Nostr notes by Tod Beardsley

Breaking news: Max Headroom, one of the greatest TV shows ever ...

2026-02-21T02:41:04Z

Breaking news: Max Headroom, one of the greatest TV shows ever made, is free on Tubi.

I find the terrible Tubi ads really enhance the dystopia.

Computers are great. What a time to be alive. ...

2026-01-28T18:40:15Z

Computers are great. What a time to be alive.

January 1 came and went and Texas’s AI regulation went into ...

2026-01-12T13:23:18Z

January 1 came and went and Texas’s AI regulation went into effect.

There are a couple things to like about Texas’s attempt here. There are many things to dislike.

One aspect in particular: The definition of AI seems to cover just about any software application, right?

> TRAIGA broadly defines an “artificial intelligence system” as “any machine-based system that, for any explicit or implicit objective, infers from the inputs the system receives how to generate outputs, including content, decisions, predictions, or recommendations, that can influence physical or virtual environments.”

Maybe it’s the legalese, but I’m trying to figure out what machine-based system doesn’t function like this. Does it all hinge on “infer” rather than another verb like “calculate?”

https://www.gtlaw.com/en/insights/2025/6/traiga-key-provisions-of-texas-new-artificial-intelligence-governance-act

This bit makes me think it’s a different bug: “Users who ...

2025-12-08T13:43:48Z

In reply to nevent1q…wlkh
_________________________

This bit makes me think it’s a different bug:

“Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.”

Sounds like two different vectors. Incomplete fixes often lead to multiple CVEs, a la rule 4.1.10: “To help determine whether separate Vulnerabilities exist, CNAs SHOULD consider whether the Vulnerabilities are Independently Fixable.”

I just noticed that ../ looks like eyes and an outreaching arm, ...

2025-11-14T21:08:13Z

I just noticed that ../ looks like eyes and an outreaching arm, as if it's a victim drowning in quicksand.

I'm sure this is trenchant, somehow. cc cR0w :cascadia: :gayint: 🏴‍☠️ (npub1s6e…n008)

Hey y'all don't sleep on this one. **Agency Information ...

2025-08-21T04:53:54Z

Hey y'all don't sleep on this one.

**Agency Information Collection Activities: Vulnerability Reporting Submission Form**

#CISA wants to know what your ideal vulnerability reporting system would look like.

"CISA previously published this ICR in the Federal Register on October 30, 2024, for a 60-day public comment period. **CISA received one comment.** The purpose of this notice is to allow an additional 30-days for public comments."

Man, remember October, 2024? Things were looking pretty great back then. What a time to be alive.

Anyway, thanks for the extension, Kevin, ya big lug!

https://www.federalregister.gov/documents/2025/08/20/2025-15887/agency-information-collection-activities-vulnerability-reporting-submission-form

#defcon badge fixed ...

2025-08-08T15:44:27Z

#defcon badge fixed

Last night at about 11:30pm, I took a practice ham radio ...

2025-07-21T17:46:10Z

Last night at about 11:30pm, I took a practice ham radio Technician test. I fell asleep twice. I guessed most answers (I know jack all about radio, slightly more about electrical engineering). I got 63%.

I suspect I can study up enough in time to pass a the exam at DEF CON (npub1dqd…8xy4) ham .

https://hamvillage.org

Thanks to That Texas Country Music Guy at DC512 for encouraging this side quest!

It's not just me, right? Post-quantum crytography aka #PQC, ...

2025-06-09T18:58:37Z

It's not just me, right? Post-quantum crytography aka #PQC, especially quantum-resistant cryptography, smells an awful lot like snake oil.

I cannot figure out how people sell this stuff with apparent sincerity when it's clearly impossible to test in production.

Say, what's the first major-release film to mention either ...

2025-05-24T01:33:15Z

Say, what's the first major-release film to mention either "the internet" or "the world wide web?"

(Or, alternatively, "DNS" or "SMTP" or "TCP/IP" or other uniquely internet technology, though that seems doubtful.)

And I mean mention as in, either in dialogue or printed and shown on screen in a newspaper or something.

There's a kind of [annoying reddit thread](https://www.reddit.com/r/movies/comments/o98hkx/what_was_the_earliest_reference_to_the_internet/ ) about this that's not very helpful and is fixated on WarGames which definitely doesn't talk about the internet (all the comms in that movie are over dialup).

A timestamp reference would be just great if you have it.

#CISA adds CVE-2025-47729 to the #KEV -- which is for the crazy ...

2025-05-12T19:10:07Z

#CISA adds CVE-2025-47729 to the #KEV -- which is for the crazy hacked up version of Signal used by high-ranking US government officials.

Wowzo. That's something.

https://www.cve.org/CVERecord?id=CVE-2025-47729

#CISA ends RSS for #KEV. Sigh. ...

2025-05-12T15:56:01Z

#CISA ends RSS for #KEV. Sigh.

https://www.cisa.gov/news-events/alerts/2025/05/12/update-how-cisa-shares-cyber-related-alerts-and-notifications

so close #CISA. ...

2025-05-07T18:56:15Z

so close #CISA.

Welp. Let’s see which way this room goes. ...

2025-04-29T20:25:35Z

Welp. Let’s see which way this room goes.

The linked article doesn’t appear to mention the Internet ...

2025-04-21T12:59:02Z

In reply to nevent1q…8v7g
_________________________

The linked article doesn’t appear to mention the Internet Archive.

It doesn’t make the NEH cancellations any less tragic, but I don’t see the linked article drawing a link between the San Francisco Art Institute, which does perform archiving functions, and The Internet Archive.

