[ANN] [CVE-2024-9680] Update Tor Browser & Firefox immediately
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.
Links:
- https://blog.torproject.org/new-release-tor-browser-1357/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
[WTS] [CA] [$15] Monero Stickers
5 stickers that you can place anywhere to market this private, untraceable money.
Link: https://xmrbazaar.com/listing/tDUb/
PaPaMorty (XMRBazaar)
[WTS] [US] [$95] ThinkPad T560
ThinkPad T560 - i7-6600U @ 2.60GHz - 8GB DDR3 RAM - 256GB SSD. Pop_OS! is installed, but I can put whatever distro you'd like. I can also load the Monero Blockchain on it if you wish. Comes with charger.
Link: https://xmrbazaar.com/listing/gHpx/
xmrRedux (XMRBazaar)
[WTS] XMR for your USD on Zelle or Venmo
Link: https://farside.link/nitter/rottenwheel1/status/1843346659641839937
rottenwheel.com
[ANN] Understanding Jamtis: A New Addressing Scheme for Monero
By simplifying how addresses are shared, speeding up wallet synchronization, and ensuring more reliable output detection, Jamtis represents a big leap forward in usability, without sacrificing Monero's commitment to privacy and security.
Link: https://kewbit.org/understanding-jamtis-a-new-address-format-for-monero/
KewbitXMR (Github)
[WTS] [EU/US] Famous Dutch Cheese
Link: https://xmrbazaar.com/listing/Pmfc/
TheDutchCheeseBoy (XMRBazaar)
[ANN] Please help test calc.revuo-xmr.com and share with friends! Couple updates recently deployed
Links:
rottenwheel.com
[ANN] Anyone notice more newborn Monero nodes recently?
I've perceived an increase in the number of newborn nodes syncing the blockchain from my nodes. Maybe after the Chainalysis video showed the privacy risks of using remote nodes over clearnet, more people are setting up their own nodes.
Link: https://lemmy.cafe/post/8489209
Rucknium (Github)
[ANN] Monero Meetup in Mexico City with Doug of MoneroTalk/Monerotopia on Sun, Oct 13th at 11AM!
Date/Time: Sun, Oct 13th at 11AM
Location: Cardinal Casa de Café (Córdoba 132, Roma Nte., Cuauhtémoc, 06100 Ciudad de México)
Link: https://farside.link/libreddit/r/Monerotopia/comments/1fw6q8t/
monerotalk.live
[AFH] [€20/hr] Data processing services by Python dev with 6 yrs of experience
Link: https://farside.link/libreddit/r/forhire/comments/1fv9qe2/
u/ILOTEbunny (Reddit)
This log can contain IPs, so I'll place it in a secret path and send the link via salty.
(#2024-09-24T12:45:54Z) @prologic@twtxt.net I'm not really buying this one about readability. It's easy to recognize that this is a URL and a date, so you skim over it like you would with mentions and markdown links and images. If you are not supposed to read the raw file, then we might as well jam everything into JSON like mastodon
#fzf is the new emacs: a tool with a simple purpose that has evolved to include an #email client. https://sr.ht/~rakoo/omail/
I'm being a little silly, of course. fzf doesn't actually check your email, but it appears to be basically the whole user interface for that mail program, with #mblaze wrangling the emails.
I've been thinking about how I handle my email, and am tempted to make something similar. (When I originally saw this linked the author was presenting it as an example tweaked to their own needs, encouraging people to make their own.)
This approach could surely also be combined with #jenny, taking the place of (neo)mutt. For example mblaze's mthread tool presents a threaded discussion with indentation.
@prologic@twtxt.net Do you have a link to some past discussion?
Would the GDPR apply to a one-person client like jenny? I seriously hope not. If someone asks me to delete an email they sent me, I don't think I have to honour that request, no matter how European they are.
I am really bothered by the idea that someone could force me to delete my private, personal record of my interactions with them. Would I have to delete my journal entries about them too if they asked?
