Aaron Soto

@surefire@infosec.exchange

Teaching was my first love. Packets were my second.

I make classes to teach people how to defend themselves against hackers. In my spare time, I teach college students to compete in cybersecurity competitions, or try to take back my home automation from the cloud.

he/him 🏳️‍🌈 ❤️💜💙

(Profile banner is a sunset sky from underneath a bridge with kayakers and the edge of the Austin city skyline)

Twitter: @_surefire_
Github: https://github.com/sure-fire
Security Week: The Wild Wild West of Agentic AI – An Attack Surface CISOs Can’t Afford to Ignore https://www.securityweek.com/the-wild-wild-west-of-agentic-ai-an-attack-surface-cisos-cant-afford-to-ignore/ @SecurityWeek #AI #cybersecurity #infosec

My daughter just asked me "Why would they call it 'sweet n low' and use a treble clef instead of bass?"

🤯

Decades. I've ignored this glaring #marketing fail for decades.

All about a rut I’m going through right now:

https://cinqpersonnes.substack.com/p/anatomy-of-a-rut

Anatomy of a Rut.

Watch YouTube Creator, Proceed to Question Life Decisions.

Cinq Personnes.

Someone's kindness made me cry today.

My son's been attending a kids sewing class at a local fabric store.

The owner saw how much he loves it, and had offered to sell us a machine at a discount for him to use at home, but it was still out of reach for us financially. I told her we'd save up for it for Christmas.

Today she gave us that sewing machine free. She said she wanted him to be able to continue to sew at home.

Enabling his passion is such a priceless gift and I'm incredibly thankful.

Bookshop.org has free shipping July 8 - 11.
It's their Anti-Prime sale.

Every purchase supports local bookstores. You choose which bookstore.

https://bookshop.org/?bsbanner=1

#books #notbezos #notamazon

I email random strangers who are in positions of power with my unfiltered thoughts on their ability to bring change to those who aren't in that position. Occasionally it works and brings institutional change. If you have strong feelings you should try it.
This is exactly what the internet is for.

Dear liberals (if any of you are reading), please for the sake of us all, we need you to get over your fear of "criminals" as a class of person.

We need you to trust that we can build a better society that deals with violence, when it occurs, differently. For that matter, we already know that "crime" decreases when poverty decreases, so our "crime" problem is primarily a poverty problem!

Life pro tip. Need to get some anger at the world out of your system, and punching a pillow ain't doing it anymore? Get some work gloves and break sticks and branches for a while. It's completely free and remarkably cathartic to just break shit for a while and fantasize about it being someone you loathe.
so recently my server has unintentionally been inside a DDoS of my own making. any smaller webserver i point my domain at becomes instantly crippled. let me explain the situation...

so i make minecraft mods, right. well, at one point, i made this library mod called CICADA, that has a bunch of shared utilities i use. this is pretty common practice

then once i had that, i realized, hey! why not make a funny thing in this library mod that gives my own minecraft character a cape when anyone sees me! that would be kinda neat.

it couldnt just be simply hardcoded though of course, so i had a genius plan. i would put a simple "api" of sorts up on github pages that would have directories for all the players that i want to have capes. the mod can do a quick http request in the background, and if it doesnt return a 404, load the cape from the png thats returned to display on the player

now you might wonder, this is a perfect idea is it not? how could this possibly have caused any issues? ...yea i think you can roughly guess where this went

for the github pages thing, i used the one domain i had available at the time:
enjarai.dev. now, you may notice that this currently hosts my personal website. which is no longer on github pages.

when i made this migration, i realized something quite concerning. my mods are
popular.

my servers cpu was consistently pinned at 100% over 4 cores, and i was getting...
checks notes thousands of GET requests a second. 24/7. neither me nor my server were very happy about this as you might imagine

for quite a while, i've honestly just kinda... put up with this. there didnt seem to be anything i could do, short of just not using my domain or migrating back to github, neither of which i wanted

its been getting worse and worse though, my disk is filling up with access logs within literal hours after clearing them (so i had to disable those) and im running out of bandwidth quota on my VPS every month. something needs to change

so i shared my problem with a bunch of friends last night, and we brainstormed the hell out of this. after a lot of ideas, including potentially sending malformed PNGs to crash people's games and force them to update the mod (which turned out not to be feasible), i landed on a pretty decent solution i think

everyone using an old version of CICADA will now see this cape. on every single player

i really hope this works, cause if not, im kinda out of ideas

will keep yall posted
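An added example, not CICADA's code, of the client design the post's mistake points at: one manifest request per session, one texture request per listed player, failures remembered instead of retried, and nothing but a map lookup on the render path. The host, the one-UUID-per-line manifest, the class and method names and the version-carrying User-Agent are all assumptions.

```java
import java.net.URI;
import java.net.http.*;
import java.nio.ByteBuffer;
import java.time.Duration;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
/** Hypothetical cape lookup (not CICADA's code): one manifest fetch per session, one texture fetch per listed player, failures remembered, no network I/O on the render path. Host and format are assumed. */
public final class CapeRegistry {
    private static final URI BASE = URI.create("https://capes.example.invalid/"); // placeholder, own subdomain
    private static final long MAX_PIXELS = 1024L * 512;                // capes are tiny; refuse decode bombs
    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();
    private final Map<UUID, byte[]> capes = new ConcurrentHashMap<>();  // empty array = "tried, no cape"
    private volatile Set<UUID> entitled = Set.of();                     // players named in the manifest
    private long nextAttemptMillis = 0, backoffMillis = 60_000;         // exponential backoff after failure
    /** Called once at startup and on a slow timer, never per player or per frame. */
    public synchronized void refreshManifest() {
        if (System.currentTimeMillis() < nextAttemptMillis) return;     // still inside the backoff window
        try {
            HttpRequest req = HttpRequest.newBuilder(BASE.resolve("capes.txt")).timeout(Duration.ofSeconds(5))
                    .header("User-Agent", "cape-client/2").GET().build(); // version lets the server tell old from new
            HttpResponse<String> res = http.send(req, HttpResponse.BodyHandlers.ofString());
            if (res.statusCode() != 200) throw new IllegalStateException("HTTP " + res.statusCode());
            Set<UUID> ids = new HashSet<>();                             // assumed format: one UUID per line
            for (String line : res.body().split("\n")) try { ids.add(UUID.fromString(line.trim())); } catch (IllegalArgumentException skip) { }
            entitled = Set.copyOf(ids);
            backoffMillis = 60_000;                                      // success resets the backoff
        } catch (Exception e) {
            nextAttemptMillis = System.currentTimeMillis() + backoffMillis;
            backoffMillis = Math.min(backoffMillis * 2, Duration.ofHours(6).toMillis());
        }
    }
    /** Background-thread call; at most one request per player per session, even when it fails. */
    public void loadCape(UUID player) {
        if (!entitled.contains(player) || capes.putIfAbsent(player, new byte[0]) != null) return;
        try {
            HttpRequest req = HttpRequest.newBuilder(BASE.resolve(player + ".png")).GET().build();
            byte[] png = http.send(req, HttpResponse.BodyHandlers.ofByteArray()).body();
            if (png.length >= 24 && png[1] == 'P' && png[2] == 'N' && png[3] == 'G') {
                ByteBuffer ihdr = ByteBuffer.wrap(png, 16, 8);           // IHDR width and height, big-endian
                long w = ihdr.getInt() & 0xFFFFFFFFL, h = ihdr.getInt() & 0xFFFFFFFFL;
                if (w > 0 && h > 0 && w <= MAX_PIXELS / h) capes.put(player, png); // division form cannot overflow
            }
        } catch (Exception ignored) { /* entry stays empty: no retry storm against the server */ }
    }
    /** Render-loop call: a map lookup and nothing else; unlisted players never cause a request. */
    public Optional<byte[]> capeFor(UUID player) {
        byte[] png = capes.get(player);
        return png == null || png.length == 0 ? Optional.empty() : Optional.of(png);
    }
}
```

Reading the dimensions out of the IHDR chunk bounds the decoded allocation from the file header alone, so a tiny file cannot demand gigabytes on the client, and a client version in the User-Agent lets the server distinguish old clients from new ones before deciding how to answer.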
@enjarai hey knowing people and how reluctant they are to update you'll get this number of requests for months on end 🙃
@niko i find it really hard to imagine putting up with everyone wearing ugly as hell capes all the time... but you may be right
@enjarai oh i know i would be able to ignore it fine
@niko at the very least it'll most likely get big modpacks to update the mod. and those are by far the biggest contributors of downloads
@enjarai now whether people will update their modpacks :3c
@enjarai i am not helping here sorry lmao
@niko dont worry, ill figure something out, im sure
@niko @enjarai there's also an ultimate option (afaik), removing the broken version from modrinth (probably breaking a lot of modpacks, forcing them to update)
@maia @niko i can definitely do that on modrinth, though it'd be a lot of versions to delete (would need to make a script or smt)

the issue is that im pretty sure curseforge (where all the big packs live) just... doesnt let you delete files entirely. they want to prevent modpacks from breaking at any cost you see, so you fully cannot just remove your files, only "archive" them ;-;
@enjarai @niko Yeahhhh could see that happen too. If so it might be good to take a look at a caching layer. Though it sure must be a massive amount of requests given that the server just handles TLS & serves small images from what it sounds like
@FamiliarDraco @niko oh yea for a while i had nginx just immediately drop the connection once it knew the path. no http response of any kind, just closing the tcp connection

still 100% cpu and filling up quotas. the amount of requests is staggering ;-;
@enjarai @niko even if it only reaches 50 % of players it's already a load reduction and thus cost reduction of 50 %.
I think this solution is very nifty and takes into account the social nature of using software
@saxnot @niko yea i cant imagine it not doing anything. just hope it'll be enough
@enjarai Interesting problem this. Hope this little update cape is going to help! Both for your own and your servers sanity :3
@enjarai this is the funniest thing I've ever seen
@enjarai Why not ban java requests
@DearFox i did. the http client has a very distinct user agent, so thats the first thing i tried. issue is that the overhead of handling that ban (opening tcp socket, ssl handshake, reading request) was still enough to bring the server to its knees
@enjarai For this reason, I like to use different subdomains, and I never do such things on the main domain. Now I understand that this is a good practice   
@DearFox oh yea i should've absolutely done that in the first place
@enjarai uh oh, good luck
your mods are really cool! keep it up! does kinda worsen the problem though
I’ll spread the word
@enjarai oh *you're* the gal behind CICADA. Funny seeing you here, I just read through some of your code yesterday 
@dequbed awa hi! now im curious, what were you doing in there?
@enjarai Trying to figure out how Do a Barrel Roll functions because Cobblemon is getting a riding feature with rollable camera too and there's no sense in reinventing the wheel ^^
@enjarai gotta update it in my modpack then, thanks for the info ^^ by the way: you could filter the type of request 1:1 for people using the old version so you have less overhead or maybe also just blackhole it at layer 3 for even lesser overhead. also you can add a cape texture of your own as an asset inside of the mod so it just gets fetched locally in future versions. no more thousands of GET requests.
@iouring@post.stellaris.fyi yea i've completely ditched the capes for the updated version, i really dont care enough honestly. it was a thing that young and naive me liked the thought of, and she's a little idiot
@enjarai fair approach ^^ and i don't think of you as an naive idiot in fact i would add cape textures myself in some of my mods (if i would have any) at some point i guess
@iouring@post.stellaris.fyi yea it seemed like a fun idea at the time... optifine does it! what could be so bad?? <i dont have a clueless emoji but imagine it here>
@enjarai you remind me that i still have to add a few blob and neo emoji packs
@iouring@post.stellaris.fyi oh same! i only have the blobfoxes, neocats, and neofoxes

where does one even find the other packs?
@enjarai This Unpleasant Gradient Shows Up in Your Minecraft World
@enjarai did you update the mod for every Minecraft version where you had this functionality in? If not, what about players that cannot upgrade Mc for whatever reason?
@kura i make use of a multiversion framework which lets me push out updates for all mc versions i've ever supported. i wouldnt do something like this if there were people who wouldnt be able to update, that'd just be malicious

@enjarai the solution is really funny

but ngl the original impl was really naive. instead of downloading it once and caching checksums of all players with cape at first start (or just hardcoding it in the binary since it's really not super important or urgent) you query yourself on every event separately.

i wonder if your server will ever recover when it's down once and everyone retries at once

@saxnot i completely agree. i made this impl over a year ago and its extremely naive. past me was a bit of an overeager fool (still am sometimes tbh)

the server has been holding on, but i am getting more and more worried about it. hence why im finally fixing my mistake

@enjarai how come was it not feasible to send crash PNGs?

couldn't you do something like spark.png from https://www.bamsoftware.com/hacks/deflate.html

Biggest image in the smallest space

@enjarai also, if you're feeling silly, you could probably set your mod up to DDOS the servers of some alt-right organization or something. cause this pain to the people deserving of it. would there actually be a problem with that?
@soop @enjarai for one, it’s illegal to DDoS people on purpose
@_r @enjarai the question is whether you can get away with it cuz then it doesn't matter does it :3
@soop @enjarai I don’t think putting oneself at risk for petty bs like this would be worth it either way
@_r @enjarai eh i wouldn't call it "petty". ddosing fascists is always based
@soop @_r@donotsta.re im not really a believer in vigilante justice. i wont be intentionally ddossing anyone
@soop hmmm... we mostly looked into gzip stuff for http requests, but this looks promising. might look into that as a last resort, though i'd really prefer not to use it honestly
@enjarai WAIT YOU MAKE CICADA AND DO A BARREL ROLL ??
@enjarai i've downloaded your mods so many times i've lost count
@jessew awa! haii

im glad you like them :3
@enjarai hi everyone the crash png was my idea. as for the feasibility, i suspect it's possible to make a png that has ~4000x compression ratio without using http compression, so it's not completely infeasible
@enjarai well, not actually 4000x compression. the compression would actually be pretty terrible at 125x ideal compression, but it would cause the game to try to allocate a buffer that's 4000x the size of the png file
@enjarai for context you can usually achieve 1000x ideal compression with zlib deflate streams, which a huge black rgba png file would hit
@enjarai this would allow us to allocate 16 GiB (!!!) *per player in the server* on the client, which wouldn't clear until a restart
@enjarai is there a mod that puts this cape on every player without crashing your servers? for the lols
@tertle950 if there's demand, I could make that quite easily

it would be really funny

@enjarai "will keep yall posted" please do this is the funniest shit ive read today

also good luck :p

@enjarai You know, next time I have to explain to someone why Software Development is hard, I might just link this post.
@enjarai this is so deeply funny to me you don't even understand. thank you so much for the entertainment