<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <updated>2026-04-05T12:55:28Z</updated>
  <generator>https://yabu.me</generator>

  <title>Nostr notes by Wladimir Palant</title>
  <author>
    <name>Wladimir Palant</name>
  </author>
  <link rel="self" type="application/atom+xml" href="https://yabu.me/npub1gxu7ef6l6znw2qz0axc5n50acy523pywav9xdpthhs440cey3vks9253cq.rss" />
  <link href="https://yabu.me/npub1gxu7ef6l6znw2qz0axc5n50acy523pywav9xdpthhs440cey3vks9253cq" />
  <id>https://yabu.me/npub1gxu7ef6l6znw2qz0axc5n50acy523pywav9xdpthhs440cey3vks9253cq</id>
  <icon>https://media.infosec.exchange/infosec.exchange/accounts/avatars/000/058/463/original/b39c1d36f61c95dc.png</icon>
  <logo>https://media.infosec.exchange/infosec.exchange/accounts/avatars/000/058/463/original/b39c1d36f61c95dc.png</logo>




  <entry>
    <id>https://yabu.me/nevent1qqsflrd6cz8mxjk0nn7hkcumyusaudfc0wemsd95ajlujz683h5mk9czypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j69jxq5l</id>
    
      <title type="html">Concerning Gitea I found ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsflrd6cz8mxjk0nn7hkcumyusaudfc0wemsd95ajlujz683h5mk9czypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j69jxq5l" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqszd3mhxrx9lt6qlj88a69qdmznp0rzqm0njvf8ah8wdhra6pxrgmgyyn6gv&#39;&gt;nevent1q…n6gv&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;Concerning Gitea I found &lt;a href=&#34;https://about.gitea.com/resources/tutorials/gitea-mcp-server&#34;&gt;https://about.gitea.com/resources/tutorials/gitea-mcp-server&lt;/a&gt;. This is not a core feature at the moment but I don’t really want to migrate to another service and have them start shoving this down everybody’s throat a few months later.&lt;br/&gt;&lt;br/&gt;I cannot see any cloud offering for Forgejo.
    </content>
    <updated>2026-03-27T09:12:50Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsyutp3frhj80le6umd4uxa5d8x4gne9fhqf3drk7zleflla5msfgqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6z47qrt</id>
    
      <title type="html">So, where do the cool kids host their code these days? I went to ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsyutp3frhj80le6umd4uxa5d8x4gne9fhqf3drk7zleflla5msfgqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6z47qrt" />
    <content type="html">
      So, where do the cool kids host their code these days? I went to GitLab and saw “Finally, AI for the entire software lifecycle” – ok, I guess this means no GitLab for me. Codeberg then? Or something else?&lt;br/&gt;&lt;br/&gt;*Note*: no, I’m not self-hosting. Yes, I know how to do it, I’ve been doing it for a decade. But I still won’t.&lt;br/&gt;&lt;br/&gt;#Github #GithubCopilot #GitLab
    </content>
    <updated>2026-03-27T09:02:38Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqs9w5xjt7xju6jm97c7hjx3zes2mjx4crq42kw83awjmsjypr0x9cszypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6lk5x6m</id>
    
      <title type="html">That’s news to me. I cannot immediately find anything, have a ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqs9w5xjt7xju6jm97c7hjx3zes2mjx4crq42kw83awjmsjypr0x9cszypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6lk5x6m" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs28lhsxka2equnfhfc8jxh6mz4fddxalk3l2pqupwuewnxa0actdcxh2u87&#39;&gt;nevent1q…2u87&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;That’s news to me. I cannot immediately find anything, have a link?&lt;br/&gt;&lt;br/&gt;Edit: Or is this about their “secure value recovery” debacle?
    </content>
    <updated>2026-02-18T16:28:39Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsv5lt6vqq4gsy832k7v4erafgtuycp76867p5xx5jx68ndvgncc5czypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j683fux8</id>
    
      <title type="html">I haven’t seen any comments about the Matrix community, only ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsv5lt6vqq4gsy832k7v4erafgtuycp76867p5xx5jx68ndvgncc5czypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j683fux8" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs983lmhs3ctpvcjdk3vrjd3usj5pwjftpzd82cequnuqgphwl0hcc4u9w0x&#39;&gt;nevent1q…9w0x&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;I haven’t seen any comments about the Matrix community, only about the project’s vulnerability response. Even if it’s one user, it’s the user handling security reports. If they reject legitimate vulnerabilities as “not relevant in practice” – that is very concerning. If Matrix is supposed to be considered secure, they need working processes for handling vulnerability reports. If on the other hand they have a hobbyist approach to security then their product cannot be considered secure.&lt;br/&gt;&lt;br/&gt;Note: It may in fact be “not relevant in practice” *yet*. Still, an important building block of the protocol is compromised. It needs to be fixed, preferably *before* somebody figures out how to make this issue relevant in practice. Because somebody inevitably will.
    </content>
    <updated>2026-02-18T15:10:51Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqs800kz2m4mzk5lysrww0rfzuz9ndxqk69x7mljg8duwsy4zsldxmczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j640kd2w</id>
    
      <title type="html">Is there actually a name for the development model where you ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqs800kz2m4mzk5lysrww0rfzuz9ndxqk69x7mljg8duwsy4zsldxmczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j640kd2w" />
    <content type="html">
      Is there actually a name for the development model where you don’t have a single codebase for all your clients/device model/whatever but rather fork the codebase whenever a new client/device model/whatever comes along? You then continue your development in the new codebase and occasionally cherry pick some of the improvements for the older variants of your codebase (of which you eventually accumulate dozens if not hundreds).
    </content>
    <updated>2025-12-16T14:47:03Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsy9dfu8wrafzkve4lk2x3rdxtl2lvpkk4d5gfeskqevnsnac288sczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6usnjqp</id>
    
