<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: c0l0</title><link>https://news.ycombinator.com/user?id=c0l0</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Tue, 09 Jun 2026 20:22:26 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=c0l0" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by c0l0 in "How Shamir's Secret Sharing Works"]]></title><description><![CDATA[
<p>We use this technique in our team to distribute passphrases for our secondary secret stores (that contain instructions on how to access our primary secret stores) in a "democratically secure and safe" manner.<p><a href="https://packages.debian.org/trixie/ssss" rel="nofollow">https://packages.debian.org/trixie/ssss</a> is a nice and rather straightforward implementation.</p>
]]></description><pubDate>Tue, 26 May 2026 08:46:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=48276937</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=48276937</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48276937</guid></item><item><title><![CDATA[New comment by c0l0 in "Who Is That Knocking at My (SSH) Door?"]]></title><description><![CDATA[
<p>I recommend <a href="https://johannes.truschnigg.info/writing/2025-02-simple_effective_ssh_ratelimiting_pam_nftables/" rel="nofollow">https://johannes.truschnigg.info/writing/2025-02-simple_effe...</a> as an (imo) better approach than fail2ban parsing your logs to deal with the problem.</p>
]]></description><pubDate>Thu, 30 Apr 2026 07:51:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=47959509</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47959509</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47959509</guid></item><item><title><![CDATA[New comment by c0l0 in "Wire to Replace Signal as Standard in the Bundestag"]]></title><description><![CDATA[
<p>One of my most esteemed former co-workers used to say that whenever you succeed in making something idiot-proof, the universe will create a better idiot, undoing any progress you made.</p>
]]></description><pubDate>Wed, 29 Apr 2026 08:39:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=47945684</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47945684</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47945684</guid></item><item><title><![CDATA[Pgbackrest is no longer being maintained]]></title><description><![CDATA[
<p>Article URL: <a href="https://github.com/pgbackrest/pgbackrest">https://github.com/pgbackrest/pgbackrest</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47919997">https://news.ycombinator.com/item?id=47919997</a></p>
<p>Points: 451</p>
<p># Comments: 232</p>
]]></description><pubDate>Mon, 27 Apr 2026 10:56:34 +0000</pubDate><link>https://github.com/pgbackrest/pgbackrest</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47919997</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47919997</guid></item><item><title><![CDATA[New comment by c0l0 in "Windows Server 2025 Runs Better on ARM"]]></title><description><![CDATA[
<p>Does Windows on ARM use VBS/Virtualization Based Security, and does ARM support nested virtualization to do so in a VM, too? Does it employ costly CPU vulnerability mitigation techniques that might hit two times in a VM (unless the Hypervisor is adequately set up, which I'd hope is the default for Hyper-V)? Those two things account for most of the common performance problems observed when putting modern Windows in a VM. I'd love to know more about it, but the article does not seem to mention either.</p>
]]></description><pubDate>Wed, 22 Apr 2026 06:57:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=47860017</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47860017</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47860017</guid></item><item><title><![CDATA[New comment by c0l0 in "IPv6 traffic crosses the 50% mark"]]></title><description><![CDATA[
<p>I'd say it's either because they're just having fun, or because they're dumb.</p>
]]></description><pubDate>Thu, 16 Apr 2026 08:39:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=47790323</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47790323</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47790323</guid></item><item><title><![CDATA[New comment by c0l0 in "WireGuard makes new Windows release following Microsoft signing resolution"]]></title><description><![CDATA[
<p>Thanks for this (and I actually learned about PS1's handy Unblock-File this very moment! :)), but I am aware of the "mark of the web"-stuff MSFT had introduced after realizing that an "attacker-controlled" filename extension alone is a poor safeguard against making a file executable ;)<p>For my specific problem/situation, the executable in question gets transferred to the target machine on a read-only UDF file system burnt onto a USB thumb drive. Other Golang executables from FOSS projects on the same filesystem execute just fine (I guess they have better "reputation", due to their hashes being registered with MSFT somewhere).</p>
