HackerTrans
TopNewTrendsCommentsPastAskShowJobs

gnufx

no profile record

Submissions

Largest scorpion revealed from 415M-year-old fossils

manchester.ac.uk
5 points·by gnufx·в прошлом месяце·0 comments

Pintheft Linux LPE

openwall.com
4 points·by gnufx·2 месяца назад·3 comments

Brookhaven Lab's RHIC concludes 25-year run with final collisions

hpcwire.com
100 points·by gnufx·5 месяцев назад·69 comments

443M-year-old fossils reveal early vertebrate eyes

manchester.ac.uk
2 points·by gnufx·5 месяцев назад·0 comments

Umping giants: Fossils show giant prehistoric kangaroos could still hop

manchester.ac.uk
2 points·by gnufx·6 месяцев назад·0 comments

The proposed design of the digital euro: A critical analysis

link.springer.com
4 points·by gnufx·6 месяцев назад·0 comments

Stroke scientists gather more evidence for presence of 'gut-brain axis'

manchester.ac.uk
2 points·by gnufx·8 месяцев назад·0 comments

Why China's central bank is quietly leading the world on climate action

manchester.ac.uk
1 points·by gnufx·8 месяцев назад·0 comments

HPE to build two systems for Oak Ridge National: Next-generation exascale

hpe.com
6 points·by gnufx·9 месяцев назад·0 comments

First evidence in the UK of breeding aegypti mosquito – main spreader of dengue

news.liverpool.ac.uk
6 points·by gnufx·9 месяцев назад·0 comments

Potential new therapeutic target for asthma discovered

manchester.ac.uk
2 points·by gnufx·9 месяцев назад·0 comments

App-Solutely Modded: Surveying Modded App Market Operators and Original App Devs

lightbluetouchpaper.org
1 points·by gnufx·10 месяцев назад·0 comments

Taking Down Booters: The Cat-and-Mouse Game

lightbluetouchpaper.org
5 points·by gnufx·10 месяцев назад·0 comments

comments

gnufx
·2 месяца назад·discuss
The latest page cache-related LPE, even though it's not Thursday night (here). EL9 kernels don't have the modules enabled, and the PoC doesn't build on Debian 13 or Ubuntu 24.04, whether or not that means they're safe.
gnufx
·2 месяца назад·discuss
You might not have root on an organizational "managed" system.
gnufx
·2 месяца назад·discuss
Any university or national HPC system as I'd understand the term is multi-user.

There are also things like the extensive high energy physics WLCG compute federation, which is somewhat different, but can potentially be compromised quickly at large scale. For the original copy-fail we didn't want to drain our WLCG Alma9 cluster, or just kill all the jobs like the university HPC system. We got eBPF mitigation in place within a couple of hours, relieved the exploit signature wasn't in logs from the night before. That would have been done earlier if Proofpoint hadn't bounced the forwarded oss-security article as "contains malware"; sigh.
gnufx
·2 месяца назад·discuss
The primary source, which says keep the dirtyfrag mitigations in place, is https://github.com/v12-security/pocs/tree/main/fragnesia
gnufx
·3 месяца назад·discuss
Yes, but its authN components only act locally, and PAM is optional for sshd. It can/does call out to network services like Kerberos/LDAP given a password, of course, but I was thinking of network authN connected directly with OIDC somehow, for which I don't know a mechanism in vanilla OpenSSH. (I don't know what Authentik does for this -- I could imagine it's behind the scenes somehow.) I should probably look it up sometime.
gnufx
·3 месяца назад·discuss
I'm happy for anyone who doesn't have MS Windows/Active Directory -- so Kerberos -- in their organization, but I'd need (Free)IPA or similar for user/access management anyway. Certificates are an extra layer of SSH-specific complexity, which concerns me for security even if it doesn't involve some third party. MFA is needed once a day, say, for SSO to all Kerberized services. [As I understand it, "managing an OIDC IdP" includes shipping the contents of Active Directory to Entra, heaven help us.]

> Setting up Kerberos in 2026 feels somewhat close to malpractice to me.