      <title type="html">Yeah, I doubt that this will work. From what I have seen, ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsy9dfu8wrafzkve4lk2x3rdxtl2lvpkk4d5gfeskqevnsnac288sczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6usnjqp" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsyfnmfmxf2608z27nsejufsr3ddywrl3m9l3jp3c6c9f8xrtm8gwc874u9f&#39;&gt;nevent1q…4u9f&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;Yeah, I doubt that this will work. From what I have seen, matching any kind of AST onto these binaries will produce lots of false negatives. They all have these one or two functions I want to look into (I think), but they are always somewhat different. The strings are the only factor that I’m reasonably confident to be stable, and even here I want to account for some variation.
    </content>
    <updated>2025-12-15T15:29:08Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsfadh8024h46e6677rqz2eh5kr48ze6f7ahp99zxz0n2w63ad250szypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6mshupg</id>
    
      <title type="html">Nah, diffing tools aren’t going to be of much use. These ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsfadh8024h46e6677rqz2eh5kr48ze6f7ahp99zxz0n2w63ad250szypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6mshupg" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsy3xxgrgf5aflg7rratdh0zcflsfr2uff44dlpg95rmaqt90e60pqzgd49v&#39;&gt;nevent1q…d49v&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;Nah, diffing tools aren’t going to be of much use. These binaries are way too different. They aren’t being built from a shared code base, despite sharing much code.&lt;br/&gt;&lt;br/&gt;But I didn’t know that Ghidra exposes an API which can be used by command line tools. That may be good enough.
    </content>
    <updated>2025-12-15T15:17:20Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqs84m0fuzctkvm0hztym6xzpc5jgwgpd0yhmq64pxmg85efv8ruslqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6nctl4u</id>
    
      <title type="html">Now the question is: how do I compare the logic in a few hundred ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqs84m0fuzctkvm0hztym6xzpc5jgwgpd0yhmq64pxmg85efv8ruslqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6nctl4u" />
    <content type="html">
      Now the question is: how do I compare the logic in a few hundred similar but far from identical applications? So far the plan is:&lt;ol&gt;&lt;li&gt;Use pyelftools to parse the binaries.&lt;/li&gt;&lt;li&gt;Find a particular string in the data segment and calculate its address.&lt;/li&gt;&lt;li&gt;Use Capstone to disassemble the entire code segment.&lt;/li&gt;&lt;li&gt;Find the instruction accessing this string, indicating the function I’m interested in.&lt;/li&gt;&lt;li&gt;Identify the boundaries of the function containing this instruction.&lt;/li&gt;&lt;li&gt;Analyze other instructions of the function, finding out which global variables it accesses.&lt;/li&gt;&lt;li&gt;Check whether it passes any of these global variables to another function which can be identified by the parameters it receives.&lt;/li&gt;&lt;/ol&gt;&lt;br/&gt;&lt;br/&gt;Don’t get me wrong, Capstone is a great tool. But here the steps starting with 4 are unnecessarily complicated. First of all, loading an address into a register takes two instructions on both ARM and MIPS, and Capstone won’t help me figure this out. And Capstone isn’t much of a help for finding function boundaries either.&lt;br/&gt;&lt;br/&gt;I tried spimdisasm, and it solves both issues. Unfortunately, it only does MIPS and I don’t see anything comparable for the ARM platform.&lt;br/&gt;&lt;br/&gt;As to proper decompilers, the scenario “decompile an entire file automatically and reasonably quickly, doesn’t have to be good” seems to be an uncommon one. RetDec for example works for ten minutes before simply giving up.
    </content>
    <updated>2025-12-15T15:03:11Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqstu2nn3997nthazu002zl0vff056qf4lc6hs45dkqh3asmfg3sltqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j68amz0w</id>
    
      <title type="html">I’m having some fun with VStarcam firmware, so why shouldn’t ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqstu2nn3997nthazu002zl0vff056qf4lc6hs45dkqh3asmfg3sltqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j68amz0w" />
    <content type="html">
      I’m having some fun with VStarcam firmware, so why shouldn’t you? After downloading hundreds of their firmware updates I decided to document all these numerous proprietary formats. This even included figuring out a proprietary compression algorithm (not the one I asked about here a few days ago, that one is still a mystery).&lt;br/&gt;&lt;br/&gt;&lt;a href=&#34;https://palant.info/2025/12/15/unpacking-vstarcam-firmware-for-fun-and-profit/&#34;&gt;https://palant.info/2025/12/15/unpacking-vstarcam-firmware-for-fun-and-profit/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;#vstarcam #firmware #iot #IoTSecurity
    </content>
    <updated>2025-12-15T14:27:18Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsg3rwvv5mw2z5np7l6t0zdjdply8dxs2kl7qy6ya5pd4ceawsafgczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6tvj6us</id>
    
      <title type="html">That’s why the burden of speaking up cannot be on the women – ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsg3rwvv5mw2z5np7l6t0zdjdply8dxs2kl7qy6ya5pd4ceawsafgczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6tvj6us" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsw8dr0053etlpymhv6rl7vym4jh7eq9evgy79xac9rnxp8sfhcmlgnlcx4p&#39;&gt;nevent1q…cx4p&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;That’s why the burden of speaking up cannot be on the women – the men need to be doing it, noticing, pointing out and correcting injustices in the current system. Because we can afford doing it. There is very little risk in it for us.
    </content>
    <updated>2025-12-06T19:59:24Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqs2n6jsqle8rm6dugu2gky6e0zj0305hpnmp6j94r8n2nuvpm8wcdszypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6za22t4</id>
    
      <title type="html">Now #Thunderbird is running a user survey asking whether ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqs2n6jsqle8rm6dugu2gky6e0zj0305hpnmp6j94r8n2nuvpm8wcdszypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6za22t4" />
    <content type="html">
      Now #Thunderbird is running a user survey asking whether Thunderbird would benefit from “AI” features. Please don’t waste time on this crap, there is plenty of work to be done on improving Thunderbird but this isn’t it.
    </content>
    <updated>2025-09-22T19:30:08Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqs9g7a4mf6a8k0p8jarxyydq23r2r67gghepm6h4phlqv7mz6059hgzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6krrru0</id>
    