]]></description><pubDate>Sun, 12 Apr 2026 11:17:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=47738380</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47738380</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47738380</guid></item><item><title><![CDATA[New comment by c0l0 in "WireGuard makes new Windows release following Microsoft signing resolution"]]></title><description><![CDATA[
<p>"works just fine on Windows as it always has" is just not true. These days, I cannot even run my own cross-compiled Go executables of a cross-platform tool that I am developing in private on Windows 10 or 11, because some blue popup from Windows Defender/"SmartScreen" prevents me from doing so, and tells me to contact the software publisher if I'd like to be able to do something about it. Outright disabling Defender/SmartScreen works around the problem (but the popup doesn't tell me that), and, presumably, signing these executables with a "trusted" developer certificate would make this outcome less probable - that is at least what people online have been telling me.<p>In my book (I started using computers during the Windows 3.0 era), this <i>clearly</i> does not qualify as "working just fine on Windows as it always has", no matter how you spin it.</p>
]]></description><pubDate>Sat, 11 Apr 2026 08:58:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=47728848</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47728848</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47728848</guid></item><item><title><![CDATA[New comment by c0l0 in "WireGuard makes new Windows release following Microsoft signing resolution"]]></title><description><![CDATA[
<p>As a wireguard user myself (even on the lone Windows machine that I still begrudgingly have), I am happy that this problem could have been resolved. I am just wondering - if there <i>had not</i> been this kind of public outcry and outrage that Mr. Donenfeld discounts in his announcement message, would the issue have been fixed by now?<p>What are individual developers of "lesser" (less important, less visible, less used) software with a Windows presence to do? Wait and pray for Goliath to make the first benevolent move, like all the folks who got locked out forever from their Google accounts on a whim? Ha!<p>The fact of the matter is, the code signing requirements on Windows are a serious threat to Free and Open Source Software on the platform. Code signing requirements are a threat to FOSS on all platforms that support this technique, and infinitely more so where it's effectively mandatory. I firmly believe that these days, THIS is the preferred angle/vector for Microsoft to kill the software variety their C-levels once publicly bad-mouthed as "cancer", and zx2c4 is one of the poor frogs being slowly boiled alive. Just not this time - yet.</p>
]]></description><pubDate>Fri, 10 Apr 2026 16:20:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=47720391</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47720391</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47720391</guid></item><item><title><![CDATA[New comment by c0l0 in "LibreOffice and the art of overreacting"]]></title><description><![CDATA[
<p>I am already donating the rough equivalent of the cheapest Microsoft 365 subscription to The Document Foundation each year, and won't stop now just because they're increasing the visibility of their donation-based funding model. I hope they succeed, and many more people start contributing financially as a result.</p>
]]></description><pubDate>Thu, 26 Mar 2026 11:22:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=47529144</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47529144</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47529144</guid></item><item><title><![CDATA[New comment by c0l0 in "Microsoft's "fix" for Windows 11"]]></title><description><![CDATA[
<p>Thanks, but no thanks. The only winning move, long-term, is to excise everything this wretched company makes from your life as vigorously as possible. It's been true 20 years ago, and it's even more true today.</p>
]]></description><pubDate>Tue, 24 Mar 2026 11:07:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=47500938</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47500938</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47500938</guid></item><item><title><![CDATA[New comment by c0l0 in "How to install and start using LineageOS on your phone"]]></title><description><![CDATA[
<p>None of the missing ones have proper, official, upstream LineageOS support. If you install LineageOS on these, you install somebody's own, personal fork of LineageOS. Which might be totally fine, of course. But because of the necessarily different signing keys alone, it's a (potentially) very different thing.</p>
]]></description><pubDate>Fri, 06 Mar 2026 07:40:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=47272129</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47272129</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47272129</guid></item><item><title><![CDATA[New comment by c0l0 in "Felix "fx" Lindner has died"]]></title><description><![CDATA[
