DEFCON 201 boosted
@technomancy @m455 Matrix is like whispering in class. Everyone can see you do it and knows exactly who you're talking to, and when. They just can't hear what you say.

Signal prevents a central server from knowing anything besides the recipient of a message (not a group; the actual recipient) and the approximate size, atl at the application protocol level. Briar and p2p messengers give similar benefits at the cost of complicating offline messaging and using much more battery.
DEFCON 201 boosted

Quick #Copywriting tip for software devs:

Most of the time when devs write up their "sales" pages they put a list of features.

This is extremely common but there's a better way:

List the benefits of the features.


"End to end encrypted" is a feature.

"Your communications are secure -- not even the developers can read your messages!" is a benefit.

Reply with some of your software's features and I'll do my best to write them into benefits for you :)

(I normally charge a lot for this service)

DEFCON 201 boosted

Software will always have as many bugs as users will tolerate before switching to something else. Therefore, the higher the cost to users of switching, the more bugs the software will have. This is why companies tend to devote significantly more resources to maximizing the cost to users of switching than they do to software quality.

Reposted from @TheGibson Twitter:

"Another and friends meetup tonight. We'll be at the 3535 bar in Linq from 7-ish on.

Come by and say hi... I have bitchin' rad stickers."

DEFCON 201 boosted

When we started a podcast about movies we didn't really anticipate that we would do a Very Special Episode prompted by the news, but here we are.

Content warnings: US politics, reproductive health and decisions, religious fanaticism, addiction

DEFCON 201 boosted

FBI Raid Indicates One Thing: Trump & Trump Supporters Must Be Deleted. Only Uni Party Members Have Exclusive Right To Rule.

I’m confident that, “We the people,” can still take them. They’re panicked, weak and they’re really nothing like us.


DEFCON 201 boosted

"Hearing Retraining

As we get older, our sensitivity toward the higher frequencies decreases. This phenomenon is called age-related hearing loss or presbycusis. Some theories state that we can re-train the ear by listening to these missing frequencies. A recent experiment on myNoise aimed at verifying that theory, with a natural sound generator that plays near ultra-sonic frequencies, mainly cicadas and bats. Some users reported that they started to hear frequencies they didn't hear when[…]"

DEFCON 201 boosted

Ok, I did all of the meme software-based web performance hacks I know. I’ve run out. I know this is overkill but it’s way too fun to stop now; I need something more to optimize.

What I’ve done:

Static site
Static Brotli compression
Static Efficient-Compression-Tool (ECT) Zopfli-based compression
ECT compression and palette-reduction of all PNGs
next gen image formats (WebP, AVIF, and ready for JPEG-XL when it rolls out)
Optimizing AVIFs with Butteraugli tuning (from libjxl)
Using zlib-ng instead of zlib for dynamic compression
Link rel=preload HTTP header for my avatar (only useful for really slow connections)
STS preloading
HTTP/3 support
HTTPS/SVCB DNS records for HTTP/2 and HTTP/3 ALPN, with ipv4 and ipv6 hints
TLS 1.3 with 0-RTT (all requests are idempotent; everything except webmentions and search is static content)
session ticket keys with auto rotation for ticket-based resumption
nginx-quic patched with HPACK and dynamic TLS record sizing support
Compiling nginx and all its libs with -fomg-optimize
OCSP Must-Staple (HSTS Expect-Staple is a WIP)
ECDSA-based certs
Re-ordering some <head> elements and CSS rules so that they compress better
Making everything first-party (can re-use a single connection for the full load)
formatting my HTTP headers to match HPACK/QPACK dictionaries, or removing whitespace from them
Cache-busting assets so I can give them long + immutable Cache-Control headers
Inlining my stylesheet (my CSS is about 5kb before compression and it only increases page size by ~1kb after inlining + compressing; I use a CSP hash to allow it)
No JS or blocking assets
Aggressively using CSS containment on everything, and using content-visibility whenever possible
Async image decoding
All images well under 10kb so I don’t need lazy loading or progressive rendering
Tuning TCP Fast Open settings to improve my benchmarks
Ensuring enough free memory is reserved for Linux to cache the necessary files

Optimizations I’ve rejected:

Kernel-based TLS offload with OpenSSL (quictls fork) + Nginx kTLS. My benchmarks showed that this actually made things slower than Nginx + BoringSSL with TLS running in user-space. Things will likely improve in Linux 5.20.
Using a CDN
Speculatively preloading pages ahead-of-time
Minifying my markup (I want it to be readable)
Early Hints (basically useless with a fast back-end)
fetchpriority: browsers are good enough at this already.
Lazy loading: I want the page to finish loading once; the user should be able to then disconnect and finish reading.
Removing unused inline CSS per page: I allow CSS with a CSP hash and set the header in my server configs. Having a unique stylesheet per page would cause this header to change, complicating my server workflow and offsetting size reductions by reducing HPACK and QPACK gains.

What’s left to do? I don’t care if it’s not worth the effort; it’s just fun to do.


This service is offered by alarig.
Beer, privacy and free software lovers. Join us!