      <title type="html">Drew DeVault ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqs9g7a4mf6a8k0p8jarxyydq23r2r67gghepm6h4phlqv7mz6059hgzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6krrru0" />
    <content type="html">
      Drew DeVault [writes](&lt;a href=&#34;https://drewdevault.com/2025/09/17/2025-09-17-An-impossible-future-for-JS.html&#34;&gt;https://drewdevault.com/2025/09/17/2025-09-17-An-impossible-future-for-JS.html&lt;/a&gt; ):&lt;br/&gt;&lt;br/&gt;&amp;gt; “Perhaps Google and Mozilla, leaders in JavaScript standards and implementations, will start developing a real standard library for JavaScript, which makes micro-dependencies like left-pad a thing of the past.”&lt;br/&gt;&lt;br/&gt;There is an interesting logic flaw here. There is in fact String.prototype.padLeft built into JavaScript, it has been available for at least eight years. How often did you see that used in production code? Me, having reviewed lots of codebases over the past years – almost never. Meanwhile the cumulative downloads for various string padding libraries on NPM still go into millions per week. It’s not even that many software projects directly depending on them, but way too many projects having complicated dependencies that in some corner of their wide dependency tree aren’t too up to date with these “newfangled” language features.&lt;br/&gt;&lt;br/&gt;And if something else is an indicator: I still regularly see jQuery being used in new projects, decades after it became obsolete thanks to browsers improving. No amount of pointing out how harmful it is to sane development patterns helped here.&lt;br/&gt;&lt;br/&gt;So I’m not sure that I can see Drew DeVault’s proposed solution to the dependency hell succeeding even if we could get the industry behind it. The inertia behind JavaScript is enormous, and in many areas the usage barely moved beyond JavaScript 1.5. Yet most projects today use a whole array of linters and build tools to aid development, and these are really complicated beasts. 
Maybe it’s possible to shrink their dependency trees a bit but the complexity isn’t going away.&lt;br/&gt;&lt;br/&gt;Maybe the real question is: why does my build process have the potential to compromise my system unless I do some crazy hacks that no sane person would normally bother with? The build result will typically run in some kind of sandbox with very limited damage potential, why doesn’t the build process?
    </content>
    <updated>2025-09-17T09:58:31Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqs2na435cuvdtwvva6qhr98v90n0t8e3k0vtw4h947fwqwath9g0eczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6jt86yj</id>
    
      <title type="html">&amp;gt; “Though the researchers claim they’ve anonymized the ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqs2na435cuvdtwvva6qhr98v90n0t8e3k0vtw4h947fwqwath9g0eczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6jt86yj" />
    <content type="html">
      &amp;gt; “Though the researchers claim they’ve anonymized the data”&lt;br/&gt;&lt;br/&gt;There we go again. There is no way to anonymize two billion messages, short of removing their content entirely.&lt;br/&gt;&lt;br/&gt;&lt;a href=&#34;https://www.404media.co/researchers-scrape-2-billion-discord-messages-and-publish-them-online/&#34;&gt;https://www.404media.co/researchers-scrape-2-billion-discord-messages-and-publish-them-online/&lt;/a&gt;
    </content>
    <updated>2025-05-22T11:42:24Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqspx4tuey99kvv6ed62h7lauejaf4x7w78z6epzg5axc9e2xyhfkuqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6zqh5kd</id>
    
      <title type="html">Fedora</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqspx4tuey99kvv6ed62h7lauejaf4x7w78z6epzg5axc9e2xyhfkuqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6zqh5kd" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsgnmd95kuayvlarzqdhe7dq9pz79y5gy8pd0km8lrd7faald5we9gwsc9s9&#39;&gt;nevent1q…c9s9&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;Fedora
    </content>
    <updated>2025-02-18T09:22:57Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsvhpe9qzymqr5tn40z2r82lwxmf64ydccpvej7juzqwfyl9usrq7szypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j66wyf3k</id>
    
      <title type="html">I have been introduced to the obscure Linux failure condition ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsvhpe9qzymqr5tn40z2r82lwxmf64ydccpvej7juzqwfyl9usrq7szypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j66wyf3k" />
    <content type="html">
      I have been introduced to the obscure Linux failure condition called “unbalanced btrfs filesystem.” That’s when you have more than 100 GiB free on your hard drive, yet the file system will refuse operations like renaming a file, claiming that you have no space left. Which comes out of the blue, without any kind of prior warning. And you first have to search past all the unhelpful articles explaining how to remove unused files, until you find that the issue is specific to the btrfs filesystem and with some luck can be cured by running some obscure commands (yet these commands also tend to refuse working because … 🥁🥁🥁 … you have no space left).&lt;br/&gt;&lt;br/&gt;It’s 2025 and Linux still does that to people…
    </content>
    <updated>2025-02-18T06:34:29Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqs9djvyalqrjahe3wdke38z82ln0wgq0jyh6fp75t7rpj8qrvx7wrczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6tek4l3</id>
    
      <title type="html">It seems that Cloudflare has only 6 data centers in Germany. ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqs9djvyalqrjahe3wdke38z82ln0wgq0jyh6fp75t7rpj8qrvx7wrczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6tek4l3" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsz92w5ekpxymk3jj3jq0dd4gwpmvls07qr47d2wmpxh93gw9kncncvgx9qa&#39;&gt;nevent1q…x9qa&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;It seems that Cloudflare has only 6 data centers in Germany. There is a single data center in all of North Rhine-Westphalia with its 18 million people. Yes, this isn’t exactly impressive position pinpointing.&lt;br/&gt;&lt;br/&gt;I guess somebody on the run who doesn’t want to disclose which country they are in would be concerned about this issue. Then again, they probably wouldn’t want to expose their real IP address to the Signal infrastructure in the first place.
    </content>
    <updated>2025-01-22T01:06:59Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsqhf3rnyjqwpcwlp7u5zll3crzu5ttvydldjz5lduk0pxzu2x9sqszypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6ukyg3d</id>
    
