Christian Lins

@bordfunk@norden.social
89 Followers
263 Following
869 Posts

#Professor of computer stuff; occasionally wires up lecture halls at Hamburg University of Applied Sciences (#HAWHamburg) and reports on commuting adventures by #train between #Oldenburg and #Hamburg.

Reposts random nerd and politics stuff in German or English. Posts are being deleted after 3 months.

Website: https://lins.me
PeerTube: https://tube.lins.me
Solarpunk and a tax on solar energy - how do those go together? Apparently there are plans to that effect: >>[...] While the discussion paper is mostly aimed at associations and companies, one group of people is quickly overlooked: namely all the private households that have already been driving the energy transition forward with their systems in recent years. 4 of the 6 models under discussion could prove more harmful to the power grid than beneficial. Especially for PV owners with existing installations.[...]<<
https://www.inside-digital.de/news/sonnensteuer-fuer-pv-anlagen-soll-kommen-alle-besitzer-sollen-zahlen
#solarpunk #klimakatastrophe #lobbyismus #fossillobby
@BlumeEvolution
Solar tax for PV systems is coming: all owners are to pay!

All owners of PV systems are to pay additional fees for their systems in the future, in the form of a solar tax.

inside digital
"It is completely normal for people to end up directly in old-age poverty after 40 years of full-time work. Or for someone who receives 50 euros for their birthday to have to hand that gift over to the Jobcenter. Meanwhile, fortunes of millions and billions pass between generations tax-free, labour is taxed far more heavily than capital gains (!!!), taxes are avoided and evaded on a grand scale, and laws are written by those who then also profit from them."
https://www.fr.de/wirtschaft/helena-steinhaus-von-sanktionsfrei-wir-erleben-eine-gerechtigkeitskrise-93784679.html
Unjust system: Bürgergeld is not enough for a life in dignity, while tax fraud is ignored

Helena Steinhaus receives the Marburger Leuchtfeuer für Soziale Bürgerrechte. She warns of a crisis of justice that affects more than just Bürgergeld.

His name is Simon Kjaer. He is an international Danish footballer and Milan player.
He is not a global star, he does not have gold shoes and huge personal following, nor is he one of the most expensive players in the world.
But he went down in the history of the sport as a modern super hero. First he saved his teammate, Chris Eriksen, who fell unconscious on the field, giving him first aid in the critical first seconds.
He then asked his teammates to form a "shield" of protection around his fallen co-worker to protect him from flash cameras and shocking highlights trending across social media.
As a captain and friend he took the time to go to the stand and give courage to the wife of the unfortunate Eriksen, who was shocked to see the husband and father of her two children fighting for his life, as captured in the photo below.
Dear parent, starting today, don't pray for your son or daughter to be a young Messi or Ronaldo. Please become a Simon Kjaer !
The former head of the IAEA, Mohammad El Baradei, is pretty pissed off about the audacity with which German Foreign Minister Wadepfuhl throws international law, which is binding law in Germany, in the bin when it comes to diplomatically supporting the ally in its war of aggression.
While Wadepfuhl condemns Iran's reaction, he defends the attacks on nuclear facilities, which are prohibited under the Geneva Conventions.

So, dear all,

Dobrindt has enough people who would be able to present the figures correctly. This isn't incompetence, this is propaganda.

So it's pie chart time once again:

(Are there figures on far-right assault offences and far-left assault offences? I'd like to make a chart of that. If you have figures on it, send them my way. If not, please boost.)

@shortridge While working tech support, I got a call on a Monday. Some VPNs which had been working on Friday were no longer working. After a little digging, we found the negotiation was failing due to a certificate validation failure.

The certificate validation was failing because the system couldn’t check the certificate revocation list (CRL).

The system couldn’t check the CRL because it was too big. The software doing the validation only allocated 512kB to store the CRL, and it was bigger than that. This is from a private certificate authority, though, and 512kB is a *LOT* of revoked certificates. Shouldn’t be possible for this environment to hit within a human lifespan.

Turns out the CRL was nearly a megabyte! What gives? We check the certificate authority, and it’s revoking and reissuing every single certificate it has signed once per second.

The revocations say all the certificates (including the certificate authority’s) are expired. We check the expiration date of the certificate authority, and it’s set to some time in 1910. What? It was around here I started to suspect what had happened.

The certificate authority isn’t valid before some time in 2037. It was waking up every second, seeing the current date was after the expiration date and reissuing everything. But time is linear, so it doesn’t make sense to reissue an expired certificate with an earlier not-valid-before date, so it reissued all the certs with the same dates and went to sleep. One second later, it woke up and did the whole process over again. But why the clearly invalid dates on the CA?

The CA operation log was packed with revocations and reissues, but I eventually found the reissues which changed the validity dates of the CA’s certificate. Sure enough, it reissued itself in 2037 and the expiration date was set to 2037 plus ten years, which fell victim to the 2038 limitation. But it’s not 2037, so why did the system think it was?

The OS running the CA was set to sync with NTP every 120 seconds, and it used a really bad NTP client which blindly set the time to whatever the NTP server gave it. No sanity checking, no drifting. Just get the time, set the time. OS logs showed most of the time, the clock adjustment was a fraction of a second. Then some time on Saturday, there was an adjustment of tens of thousands of seconds forward. The next adjustment was hundreds of thousands of seconds forward. Tens of millions of seconds forward. Eventually it hit billions of seconds backwards, taking the system clock back to 1904 or so. The NTP server was racing forward through the 32-bit timestamp space.

At some point, the NTP server handed out a date in 2037 which was after the CA’s expiration. It reissued itself as I described above, and a date math bug resulted in a cert which expired before it was valid. So now we have an explanation for the CRL being so huge. On to the NTP server!

Turns out they had an NTP “appliance” with a radio clock (i.e., a CDMA radio, GPS receiver, etc.). Whoever built it had done so in a really questionable way. It seems it had a faulty internal clock which was very fast. If it lost upstream time for a while, then reacquired it after the internal clock had accumulated a whole extra second, the server didn’t let itself step backwards or extend the duration of a second. The math it used to correct its internal clock somehow resulted in dramatically shortening the duration of a second until it wrapped in 2038 and eventually ended up at the correct time.

Ultimately found three issues:
• An OS with an overly-simplistic NTP client
• A certificate authority with a bad date math system
• An NTP server with design issues and bad hardware

Edit: The popularity of this story has me thinking about it some more.

The 2038 problem happens because when the first bit of a 32-bit value is 1 and you use it as a signed integer, it’s interpreted as a negative number in 2’s complement representation. But C has no protection from treating the same value as signed in some contexts and unsigned in others. If you start with a signed 32-bit integer with the value -1, it is represented in memory as 0xFFFFFFFF. If you then use it as an unsigned integer, it becomes the value 4,294,967,296.

I bet the NTP box subtracted the internal clock’s seconds from the radio clock’s seconds as signed integers (getting -1 seconds), then treated it as an unsigned integer when figuring out how to adjust the tick rate. It suddenly thought the clock was four billion seconds behind, so it really has to sprint forward to catch up!

In my experience, the most baffling behavior is almost always caused by very small mistakes. This small mistake would explain the behavior.
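The two arithmetic mistakes the story above suspects, modelled in C as an added example (not code from the original post or from any of the products it describes): a CA computing "not-before plus ten years" in 32 bits, and an NTP box reading a signed clock difference as unsigned, each beside a bounds-checked variant. The timestamp constant, the ten-year length and all function names are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 32-bit time type, standing in for a 32-bit time_t. */
typedef int32_t epoch32_t;

/* Constructed values: 2037-01-01T00:00:00Z as seconds since 1970, and
 * "ten years" as a naive 10 * 365 days (leap days ignored). */
#define NOT_BEFORE_2037   ((epoch32_t)2114380800)
#define TEN_YEARS_SECS    ((int64_t)10 * 365 * 86400)

/* Rough calendar year of a 32-bit timestamp (365.25-day years, floored),
 * enough to see whether a value lands in 2037 or around 1910. */
int approx_year(epoch32_t t) {
    const int64_t year = 31557600;
    int64_t q = t / year;
    if (t < 0 && t % year != 0) q -= 1;   /* floor toward minus infinity */
    return 1970 + (int)q;
}

/* The CA's suspected date math: not-before + ten years, truncated to 32 bits.
 * Done via uint32_t so the wrap is well defined rather than signed overflow;
 * for a 2037 not-before the result is negative, i.e. a year around 1910. */
epoch32_t naive_expiry(epoch32_t not_before) {
    int64_t sum = (int64_t)not_before + TEN_YEARS_SECS;
    return (epoch32_t)(uint32_t)sum;
}

/* Hardened variant: refuse to issue a certificate whose expiry does not fit,
 * instead of silently producing one that expires before it becomes valid. */
bool checked_expiry(epoch32_t not_before, epoch32_t *out) {
    int64_t sum = (int64_t)not_before + TEN_YEARS_SECS;
    if (sum > INT32_MAX) return false;
    *out = (epoch32_t)sum;
    return true;
}

/* The suspected NTP appliance bug: (radio - internal) computed as a signed
 * difference, then read as unsigned by the rate-adjust logic. A clock that is
 * one second fast yields -1, which becomes 4294967295 "seconds behind". */
uint32_t buggy_clock_offset(int32_t radio_secs, int32_t internal_secs) {
    int32_t delta = radio_secs - internal_secs;
    return (uint32_t)delta;   /* same bits, different meaning */
}

/* What the OS's NTP client should have done: bound the step it will accept.
 * Returns false (and leaves the clock alone) for an implausible jump. */
#define MAX_STEP_SECS 1000
bool sane_ntp_adjust(int32_t local_secs, int32_t server_secs, int32_t *adjusted) {
    int64_t delta = (int64_t)server_secs - local_secs;
    if (delta > MAX_STEP_SECS || delta < -MAX_STEP_SECS) return false;
    *adjusted = server_secs;
    return true;
}

int main(void) {
    epoch32_t exp = naive_expiry(NOT_BEFORE_2037), ok_exp, adj;
    printf("naive expiry: %d (year %d)\n", exp, approx_year(exp));
    printf("checked expiry accepted: %d\n", checked_expiry(NOT_BEFORE_2037, &ok_exp));
    printf("buggy offset for a 1 s fast clock: %u\n", buggy_clock_offset(100, 101));
    printf("accept a 60000 s step: %d\n", sane_ntp_adjust(1000, 61000, &adj));
    return 0;
}
```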

Generative AI is ruining @ct_Magazin for me

For some time now, c't has featured fewer nerd illustrations and, less often, the traditionally silly staged cover photos with editors instead of photo models.

Instead it now says "Image: AI, collage c't". The AI images are... okay. Tolerable. Good enough. Meh. But nothing more.

You subscribe to a magazine for decades because it puts content and attitude above mere filler and is known to treat its authors decently. And now the publisher signals to the reader that commissioned illustration and photography are no longer worth any money to the editorial team, because generative AI does it cheaper after all. So now I know: to the editorial team, cover images are just filler, not worth commissioning someone for their (photo)graphic craft.

So if content is just filler, I now have to expect the same for texts in c't in the long run. Because in parallel they are already "experimenting" with AI-generated texts in the "Techstage", sorry, "bestenlisten" section of the Heise newsticker.

Internal documents: the federal government is opposing the planned anti-corruption directive in the EU Council of Ministers, together with Austria and Hungary

https://www.spiegel.de/politik/deutschland/eu-korruptionsbekaempfung-widerstand-der-bundesregierung-gegen-haertere-massnahmen-a-c0a04123-b25b-4c8c-b4b9-de5fc27bf5b7?sara_ref=re-so-app-sh

Fighting abuse of office: federal government puts the brakes on tougher EU corruption rules

A tough directive on fighting corruption is currently being negotiated in the EU. But according to SPIEGEL's information, it is above all the German federal government that is trying to water down the requirements.

DER SPIEGEL

That story about an AI startup collapsing after it turned out to be 700 Indian developers in a Trenchcoat? It was a made up story by a crypto guy that became clickbait, published unchecked by tech media everywhere. Read the real story behind Builder.ai here: https://blog.pragmaticengineer.com/builder-ai-did-not-fake-ai/

1/3

Builder.ai did not “fake AI with 700 engineers”

The claim that the AI startup “faked AI” with hundreds of engineers went viral – and I also fell for it, initially. The reality is much more sobering: Builder.ai built a code generator on top of Claude and other LLMs; it did not build a so-called “Mechanical Turk.”

The Pragmatic Engineer
David Pope in Canberra Times

🇬🇧I can't recommend the EU-funded DNS service #DNS4EU because access is logged. When you override warnings to access "harmful websites" they even log your IP address. https://www.techradar.com/vpn/vpn-privacy-security/the-eu-challenges-google-and-cloudflare-with-its-very-own-dns-resolver-that-can-filter-dangerous-traffic

There are government-free services that do not log: https://www.privacyguides.org/en/dns

@echo_pbreyer I'm much more concerned by DNS4EU keeping logs of all DNS requests for up to 6 months, with an identifier for every /24 subnet which changes only every 24 hours. And this in hands of a private company.

Nice trove of data which you can correlate easily and surely the domain names will give lots of information about who is behind the identifier.

The question of the Quad9 CTO at the end is spot on: https://www.youtube.com/watch?v=rXpyUkBOw3A

DNS4EU for Public anonymization

YouTube
@frehi @echo_pbreyer what's the basis for processing personal data?
How are people informed about the processing?

@ColmDonoghue @echo_pbreyer

From what I understand, saving the IP address when a user is dismissing the warning and wants to visit the site anyway, is a technical requirement to temporarily whitelist the domain for your IP. (Well, these 24 hours are arbitrarily chosen and this could definitely be shorter).

The other data with the anonymized ID which is saved for up to 6 months, strictly speaking is not PII, although in practice it can contain many hints to who is behind them.

European regulation does not discuss PII so there is no "strictly speaking" about it. What we have is a very, very wide definition of personal data which, among other things, includes anything which, when combined with data *collected by any other party* could be used to identify a person.
@frehi @ColmDonoghue @echo_pbreyer
@echo_pbreyer
There is a valid technical explanation right there in the capture.
@hakona @echo_pbreyer The explanation shows a very serious flaw in their filtered resolvers:
Nearly all home installations use NAT and some carriers use CGNAT. As a result, multiple persons use the same IPv4 address, in case of CGNAT even multiple homes. Because of that only the first person using that address will receive the warning and all others will directly proceed to the website.
@bike_bs I've got dns-blacklisting set up on my router, but finding lists/curators to decide what to blacklist seems a full time job, so I disabled it. Should I consider pi-hole? How is maintaining those lists on pi-hole? I've got to trust *somebody*. @echo_pbreyer
@bike_bs Anyway, the eu offering for unfiltered should be good for anonymising. Or? @echo_pbreyer

@hakona @echo_pbreyer
Can you point out exactly what you mean by "valid"?

At this point I am very curious

@kramse
If a user wants an exception for a domain, the system will keep the exception in place for a reasonable time, during which time it will *have* to remember which clients want that exception.
@echo_pbreyer
@echo_pbreyer I find it worrying that "government-free" seems to be a feature in your statement. At least in theory services that are democratically governed should be framed as a goal not something to be avoided, no?
@malteengeler @echo_pbreyer In my opinion a problematic thing is that DNS4EU is actually not really government managed but is managed by a private company (Whalebone). This company has access to the logs containing all DNS queries, and use this information for security research improving their commercial offerings.. Quad9 and DNS0 are at least managed by independent foundations and only share much more limited data with their security providers.
@malteengeler @echo_pbreyer "government-free" = "does not contain traces of state surveillance". I hope you both can agree on that.
@bendrath @echo_pbreyer It depends very much on what you call surveillance. The EFF thinks that looking at a Blockchain to collect taxes from crypto gambling is "state surveillance"
@malteengeler @echo_pbreyer I don't see the link between a DNS service logging private user behaviour (bad) and the EFF or tax authorities looking at public blockchains (I could not care less).

@malteengeler I guess what Patrick wanted to say is:

If you use a privately operated service, some will log you, to profit from you.

If you use a state-operated service, some will log you, to persecute you (if you pirate stuff protected by copyright).

This service logs you, and is apparently operated by the state. So he recommends services that don't log you (and happen to not be operated by the state).

@malteengeler @echo_pbreyer since we all know the track record of the current president of the European Commission, I'm unwilling to touch any DNS service operated by the EU with a 10 mile pole.

I haven't forgotten the dumb stop sign campaign, I'm aware of the EU's hate for encryption, so off is the general direction in which I wish them to fuck.

@echo_pbreyer Dude what? I expected a decent service from that.
@echo_pbreyer “Logging”? As I read it, getting a warning is a service that you opt in to. And if you do, the DNS records when you choose to access a site anyway and keeps that record for 24 hours. Perfectly normal, desirable even, because if it didn’t, you’d get the warning every time a hostname resolves to that IP address. That would be annoying.

@echo_pbreyer how would you implement a service which doesn't temporarily log an IP address in that case?

If I access badsite.example, and click through the warning, my browser will need to load multiple files from the domain. I can't click through a warning to download badsite.example/style.css

So it needs to know not to block me. How else would you do that other than by IP address?

@Edent It is a rare case that a DNS server provides individual unblocking. Since this service requires tracking to do that, it should be avoided.

About the same blocking can be achieved from client/user-site without third-party tracking.

@Edent @echo_pbreyer If DNS4EU is actually doing that (showing a landing page and unblocking on request for particular user) it's just not what any DNS server should do ever. Won't work properly most of the time because of HSTS, ESNI etc. anyways and makes the UX actually worse than just plain blocking.

@noa how else would you make a user-friendly DNS?

You either serve NXDOMAIN which means you need to be reasonably technical to unblock it (which is how nextdns works).

Or you temporarily redirect to a page which lets the user choose to unblock or not.

Which would you think gets more users?

@Edent IMO: There is no user-friendliness concern at the DNS level. If unblocking of pages by the user should be possible, that needs to be solved at other levels of the stack.

Even ignoring any privacy concerns, trying to serve landing pages just doesn't work properly with encrypted protocols without MITM, and for better or worse that's 99 % of what we're speaking today.

If MITM is an acceptable scenario, then yes there are fewer technical concerns and landing pages can be a solution.

@noa how do you go from "this site isn't available" to "please unblock this site"?

And, let's suppose you have a non-DNS level way of doing that. Where do you record that this specific user doesn't want that specific domain blocked?

At some point you have to save their IP and the domain.

@Edent @noa

How can you redirect when using HSTS?

@kramse @noa
You can't.
But most sites aren't on HSTS.

@Edent @noa a third or so, according to
https://www.ssllabs.com/ssl-pulse/

We can discuss this, but IMHO the concept of inserting a page in between, is unreliable at worst, and harmful to teach users too.

And edit, as Schneier said, give the user a choice to see a pink elephant and they will select it, today we have taught people that clicking through will get on with their task

Unsure about the precise quote, but users don't read warnings and don't know how to react, so it is not helpful

Qualys SSL Labs - SSL Pulse

@kramse @noa
Hmmmm. That doesn't match my experience of looking inside it.
https://shkspr.mobi/blog/2024/01/a-quick-look-inside-the-hsts-file/
But there will be multiple ways to measure it.
A quick look inside the HSTS file

You type in to your browser's address bar example.com and it automatically redirects you to the https:// version. How does your browser know that it needed to request the more secure version of a website? The answer is... A big list. The HTTP Strict Transport Security (HSTS) list is a list of domain names which have told Google that they always want their website served over https. If the user …

Terence Eden’s Blog

@Edent @noa asking for the web page and reading the answer in the headers IS the way.

Preload list is nice, but not really indicative of the use of HSTS

We have seen quite a shift into most sites being HTTPS today, and I imagine HSTS use will go up with it, as most testing sites like internet.nl etc check for it.

@Edent @echo_pbreyer in an era of Carrier Grade NAT, using the IP address to identify the user makes no sense

You could do DoH or DoTLS with a personal URL, but that is not something most users can configure on their systems.

@echo_pbreyer Or get your nearest geek to install a RDNS on your home network such as PiHole. DNS was built to be decentralized.

@echo_pbreyer That doesn't seem to say that they log the IP?

It sounds like they keep your IP* in memory so you don't get reprompted about a site that you've chosen to bypass warnings on.

IMO, that's a *good* thing because it means average consumers won't simply switch away from the service if it accidentally overblocks

*In fact, not your IP, they've gone to quite extreme lengths to anonymise - they're not just masking octets, it all gets HMAC'd with a rotating key: https://142290803.fs1.hubspotusercontent-eu1.net/hubfs/142290803/DNS4EU%20Public%20DNS%20Resolver%20policy%202025.docx.pdf

@echo_pbreyer Another reason: they offer an option called "Protective resolution with child protection". Putting aside for one moment the question of whether it's ethical to even try to create a blocklist of sites "inappropriate" for children, I think we can all agree that websites helping opioid addicts find naloxone or sterile syringes/needles are good, and we can agree that sometimes children are addicted to opioids, and that therefore it's totally unacceptable to block children from accessing a website like this: https://harmreduction.org/ (and that's literally just the first result for harm reduction on DuckDuckGo)
National Harm Reduction Coalition

National Harm Reduction Coalition works to increase access to evidence-based harm reduction strategies like overdose prevention and syringe access programs.

National Harm Reduction Coalition