HackerTrans
TopNewTrendsCommentsPastAskShowJobs

taviso

no profile record

Submissions

Building a UMatrix Replacement

lock.cmpxchg8b.com
72 points·by taviso·2 ay önce·32 comments

Why are anime catgirls blocking my access to the Linux kernel?

lock.cmpxchg8b.com
839 points·by taviso·11 ay önce·908 comments

Zentool – AMD Zen Microcode Manipulation Utility

github.com
236 points·by taviso·geçen yıl·66 comments

A bullet hell game written in bash

twitter.com
104 points·by taviso·2 yıl önce·12 comments

SwissMicros DM32 Released [video]

youtube.com
25 points·by taviso·2 yıl önce·17 comments

comments

taviso
·3 ay önce·discuss
Hey, another 1-2-3 nerd :)

I don't have any nostalgia it, I just appreciate how thoughtfully it was designed for data-input efficiency. I actually ported the official UNIX version of 1-2-3 to Linux a few years ago, I still use it regularly. It uses some tricks to get the original UNIX binaries working on Linux: https://github.com/taviso/123elf

I had been thinking about how to add UTF-8 support, it only supports LMBCS (Lotus Multi-Byte Character Set) by default. It's actually worse than that, it stores everything internally as LMBCS but in a lot of cases can only display ASCII, so it transliterates a lot of characters (e.g. é -> e).

It's also possible to run the real DOS version in dosemu - in terminal mode it's basically indistinguishable from an ncurses application, although dosemu is just cleverly sampling the framebuffer and translating it on-the-fly.

I wrote a display driver to make that work a little better: https://github.com/taviso/lotusdrv
taviso
·4 ay önce·discuss
Major breaking bugs.

A regression here and there would be normal before, major features breaking in this stable 25 year old software is simply unheard of.

This is not exciting cutting-edge software, it's a boring financial app. My instinct is people want stability and confidence that the output won't change and that their records will still parse.
taviso
·4 ay önce·discuss
I'm experiencing something similar with another piece of software. ledger-cli is a boring, dependable accounting application.

The next release will be the first where the majority of commits will be made by AI, and it has definitely not gone smoothly.

After a dozen or so bug reports, it's mostly in a working state, but I worry the output is no longer reliable in subtle ways.
taviso
·8 ay önce·discuss
If you hear a rumor that sounds too crazy to be true on social media, maybe don't repeat it as fact. Imagine how you would feel reading something like that.
taviso
·8 ay önce·discuss
why would you post such a patently absurd accusation.
taviso
·9 ay önce·discuss
I really liked the QNX Photon aesthetic, for a long time I maintained an absurdly complex FVWM configuration designed to look like it.

This was a screenshot of my Gentoo desktop around 2004!

https://lock.cmpxchg8b.com/img/fvwm_desktop.jpg
taviso
·10 ay önce·discuss
The point is to view it in a terminal (e.g. XTerm, Konsole, etc), of course you can just run it in an X server.
taviso
·10 ay önce·discuss
It's fun, but reminds me of a trick using Xvfb.

For example...

    $ Xvfb :7 &
    [1] 21688
    $ xeyes -display :7 &
    [2] 21697
    $ xwd -display :7 -name xeyes -out /dev/stdout | convert xwd:- sixel:-

It looks like this: https://imgur.com/a/Eq2ToVO

Obviously no input though, you would have to use xdotool! The main benefit is that you probably already have all these tools installed :)
taviso
·11 ay önce·discuss
In 2022, Google TAG were awarded a "lamest vendor" award at defcon for fixing a Chrome vulnerability they discovered was being exploited in the wild... without asking for permission from the NSA first. That was the turning point for me.
taviso
·12 ay önce·discuss
I've used the tool sequin in the past to debug issues: https://github.com/charmbracelet/sequin

It worked great for me, seems much easier to debug logs directly in the terminal.
taviso
·geçen yıl·discuss
They accidentally used the example key from AES-CMAC RFC, the full details are in the accompanying blog post: https://bughunters.google.com/blog/5424842357473280/zen-and-...
taviso
·2 yıl önce·discuss
The attacker doesn't need to literally be sitting at a keyboard, that can just be automated.

> I'm curious though why you don't think TOTP or similar are good against credential stuffing though

I have written about this before, but looks like I lost the article somehow. https://web.archive.org/web/20210219185711/https://blog.cmpx...

Imagine you reuse the same password everywhere, and are sick of credential stuffing attacks. You ask your friend for advice, and your friend tells you to just enable TOTP when available, explaining that when there is a data breach you will be safe.

That is obviously bad advice, the vast majority of services do not use TOTP and you will have to race attackers to change your credentials quickly at dozens (hundreds?) of services. I think a reasonable person would say that you have not "prevented" credential stuffing.

A far better solution is unique passwords, it works today with all service providers.
taviso
·2 yıl önce·discuss
I'm not familiar with the expert they consulted, but the claim that "The main advantage of 2FA is that it is much more difficult to gain access to your accounts via phishing attacks" is just plain false.

TOTP or SMS-2FA are obviously phishable, if you just entered your password into a phishing site, why wouldn't you also enter a TOTP code? I usually point to Modlishka as a practical example (https://vimeo.com/308709275) to help visualize this.

In fact, the main (claimed) advantage of 2FA is that it prevents "Credential Stuffing" of reused passwords. I personally don't think TOTP (or similar) are a good solution to this problem at all, but this is a thorny issue.
taviso
·2 yıl önce·discuss
I think that's a miss for Claude, this doesn't look right at all. The accrual account is an okay solution, but the syntax is wrong! That syntax is only used for budgeting and forecasting.

I think the solution is effective dates, there is an example pretty close to this scenario in the manual:

https://ledger-cli.org/doc/ledger3.html#Effective-Dates
taviso
·2 yıl önce·discuss
This seems like a weak excuse, the same problem exists on UNIX, but slocate solves it well enough. The slocate solution is to build the index and record permission and ownership, then it can restrict output to entries you have permission to see at query time.
taviso
·2 yıl önce·discuss
I bought a few items at a drugstore yesterday, and noticed the cashier had very elaborate nails.

She used the second knuckles on her inverted hands (i.e. palm facing up) to operate the touchscreen PoS system, and was very efficient. Tool usage can sometimes be adapted.
taviso
·2 yıl önce·discuss
I think they're talking about the cp example, doesn't seem like it would handle filenames with spaces!

Super neat project, btw!
taviso
·2 yıl önce·discuss
Super cool, I didn't know about this - too bad it's not archived. I did know about a different game for 1-2-3, I even managed to track down original media and get it working in Linux!

https://lock.cmpxchg8b.com/doom.html

There is a brief gameplay video, if you want to see it.
taviso
·2 yıl önce·discuss
I dunno, I think Debian are being wise here.

A while ago KeePassXC published a glowing audit report, but the report just ignored the scary stuff -- i.e. the things being disabled here like browser integration. I took a quick look, and thought the design could use some work -- but when I tried to discuss it they were very dismissive.

I did file a bug for one of the vulnerabilities we discussed, but I don't think they changed anything and didn't seem interested.
taviso
·2 yıl önce·discuss
> Testing cannot be used to prove that a flaw doesn't exist, only that it does.

FWIW, I wrote a similar blog post about a different encryption bug that really seemed like it should have been found by fuzzing, and had 100% coverage.

https://googleprojectzero.blogspot.com/2021/12/this-shouldnt...

Not that I disagree with you, just a practical example.