      <title type="html">Published a new article: Malicious extensions circumvent ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsqhf3rnyjqwpcwlp7u5zll3crzu5ttvydldjz5lduk0pxzu2x9sqszypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6ukyg3d" />
    <content type="html">
      Published a new article: Malicious extensions circumvent Google’s remote code ban&lt;br/&gt;&lt;br/&gt;&lt;a href=&#34;https://palant.info/2025/01/20/malicious-extensions-circumvent-googles-remote-code-ban/&#34;&gt;https://palant.info/2025/01/20/malicious-extensions-circumvent-googles-remote-code-ban/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;Looking at 60 malicious extensions belonging to three groups here, still running remote code despite Google banning it in Manifest V3. “Fun” fact: some of these extensions have been featured on my blog in 2023, others on McAfee’s in 2022.&lt;br/&gt;&lt;br/&gt;Recurring pattern: downloading rules and adding them to declarativeNetRequest API. The abuse potential here is enormous, including injecting malicious scripts into websites.&lt;br/&gt;&lt;br/&gt;Only one extension went for essentially a custom programming language, others settled with simpler approaches. Luckily for me because the latter allows better guesses about what this functionality is meant for. Spoiler: ads and affiliate fraud. Also: affiliate fraud and ads.
    </content>
    <updated>2025-01-20T13:45:34Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsyueyx2xmd8s2nec0zx6yuk8up8vypszuv84ahcez9cysteua38fszypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6p3aac2</id>
    
      <title type="html">A bunch of years ago I recommended against the use of the Session ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsyueyx2xmd8s2nec0zx6yuk8up8vypszuv84ahcez9cysteua38fszypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6p3aac2" />
    <content type="html">
      A bunch of years ago I recommended against the use of the Session messenger (a Signal fork) but that wasn’t due to its technical merits. I found it concerning what kind of audience that messenger addresses. If the app is geared towards white nationalists, sexists and the like, then nobody else should help improve its image with their presence. Mind you, that was a long time ago and I don’t know whether they’ve improved.&lt;br/&gt;&lt;br/&gt;But &lt;span itemprop=&#34;mentions&#34; itemscope itemtype=&#34;https://schema.org/Person&#34;&gt;&lt;a itemprop=&#34;url&#34; href=&#34;/npub1wfp0azvqh9n27j7zgnej54cr9xjs5x2efztwzurjdpj34ea5vw9qdvw2m9&#34; class=&#34;bg-lavender dark:prose:text-neutral-50 dark:text-neutral-50 dark:bg-garnet px-1&#34;&gt;&lt;span&gt;Soatok Dreamseeker&lt;/span&gt; (&lt;span class=&#34;italic&#34;&gt;npub1wfp…w2m9&lt;/span&gt;)&lt;/a&gt;&lt;/span&gt; took apart their cryptographic approach now and… well, I better just quote him:&lt;br/&gt;&lt;br/&gt;&amp;gt; “run, screaming, in the other direction from Session.”&lt;br/&gt;&lt;br/&gt;Yes, it’s that bad.&lt;br/&gt;&lt;br/&gt;&lt;a href=&#34;https://soatok.blog/2025/01/14/dont-use-session-signal-fork/&#34;&gt;https://soatok.blog/2025/01/14/dont-use-session-signal-fork/&lt;/a&gt;
    </content>
    <updated>2025-01-15T22:38:25Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsdxjjn38z2e2c34y4v2m4ue2qwly8jl3kswyz4f90hwklh3qncs6gzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j66p6j2a</id>
    
      <title type="html">I meant to publish a rant about Google and Chrome Web Store for a ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsdxjjn38z2e2c34y4v2m4ue2qwly8jl3kswyz4f90hwklh3qncs6gzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j66p6j2a" />
    <content type="html">
      I meant to publish a rant about Google and Chrome Web Store for a while now, and now it is out: &lt;a href=&#34;https://palant.info/2025/01/13/chrome-web-store-is-a-mess/&#34;&gt;https://palant.info/2025/01/13/chrome-web-store-is-a-mess/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;This details many of Google’s shortcomings at keeping Chrome Web Store safe, with the conclusion: “for the end users the result is a huge (and rather dangerous) mess.”&lt;br/&gt;&lt;br/&gt;I am explaining how Google handled (or rather didn’t handle for the most part) my recent reports. How they make reporting problematic extensions extremely hard and then keep reporters in the dark about the state of these reports. How Google repeatedly chose to ignore their own policies and allowed shady, spammy and sometimes outright malicious extensions to prevail.&lt;br/&gt;&lt;br/&gt;There is some text here on the completely meaningless “Featured” badge that is more likely to be awarded to malicious extensions than to legitimate ones. And how user reviews aren’t allowing informed decisions either because Google will allow even the most obvious fakes to remain.&lt;br/&gt;&lt;br/&gt;I’ve also decided to publish a guest post by a researcher who wanted to remain anonymous: &lt;a href=&#34;https://palant.info/2025/01/13/biscience-collecting-browsing-history-under-false-pretenses/&#34;&gt;https://palant.info/2025/01/13/biscience-collecting-browsing-history-under-false-pretenses/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;This post provides more details on BIScience Ltd., another company selling browsing data of extension users.
&lt;span itemprop=&#34;mentions&#34; itemscope itemtype=&#34;https://schema.org/Person&#34;&gt;&lt;a itemprop=&#34;url&#34; href=&#34;/npub16w0pxz27k9jzar06admwysldgv552ata836hu6wxz7kt80qyndlsrpzrr3&#34; class=&#34;bg-lavender dark:prose:text-neutral-50 dark:text-neutral-50 dark:bg-garnet px-1&#34;&gt;&lt;span&gt;tuckner&lt;/span&gt; (&lt;span class=&#34;italic&#34;&gt;npub16w0…zrr3&lt;/span&gt;)&lt;/a&gt;&lt;/span&gt; and I wrote a bit about that one recently, but this has been going on since at least 2019 apparently. Google allows it as long as extension authors claim (not very convincingly) that this data collection is necessary for the extension’s functionality. It’s not that Google doesn’t have policies that would prohibit it, yet Google chooses not to enforce those.&lt;br/&gt;&lt;br/&gt;#google #cws #ChromeExtensions #privacy #ChromeWebStore
    </content>
    <updated>2025-01-13T13:31:55Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsyt6v9l8jazrl2dkef9pz877ffx0e26l4hdtg2r27775ap9q8z63czypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6n39cxx</id>
    