Maybe a public-facing client like yarnd needs to consider this, but that also bothers me. I was actually thinking about making an Internet Archive style twtxt archiver, letting you explore past twts, including long-dead feeds, see edit histories, deleted twts, etc.
@quark@ferengi.one It does not. That is why I'm advocating for not using hashes for threads, but a simpler link-back scheme.
I feel like we should isolate a subset of markdown that makes sense and build it into lextwt. It already has support for links and images. Maybe basic formatting: bold, italic. Possibly block quote and bullet lists. No tables or footnotes.
@xuu@txt.sour.is Thanks for the link. I found a pdf on one of the authors' home pages: https://ahmadhassandebugs.github.io/assets/pdf/quic_www24.pdf . I wonder how the protocol was evaluated closer to the time it became a standard, and whether anything has changed. I wonder if network speeds have grown faster than CPU speeds since then. The paper says the performance is around the same below around 600 Mbps.
To be fair, I don't think QUIC was ever expected to be faster for transferring a single stream of data. I think QUIC is supposed to reduce the impact of a dropped packet by making sure it only affects the stream it's part of. I imagine QUIC still has that advantage, and this paper is showing the other side of a tradeoff.
So this is a great thread. I have been thinking about this too.. and what if we are coming at it from the wrong direction? Identity being tied to a given URL has always been a pain point. If I get a new URL it's almost as if I have a new identity because not only am I serving at a new location but all my previous communications are broken because the hashes are all wrong.
What if instead we used this idea of signatures to thread the URLs together into one identity? We keep the URL to Hash in place. Changing that now is basically a no go. But we can create a signature chain that can link identities together. So if I move to a new URL I update the chain hosted by my primary identity to include the new URL. If I have an archived feed where the old URL is now dead, we can point to where it is now hosted and use the current convention of hashing based on the first url:
The signature chain can also be used to rotate to new keys over time. Just sign in a new key or revoke an old one. The prior signatures remain valid within the scope of time the signatures were made and the keys were active.
The signature file can be hosted anywhere as long as it can be fetched by a reasonable protocol. So say we could use a webfinger that directs to the signature file? you have an identity like frank@beans.co that will discover a feed at some URL and a signature chain at another URL. Maybe even include the most recent signing key?
From there the client can auto discover old feeds to link them together into one complete timeline. And the signatures can validate that it's all correct.
I like the idea of maybe putting the chain in the feed preamble and keeping the single self contained file.. but wonder if that would cause lots of clutter? The signature chain would be something like a log with what is changing (new key, revoke, add url) and a signature of the change + the previous signature.
# chain: ADDKEY kex14zwrx68cfkg28kjdstvcw4pslazwtgyeueqlg6z7y3f85h29crjsgfmu0w
# sig: BEGIN SALTPACK SIGNED MESSAGE. ...
# chain: ADDURL https://txt.sour.is/user/xuu
# sig: BEGIN SALTPACK SIGNED MESSAGE. ...
# chain: REVKEY kex14zwrx68cfkg28kjdstvcw4pslazwtgyeueqlg6z7y3f85h29crjsgfmu0w
# sig: ...
It's sad all the links off that page are broken.
@mckinley@twtxt.net agevault uses age, allegedly very secure (aiming to replace pgp/gpg). Comparing it with gocryptfs, from the user perspective, agevault seems simpler, though CLI exclusive. As the repository states, "Like age, it features no config options, allowing for a straightforward secure flow". It would also run in all major OS platforms out of the box.
But agevault is also very new. Though age has been around for a while now, I don't see an "audited" link (neither on agevault, nor age).
@bender@twtxt.net Oh look at that, the same problem is still happening on twtxt.net too. I tested a different link but that one gave an error. Maybe that means my pod isn't behaving different from twtxt.net after all.
yarnd that's been around for awhile and is still present in the current version I'm running that lets a person hit a constructed URL like
@prologic@twtxt.net I believe you are not seeing the problem I am describing.
