Aaron Soto

@surefire@infosec.exchange
176 Followers
516 Following
6.1K Posts

Teaching was my first love. Packets were my second.

I make classes to teach people how to defend themselves against hackers. In my spare time, I teach college students to compete in cybersecurity competitions, or try to take back my home automation from the cloud.

he/him πŸ³οΈβ€πŸŒˆ β€οΈπŸ’œπŸ’™

(Profile banner is a sunset sky from underneath a bridge with kayakers and the edge of the Austin city skyline)

Twitter@_surefire_
Githubhttps://github.com/sure-fire
Aaron Soto34m ago
AAKL6h ago
Security Week: The Wild Wild West of Agentic AI – An Attack Surface CISOs Can’t Afford to Ignore https://www.securityweek.com/the-wild-wild-west-of-agentic-ai-an-attack-surface-cisos-cant-afford-to-ignore/ @SecurityWeek #AI #cybersecurity #infosec
Aaron Soto1h ago
Ryan Pollard7h ago

My daughter just asked me "Why would they call it 'sweet n low' and use a treble clef instead of bass?"

🀯

Decades. I've ignored this glaring #marketing fail for decades.

Aaron Soto1h ago
jad1h ago

Left in 1979

#california #photography

Aaron Soto1h ago
Reece Martin1h ago

All about a rut I’m going through right now:

https://cinqpersonnes.substack.com/p/anatomy-of-a-rut

Anatomy of a Rut.

Watch YouTube Creator, Proceed to Question Life Decisions.

Cinq Personnes.
Aaron Soto2h ago
Grendel84?3h ago

Someone's kindness made me cry today.

My son's been attending a kids sewing class at a local fabric store.

The owner saw how much he loves it, and had offered to sell us a machine at a discount for him to use at home, but it was still out of reach for us financially. I told her we'd save up for it for Christmas.

Today she gave us that sewing machine free. She said she wanted him to be able to continue to sew at home.

Enabling his passion is such a priceless gift and I'm incredibly thankful.

Aaron Soto2h ago
Trina Corey6h ago

Bookshop.org has free shipping July 8 - 11.
It's their Anti-Prime sale.

Every purchase supports local bookstores. You choose which bookstore.

https://bookshop.org/?bsbanner=1

#books #notbezos #notamazon

Aaron Soto2h ago
Fesshole 🧻5h ago
I email random strangers who are in positions of power with my unfiltered thoughts on their ability to bring change to those who aren't in that position. Occasionally it works and brings institutional change. If you have strong feelings you should try it.
Aaron Soto3h ago
Vee4h ago
This is exactly what the internet is for.
Aaron Soto3h ago
Show threadArtemis5h ago

Dear liberals (if any of you are reading), please for the sake of us all, we need you to get over your fear of "criminals" as a class of person.

We need you to trust that we can build a better society that deals with violence, when it occurs, differently. For that matter, we already know that "crime" decreases when poverty decreases, so our "crime" problem is primarily a poverty problem!

Aaron Soto3h ago
JessπŸ‘Ύ3h ago
Life pro tip. Need to get some anger at the world out of your system, and punching a pillow ain't doing it anymore? Get some work gloves and break sticks and branches for a while. It's completely free and remarkably cathartic to just break shit for a while and fantasize about it being someone you loathe.
Γ—
Evelyn  3d ago
so recently my server has unintentionally been inside a DDoS of my own making. any smaller webserver i point my domain at becomes instantly crippled. let me explain the situation...

so i make minecraft mods, right. well, at one point, i made this library mod called CICADA, that has a bunch of shared utilities i use. this is pretty common practice

then once i had that, i realized, hey! why not make a funny thing in this library mod that gives my own minecraft character a cape when anyone sees me! that would be kinda neat.

it couldnt just be simply hardcoded though of course, so i had a genius plan. i would put a simple "api" of sorts up on github pages that would have directories for all the players that i want to have capes. the mod can do a quick http request in the background, and if it doesnt return a 404, load the cape from the png thats returned to display on the player

now you might wonder, this is a perfect idea is it not? how could this possibly have caused any issues? ...yea i think you can roughly guess where this went

for the github pages thing, i used the one domain i had available at the time: enjarai.dev. now, you may notice that this currently hosts my personal website. which is no longer on github pages.

when i made this migration, i realized something quite concerning. my mods are popular.