<p>A true hero and legend. RIP.</p>
]]></description><pubDate>Mon, 02 Mar 2026 17:19:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=47220935</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=47220935</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47220935</guid></item><item><title><![CDATA[New comment by c0l0 in "LineageOS 23.2"]]></title><description><![CDATA[
<p>I disagree. If LineageOS builds were actually unsigned, I would have no way of verifying that release N was signed by the same private-key-bearing entity that signed release N-1, which I happen to have installed. It could be construed as the effective difference between a Trust On First Use (TOFU) vs. a Certificate Authority (CA) style ecosystem. I hope you can agree that TOFU is worth MUCH more than having no assurance about (continued) authorship at all.</p>
]]></description><pubDate>Sun, 08 Feb 2026 08:41:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=46932529</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=46932529</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46932529</guid></item><item><title><![CDATA[New comment by c0l0 in "LineageOS 23.2"]]></title><description><![CDATA[
<p>LineageOS isn't unsigned, it just happens to be signed by keys that are not "trusted" (i.e., allowed - thanks for the correction!) by the phone's bootloaders.</p>
]]></description><pubDate>Sun, 08 Feb 2026 08:30:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=46932467</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=46932467</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46932467</guid></item><item><title><![CDATA[New comment by c0l0 in "Lennart Poettering, Christian Brauner founded a new company"]]></title><description><![CDATA[
<p>No.</p>
]]></description><pubDate>Wed, 28 Jan 2026 16:19:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=46797351</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=46797351</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46797351</guid></item><item><title><![CDATA[New comment by c0l0 in "Gnome and Mozilla Discuss Proposal to Disable Middle Mouse Paste on Linux"]]></title><description><![CDATA[
<p>Yeah, they can fuck right off with that kind of shit idea.</p>
]]></description><pubDate>Tue, 06 Jan 2026 15:56:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=46513931</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=46513931</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46513931</guid></item><item><title><![CDATA[New comment by c0l0 in "TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy"]]></title><description><![CDATA[
<p>Yeah, I can see why that is a show-stopper for people. However, the thingino project has people among them who care deeply about ease of installation - so with these security issues discovered in the TP-Link device, chances are an installation method that relies on a vulnerable stock firmware will be provided in time :)</p>
]]></description><pubDate>Sat, 20 Dec 2025 16:55:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=46337530</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=46337530</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46337530</guid></item><item><title><![CDATA[New comment by c0l0 in "TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy"]]></title><description><![CDATA[
<p>I came here to post this, too :) What the thingino community managed to do with their firmware for these cameras is nothing short of amazing - if you happen to have a compatible camera, you really, <i>really</i> should give it a whirl!</p>
]]></description><pubDate>Fri, 19 Dec 2025 20:37:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=46330603</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=46330603</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46330603</guid></item><item><title><![CDATA[New comment by c0l0 in "Vm.overcommit_memory=2 is the right setting for servers"]]></title><description><![CDATA[
<p>I realize this is mostly tangential to the article, but a word of warning for those who are about to mess with overcommit for the first time: In my experience, the extreme stance of "always do [thing] with overcommit" is just not defensible, because most (yes, also "server") software is just not written under the assumption that being able to deal with allocation failures in a meaningful way is a necessity. At best, there's a "malloc() or die"-like stanza in the source, and that's that.<p>You can and maybe even should disable overcommit this way when running postgres on the server (and only a minimum of what you would these days call sidecar processes (monitoring and backup agents, etc.) on the same host/kernel), but once you have a typical zoo of stuff using dynamic languages living there, you WILL blow someone's leg off.</p>
]]></description><pubDate>Fri, 19 Dec 2025 20:13:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=46330337</link><dc:creator>c0l0</dc:creator><comments>https://news.ycombinator.com/item?id=46330337</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46330337</guid></item></channel></rss>