BonusPlay commented on Why does Debian change software?   blog.liw.fi/posts/2025/wh... · Posted by u/tapanjk
BonusPlay · 3 months ago
Not the best name for the article. My first guess was version changes, or software being added/removed from repo. Turns out this is about source code modification.
BonusPlay commented on Writing your own C++ standard library from scratch   nibblestew.blogspot.com/2... · Posted by u/JNRowe
BonusPlay · 5 months ago
A problem I encountered while writing a custom stdlib is that certain language features expect the stdlib to be there.

For example, the <=> operator assumes that std::partial_ordering exists. Kinda lame. In the newer C++ standards, more and more features are unusable without the stdlib (or at least the std namespace).

BonusPlay commented on Zentool – AMD Zen Microcode Manipulation Utility   github.com/google/securit... · Posted by u/taviso
BonusPlay · 6 months ago
Both AMD and Google note that Zen[1-4] are affected, but what changed about Zen5? According to the timeline, it released before Google notified AMD [1].

Is it using different keys but the same scheme (and could possibly be broken via side-channels as noted in the article)? Or perhaps AMD noticed something and changed up the microcode? Some clarification on that part would be nice.

[1] https://github.com/google/security-research/security/advisor...

BonusPlay commented on How to gain code execution on hundreds of millions of people and popular apps   kibty.town/blog/todesktop... · Posted by u/xyzeva
davej · 6 months ago
Dave here, founder of ToDesktop. I've shared a write-up: https://www.todesktop.com/blog/posts/security-incident-at-to...

This vulnerability was genuinely embarrassing, and I'm sorry we let it happen. After thorough internal and third-party audits, we've fundamentally restructured our security practices to ensure this scenario can't recur. Full details are covered in the linked write-up. Special thanks to Eva for responsibly reporting this.

BonusPlay · 6 months ago
Honestly I don't get why people are hating this response so much.

Life is complex and vulnerabilities happen. They quickly contacted the reporter (instead of sending email to spam) and deployed a fix.

> we've fundamentally restructured our security practices to ensure this scenario can't recur

People in this thread seem furious about this one and I don't really know why. Other than needing to unpack some "enterprise" language, I view this as "we fixed some shit and got tests to notify us if it happens again".

To everyone saying "how can you be sure that it will NEVER happen", maybe because they removed all full-privileged admin tokens and are only using scoped tokens? This is a small misdirection, they aren't saying "vulnerabilities won't happen", but "exactly this one" won't.

So Dave, good job to your team for handling the issue decently. Quick patches and public disclosure are also more than welcome. One tip I'd learn from this is to use less "enterprise" language in security topics (or people will eat you in the comments).

BonusPlay commented on Security researchers identify new malware targeting Linux   welivesecurity.com/en/ese... · Posted by u/heresie-dabord
xorcist · 9 months ago
Challenge accepted. "All files loaded" is probably not what you want to do, however. It is much easier to just ask rpm directly which files under your library directory have been modified, and treat any files outside known library directories as suspicious.

Anyway, this is how you check which open files match ".so" and see if they are modified since installation:

  # Take every open file whose path contains ".so", find the package that owns it
  # with rpm -qf, then ask rpm -V whether that file differs from what the package installed.
  lsof | grep -o "/[^ ]*\.so[^ ]*" | sort -u | while read -r path ; do
    if ! pkg=$(rpm -qf "$path" 2>/dev/null) ; then
      echo "$path does not belong to a package"
    else
      # rpm -V prints only files whose size, digest, mode, owner etc. differ from the rpm database
      rpm -V "$pkg" | grep -F "$path"
    fi
  done

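An added example (not xorcist's script) that implements the other half of the comment above: shared objects are first sorted by whether they live in a known library directory, and rpm is only consulted when it is installed. The KNOWN_LIB_DIRS list and the SAMPLE paths are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not xorcist's script: flag shared objects loaded from outside the
# usual library directories, and consult rpm only when it is installed.
# Directories a distribution package normally installs libraries into (assumption).
KNOWN_LIB_DIRS="/lib /lib64 /usr/lib /usr/lib64 /usr/libexec"

# List .so paths mapped into any running process, read from /proc/*/maps (Linux only).
loaded_shared_objects() {
  cat /proc/[0-9]*/maps 2>/dev/null | awk '$6 ~ /\.so(\.|$)/ { print $6 }' | sort -u
}

# classify_path PATH: prints "known" when PATH sits under a known library
# directory, otherwise "suspicious". Always exits 0 so it is safe under set -e.
classify_path() {
  for d in $KNOWN_LIB_DIRS; do
    case "$1" in
      "$d"/*) echo known; return 0 ;;
    esac
  done
  echo suspicious
}

# check_path PATH: reports whether PATH is unowned or modified according to rpm.
check_path() {
  if ! command -v rpm >/dev/null 2>&1; then
    echo "$1: rpm not available, skipped"; return 0
  fi
  if ! pkg=$(rpm -qf "$1" 2>/dev/null); then
    echo "$1: not owned by any package"; return 1
  fi
  # rpm -V prints only files whose size, digest, mode, owner etc. differ from the rpm database.
  if rpm -V "$pkg" | grep -qF "$1"; then
    echo "$1: modified since installation ($pkg)"; return 1
  fi
  echo "$1: ok ($pkg)"
}

# audit_paths LIST: one "class<TAB>path" line per newline-separated path in LIST.
audit_paths() {
  printf '%s\n' "$1" | while read -r p; do
    [ -n "$p" ] && printf '%s\t%s\n' "$(classify_path "$p")" "$p"
  done
}

# Constructed sample standing in for loaded_shared_objects on a live host.
SAMPLE='/usr/lib64/libc.so.6
/usr/lib64/libssl.so.3
/tmp/libhelper.so
/home/user/.cache/libhelper.so.1'
audit_paths "$SAMPLE"
```

On a real host replace SAMPLE with `$(loaded_shared_objects)` and pipe the suspicious entries through check_path to get rpm's verdict on each.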
BonusPlay · 9 months ago
Seems like you assumed none of your tools got backdoored. I'd start bootstrapping from busybox.
BonusPlay commented on Abusing Ubuntu 24.04 features for root privilege escalation   snyk.io/blog/abusing-ubun... · Posted by u/saltypal
BonusPlay · 10 months ago
Linux Local Privilege Escalation, but the attacker has to be in the sudo group in the first place.

Great read, but this feels like academic research. Technically correct, but impractical at best.

BonusPlay commented on Show HN: Proxmox VE Helper Scripts   community-scripts.github.... · Posted by u/BramSuurdje
whartung · 10 months ago
Why is something like Proxmox a bad target for IAC?
BonusPlay · 10 months ago
If you want to manage VMs, then you're probably using terraform + provider. However, SDN (Software Defined Networking) is not yet supported [1], which makes any kind of deployment with network separation not feasible (using IAC only).

[1] https://github.com/bpg/terraform-provider-proxmox/issues/817

BonusPlay commented on Show HN: Proxmox VE Helper Scripts   community-scripts.github.... · Posted by u/BramSuurdje
daqnz · 10 months ago
It is also worth mentioning that Proxmox uses ZFS, making snapshotting quick, and Proxmox also has a very good backup system.

If you want to treat your self-hosted applications as "sheep" (1), then terraform, k8s etc. is a better bet.

But if you are happy to manually restore from a backup or snapshot when something goes wrong, or automatically have your LXC container shifted to different hardware if you have a cluster, then Proxmox is for you. The reality is that in a home setup you will spend about as much or less time maintaining your "pets" than you would your "farm".

(1) I write this from New Zealand

BonusPlay · 10 months ago
> Proxmox uses ZFS making snapshotting quick

Proxmox only supports linear snapshots using ZFS (so no tree-like snapshots). This might be a deal-breaker for some usages.

BonusPlay commented on Law Enforcement Undermines Tor   marx.wtf/2024/10/10/law-e... · Posted by u/pantalaimon
ementally · 10 months ago
Are there any projects that generate random traffic? Like a website where, while you have it open, it keeps sending random traffic. It would make traffic analysis very hard.
BonusPlay commented on Tell HN: GitHub locked me out for not using 2FA    · Posted by u/GoblinSlayer
BonusPlay · a year ago
GitHub has been slowly rolling out this feature over more than a year [1], which will have a positive impact on overall IT security.

Spending 1 minute setting up 2FA is really not a big deal.

[1] https://github.blog/news-insights/product-news/raising-the-b...
