I thought of something similar, but that again doesn’t save me from having to plug in the disks one by one.

I just plug all disks in my server, then run the following script to get the mapping GPTID -> partition -> disk serial:

#!/bin/sh

glabel status | awk '/^gptid/ { print $1, $3 }' | while read -r gptid part; do
        disk="/dev/${part%p*}"
        serial="$(smartctl -i "$disk" | awk '/^Serial Number:/ { print $3 }')"
        printf '%s\t%s\t%s\n' "$gptid" "$part" "$serial"
done

Then, when a disk fails, I just check with zpool status which one is unavailable or completely missing, and see to which serial it corresponds in the previously stored output of the above script.

This script is for FreeBSD and assumes you add disks using their GPTID in your ZFS pool (default on TrueNAS), but it can easily be adapted to Linux with a mix of lsblk --nodeps -o +WWN,SERIAL and the symlinks in /dev/disk/by-id/.

Don’t know what I expected though, because you can’t make a hard drive suddenly beep or turn a light on. ^^

You can create random reads to try to identify a disk (using badblocks for instance). If the bad disk is not completely dead, create random reads on it and try to “feel” which disk is constantly spinning and creating vibration. If the disk is completely dead, do the same on all other disks and feel which one is inactive.

But writing down the disk ID -> serial mapping, if the serial is written on the hard drives, is a lot easier and more reliable.


Trail of Bits is publicly disclosing critical vulnerabilities that break the soundness of multiple implementations of zero-knowledge proof systems, including PlonK and Bulletproofs. These vulnerabilities are caused by insecure implementations of the Fiat-Shamir transformation that allow malicious users to forge proofs for random statements.

You can get the disk serial with smartctl -i /dev/.... Serial should be written on disk. Keep a mapping of disk ID -> serial.

If serial is not visible without taking all disks apart, it’s a good idea to put a sticker with a copy of it on the side of the disk or disk tray depending on your NAS form factor.


Setting webgl.disabled to false in about:config allows the map to be displayed.

I’ll let you research the attack surface of webgl and see how this fits in your threat model.


TL;DR
- OpenBSD on Apple M1 is more accessible
- httpd supports static gzip compression
- Many wifi performance improvements
- Webzine new Questions and Answers section
- Webzine is being translated into German and French

Heap Overflow in OpenBSD's slaacd via Router Advertisement
In this blog post we analyze a heap overflow vulnerability we discovered in the IPv6 stack of OpenBSD, more specifically in its `slaacd` daemon. This issue, whose root cause can be found in the mishandling of Router Advertisement messages containing a DNSSL option with a malformed domain label, was patched by OpenBSD on March 21, 2022. A proof-of-concept to reproduce the vulnerability is provided.

1984 hosting. They don’t require any personal info other than an email address, accept monero, have very affordable KVM VPS (starting at €4.50/month), and you can ask support to add an ISO if your desired distro is not already on the list. My only complaint is the lack of IPv6.


Interesting article, thanks a lot for sharing!

So the guy gave Xerox more than 2 years to fix a critical bug, that they acknowledged existed, and they still haven’t done anything. This tells me all I need to know about how Xerox values the security of their customers. And the VersaLink are not exactly cheap printers ($700 to ~ $10k depending on model), not that this would be an acceptable response even on the cheapest, not network connected, printer.


On LibreWolf (and other Firefox-based browsers), you should be able to force the normal context menu with Shift + right click. But I don’t know if moodle is using additional tricks to also block that.


Switzerland voted on a 12x initiative a few years ago: https://www.businessinsider.com/switzerlands-112-initiative-why-executives-are-worried-2013-11

Unfortunately it got rejected after big companies threatened to fire their employees and leave Switzerland if this was accepted, that this would destroy the economy, and so on…

Others disagree. According to World Radio Switzerland, Novartis, Nestle, Bobst, and SBB sent thousands of employees letters asking them to vote no to the 1:12 initiative, arguing that it would make Switzerland a less desirable place to do business. Earlier this year the CEO of commodities giant GlencoreXstrata said the company would consider leaving Switzerland if the law passed. “I can’t believe that Switzerland would cause such great harm to its economy,” Ivan Glasenberg said in an interview with the SonntagsZeitung. “And I say that not just as the head of a company, but as a Swiss citizen.”


In Orbot, you have a “VPN mode” toggle. When enabled, it creates an Android VPN connection which “torifies” the traffic of all apps you have selected in the “Tor-Enabled Apps” section. You can select all apps, but still need to remember to go add new apps each time you install them (I don’t think there is an automated way to do it).