      <title type="html">My research on how Chrome extensions spam Chrome Web Store search ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsyt6v9l8jazrl2dkef9pz877ffx0e26l4hdtg2r27775ap9q8z63czypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6n39cxx" />
    <content type="html">
      My research on how Chrome extensions spam Chrome Web Store search with irrelevant keywords has been picked up by &lt;span itemprop=&#34;mentions&#34; itemscope itemtype=&#34;https://schema.org/Person&#34;&gt;&lt;a itemprop=&#34;url&#34; href=&#34;/npub1z3lwfekw80j4ngzg6ky3ks202xr6uwnd4jttxzsd4euc9l55euvq48qvzu&#34; class=&#34;bg-lavender dark:prose:text-neutral-50 dark:text-neutral-50 dark:bg-garnet px-1&#34;&gt;&lt;span&gt;Dan Goodin&lt;/span&gt; (&lt;span class=&#34;italic&#34;&gt;npub1z3l…qvzu&lt;/span&gt;)&lt;/a&gt;&lt;/span&gt;: &lt;a href=&#34;https://arstechnica.com/security/2025/01/googles-chrome-web-store-has-a-serious-spam-problem-promoting-shady-extensions/&#34;&gt;https://arstechnica.com/security/2025/01/googles-chrome-web-store-has-a-serious-spam-problem-promoting-shady-extensions/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;The article quotes me towards the end, something that is worth repeating:&lt;br/&gt;&lt;br/&gt;&amp;gt; “It wasn’t *that* hard to notice, and they have better access to the data than me. So either Google isn’t looking or they don’t care.”&lt;br/&gt;&lt;br/&gt;#cws #ChromeWebStore #google #ChromeExtensions #spam
    </content>
    <updated>2025-01-09T00:06:52Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqs8p6e2svj25sp8lqq0kue2dunzgr4dpwj88vv03kuz4pg378r7c3qzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6t0e6we</id>
    
      <title type="html">Back in October I asked here why searching for “Norton Password ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqs8p6e2svj25sp8lqq0kue2dunzgr4dpwj88vv03kuz4pg378r7c3qzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6t0e6we" />
    <content type="html">
      Back in October I asked here why searching for “Norton Password Manager” on Chrome Web Store brings up five completely unrelated extensions which all show up before the actual Norton Password Manager. Now I know the answer: some extension authors figured out how to use translations in order to mess with the search results. &lt;a href=&#34;https://palant.info/2025/01/08/how-extensions-trick-cws-search/&#34;&gt;https://palant.info/2025/01/08/how-extensions-trick-cws-search/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;I found 920 extensions using this approach. Most of them fall into a few large extension clusters that are spamming Chrome Web Store. For example, I could attribute 122 extensions to the Kodice / Karbon Project / BroCode cluster that I covered in June 2023 originally. Another 100 extensions belong to the PDF Toolbox cluster that originally appeared on my blog in May 2023. The ZingFront / ZingDeck / BigMData cluster is one I also researched back in 2023 but didn’t publish – 223 extensions.&lt;br/&gt;&lt;br/&gt;There is also a cluster that was new to me and which I couldn’t really tie to a company name (apart from finding two red herrings). There seems to be a Ukrainian/Russian language part and a Farsi (?) language part here, and it’s hundreds of extensions despite only 55 of them qualifying for the list in this article.&lt;br/&gt;&lt;br/&gt;Now that this is out, are you as excited as me to see what Google will do about this?&lt;br/&gt;&lt;br/&gt;#google #cws #ChromeExtensions #chrome #ChromeWebStore #spam
    </content>
    <updated>2025-01-08T13:55:23Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsdqvmudmdhehljscpan4e9q266439cazxexu503ehn8w73xwsus6gzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j62uwfu8</id>
    
