dgl - Network

🍋‍🟩 The ChatGPT app can happily render a lime, but it insists it doesn't exist.

🍋‍🟩 The ChatGPT app can happily render a lime, but it insists it doesn't exist.

If only solving my problem was this simple.

If only solving my problem was this simple.

New blog post: Ghostty 1.0.0 terminal security; https://dgl.cx/2024/12/ghostty-terminal-title (CVE-2024-56803)

New blog post: Ghostty 1.0.0 terminal security; https://dgl.cx/2024/12/ghostty-terminal-title (CVE-2024-56803)

New blog post: restricting SFTP access with Linux user namespaces. Wherein I pass off a pretty awful shell script as a good...

New blog post: restricting SFTP access with Linux user namespaces. Wherein I pass off a pretty awful shell script as a good idea.

https://dgl.cx/2024/10/restricted-sftp-with-userns

also, locale specific escaping, thanks Windows.

also, locale specific escaping, thanks Windows.

I do like bugs that involve Unicode rehashes of 10 year old bugs: https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/

I do like bugs that involve Unicode rehashes of 10 year old bugs: https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/

Saw xxd in colour in a FOSDEM talk (James Bottomley's one on TPMs). I know there's plenty of hex editors, but cool to have it built...

Saw xxd in colour in a FOSDEM talk (James Bottomley's one on TPMs). I know there's plenty of hex editors, but cool to have it built in to a standard tool. (Needs a pretty recent xxd, it's from https://github.com/vim/vim/pull/12131)

Open source licences are one of those cans of worms I mostly try to avoid. Except it really annoys me when I want to borrow some code and I...

Open source licences are one of those cans of worms I mostly try to avoid. Except it really annoys me when I want to borrow some code and I can't work out what the licence is.

If you're writing sample code or something small, you should include a #licence. However which to use? One of the *BSD or MIT licences is usually a good choice (but be careful which version!), they place minimal requirements on you. However the requirement to include a copyright notice is just annoying for everyone involved (when the code is small). Android Toybox (https://en.wikipedia.org/wiki/Toybox) solved this with the Zero-clause BSD licence (aka #0BSD); it is a modification of the ISC license, not a BSD one, but the name doesn't matter really.

My attempt to make this easier to use is now available at http://©.st (think copyright street? © can be obtained with Option+G on a Mac, Ctrl+Atl+C on Windows, Compose o c on X11 or use the emoji selector). It's really just a way to make it easier to apply 0BSD, as it gives you some very short copy pastable comment lines. Consider 0BSD next time you write some small piece of code.

Also you can use it to test your #IDN support.

While 0BSD may not be perfect, I believe it (or MIT-0, which is nearly identical) achieves the best balance of all the "do what you want" licences. I'm mainly talking about "small" pieces of code here; for larger projects it's understandable the licence choice is more nuanced and you may want Apache, #GPL, etc. This is not legal advice. Talk to a lawyer if in doubt.

#OSS #opensource #license #licences #bsd #mit0

At least fast.com lets you know when the local Netflix cache is really broken. Images show fast.com vs speedtest.net....

At least fast.com lets you know when the local Netflix cache is really broken. Images show fast.com vs speedtest.net. ("https://ipv4-c003-hba001-launtel-isp.1.oca.nflxvideo.net" seems sad, in case anyone I know can have a look.)

Escape character injection on Hacker News: https://news.ycombinator.com/item?id=37963815

Escape character injection on Hacker News: https://news.ycombinator.com/item?id=37963815

curl https://infosec.exchange/@dgl/111185347141152699

curl https://infosec.exchange/@dgl/111185347141152699

[31mred

[31mred

I've posted a write up on my terminal security research on the G-Research site:...

I've posted a write up on my terminal security research on the G-Research site: https://www.gresearch.com/blog/article/g-research-the-terminal-escapes/ -- this has been nearly a year of research (although not full time) and 4 talks! There is also a more technical write-up at https://dgl.cx/2023/09/ansi-terminal-security that goes into all the details and some so-far-unpublished things!

RFC 9413 was published back in June; https://datatracker.ietf.org/doc/html/rfc9413 -- it makes the argument that modern protocol development...

RFC 9413 was published back in June; https://datatracker.ietf.org/doc/html/rfc9413 -- it makes the argument that modern protocol development should think carefully about how to interpret the robustness principle. More interesting is the draft name at one point was "draft-thomson-postel-was-wrong" which seems to have been toned down for the final RFC.

Does anyone know how macOS's malware scanning works or how to report issues? They appear to have a signature for something like...

Does anyone know how macOS's malware scanning works or how to report issues? They appear to have a signature for something like 'eval "exec ..."' in a shell script... which https://github.com/dgl/paste.sh/blob/master/paste.sh triggers (minimal repo: https://paste.sh/p7KKqMU2m, chmod +x that and ./script and it will trigger).

For once a non-security terminal thing. I'm sure someone else has written this but I couldn't find it; here's a simple script...

For once a non-security terminal thing. I'm sure someone else has written this but I couldn't find it; here's a simple script that makes commit IDs in "git log" clickable (in many terminals): https://gist.github.com/dgl/ef848e75c03c09b0db63a43173ee5662

Thank you to everyone who attended my @everythingopen talk. I've published the Docker image that I demoed which can be used to test...

Thank you to everyone who attended my @everythingopen talk. I've published the Docker image that I demoed which can be used to test whether you're vulnerable to the kubectl issue (CVE-2021-25743). It includes a selection of terminal exploits so can achieve cross platform code execution on several vulnerable terminals -- all patched now, so make sure you update your terminals!

https://github.com/dgl/houdini-kubectl-poc

#EverythingOpen #Terminal #Security #Kubernetes

Just used ChatGPT to write some OpenBSD pf rules. It's not perfect, but it's far quicker than either carefully reading the manpage...

Just used ChatGPT to write some OpenBSD pf rules. It's not perfect, but it's far quicker than either carefully reading the manpage or searching for roughly the right example and then modifying it. The main issue right now is it sometimes is too sure of the answer it gives, but provided you're able to apply a filter to the answer, it points you in the right direction faster than anything else.

It's amazing how it can handle not just common programming languages but many configuration formats too (it's okay at Prometheus rules, needs some training in places). I can see with a bit more training this could speed up the usual work of an SRE, as it can not just point you at the right search terms to find more information, but the right syntax.

So many applications, e.g. I wonder what would happen if you trained this on a companies internal documentation -- it could help new starters get up to speed so much quicker.

#openbsd #pf #chatgpt #sre

Content warning:DNS and GitHubThe new integrated GitHub code search is nice, it properly supports regexps (mostly, it's still beta).I...

Content warning:DNS and GitHub

The new integrated GitHub code search is nice, it properly supports regexps (mostly, it's still beta).

I was wondering why monkeys are such a popular query[1] in Wikipedia over DNS (https://dgl.cx/wikipedia-dns). The answer is.... camel is unit testing me: https://github.com/search?q=%22monkey.wp.dg.cx%22&type=code (may need to be in code search beta to see the full results there).

To be clear this isn't high enough usage to really care or complain, more amusing than anything. Please do consider not calling services in unit tests, someone somewhere is probably running it.

[1]: I don't actually keep logs before someone asks what the log retention policy is, I was just running it in a terminal to debug something.