Hit this URL in your web browser:
https://twtxt.net/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin
That's your pod. I assume you don't have a user named lovetocode999 on your pod. Yet that URL returns HTTP status 200, and generates HTML, complete with a link to https://socialmphl.com/story19510368/doujin, which is not a twtxt feed (that's where the twtxt.txt link goes if you click it). That link could be to anything, including porn, criminal stuff, etc, and it will appear to be coming from your twtxt.net domain.
What I am saying is that this is a bug. If there is no user lovetocode999 on the pod, hitting this URL should not return HTTP 200 status, and it should definitely not be generating valid HTML with links in it.
Edit: Oops, I misunderstood the purpose of this /external endpoint. Still, since the uri is not a yarn pod, let alone one with a user named lovetocode999 on it, I stand by the belief that URLs like this should not be generating valid HTML with links to unknown sites. Shouldn't it be possible to construct a valid target URL from the nick and uri instead of using the pod's /external endpoint?
Lunduke Does Not Ban Any Tech Organization or News Outlet
GNOME bans anyone who links to Lunduke, OSNews threatens to kill Lunduke.
Official GNOME Policy: Link to Lunduke, Get Banned
"Posting links to content from Lunduke is an immediate ban on GNOME [sites]."
GNOME bans Manjaro Core Team Member for uttering "Lunduke"
The GNOME team has censored - and deleted the account - of the maintainer of Manjaro Linux GNOME Edition. Why? Because he linked to a Lunduke article.
The Lunduke Journal gets a little Political!
The Lunduke Journal adds political topics, simplifies subscriptions: https://lunduke.locals.com/post/5514785/the-lunduke-journal-adds-political-topics-simplifies-subscriptions Lunduke Journal Link Central: https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm
Myth: "HTML was invented by Tim Berners-Lee"
Full article: https://lunduke.locals.com/post/5499910/myth-html-was-invented-by-tim-berners-lee Lunduke Journal Info: https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm How to support the Lunduke Journal: https://lunduke.locals.com/post/5460921/how-to-support-the-lunduke-journal
"If this one guy got hit by a bus, the world's software would fall apart."
The Article: https://lunduke.locals.com/post/5477752/if-this-one-guy-got-hit-by-a-bus-the-worlds-software-would-fall-apart Lunduke Journal Link Central: http://lunduke.com How to support The Lunduke Journal: https://lunduke.locals.com/post/5460921/how-to-support-the-lunduke-journal
It's a notebook tool like evernote. @sorenpeter@darch.dk linked it above: https://joplinapp.org/
Twtxt spec enhancement proposal thread 🧵
Adding attributes to individual twts similar to adding feed attributes in the heading comments.
https://git.mills.io/yarnsocial/go-lextwt/pulls/17
The basic use case would be for multilingual feeds where there is a default language and some twts will be written a different language.
As seen in the wild: https://eapl.mx/twtxt.txt
The attributes are formatted as [key=value]
They can show up in the twt anywhere it is not enclosed by another element such as codeblock or part of a markdown link.
> ?
@sorenpeter@darch.dk this makes sense as a quote twt that references a direct URL. If we go back to how it developed on twitter originally it was RT @nick: original text because it contained the original text the twitter algorithm would boost that text into trending.
I like the format (#hash) @<nick url> > "Quoted text"\nThen a comment
as it preserves the human-readable form and has the hash for linking to the yarn. The comment part could be optional for just boosting the twt.
The only issue I think I would have would be that that yarn could then become a mess of repeated quotes. Unless the client knows to interpret them as multiple users have reposted/boosted the thread.
The format is also how iphone does reactions to SMS messages with +number liked: original SMS
> ?
I'm also more in favor of #reposts being human readable and writable. A client might implement a button that posts something simple like: #repost Look at this cool stuff, because bla bla [alt](url)
This will then make it possible to also "repost" stuff from other platforms/protocols.
The reader part of a client, can then render a preview of the link, which we talked about would be a nice (optional) feature to have in yarnd.
Securing our home labs: Frigate code review
This blog post describes two linked vulnerabilities found in Frigate, an AI-powered security camera manager, that could have enabled an attacker to silently gain remote code execution.