Are they connected?

l feel like i’m going to be using this a lot ...

2025-04-16T01:39:34Z

l feel like i’m going to be using this a lot

Trying to articulate levels of invasiveness with typical network ...

2025-02-14T18:24:11Z

Trying to articulate levels of invasiveness with typical network scanning with metaphors that don't come with the implied violence of "rattling doorknobs."

How's this grab you:<li>Port Scanning - Waving at passersby, seeing who waves back.</li><li>Protocol Scanning - Waving and saying "Good morning," noting if the reply is in English, Spanish, or something else.</li><li>Vulnerability Scanning - Chatting up strangers to see if they'll reveal their birthday.</li><li>Active Exploitation - Hypnotizing victims into handing over their ATM card and PIN.</li>

Archived version of the quoted The Atlantic article is here: ...

2025-02-07T15:39:39Z

Archived version of the quoted The Atlantic article is here:

https://archive.ph/2025.02.07-140733/https://www.theatlantic.com/technology/archive/2025/02/elon-musk-doge-security/681600/

Unrelated: If you believe there has been an intrusion in a US government system, you are encouraged to report it at https://cisa.gov/report
https://journa.host/@w7voa/113963205109936094

So check it out. KEV data is now available on GitHub, in the ...

2025-01-28T21:49:52Z

So check it out. KEV data is now available on GitHub, in the proper cisagov organization. I know other people mirror KEV for their projects, but who can say if they're fiddling with it along the way? With https://github.com/cisagov/kev-data, you can rest assured that it's the Real and True mirror of KEV.

https://cisa.gov/kev is still the actual authoritative source, but this GitHub mirror is a pretty close second.

I posted about this on [LinkedIn](https://www.linkedin.com/posts/todb_github-build-and-ship-software-on-a-single-activity-7290122220230623234-q92i?utm_source=share&utm_medium=member_desktop ) since that's what people do with work stuff, apparently.

98 KEVs to go until KEV #1337 Hopefully it'll be a good one.

2025-01-02T16:44:53Z

98 KEVs to go until KEV #1337

Hopefully it'll be a good one.

Near as I can tell, the activity around the #Struts2 bug, ...

2024-12-23T13:52:07Z

Near as I can tell, the activity around the #Struts2 bug,
CVE-2024-53677, is just ham-handed runs of some generalized PoC, and nobody's actually exploiting this yet (since exploitation would be very application/path specific).

Most of the news last week was all "exploitation happening, patch and rewrite everything now!" but not seeing any reports of successful (or even possibly successful) this morning.

Tell me I'm wrong!

(The PoC identified by SANS at https://isc.sans.edu/diary/31520 isn't specific to some particular application -- it's on the user to define upload_endpoint and assumes no auth or session or anything.)

That’s a nice bit of CVE lore! We should make these more ...

2024-12-01T14:59:24Z

In reply to nevent1q…4kpe
_________________________

That’s a nice bit of CVE lore! We should make these more obvious and prominent than a single blog post.

And yes, having a small set of always-valid-but-test CVEs would be nice to publish. That’s a neat idea.

Hey would it be cool to make them Luhn-formula-like so you can detect truncation?

Something like

CVE-2024-12342
CVE-2025-12343
CVE-2026-12340

(all the digits add up to modulo 0)

cc zmanion :verified: (npub1wug…ghe4)

Nostr event nevent1qqs0lkw0nea8gzgxmas4d3znlv3fnvze032lgyp0d0tjzygwd8l8k8gzyqqtjm263chkfnaddfxng9qj3t3e4kpxjxdrvgqthfqk8t6gnqlrw2dk6hr

2024-11-27T23:53:26Z

I’m not pirating movies, I’m just training my model.

Weirdly, all NCSC employees also have licenses to kill. Seems a ...

2024-10-15T17:43:16Z

In reply to nevent1q…8rv0
_________________________

Weirdly, all NCSC employees also have licenses to kill. Seems a little excessive.

depends on what you’re testing though doesn’t it? Sounds like ...

2024-10-15T00:07:04Z

In reply to nevent1q…uw5x
_________________________

depends on what you’re testing though doesn’t it?

Sounds like DNS CNAME + Apache vhosts is the way to go. Mastodon apparently doesn’t do well with non-443 since fediverse things all assume 443 is where it’s at.

https://github.com/mastodon/mastodon/discussions/20279

Man. The archive.org outage is really chapping my hide. Good job, ...

2024-10-11T18:50:26Z

Man. The archive.org outage is really chapping my hide. Good job, jerks.

Hey zmanion :verified: (npub1wug…ghe4) we should think about reviving the CVE reference archival effort again. It's almost as if someone predicted this exact circumstance.

internetarchive (npub1umd…wfr7) , good luck.

Agreed. 2FA is becoming a real disappointment.

2024-09-04T01:16:56Z

In reply to nevent1q…7eta
_________________________

Agreed. 2FA is becoming a real disappointment.

So this is neat. 1) Some (all?) antispam/counterphishing email ...

2024-09-02T13:39:28Z

So this is neat.

1) Some (all?) antispam/counterphishing email scanners are blind to #QRCode content.

2) You can draw working QRCodes with Unicode character sets, thus avoiding an image parser entirely, even if the scanner could process images in the first place.

3) By providing QRCode links, the attacker encourages the victim to use their personal device rather than the workstation, making defensive tracking more complicated.

I think it’s hilarious that a format designed SPECIFICALLY for machine vision is being used to evade machine interpretation.
https://infosec.exchange/@patrickcmiller/113067302631450126