Microsoft (if that means anything, but they've done good work) and Red Hat obviously disagree, along with decades' experience. It is malpractice not to secure NFS mounts (and other network filesystems with sensitive data), and that means Kerberos.
gnufx
·3 месяца назад·discuss
Yes, FreeIPA is Kerberos+LDAP+X.509 CA, and GSSAPI is in OpenSSH (normally with the key exchange patch). SSSD is a local mechanism, not network authentication. I mentioned authorized keys distribution mechanisms elsewhere, but I was thinking authentication (c.f. OIDC), not authorization.
gnufx
·3 месяца назад·discuss
I don't want to have to get a special purpose credential when I have a TGT which can work generally, and is at least required for secure remote filesystem access.

You have to manage extra infrastructure for certificates and, as a user, have the friction of firing up a JavaScript-enabled web browser via an additional tool, assuming "real IdP" means using OIDC. Unfortunately that flow is actually needed for remote systems and something like Edugain federation, since Moonshot/IETF ABFAB failed, but at least Shibboleth can use the TGT, and it's not the Globus horror.
gnufx
·3 месяца назад·discuss
Public keys (for OpenSSH) can be in DNS (VerifyHostKeyDNS) or in, say, LDAP via KnownHostsCommand and AuthorizedKeysCommand.
gnufx
·3 месяца назад·discuss
If you mean using OIDC, in that space there's at least https://github.com/EOSC-synergy/ssh-oidc, https://dianagudu.github.io/mccli/ and OpenPubkey-ssh discussed in https://news.ycombinator.com/item?id=43470906 (which might mention more).

How does SSSD support help with SSH authN? I know you can now get Kerberos tickets from FreeIPA using OIDC(?), but I forget if SSSD is involved.
gnufx
·3 месяца назад·discuss
Life is easier if you can use Kerberos SSO, i.e. GSSAPIAuthentication in OpenSSH. (If we're talking certificates, presumably it is OpenSSH, or does anything else implement them?)
gnufx
·4 месяца назад·discuss
As far as I remember, that's just because only the find/replace was implemented, and it could have more sophisticated (semantic?) features.
gnufx
·4 месяца назад·discuss
Its author says it implements a CRDT in its theory documentation.
gnufx
·4 месяца назад·discuss
Before isnan() the Fortran test for NaN was (x .ne. x), assuming an IEEE 754 implementation.
gnufx
·5 месяцев назад·discuss
> I had a Fairphone 3, and after 5 years, /e/OS was outdated by 4 years w.r.t. the manufacturer updates

Mine is running /e/ and reporting Android 13, which appears to be the last one Fairphone support. /e/ said it was too difficult to support 14 with the kernel involved. It's had continual security updates apart from the Android version.

Edit: Murena make it clear which phones are officially supported and which have "community" support.
gnufx
·5 месяцев назад·discuss
Some of those codebases might be (interesting) operating systems.

https://en.wikipedia.org/wiki/ALGOL_68#Operating_systems_wri...
gnufx
·5 месяцев назад·discuss
Used in the impressive Guix bootstrap.

https://guix.gnu.org/manual/1.5.0/en/html_node/Full_002dSour...
gnufx
·5 месяцев назад·discuss
Indeed. The first dedicated light -- for various values of "light" -- source[1] repurposed the tunnel and various bits and techniques from the particle physics accelerator it replaced, and on which parasitic "light" measurements were made previously. See also [2].

1. https://en.wikipedia.org/wiki/Synchrotron_Radiation_Source

2. https://www.ukri.org/publications/new-light-on-science-socio...
gnufx
·5 месяцев назад·discuss
In the context of the article "collider" means intersecting particle beams, like in RHIC and LHC, which obviously involves rather low probability interactions, as opposed to accelerators which slam a beam into a dense target (like the SLAC accelerator). In a synchrotron light source you want the beam to circulate and specifically not collide with anything; they were developed from particle physics accelerators, of course.
gnufx
·5 месяцев назад·discuss
You imply that experiment contaminated drinking, and other, water. How? Are you saying the Cs¹³⁷ leaked, and at concentration above that from fallout, say? Its γ-rays don't activate materials — I've used enough of them.