kondbg | 3 years ago | on: Who pays for your rewards? Redistribution in the credit card market [pdf]
kondbg's comments
kondbg | 4 years ago | on: Set up a practically free CDN
Using Cloudflare to proxy B2 content seems like it directly violates Cloudflare's ToS.
https://www.cloudflare.com/terms/
> 2.8 Limitation on Serving Non-HTML Content
> The Services are offered primarily as a platform to cache and serve web pages and websites. Unless explicitly included as part of a Paid Service purchased by you, you agree to use the Services solely for the purpose of (i) serving web pages as viewed through a web browser or other functionally equivalent applications, including rendering Hypertext Markup Language (HTML) or other functional equivalents, and (ii) serving web APIs subject to the restrictions set forth in this Section 2.8. Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service. If we determine you have breached this Section 2.8, we may immediately suspend or restrict your use of the Services, or limit End User access to certain of your resources through the Services.
If this was truly acceptable and not in some grey area, why doesn't Backblaze simply route all downloads through Cloudflare by default, rather than having each individual customer go through the hassle of setting this up?
kondbg | 5 years ago | on: Rocky Linux: A CentOS replacement by the CentOS founder
The git repository stores only the packaging related items (the specfile, the custom patches, etc.). The actual source is stored as a binary artifact that is downloaded by a `get_sources.sh` script.
The build process is documented here: https://wiki.centos.org/action/show/Sources?action=show&redi...
kondbg | 5 years ago | on: Rocky Linux: A CentOS replacement by the CentOS founder
Devil's advocate: why should I choose this yet-to-exist distribution over something already existing, such as Oracle Linux?
The most common argument (Oracle is evil and litigious. Therefore, using Oracle Linux will result in me being sued) honestly seems like FUD.
All RHEL downstream distributions rebuild the same SRPMs that RHEL provides. Doing a quick comparison over some common packages (kernel, httpd, openssl, etc.) between CentOS 8.3 (https://vault.centos.org/8.3.2011/BaseOS/Source/SPackages/) Oracle Linux 8.3 (https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x8...) shows that they are indeed byte identical (with the exception of certain spec files including debranding patches).
What is the value of having a separate RHEL derivative? It isn't as if the "community" can propose/submit any changes, since any changes will cease to make the downstream distribution a "bug for bug" compatible RHEL derivative. If I actually wanted to participate in the larger RHEL-derivative community, I would need to actually submit my changes to the CentOS stream project.
kondbg | 5 years ago | on: How to Setup FTP Server with Vsftpd on Raspberry Pi
OpenSSH's SFTP server is significantly slower than FTP over Wireguard (or FTP over TLS) without the OpenSSH HPN patches (which upstream refuses to merge) on connections with >100ms latency.
FTP has sendfile support for data transfers since there is no framing in the data connection. (OpenSSL 3.0 has sendfile support so FTP over TLS would also benefit as well).
kondbg | 8 years ago | on: Blizzard's Battle.net Updater Installs Root Certificate
This isn't a CA certificate -- it is missing the CA basic constraints as well as missing the "certificate sign" key usage from X509v3, so most TLS libraries will not validate a chain that is signed by this certificate.
kondbg | 8 years ago | on: Chrome 59 stable released
Running Linux and i3wm. After updating to 59, Chrome didn't seem to automatically detect my DPI settings, so I had to manually specify the scale with
--force-device-scale-factor
kondbg | 8 years ago | on: Telefonica Is Target of $600,000 Bitcoin Ransomware Attack
> “The origin of the infection is not confirmed at the moment, but sources close to the company point out that it is being treated as an attack originating in China,” El Mundo writes.
It's amazing how any organization can get away with poor security and backup practices by blaming either Russia or China, without showing any evidence to back their claim.
kondbg | 9 years ago | on: Ryzen is for Programmers
Yes, that log entry was from running 4.10.11.
kondbg | 9 years ago | on: Ryzen is for Programmers
Yes, MSI B350 Tomahawk
kondbg | 9 years ago | on: Ryzen is for Programmers
I also built a Ryzen machine for development. It's great when it works, but I've found that Ryzen is unstable on Linux (Ubuntu 16.04). Every once in a while, I get kernel errors like
NMI watchdog: BUG: soft lockup - CPU#9 stuck for 23s!
kondbg | 9 years ago | on: Caddy 0.10 Released
The authors of the original paper [1] identified that the set of client cipher suites advertised by each browser can be used to fingerprint and identify a browser.