      <title type="html">John @npub16w0…zrr3 sent me on an interesting wild goose chase. ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsdqvmudmdhehljscpan4e9q266439cazxexu503ehn8w73xwsus6gzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j62uwfu8" />
    <content type="html">
      John &lt;span itemprop=&#34;mentions&#34; itemscope itemtype=&#34;https://schema.org/Person&#34;&gt;&lt;a itemprop=&#34;url&#34; href=&#34;/npub16w0pxz27k9jzar06admwysldgv552ata836hu6wxz7kt80qyndlsrpzrr3&#34; class=&#34;bg-lavender dark:prose:text-neutral-50 dark:text-neutral-50 dark:bg-garnet px-1&#34;&gt;&lt;span&gt;tuckner&lt;/span&gt; (&lt;span class=&#34;italic&#34;&gt;npub16w0…zrr3&lt;/span&gt;)&lt;/a&gt;&lt;/span&gt; sent me on an interesting wild goose chase. He is investigating the Cyberhaven extension compromise, trying to find out more. And he found something that he considered another campaign compromising browser extensions, related to the sclpfybn[.]com domain: &lt;a href=&#34;https://secureannex.com/blog/cyberhaven-extension-compromise/#a-new-thread-to-pull-on&#34;&gt;https://secureannex.com/blog/cyberhaven-extension-compromise/#a-new-thread-to-pull-on&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;One of the extensions that used to contain the code in question was Visual Effects for Google Meet – which brought him to me because I recently covered that extension in my Karma Connection article: &lt;a href=&#34;https://palant.info/2024/10/30/the-karma-connection-in-chrome-web-store/&#34;&gt;https://palant.info/2024/10/30/the-karma-connection-in-chrome-web-store/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;I checked my data but couldn’t find the sclpfybn[.]com domain mentioned in any extensions other than the ones &lt;span itemprop=&#34;mentions&#34; itemscope itemtype=&#34;https://schema.org/Person&#34;&gt;&lt;a itemprop=&#34;url&#34; href=&#34;/npub16w0pxz27k9jzar06admwysldgv552ata836hu6wxz7kt80qyndlsrpzrr3&#34; class=&#34;bg-lavender dark:prose:text-neutral-50 dark:text-neutral-50 dark:bg-garnet px-1&#34;&gt;&lt;span&gt;tuckner&lt;/span&gt; (&lt;span class=&#34;italic&#34;&gt;npub16w0…zrr3&lt;/span&gt;)&lt;/a&gt;&lt;/span&gt; found already. I then looked for similar code and immediately found it in Urban VPN Proxy.&lt;br/&gt;&lt;br/&gt;First thought: Urban VPN Proxy has the legitimate version of a library that was trojanized elsewhere. Taking a look at the communication of Urban VPN Proxy disproved that theory almost immediately – not only was it communicating in exactly the same way, but also to an unknown domain, namely ducunt[.]com. Yet the same endpoint existed on the official urban-vpn[.]com domain as well.&lt;br/&gt;&lt;br/&gt;So not only did Urban VPN Proxy contain essentially the same code, it was likely added there by the developers themselves. Further investigation increased the suspicion that all these extensions haven’t been compromised, that this was rather some monetization SDK.&lt;br/&gt;&lt;br/&gt;At which point &lt;span itemprop=&#34;mentions&#34; itemscope itemtype=&#34;https://schema.org/Person&#34;&gt;&lt;a itemprop=&#34;url&#34; href=&#34;/npub16w0pxz27k9jzar06admwysldgv552ata836hu6wxz7kt80qyndlsrpzrr3&#34; class=&#34;bg-lavender dark:prose:text-neutral-50 dark:text-neutral-50 dark:bg-garnet px-1&#34;&gt;&lt;span&gt;tuckner&lt;/span&gt; (&lt;span class=&#34;italic&#34;&gt;npub16w0…zrr3&lt;/span&gt;)&lt;/a&gt;&lt;/span&gt; found the sales pitch for that SDK, detailing how it would add ad blocking functionality to the extension at the cost of exfiltrating very detailed browsing data (of course anonymized and aggregated before being sold to everyone asking for it, we know the drill). And explanations on how to make sure Google won’t object.&lt;br/&gt;&lt;br/&gt;And that explains it all: before the Visual Effects for Google Meet developer sold their extension to Karma, they tried to monetize it with this “ad blocking library.” The sales pitch doesn’t mention who develops the library but everything points to Urban VPN.&lt;br/&gt;&lt;br/&gt;According to Urban VPN’s privacy policy, they are selling the data they collect from their users via BIScience Ltd. Who are most likely the hidden owners of Urban Cyber Security Inc., a company registered to a virtual address in the USA.
    </content>
    <updated>2024-12-31T00:30:05Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqs07uhwesfxmr2lhgpyllhmr7l0tc63p6ml993pn58lcjm9fq3h6lczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6q0xqj0</id>
    
      <title type="html">I just replied to a blog comment, and I thought that I post my ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqs07uhwesfxmr2lhgpyllhmr7l0tc63p6ml993pn58lcjm9fq3h6lczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6q0xqj0" />
    <content type="html">
      I just replied to a blog comment, and I thought that I post my reply here as well:&lt;br/&gt;&lt;br/&gt;I think that I have good reasons to be “against Avast,” having published seven articles on them so far. The security issues alone are bad enough. But Avast abused their position to collect and sell users’ browsing profiles. After they were caught they claimed the data to be anonymized, they claimed to only sell aggregated data – and they continue lying to this day, despite there being conclusive evidence to the contrary. While the company has been bought, it’s still the same people in charge. This sort of undermines any trust in them for anything related to security.&lt;br/&gt;&lt;br/&gt;As the security of antivirus software goes, I’m not very fond of any as the articles in the “antivirus” category of my blog show. With Kaspersky it wasn’t only the security issues but also how they handled them, pushing out half-hearted fixes only for these to be circumvented shortly afterwards. McAfee and BullGuard had massive security issues stemming from being careless about security and not following best practices.&lt;br/&gt;&lt;br/&gt;I’ve found a critical security issue in Bitdefender’s solution as well, but with them I at least had the impression that they were trying. Unfortunately, that’s currently the bar in the antivirus industry – at least trying to make their product secure.&lt;br/&gt;&lt;br/&gt;Security-wise, one good thing about Windows Defender is that it only needs to do one job. It doesn’t need all the extra functionality as a selling argument. It doesn’t need to be a banking browser, it doesn’t need to be a phishing protection, it only needs to be an antivirus solution. It can keep a very small attack surface compared to all those antivirus suites, and so it does (yes, I checked).&lt;br/&gt;&lt;br/&gt;#antivirus #security #avast #McAfee #BullGuard #Bitdefender #WindowsDefender
    </content>
    <updated>2024-12-16T20:54:47Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsrqmeh6d6a0ewedr6qqcr2kdfg6ckkxtkvyxe3hcjt5vcsuk9xlhqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j696l7jv</id>
    
      <title type="html">That’s a new one. Website complains about the password I ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsrqmeh6d6a0ewedr6qqcr2kdfg6ckkxtkvyxe3hcjt5vcsuk9xlhqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j696l7jv" />
    <content type="html">
      That’s a new one. Website complains about the password I entered: “Please enter no more than 15 characters.” Then why did it let me register with a 16 character password before? 🤔&lt;br/&gt;&lt;br/&gt;I change maxlength on the password field to 16 characters. Login successful! 😂
    </content>
    <updated>2024-11-21T16:24:27Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqstks5ajs9r9werv47u3shxn9ssgm9d6jrevuas5nwzglrqs32553gzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6sfymu0</id>
    