my servers cpu was consistently pinned at 100% over 4 cores, and i was getting... checks notes thousands of GET requests a second. 24/7. neither me nor my server were very happy about this as you might imagine

for quite a while, i've honestly just kinda... put up with this. there didnt seem to be anything i could do, short of just not using my domain or migrating back to github, neither of which i wanted

its been getting worse and worse though, my disk is filling up with access logs within literal hours after clearing them (so i had to disable those) and im running out of bandwidth quota on my VPS every month. something needs to change

so i shared my problem with a bunch of friends last night, and we brainstormed the hell out of this. after a lot of ideas, including potentially sending malformed PNGs to crash people's games and force them to update the mod (which turned out not to be feasible), i landed on a pretty decent solution i think

everyone using an old version of CICADA will now see this cape. on every single player

i really hope this works, cause if not, im kinda out of ideas

will keep yall posted
Show threadNiko3d ago
@enjarai hey knowing people and how reluctant they are to update you'll get this number of requests for months on end πŸ™ƒ
Show threadEvelyn  3d ago
@niko i find it really hard to imagine putting up with everyone wearing ugly as hell capes all the time... but you may be right ​​
Show threadNiko3d ago
@enjarai oh i know i would be able to ignore it fine
Show threadEvelyn  3d ago
@niko at the very least it'll most likely get big modpacks to update the mod. and those are by far the biggest contributors of downloads
Show threadNiko3d ago
@enjarai now whether people will update their modpacks :3c
Show threadNiko3d ago
@enjarai i am not helping here sorry lmao
Show threadEvelyn  3d ago
@niko dont worry, ill figure something out, im sure ​​
Show threadmaia // magmaus33d ago
@niko @enjarai there's also an ultimate option (afaik), removing the briken version from modrinth (probably breaking a lot of modpacks, forcing them to update)
Show threadEvelyn  3d ago
@maia @niko i can definitely do that on modrinth, though it'd be a lot of versions to delete (would need to make a script or smt)

the issue is that im pretty sure curseforge (where all the big packs live) just... doesnt let you delete files entirely. they want to prevent modpacks from breaking at any cost you see, so you fully cannot just remove your files, only "archive" them ;-;
Show threadmaia // magmaus33d ago
@enjarai @niko ah :c
Show thread~: Liera 3d ago
@enjarai @niko Yeahhhh could see that happen too. If so it might be good to take a look at a caching layer. Though it sure must be a massive amount of requests given that the server just handles TLS & serves small images from what it sounds like ​​
Show threadEvelyn  3d ago
@FamiliarDraco @niko oh yea for a while i had nginx just immediately drop the connection once it knew the path. no http response of any kind, just closing the tcp connection

still 100% cpu and filling up quotas. the amount of requests is staggering ;-;
Show threadsaxnot1d ago
@enjarai @niko even if it only reaches 50 % of players it's already a load reduction and thus cost reduction of 50 %.
I think this solution is very nifty and takes into account the social nature of using software
Show threadEvelyn  1d ago
@saxnot @niko yea i cant imagine it not doing anything. just hope it'll be enough ​​
Show thread~: Liera 3d ago
@enjarai Interesting problem this. Hope this little update cape is going to help! Both for your own and your servers sanity :3
Show threadevelynβ„’   2d ago
@enjarai this is the funniest thing I've ever seen
Show threadDearFox2d ago
@enjarai Why not ban java requests
Show threadEvelyn  2d ago
@DearFox i did. the http client has a very distinct user agent, so thats the first thing i tried. issue is that the overhead of handling that ban (opening tcp socket, ssl handshake, reading request) was still enough to bring the server to its knees
Show threadDearFox2d ago
@enjarai For this reason, I like to use different subdomains, and I never do such things on the main domain. Now I understand that this is a good practice   
Show threadEvelyn  2d ago
@DearFox oh yea i should've absolutely done that in the first place
Show threadCharlotte1d ago
@enjarai uh oh, good luck
your mods are really cool! keep it up! does kinda worsen the problem though
I’ll spread the word
Show threadnadja1d ago
@enjarai oh *you're* the gal behind CICADA. Funny seeing you here, I just read through some of your code yesterday 
Show threadEvelyn  1d ago
@dequbed awa hi! now im curious, what were you doing in there? ​​
Show threadnadja1d ago
@enjarai Trying to figure out how Do a Barrel Roll functions because Cobblemon is getting a riding feature with rollable camera too and there's no sense in reinventing the wheel ^^
Show threadlucielle1d ago
@enjarai gotta update it in my modpack then, thanks for the info ^^ by the way: you could filter the type of request 1:1 for people using the old version so you have less overhead or maybe also just blackhole it at layer 3 for even lesser overhead. also you can add a cape texture of your own as an asset inside of the mod so it just gets fetched locally in future versions. no more thousands of GET requests.
Show threadEvelyn  1d ago
@iouring@post.stellaris.fyi yea i've completely ditched the capes for the updated version, i really dont care enough honestly. it was a thing that young and naive me liked the thought of, and she's a little idiot ​​
Show threadlucielle1d ago
@enjarai fair approach ^^ and i don't think of you as an naive idiot in fact i would add cape textures myself in some of my mods (if i would have any) at some point i guess
Show threadEvelyn  1d ago
@iouring@post.stellaris.fyi yea it seemed like a fun idea at the time... optifine does it! what could be so bad?? <i dont have a clueless emoji but imagine it here>
Show threadlucielle1d ago
@enjarai you remind me that i still have to add a few blob and neo emoji packs
Show threadEvelyn  1d ago
@iouring@post.stellaris.fyi oh same! i only have the blobfoxes, neocats, and neofoxes