Caddy records the cipher suite advertised by the client during the TLS handshake and then later examines the client's user agent. Using the fingerprinting techniques mentioned in the paper, Caddy then determines whether or not the advertised user-agent is compatible with the user-agent that it inferred through the client cipher suites.
TLS interception proxies establish their own TLS connection to the server. Depending on what underlying TLS library the proxy uses, it also has its own unique fingerprint. When the TLS proxy forwards the user's request, Caddy detects the mismatch and flags it as a MITM.
kondbg | 9 years ago | on: Using GPG to Encrypt Your Data
Is there a benefit in using symmetric encryption vs specifying yourself as a recipient?
kondbg | 9 years ago | on: Some DNS lookups causing 5xx errors due to leap second bug
Cloudflare posted a post-mortem [1]. They were measuring round trip time, and supplying the result of that into the golang rand.Int63n() function, which panics the process when given a negative number.
[1] https://blog.cloudflare.com/how-and-why-the-leap-second-affe...
kondbg | 9 years ago | on: 2017 is not just another prime number
> The sum of the cube of gap of primes up to 2017 is a prime number. That is (3-2)^3 + (5-3)^3 + (7-5)^3 + (11-7)^3 + ... + (2017-2011)^3 is a prime number.
For the non-mathematically inclined, how do mathematicians come up with these? Are these just observations that they happened to witness, or are there underlying theoretical properties that allow one to derive this claim?
kondbg | 9 years ago | on: Some DNS lookups causing 5xx errors due to leap second bug
I'm confused on why a DNS server would need to rely on a monotonic clock for its use cases. Is there a part of DNS that relies on the assumption of synchronized, monotonic time? (Perhaps TTL/expiry of records? But I still don't see why having a non monotonic clock source would harm if CF is using Go timers for expiry)
kondbg | 9 years ago | on: Bitcoin 0.13.0 Binary Safety Warning
As someone who does not follow Bitcoin news, what makes this release special enough to warrant an advance warning?
kondbg | 9 years ago | on: Ask HN: Why are sites now breaking login forms into stages (name then password)?
This also provides zero additional security for the end user. Offering security questions and/or images that a user selected does not prove that the site is legitimate, since a phishing site can literally be a reverse proxy to your bank's website that just logs all form values. You can accomplish this in < 15 lines of nginx configuration.
Adding "verification images" or security questions that you set up does not prove that a site is legitimate. A successfully established HTTPS connection to the bank's domain is necessary and sufficient to guarantee authenticity (and most banks use EV too, which browsers make extra obvious).
Users should be trained to look at the URL bar for the green EV indicator, instead of being trained to believe that a site is legitimate simply because it displays a picture that they select. Banks that encourage this behavior are actively encouraging users to become even more gullible to well-crafted phishing attacks.
kondbg | 9 years ago | on: Ask HN: Why are sites now breaking login forms into stages (name then password)?
I've never understood why this is seen as a form of verification. What is stopping a phishing site from simply taking a victim's username and fetching the victim's corresponding image from the bank's website via simple scraping?
kondbg | 10 years ago | on: Bypassing Antivirus with Ten Lines of Code
This is a common way of executing shellcode in a PoC.
Exec (before the cast) points to memory containing the shellcode data.
To actually start executing the shellcode, you just need to somehow cause the program counter to point to the address of the shellcode.
An easy way to change the program counter is by calling a function ... which is what this line does.
Read this as "cast exec to a pointer to a function that takes zero arguments and returns void and call the function with no arguments."
This is the same as:
typedef void (*some_func)();
some_func func = (some_func)exec;
func();
page 1
Using credit cards allows you to keep close to a zero checking account balance and manage your own cash flow, since credit card bill dates are deterministic.
Why would anybody want to keep _any_ amount of money in a non-interest bearing checking account right now especially when the risk free rate of interest (US treasury bills / equivalent money market funds invested in US treasuries) yields 4.00%+ APY now?