      <title type="html">And the second instance confirms the ruling. 🙄 There will be ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqstks5ajs9r9werv47u3shxn9ssgm9d6jrevuas5nwzglrqs32553gzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6sfymu0" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqs2hl6h7lu5fnclc3c74uqnl6ma3wjvsrjr55hja49g07n2849lnkgjld356&#39;&gt;nevent1q…d356&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;And the second instance confirms the ruling. 🙄 There will be more instances but this is disappointing.&lt;br/&gt;&lt;br/&gt;Apparently, the matter of the publicly available password wasn’t discussed at all. It was all about illegitimate access to data, regardless of inadequate data protection. Guilty in the sense of the law.&lt;br/&gt;&lt;br/&gt;This law was about to be adjusted, defusing it for security researchers. Unfortunately, with the German government breaking up it’s unclear whether that change can still happen. It’s pretty much a given that the next government won’t be interested in fixing this issue.&lt;br/&gt;&lt;br/&gt;Source: &lt;a href=&#34;https://www.heise.de/news/Modern-Solution-Berufungsgericht-bestaetigt-Schuld-des-Sicherheitsforschers-10007090.html&#34;&gt;https://www.heise.de/news/Modern-Solution-Berufungsgericht-bestaetigt-Schuld-des-Sicherheitsforschers-10007090.html&lt;/a&gt;
    </content>
    <updated>2024-11-09T08:51:18Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsztjklgggh28ufpndxvhng45d7zmlqs08wqdn59yc2hnf708glauczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6c5lqnh</id>
    
      <title type="html">I’ve seen too many bad takes recently, many of them very ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsztjklgggh28ufpndxvhng45d7zmlqs08wqdn59yc2hnf708glauczypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6c5lqnh" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqspq5jq086psr5dx693ee0atu8f7qed0d705nun9pw0ctkqscm26ts0f8e6m&#39;&gt;nevent1q…8e6m&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;I’ve seen too many bad takes recently, many of them very typical. So please excuse my long rant, I have to get them out of my system.&lt;br/&gt;&lt;br/&gt;“It’s not a crime”: No shit, Sherlock! Are you saying that anything short of committing a crime won’t trigger your moral compass? Then you need to get your moral compass seriously adjusted. But I suspect that you are merely hiding behind the legislative system, well knowing that it cannot (shouldn’t) possibly prohibit each possible kind of wrongdoing, and even if it does many people will never be convicted, and even if they are the process will take years. Giving you lots of opportunity not to care about an issue that you don’t want to care about.&lt;br/&gt;&lt;br/&gt;“He has a right to have this opinion”: Yes, he does, and freedom of speech guarantees that he won’t be persecuted for it by the government. This doesn’t mean that he is entitled to a platform for this opinion however, and neither does it mean that you have to accept it. In fact, it was still your choice not to find that opinion repugnant and not to voice your disagreement – freedom of speech doesn’t let you off the hook there. And deplatforming is a perfectly valid consequence for people voicing harmful opinions, we should all support that. Those of us who aren’t complicit of course.&lt;br/&gt;&lt;br/&gt;So if let’s say someone vocally advocates for adults having sex with minors, does it many times over decades and only somewhat retracts their statements – you don’t hide behind freedom of speech instead of calling this disgusting and a blatant abuse of the person’s position. They can continue having this opinion in private, but no person and no organization should enable them to share it. So if out of a whole bunch of accusations you choose to refute this one (because most defensible? most relatable?), that’s telling a lot about you.&lt;br/&gt;&lt;br/&gt;“He is old and sick”: Yes, maybe. He is also in a position of power. He can still continue being old and sick after being removed from a position where he does considerable harm. Did you check whether any of the people he harmed are old and sick or are you merely using it as an excuse?&lt;br/&gt;&lt;br/&gt;“This is a FUD campaign against him, paid by big money”: Like big money would bother. No campaign can do more damage to his cause than he does by staying exactly where he is. But this is a very convenient argument: if the accusations are anonymous, you can refuse believing them. And if there is a name attached, you (and others like you) can attack that person and make sure they regret ever speaking up. Either way, you’ll defend your hero because he is your hero and heroes can never be wrong.&lt;br/&gt;&lt;br/&gt;“I want people in charge who fight for the cause instead of doing politics”: Yes, we got it. Other people’s safety is “politics” and irrelevant to you. I’m not going to say what other people think of this stance since you clearly don’t care. But your cause can always benefit from more people fighting for it. Having a person there who alienates a large part of the community and pushes people out isn’t really helping the cause. But it helps this person’s standing, them having less competition and particularly getting rid of the people who can think for themselves.&lt;br/&gt;&lt;br/&gt;“But he does great work”: Maybe. And he also prevents lots of other people from doing great work. Please drop this cult of a lone genius who is worth more than thousands of other people. Unique abilities are far less common than you seem to believe, yet toxic personalities pushing out anybody who might contradict them are pretty common.&lt;br/&gt;&lt;br/&gt;“Look, this isn’t against trans people at all”: Sure, like you would know. One typical strategy of anti-trans movements is that they claim to care about trans people. “Look, we are all for trans people, but this will hurt women! This will hurt children! Better use *this* solution that will do better for everyone.” And if this isn’t about your life, this argumentation might even seem logical. So please, when it comes to groups other than your own – you don’t pass judgement about what is or isn’t harming them, you listen to *them*. No, not the likely false flag comment pretending to be trans but actual trans people please.
    </content>
    <updated>2024-10-16T12:07:44Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqspq5jq086psr5dx693ee0atu8f7qed0d705nun9pw0ctkqscm26tszypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j65l5a3h</id>
    
      <title type="html">In that sense, I don’t want to deny you this quote from a Terry ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqspq5jq086psr5dx693ee0atu8f7qed0d705nun9pw0ctkqscm26tszypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j65l5a3h" />
    <content type="html">
      In reply to &lt;a href=&#39;/nevent1qqsyuyyfhns9cwhm73yqvqvcs6pu5q4vhc66u0hk562xufzmh9gqe4gwmdkr6&#39;&gt;nevent1q…dkr6&lt;/a&gt;&lt;br/&gt;_________________________&lt;br/&gt;&lt;br/&gt;In that sense, I don’t want to deny you this quote from a Terry Pratchett book:&lt;br/&gt;&lt;br/&gt;&amp;gt; “…and then Jack chopped down the beanstalk, adding murder and ecological vandalism to the theft, enticement and trespass charges already mentioned, but he got away with it and lived happily ever after without so much as a guilty twinge about what he had done. Which proves that you can be excused just about anything if you’re a hero, because no one asks inconvenient questions.”
    </content>
    <updated>2024-10-15T10:39:32Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsyuyyfhns9cwhm73yqvqvcs6pu5q4vhc66u0hk562xufzmh9gqe4gzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6p4qyns</id>
    