The post Securing our home labs: Frigate code review appeared first on The GitHub Blog.
Lunduke Journal prices going up (to match inflation)
All the details in the video - changes happening on January 1st. How to grab a Lifetime or Yearly Triple Pass: https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm Or grab a Monthly or Standard Yearly subscription here: https://lunduke.locals.com/support
When Apple built MacOS... for Solaris and HP-UX. In 1994.
Listen now (16 mins) | Back in 1994, Apple released the Macintosh Application Environment for UNIX. And it was kind of amazing. Read the full article (with links to documentation and screenshots) at The Lunduke Journal: https://lunduke.locals.com/post/4812552/remember-when-apple-built-a-mac-os-running-on-top-of-solaris-and-hp-ux-seriously-it-happened
I just received this email and I have some questions:
This email is from a trusted sοurce.
You received this abucci@bucci.onl because you have been disconnected from sending and receiving emails.
To continue using this email address we urge you to re-confirm if your account is still active on bucci.onl to officially unlock it to our default settings.
Re-confirm account (a link; removed)
This process is very important to help us protect your internet and fight malicious activities.
Since I administer bucci.onl myself, I'm a little confused. I don't recall disconnecting myself from sending and receiving emails. I don't even know how you disconnect someone from that. I also have never created the email address this email appears to be coming from, but maybe I should trust it anyway since they told me it's a trusted source? Most puzzlingly, I've been sending and receiving emails just fine all morning, so I do not appear to be disconnected from anything? I want to help protect the internet and fight malicious activities, but what should I do???
An official FBI document dated January 2021, obtained by the American association "Property of People" through the Freedom of Information Act.

This document summarizes the possibilities for legal access to data from nine instant messaging services: iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp and Wickr. For each software, different judicial methods are explored, such as subpoena, search warrant, active collection of communications metadata ("Pen Register") or connection data retention law ("18 USC§2703"). Here, in essence, is the information the FBI says it can retrieve:
Apple iMessage: basic subscriber data; in the case of an iPhone user, investigators may be able to get their hands on message content if the user uses iCloud to synchronize iMessage messages or to back up data on their phone.
Line: account data (image, username, e-mail address, phone number, Line ID, creation date, usage data, etc.); if the user has not activated end-to-end encryption, investigators can retrieve the texts of exchanges over a seven-day period, but not other data (audio, video, images, location).
Signal: date and time of account creation and date of last connection.
Telegram: IP address and phone number for investigations into confirmed terrorists, otherwise nothing.
Threema: cryptographic fingerprint of phone number and e-mail address, push service tokens if used, public key, account creation date, last connection date.
Viber: account data and IP address used to create the account; investigators can also access message history (date, time, source, destination).
WeChat: basic data such as name, phone number, e-mail and IP address, but only for non-Chinese users.
WhatsApp: the targeted person's basic data, address book and contacts who have the targeted person in their address book; it is possible to collect message metadata in real time ("Pen Register"); message content can be retrieved via iCloud backups.
Wickr: Date and time of account creation, types of terminal on which the application is installed, date of last connection, number of messages exchanged, external identifiers associated with the account (e-mail addresses, telephone numbers), avatar image, data linked to adding or deleting.
TL;DR Signal is the messaging system that provides the least information to investigators.
<darch> is posts with links okay? http://darch.dk
<SP> name and link
<SP> no link
<Anonymus> no name or link
There's a link to the blog post, but they extracted a summary in hopes of keeping people in Google properties (something they've been called out on many times).
I was never contacted to ask if I was OK with Google extracting a summary of my blog post and sticking it on the web site. There is a very clear copyright designation at the bottom of each page, including that one. So, by putting their own brand over my text, they violated my copyright. Straightforward theft right there.
Introducing npm package provenance
How to verifiably link npm packages to their source repository and build instructions.
@prologic@twtxt.net yeah. I'd add "Big Data" to that hype list, and I'm sure there are a bunch more that I'm forgetting.
