"Mutant Rob" Robert Rothenberg

@rrwo@infosec.exchange
85 Followers
689 Following
105 Posts

I was born on the Moon but kidnapped by astronauts and raised in the suburbs of Grumman. Eventually, I drifted along the Gulf Stream to Northern Europe.

#Perl #InfoSec

CPAN: https://metacpan.org/author/RRWO
GitHub: https://github.com/robrwo

I'm really happy with the Android "archive" feature for apps. It lets you uninstall apps without losing logins or settings.

It helps to interfere with the surveillance economy by preventing these apps from spying on you 24 hours/day.

This is your regular reminder that if you are the smartest person in the room, go find another room. You are not going to run out of people or rooms.

the two genders of open source projects are "willing to break downstream code" and "unwilling to break downstream code"

i'm not sure there's much space in between. (one of those has a version 659.0.0, the other has version 0.0.659)

A programming fact that still amazes me is that the HTTP header which contains the referring url is called "referer", because the developer spelt "referrer" wrong and the spell checker didn't catch it, so it made it into the official standards and they just never changed it lmao

If you're in or near Greenwich this Friday (July 11th), this (in the Ocean Court at the National Maritime Museum) will be ace:

"Live music at the National Maritime Museum celebrating our ocean planet, its mythology, natural wonders and as-yet-undiscovered depths"

Do go!

https://www.rmg.co.uk/whats-on/national-maritime-museum/ocean-songs

"Arbitrary File Read via file:// Protocol in cURL"

Well, you see... 🤦‍♂️

The TESCREAL Housewives of Palo Alto
It's one of those days, I guess. My laptop at home crashed. Tried the Terminal on my phone and got this.

You know, I could write a whole blog post about this—and I might—but I think we need to start addressing the very likely possibility that the *entire thesis* that “UI should get out of the way” and “apps should focus on content” is wrong.

Apps aren’t just for looking at photos or videos. They’re for navigating through these things, organizing them, editing them. The tools to do those things should not get out of the way. They should be clearly defined and separate from the content.

I've said it before, but I have to say it again: my days of not taking the FSF seriously are certainly coming to a middle
The amount of pretzeling logic in that paragraph is staggering; I'm surprised the entire page didn't collapse under its own weight straight into a singularity

"The calculations are the same kind of calculations done by crypto-currency mining programs"—so it's TLS, used by your web server.

"A program which does calculations that user does not want done is a form of malware"—I assume the FSF is switching to bare HTTP or Gopher, then, because I certainly didn't ask my web browser to use encryption to read that bunch of crap.

"Proprietary software is often malware"—where the hell does that sentence come from?

"if we used Anubis, we would be pressuring users into running malware"—once again, where is that coming from?

1. Anubis is using computations
2. Other bad software is using similar computations
3. Proprietary software is bad
4. Some proprietary software is malware
5. Anubis is malware

This whole thing is intellectually bankrupt

I mean, the FSF is a morally bankrupt organisation without a reason to exist outside the maintenance of the quality of life that RMS is accustomed to, but I half expected obsessive rule lawyers with nothing better to do to *at least* get syllogisms right
@ebassi what you refer to as morally bankrupt is in fact better referred to as GNU/morally bankrupt or, as I prefer, GNU+morally bankrupt.

@ebassi So long as RMS is involved I can't take it seriously. Sex pests need to be excised.

Also I haven't a clue what Anubis is.

@reflex It's an anti-spam filter, used for example by the GNOME GitLab instance:
https://anubis.techaro.lol/
Anubis: self hostable scraper defense software | Anubis

Weigh the soul of incoming HTTP requests using proof-of-work to stop AI crawlers

@ebassi heaven forbid we do some computations to make things a little less bad

@ebassi not to defend the FSF, or the argument they're trying to make here (i use anubis myself), but anubis does use proof of work, which is indeed the same algorithm used by many cryptocurrencies. i don't think it's really fair to say that TLS is basically the same as anubis.

i think this specifically is a fair critique of anubis, not for the reasons that the FSF is suggesting, but because ideally we shouldn't be fighting wasteful, irresponsible usage of compute by requiring more wasteful compute from real clients. but unfortunately it's the best solution there is right now

@ebassi I'm not agreeing with them, but they have a very wide definition of malware. In fact, I'm not sure how their definition excludes any proprietary software at all.

@loke @ebassi

They don’t consider pre-included microcode and firmware to be unacceptable. However, updating the microcode and firmware is unacceptable.

So they would rather you use old proprietary firmware rather than new proprietary firmware.

@ebassi > "Proprietary software is often malware"—where the hell does that sentence come from?

possibly things like the most popular proprietary document reader stealing every document you open?

@lkundrak @ebassi which is not relevant in case of anubis, like, at all.
@lkundrak content aside, which still doesn’t apply but whatever, it’s the non sequitur that makes me wonder what on earth is that about
@ebassi @lkundrak if you read the statement, removing the word 'often', it makes sense. It's not correct, but it at least becomes a statement that makes sense and can be refuted.
@loke @ebassi the statement is indeed out of place, but given how prevalent stealing data from the proprietary apps got, it's sort of easy to prove right as it is, isn't it?

@ebassi their point (which i don’t agree with fully) was that PoW is also used for cryptocurrency. TLS computes a hash, but not necessarily a million of them from each other.

however, the rest of their argumentation is properly insane and devoid of any logic. which is not surprising coming from FSF

@ebassi yeah nah, that statement makes just about no sense from them.
I highly appreciate the dev for what they contributed and the FSF takes the time out of their day to accuse them of developing "near" proprietary software for bs reasons? That feels so disrespectful
@ebassi “even though it’s free software, it’s far too similar to proprietary software to be acceptable” is a weird stance from an organisation which was effectively founded to do free-software reimplementations of proprietary software.
@ebassi i think i just had an aneurysm reading that
@ebassi "uses the same algorithms as crypto" by that logic, the internet is bad because it uses stuff made by the US military
@ebassi HAHAHAHAHA oh god
@ross somebody spent actual time typing that. The mind boggles.
@ebassi "It is proprietary software! Yes, it is open-source, but it has the vibes!!!1!" Absolutely delusional. I have never liked the FSF and probably never will. (The FSF Europe is sometimes alright though.)

@ebassi If I may utter a common phrase to the FSF.. Patches Welcome! 🤣

All things aside, until the FSF actually does something to fight AI bots that is aligned with their stated ethics they can just STFU.

@ebassi average fsf moralising paragraph
@ebassi wtf what a transparently stupid piece of text
@ebassi @Seirdy Mandating Javascript on a site is an undue trust requirement.

Even with a Free license there is no guarantee it is benign and no particular reason to risk it.
@lispi314 @ebassi @Seirdy

That way it makes sense.

- Anubis requires JS
- JS is a security risk for a lot of reasons

FSF post was looking more like throwing every plausible and made up reason together to justify hating on that particular piece of software...
@untsuki @ebassi @Seirdy They would have been better off just claiming it is actively disrespectful of the user and their resources in nearly the same way that JS webworker miners are.

Because even if it were to be verifiably benign, the above remains.

@untsuki @ebassi @lispi314 yeah “we would be pressuring users into running malware” was like. wow.

i agree that forcing JS is a really awful solution but unless there’s a Web standard for remote-JS-free anti-LLM measures with comparable efficacy, I don’t see any good alternatives.

@Seirdy@pleroma.envs.net @ebassi @lispi314@udongein.xyz @untsuki@udongein.xyz go-away includes a bunch of js-free challenges, which only trigger if you are on a browser UA
@untsuki @ebassi @lispi314 perhaps a standalone tool to hash an input string provided by the site could work, with custom difficulty levels. submit the result via POST if JS is turned off.
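To make concrete the difference described a few posts up (TLS computes a hash, a proof-of-work challenge computes on the order of "a million of them") and the standalone hashing tool suggested in the post above, here is a minimal hashcash-style challenge/verify pair. It is an added illustration, not Anubis's own code (which this thread does not show); the function names, the `challenge:nonce` layout and the sample challenge are my own assumptions.

```python
import hashlib
import secrets

# Constructed sample challenge for the demo; a real deployment issues a fresh
# unpredictable value per visitor (see new_challenge) and expires it after use.
SAMPLE_CHALLENGE = "constructed-challenge-0001"


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def new_challenge() -> str:
    """Server side: an unpredictable challenge string bound to one visitor."""
    return secrets.token_hex(16)


def solve(challenge: str, difficulty: int) -> tuple[int, int]:
    """Client side: search for a nonce whose SHA-256 over 'challenge:nonce'
    has at least `difficulty` leading zero bits.
    Returns (nonce, hashes_computed). Expected work is about 2**difficulty
    hashes, so difficulty 20 is roughly the million hashes mentioned above.
    This is the part a no-JS client could run as a standalone tool and then
    POST the nonce back to the site."""
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return nonce, nonce + 1
        nonce += 1


def verify(challenge: str, nonce: int, difficulty: int) -> bool:
    """Server side: a single hash, however long the client's search took."""
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty


if __name__ == "__main__":
    difficulty = 16
    nonce, hashes = solve(SAMPLE_CHALLENGE, difficulty)
    print(f"nonce={nonce} after {hashes} hashes; "
          f"verify={verify(SAMPLE_CHALLENGE, nonce, difficulty)}")
```

The asymmetry is the whole point: the visitor's browser (or CLI tool) burns thousands to millions of hashes, while the server spends one hash per request to check the answer.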
@Seirdy @ebassi @lispi314 @untsuki i remember seeing that anubis actually has a no-js mode that uses meta refresh tags, but i'm not sure how effective it is
@Seirdy@pleroma.envs.net @ebassi @lispi314@udongein.xyz @untsuki@udongein.xyz i thought about it a little on and off, and i kinda wonder if instead of relying on cookies or w/e to present that it has a pass, what if the server instead kept a TTL database of currently allowed IPs, where you could then run the challenge from anything on your network (including a cli tool if you wanted) and have that access pass apply to everything else under the same IP

and then once it's done it requires nothing from whatever browser or application is accessing it for however long the pass lasts, not even a cookie or auth token
@delta @ebassi @untsuki @lispi314 scrapers with rotating IPs shared with robots (or users!) you actually want make this difficult. you’d need more data, at which point you’ve reinvented services like Cloudflare.

@Seirdy @ebassi @lispi314 @untsuki

I'd go a step further:

Any software that does proof-of-work on the user's computer, that you run on that user's computer without the user's consent, is malware.

Now, if the user had to manually run proof-of-work software on their choice, then it'd probably not be malware anymore, just a nuisance.

we don't need standards for this, we need common sense.

there's no compelling reason to put compute-heavy repository views bare-assed on the internet.

require login for compute-heavy views. ban accounts that abuse access. mercilessly rate-limit unauthenticated access. problem solved forever

CC: @ebassi@mastodon.social @lispi314@udongein.xyz @untsuki@udongein.xyz
@khm @Seirdy @ebassi @lispi314 @untsuki Requiring an account to access this site is I think even more limiting to users than running something like Anubis.
@untsuki @ebassi @Seirdy @lispi314 they certainly make it sound like someone is using it to mine crypto or something, which doesn't seem to be the case. It's ridiculously sad that as a culture we need to do artificial workloads to defend against AI scrapers. I wish there was some layer of the web that worked for the users and could help protect from this kind of thing without the wasted cycles from anubis--or maybe we just put Folding@home in anubis and fund protein folding at Meta's $
@OwOday @Seirdy @ebassi @untsuki For a lot of use-cases a mix of distributed and p2p schemas (particularly with peer reputation mechanisms) would answer the problem appropriately.

For the rest the main options remaining are aggressive rate-limiting and authentication & authorization.

In a lot of cases, abandoning low-latency/synchronous interaction models would help both reducing the load on endpoints as well as perceived latency & functional limitation by users (message-based remote interaction with focus on local user-agent interaction instead of low-latency bytestreams with a remote endpoint, for example).
@lispi314 @ebassi @Seirdy i understand where they are coming from. you request a http site, you get a javascript thingie wasting your cpu time.

proprietary software is pretty much always malware from the perspective of free software enjoyers.

anubis is a radical answer to a huge problem but to my understanding also heavily overrated. (see this thread for alternative approaches)
@ebassi I wish the fsf would stay off the internet and just focus on building emacs, gcc and coreutils. they never have anything smart to say about anything.
@ebassi basically all users would agree that tls is a good thing and actively seek out having a tls connection to websites, it's beneficial. many users (myself included) don't like that if i want to for example view a git diff through a web interface or view an html website i must run a script whose sole purpose is to waste the user's resources.
i don't see any users who would actively want their browsers to run such scripts or benefit from it, they either allow and accept it because they're forced to if they want to continue or they leave the website.

with how focused the fsf is on user freedoms i expected them not to support this kind of thing.
If there was a way to run the required calculation straight from the HTTPS handshake protocol though, I'd say go for it