<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: terom</title><link>https://news.ycombinator.com/user?id=terom</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sat, 20 Jun 2026 06:45:43 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=terom" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by terom in "ZDI-CAN-30207: Unpatched 9.8 RCE zero-day in Telegram"]]></title><description><![CDATA[
<p><a href="https://x.com/telegram/status/2038069726316834994" rel="nofollow">https://x.com/telegram/status/2038069726316834994</a> Telegram claims that exploitation of the vulnerability is blocked by server-side validation of stickers</p>
]]></description><pubDate>Mon, 30 Mar 2026 12:31:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=47573442</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=47573442</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47573442</guid></item><item><title><![CDATA[New comment by terom in "Pricing Changes for GitHub Actions"]]></title><description><![CDATA[
<p>I haven't seen a serialization exception, but I have run into plenty of footguns with YAML (ref GitHub Actions).<p>The DSL semantics can be weird with regard to when things like params/env expansions in the options block are evaluated.</p>
]]></description><pubDate>Wed, 17 Dec 2025 19:56:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=46304679</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=46304679</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46304679</guid></item><item><title><![CDATA[New comment by terom in "Pricing Changes for GitHub Actions"]]></title><description><![CDATA[
<p>Working with Jenkins CasC, JobDSL and declarative pipelines, I'm not sure where the million times comes from. Sure, there are some annoying parts, and GHA has the social network for reusable actions, but apart from that it's not that different.<p>Oldschool maven type jobs where you type shell script into a `<textarea>`? Yeah, let's not talk about those, but we don't have a single one left anymore.</p>
]]></description><pubDate>Wed, 17 Dec 2025 17:16:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=46302401</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=46302401</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46302401</guid></item><item><title><![CDATA[New comment by terom in "Cloudflare Down Again – and DownDetector Is Also Down"]]></title><description><![CDATA[
<p>downdetectorsdowndetector.com does not load the results as part of the HTML, nor does it do any API requests to retrieve the status. Instead, the obfuscated JavaScript code contains a `generateMockStatus()` function that has parts like `responseTimeMs: randomInt(...)` and a hardcoded `status: up` / `httpStatus: 200`. I didn't reverse-engineer the entire script, but based on it incorrectly showing downdetector.com as being up today, I'm pretty sure that downdetectorsdowndetector.com is just faking the results.<p>downdetectorsdowndetectorsdowndetector.com and downdetectorsdowndetectorsdowndetectorsdowndetector.com seem like they might be legit. One has the results in the HTML, the other fetches some JSON from a backend (`status4.php`).</p>
]]></description><pubDate>Fri, 05 Dec 2025 10:52:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=46159590</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=46159590</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46159590</guid></item><item><title><![CDATA[New comment by terom in "First convex polyhedron found that can't pass through itself"]]></title><description><![CDATA[
<p>re-search :D</p>
]]></description><pubDate>Sun, 26 Oct 2025 05:15:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=45709333</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=45709333</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45709333</guid></item><item><title><![CDATA[New comment by terom in "Preliminary report into Air India crash released"]]></title><description><![CDATA[
<p>Also with additional control difficulty due to reduced hydraulic pressure.<p>> On the Boeing 767, the control surfaces are so large that the pilots cannot move them with muscle power alone. Instead, hydraulic systems are used to multiply the forces applied by the pilots. Since the engines supply power for the hydraulic systems, in the case of a complete power outage, the aircraft was designed with a ram air turbine that swings out from a compartment located beneath the bottom of the 767,[10] and drives a hydraulic pump to supply power to hydraulic systems.<p>> As the aircraft slowed on approach to landing, the reduced power generated by the ram air turbine rendered the aircraft increasingly difficult to control.[16]<p>> The forward slip disrupted airflow past the ram air turbine, which decreased the hydraulic power available; the pilots were surprised to find the aircraft slow to respond when straightening after the forward slip.</p>