Unless this changed recently, Android only supports a single active VPN connection at a time, so unfortunately this Orbot mode cannot be used in conjunction with a standard VPN.


In case no postmarketOS developer checks Lemmy in the next few days, and you know how to use git, you could then open a merge request on their website git repo: https://gitlab.com/postmarketOS/postmarketos.org/-/blob/master/config/mirrors.py



It’s a PineCone (RISC-V BL602 dev board) with a BME280 atmospheric sensor. The picture comes from LEE Lup Yuen’s website, which has a lot of very interesting articles, mainly related to Pine64 RISC-V / Lora products.


Direct Rendering Manager != Digital Rights/Restrictions Management


OpenBSD webzine issue #5
TL;DR
- The webzine is now single column! A poll on Mastodon showed that more than half the readers preferred a single column display
- clang-tidy and clazy imported into the ports tree
- syspatches released for 6.9 and 7.0
- RFC6840 integration

There is already an issue opened about this problem: https://github.com/krawieck/lemmur/issues/287

The problem is due to flutter checking the clipboard to determine if the paste button should appear in text fields. The fix should be available in the next version of flutter, but they don’t seem in a hurry to release it: https://github.com/flutter/flutter/issues/74139#issuecomment-938146498


TL;DR
- Loongson architecture support dropped
- Many commits during the h2k21 [hackathon](https://www.openbsd.org/hackathons.html)
- We have [mastodon](https://bsd.network/@webzinepuffy) and [Twitter](https://twitter.com/webzinepuffy) bots relaying news



Looking at the install script, they seem to be using the linux-lts kernel from void which has very few patches applied on top of upstream.

But the README indicates that this is a work in progress. It would be nice if, once done, they upstreamed and maintained it in void as a kernel-hardened package.


TL;DR
- OpenBSD 7.0 released! ([Announcement](https://marc.info/?l=openbsd-announce&m=163422237101753&w=2))
- No more package updates for 6.9, syspatch will still be published
- No more syspatches for 6.8, it is now end of life and shouldn't be used any longer
- OpenBSD 7.0 song [released](https://www.openbsd.org/lyrics.html#70) as well!

Telemetry and Suggest are two completely separate things.

The only difference between “online” and “offline” is that in “offline” mode what you type in your URL bar is not included in the telemetry sent after you have selected a suggestion. But this changes absolutely nothing to what is sent to the Suggest API endpoint when you type in your URL bar.

I’ve repeatedly provided clear evidence of what I said, you just keep mentioning a random code comment and interpreting it in a way which completely contradicts the actual code and what countless people have observed. So at the risk of repeating myself:

  • A code comment does not prove anything.
  • Your completely wrong interpretation of it even less so.
  • Link to code supporting your claims or GTFO.

And how would that support your claim that this post is:

misinformation. No data is sent by default, you have to opt in.

The relevant parts from this code comment about the “offline” mode are:

Firefox Suggest suggestions are enabled by default.

The onboarding dialog is not shown.

Which correspond to the code I’ve already linked to.

      case "offline":
        enabled = true;
        defaults.setBoolPref("quicksuggest.shouldShowOnboardingDialog", false);
        defaults.setBoolPref("suggest.quicksuggest", true);
        defaults.setBoolPref("suggest.quicksuggest.sponsored", true);
        break;

The code you cited just says that users with locale “en-US” are enrolled in the “offline” mode.

Basically:

  • locale = “en-US” => “offline” => opt-out
  • locale != “en-US” => “opt-in” with all possible dark patterns to trick the user into accepting it: user has to click the small “Not now” text which does not look like a button on the top right corner to disable Suggest.

To summarize, the “offline” / “online” Suggest Scenarios have absolutely nothing to do with the fact that Firefox sends data to Mozilla or not, they only define if the Suggest feature is opt-in or opt-out. Is this naming extremely confusing? Absolutely! But at this point it’s clear that Mozilla has done everything possible to mislead users about what their “suggestions” really are.

So please, stop spreading misinformation while claiming that people trying to bring awareness about this awful “feature” are the ones providing false information. A code comment is not proof, your completely wrong interpretation of it even less so. If you don’t agree, please link to the relevant source code which would contradict the one I’ve linked to.



The Insane Innovation of TI Calculator Hobbyists
In the mid-to-late 2000s, you either knew, or were, that kid in grade school. You know. The one who could put games on your graphing calculator. You may be surprised to learn that some of these people didn’t exist totally in a vacuum. There was in fact a thriving scene of hackers who had bent these calculators to their will, writing games, math software, and more generally hacking on the platform just for the sake of it.