On the topic of a GPU cluster, the optimal design is going to depend a lot on what workloads you intend to run on it. The weakest link in these things is the data transfer rate, but that won't matter too much for compute-heavy workloads. If your workloads are going to involve a lot of data, though, you'd be better off with a smaller number of high-VRAM cards than with a larger number of interconnected cards. I guess that's hardware engineering 101 stuff, but still...
I'm not super a fan of using json. I feel we could still use text as the medium. Maybe a modified version to fix any weakness.
What if instead of signing each twt individually we generated a merkle tree using the twt hashes? Then a signature of the root hash. This would ensure the full stream of twts are intact with a minimal overhead. With the added bonus of helping clients identify missing twts when syncing/gossiping.
Have two endpoints. One as the webfinger to link profile details and avatar like you posted. And the signature for the merkleroot twt. And the other a pageable stream of twts. Or individual twts/merkle branch to incrementally access twt feeds.
RT by @mind_booster: As part of the 20th anniversary of the Convention for the Safeguarding of the Intangible Cultural Heritage, the Wiki Loves Living Heritage campaign launches tomorrow. See how to watch the launch at the link:
https://meta.wikimedia.org/wiki/Event:Wiki_Loves_Living_Heritage/Wiki_Loves_Living_Heritage_launch_event #Patrimonioimaterial #Portugal @cultura_pt
@prologic@twtxt.net short version: context is a linked list that is passed down a call stack that can share timeout, cancellation, or other data as needed by lower functions in the call stack.
so in effect it would look something like this:
---
subject: acct:me@sour.is
aliases:
- salty:me@sour.is
- yarn:xuu@ev.sour.is
- status:xuu@chaos.social
- mailto:me@sour.is
---
subject: salty:me@sour.is
aliases:
- acct:me@sour.is
links:
- rel: self
type: application/json+salty
href: https://ev.sour.is/inbox/01GAEMKXYJ4857JQP1MJGD61Z5
properties:
"http://salty.im/ns/nick": xuu
"http://salty.im/ns/display": Jon Lundy
"http://salty.im/ns/pubkey": kex140fwaena9t0mrgnjeare5zuknmmvl0vc7agqy5yr938vusxfh9ys34vd2p
---
subject: yarn:xuu@ev.sour.is
links:
- rel: https://txt.sour.is/user/xuu
properties:
"https://sour.is/rel/redirect": https://txt.sour.is/.well-known/webfinger?resource=acct%3Axuu%40txt.sour.is
---
subject: status:xuu@chaos.social
links:
- rel: http://joinmastodon.org#xuu%40chaos.social
properties:
"https://sour.is/rel/redirect": https://chaos.social/.well-known/webfinger?resource=acct%3Axuu%40chaos.social
---
subject: mailto:me@sour.is
...
@prologic@twtxt.net That was exactly my thought at first too. But what do we put as the rel for salty account? Since it is decentralized we don't have a set URL for machines to key off. So for example take the standard response from okta:
# http GET https://example.okta.com/.well-known/webfinger resource==acct:bob
{
  "links": [
    {
      "href": "https://example.okta.com/sso/idps/OKTA?login_hint=bob#",
      "properties": {
        "okta:idp:type": "OKTA"
      },
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "titles": {
        "und": "example"
      }
    }
  ],
  "subject": "acct:bob"
}
It gives one link that follows the OpenID login. So the details are specific to the subject acct:bob.
Mastodon's response:
{
  "subject": "acct:xuu@chaos.social",
  "aliases": [
    "https://chaos.social/@xuu",
    "https://chaos.social/users/xuu"
  ],
  "links": [
    {
      "rel": "http://webfinger.net/rel/profile-page",
      "type": "text/html",
      "href": "https://chaos.social/@xuu"
    },
    {
      "rel": "self",
      "type": "application/activity+json",
      "href": "https://chaos.social/users/xuu"
    },
    {
      "rel": "http://ostatus.org/schema/1.0/subscribe"
    }
  ]
}
it supplies a profile page and a self which are both specific to that account.