where does one even find the other packs?
Show threadfops1d ago
@enjarai This Unpleasant Gradient Shows Up in Your Minecraft World
Show threadKureon 1d ago
@enjarai did you update the mod for every Minecraft version where you had this functionality in? If not, what about players that cannot upgrade Mc for whatever reason?
Show threadEvelyn  1d ago
@kura i make use of a multiversion framework which lets me push out updates for all mc versions i've ever supported. i wouldnt do something like this if there were people who wouldnt be able to update, that'd just be malicious ​​
Show threadsaxnot1d ago

@enjarai the solution is really funny

but ngl the original impl was really naive. instead of downloading it once and caching checksums of all players with cape at first start (or just hardcoding it in the binary since it's really not super important or urgent) you query yourself on every event separately.

i wonder if your server will ever recover when it's down once ans everyone retries at once

Show threadEvelyn  1d ago
@saxnot i completely agree. i made this impl over a year ago and its extremely naive. past me was a bit of an overeager fool (still am sometimes tbh)

the server has been holding on, but i am getting more and more worried about it. hence why im finally fixing my mistake
Show thread HyperSoop 1d ago

@enjarai how come was it not feasible to send crash PNGs?

couldn't you do something like spark.png from https://www.bamsoftware.com/hacks/deflate.html

Biggest image in the smallest space

Show thread HyperSoop 1d ago
@enjarai also, if you're feeling silly, you could probably set your mod up to DDOS the servers of some alt-right organization or something. cause this pain to the people deserving of it. would there actually be a problem with that?
Show threadLisa Magdalena Riedler πŸ³οΈβ€βš§οΈπŸ‡¦πŸ‡ΉπŸ‡ͺπŸ‡ΊπŸ΄β€β˜ οΈ1d ago
@soop @enjarai for one, it’s illegal to DDoS people on purpose
Show thread HyperSoop 1d ago
@_r @enjarai the question is whether you can get away with it cuz then it doesn't matter does it :3
Show threadLisa Magdalena Riedler πŸ³οΈβ€βš§οΈπŸ‡¦πŸ‡ΉπŸ‡ͺπŸ‡ΊπŸ΄β€β˜ οΈ1d ago
@soop @enjarai I don’t think putting oneself at risk for petty bs like this would be worth it either way
Show thread HyperSoop 1d ago
@_r @enjarai eh i wouldn't call it "petty". ddosing fascists is always based
Show threadEvelyn  1d ago
@soop @_r@donotsta.re im not really a believer in vigilante justice. i wont be intentionally ddossing anyone
Show thread HyperSoop 1d ago
@enjarai @_r that's fair
Show threadEvelyn  1d ago
@soop hmmm... we mostly looked into gzip stuff for http requests, but this looks promising. might look into that as a last resort, though i'd really prefer not to use it honestly
Show threadJesse πŸ‡«πŸ‡· 1d ago
@enjarai WAIT YOU MAKE CICADA AND DO A BARREL ROLL ??
Show threadJesse πŸ‡«πŸ‡· 1d ago
@enjarai i've downloaded your mods so many times i've lost count
Show threadEvelyn  1d ago
@jessew awa! haii

im glad you like them :3
Show threadslonk "Have you tried Logseq?" zoid1d ago
@enjarai hi everyone the crash png was my idea. as for the feasibility, i suspect it's possible to make a png that has ~4000x compression ratio without using http compression, so it's not completely infeasible
Show threadslonk "Have you tried Logseq?" zoid1d ago
@enjarai well, not actually 4000x compression. the compression would actually be pretty terrible at 125x ideal compression, but it would cause the game to try to allocate a buffer that's 4000x the size of the png file
Show threadslonk "Have you tried Logseq?" zoid1d ago
@enjarai for context you can usually achieve 1000x ideal compression with zlib deflate streams, which a huge black rgba png file would hit
Show threadslonk "Have you tried Logseq?" zoid1d ago
@enjarai this would allow us to allocate 16 GiB (!!!) *per player in the server* on the client, which wouldn't clear until a restart
Show threadTertle950 - Scrolling WMs da best1d ago
@enjarai is there a mod that puts this cape on every player without crashing your servers? for the lols
Show threadEvelyn  1d ago
@tertle950 if there's demand, I could make that quite easily

it would be really funny
Show threadari, robo-bnnuy1d ago

@enjarai "will keep yall posted" please do this is the funniest shit ive read today

also good luck :p

Show threaddragonfi1d ago
@enjarai You know, next time I have to explain to someone why Software Development is hard, I might just link this post.
Show threadRiptide1d ago
@enjarai this is so deeply funny to me you don't even understand. thank you so much for the entertainment