

@rey @phessler @kurtm @kellerfuchs how is non open-source any different? People use binary diffing to find vulnerabilities in the Windows kernel [1] how is Mikrotik mitigating that?

[1] -

mulander boosted

Bugs show up everywhere:

This is a full disclosure of a 4 byte stack overwrite in GNU ghostscript 9.07.

Though perhaps I should have sat on it for 4 months, and registered a domain first? How does sound?

mulander boosted

reminder @ me and anyone else who is essentially self-employed: take a break. don't work all weekend, don't run urself down, it will never be worth it (and it'll come back to bite you, hard)

mulander boosted

Astonishing how anyone could think this is anything BUT toxic.

"Mailed you a diff, please sit on it for 3 or 4 months while I pass it around to various government and private institutions."

So is getting flak for early patch, yet a silent patch a week before release from Mikrotik is OK?

@troubleMoney and was patched on August 30th both for 6.0 (errata), 6.1 (errata), -current (so included in the released 6.2).

I said on many occasions that I don't trust my phone. So why do I bother with signal?

Because no matter the endpoint security, making in-flight messages easier to read should not be a global default - each bit counts and not all attackers are sophisticated.

You can't hack my servers/mail/ssh/gpg by getting into my phone - you can however read my texts about grocery shopping if you're willing to blow an exploit on it.

@nolan yeah, infosec, gaming+gamedev and seem present :) Don't need much more personally.

@nolan it has enough momentum already. I constantly see new & interesting things on my feed. Including toots exclusive to this platform (not cross posted to twitter).

mulander boosted

@pierre The basic idea is that vendors hold fixes back, and cooperate to release their fixes concurrently.

On the surface, this looks reasonable.

But end-user security falls apart when information leaks, or when government agencies get involved which happens if someone requests a CVE. So in this WPA case, US gov agencies knew about the bug for at least as of the second embargo.

Does such an embargo serve your interests? Not really. As an end user, you are interested in getting a patch ASAP.

mulander boosted

@stsp What I don't understand is why no one asks why on earth one needs *another* 2 months to apply a patch...

The tinfoil hat in me says:
Unless those 2 months should be used to penetrate some systems beforehand

mulander boosted

Don't worry about today's WPA2 vuln if you're running - both 6.1-stable and 6.2 release are already patched.

mulander boosted

As 's de-facto wifi maintainer, I first learned about this WPA problem in June. A simple patch was provided which I could commit with slight modifications.

The original embargo was already 2 months long, and then extended again for 2 months.

The general public (you) were left in the dark about this for at least 4 months.

This is a very sad state of affairs. It takes the industry much too long to apply a simple patch.

mulander boosted

looks like fixed the attack in 6.1 Errata 027. This is also fixed in 6.2-release.