      <title type="html">It’s this time of year again: we can witness thousands of ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsyuyyfhns9cwhm73yqvqvcs6pu5q4vhc66u0hk562xufzmh9gqe4gzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6p4qyns" />
    <content type="html">
      It’s this time of year again: we can witness thousands of people (mostly men of course) come up with ridiculous excuses to defend a powerful man who has been (once again) accused of misconduct.&lt;br/&gt;&lt;br/&gt;And you know what, this exact behavior is part of the reason why men in power (yes, in our society it’s almost universally men) are so often ignoring the boundaries of socially acceptable behavior. It’s because everyone around them is only telling them how great they are. All their flaws are politely ignored or even actively denied, so they never bother doing anything about them.&lt;br/&gt;&lt;br/&gt;But your heroes are mere human beings. Regardless of their great achievements, they will have flaws. And without anyone telling them to stop, they will just keep doing the same harmful things over and over again until decades later the whole thing blows up publicly. “Hey, what happened, this was always fine?” Well, maybe not quite like that in this particular case, I’m reading that many people did tell him to stop.&lt;br/&gt;&lt;br/&gt;Either way: you *can* be grateful for the person’s achievements without idealizing that person and ignoring the harm it is doing. Please by default believe the people speaking out against powerful men – it’s a fight that will typically achieve little while costing them dearly, so your knee-jerk reaction “they are probably lying” is very wrong 99% of the time. No, the remaining 1% isn’t itself a valid reason to distrust testimonies.&lt;br/&gt;&lt;br/&gt;I want to live in a world where people in the positions of power use that power responsibly. This isn’t going to happen unless their peers hold them responsible.
    </content>
    <updated>2024-10-14T22:22:28Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqsg2mf9vdwgk6w6txvwagjx5edhvx5lsn3w9cq0860cdnpgv3tlk8czypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j65fp0vl</id>
    
      <title type="html">If people losing access to their books when the vendor goes out ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqsg2mf9vdwgk6w6txvwagjx5edhvx5lsn3w9cq0860cdnpgv3tlk8czypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j65fp0vl" />
    <content type="html">
      If people losing access to their books when the vendor goes out of business was already bad, now the same thing is happening to cars: &lt;a href=&#34;https://arstechnica.com/cars/2024/10/connected-car-failure-puts-kibosh-on-sale-of-3300-fisker-oceans/&#34;&gt;https://arstechnica.com/cars/2024/10/connected-car-failure-puts-kibosh-on-sale-of-3300-fisker-oceans/&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;I know, it is happening all over the place, merely with pieces of technology not quite as expensive. Maybe, just maybe, having basic functionality depend on external components isn’t such a great idea?&lt;br/&gt;&lt;br/&gt;And since I don’t see “the market” ever discovering this, maybe some regulation is in order? Just so the next tech startup going out of business (or merely unwilling to support “outdated” hardware) isn’t an occasion to throw away tons of products in perfect working order.
    </content>
    <updated>2024-10-09T18:06:55Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqs2tlz0yp530ujfkglw8atgmh4q2alytpch4xlm6zj6c7dfgm6z9jqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6fcej5a</id>
    
      <title type="html">Ok, I found the hotel on booking.com but I restarted my browser ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqs2tlz0yp530ujfkglw8atgmh4q2alytpch4xlm6zj6c7dfgm6z9jqzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6fcej5a" />
    <content type="html">
      Ok, I found the hotel on booking.com but I restarted my browser and now it shows up with a much higher price… I see, coming from the search as opposed to opening the hotel page directly gives you a discount… And pretending to be a mobile browser (via Firefox’ Responsive Mode) gives you another discount… Ah, screw booking.com and their attempts to overcharge me, I can just book directly on the hotel website which is still cheaper.
    </content>
    <updated>2024-09-26T10:05:31Z</updated>
  </entry>

  <entry>
    <id>https://yabu.me/nevent1qqs2hl6h7lu5fnclc3c74uqnl6ma3wjvsrjr55hja49g07n2849lnkgzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6wl9lhv</id>
    
      <title type="html">German law is making security research a risky business. Current ...</title>
    
    <link rel="alternate" href="https://yabu.me/nevent1qqs2hl6h7lu5fnclc3c74uqnl6ma3wjvsrjr55hja49g07n2849lnkgzypqmnm98tlg2degqfl5mzjw3lhqj32yy3m4s5e59w77zk4lryj9j6wl9lhv" />
    <content type="html">
      German law is making security research a risky business.&lt;br/&gt;&lt;br/&gt;Current news: A court found a developer guilty of “hacking.” His crime: he was tasked with looking into software that produced way too many log messages. And he discovered that this software was making a MySQL connection to the vendor’s database server.&lt;br/&gt;&lt;br/&gt;When he checked that MySQL connection, he realized that the database contained data belonging to not merely his client but all of the vendor’s customers. So he immediately informed the vendor – and while they fixed this vulnerability they also pressed charges.&lt;br/&gt;&lt;br/&gt;There was apparently considerable discussion as to whether hardcoding database credentials in the application (visible as plain text, not even decompiling required) is sufficient protection to justify hacking charges. But the court ruling says: yes, there was a password, so there is a protection mechanism which was circumvented, and that’s hacking.&lt;br/&gt;&lt;br/&gt;I very much hope that there will be a next instance ruling overturning this decision again. But it’s exactly as people feared: no matter how flawed the supposed “protection,” its mere existence turns security research into criminal hacking under German law. This has a chilling effect on legitimate research, allowing companies to get away with inadequate security and in the end endangering users.&lt;br/&gt;&lt;br/&gt;Source: &lt;a href=&#34;https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html&#34;&gt;https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html&lt;/a&gt;
    </content>
    <updated>2024-01-18T12:25:12Z</updated>
  </entry>

</feed>