]]></description><pubDate>Sun, 13 Jul 2025 08:22:35 +0000</pubDate><link>https://news.ycombinator.com/item?id=44548533</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=44548533</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44548533</guid></item><item><title><![CDATA[New comment by terom in "GCP Outage"]]></title><description><![CDATA[
<p>From the Cloudflare incident:<p>> Cloudflare’s critical Workers KV service went offline due to an outage of a 3rd party service that is a key dependency. As a result, certain Cloudflare products that rely on KV service to store and disseminate information are unavailable [...]<p>Surprising, but not entirely implausible for a GCP outage to spread to CF.</p>
]]></description><pubDate>Thu, 12 Jun 2025 20:02:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=44262518</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=44262518</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44262518</guid></item><item><title><![CDATA[New comment by terom in "DDoSecrets publishes 410 GB of heap dumps, hacked from TeleMessage"]]></title><description><![CDATA[
<p>Based on [1] it seems like one `management.endpoints.web.exposure.include=*` is enough to expose everything including the heapdump endpoint on the public HTTP API without authentication. It's even there in the docs as an example.<p>Looks like there is a change [2] coming to the `management.endpoint.heapdump.access` default value that would make this harder to expose by accident.<p>Let's look for `env` next...<p>[1] <a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.security" rel="nofollow">https://docs.spring.io/spring-boot/reference/actuator/endpoi...</a><p>[2] <a href="https://github.com/spring-projects/spring-boot/pull/45624">https://github.com/spring-projects/spring-boot/pull/45624</a></p>
]]></description><pubDate>Wed, 21 May 2025 12:22:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=44050703</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=44050703</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44050703</guid></item><item><title><![CDATA[New comment by terom in "Curl: We still have not seen a valid security report done with AI help"]]></title><description><![CDATA[
<p>Going a bit further, it seems like there's a grain of truth here, HTTP/2 has a stream priority dependency mechanism [1] and this report [2] from Imperva describes an actual Dependency Cycle DoS in the nghttp implementation.<p>Unfortunately that's where it seems to end... I'm not that familiar with QUIC and HTTP/2, but I think the closest it gets is that the GitHub repo exists and has a `class QuicConnection` [3]. Beyond that, the QUIC protocol layer doesn't have any concept of exchanging stream priorities [4] and HTTP/2 priorities are something the client sends, not the server? The PoC also mentions HTTP/3 and PRIORITY_UPDATE frames, but those are from the newer RFC 9218 [5] and lack the stream dependencies used in HTTP/2 PRIORITY frames.<p>I should learn more about HTTP/3!<p>[1] <a href="https://blog.cloudflare.com/adopting-a-new-approach-to-http-prioritization/" rel="nofollow">https://blog.cloudflare.com/adopting-a-new-approach-to-http-...</a><p>[2] <a href="https://www.imperva.com/docs/imperva_hii_http2.pdf" rel="nofollow">https://www.imperva.com/docs/imperva_hii_http2.pdf</a><p>[3] <a href="https://github.com/aiortc/aioquic/blob/218f940467cf25d364890a602b8fc451ca635062/src/aioquic/quic/connection.py#L236">https://github.com/aiortc/aioquic/blob/218f940467cf25d364890...</a><p>[4] <a href="https://datatracker.ietf.org/doc/html/rfc9000#name-stream-prioritization" rel="nofollow">https://datatracker.ietf.org/doc/html/rfc9000#name-stream-pr...</a><p>[5] <a href="https://www.rfc-editor.org/rfc/rfc9218.html#name-the-priority_update-frame" rel="nofollow">https://www.rfc-editor.org/rfc/rfc9218.html#name-the-priorit...</a></p>
]]></description><pubDate>Tue, 06 May 2025 22:52:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=43910474</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=43910474</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43910474</guid></item><item><title><![CDATA[New comment by terom in "Curl: We still have not seen a valid security report done with AI help"]]></title><description><![CDATA[
<p>The git commit hashes in the diff are interesting: 1a2b3c4..d4e5f6a<p>I think my wetware pattern-matching brain spots a pattern there.</p>
]]></description><pubDate>Tue, 06 May 2025 22:09:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=43910146</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=43910146</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43910146</guid></item><item><title><![CDATA[New comment by terom in "Widespread power outage in Spain and Portugal"]]></title><description><![CDATA[
<p>Portugal has an even bigger relative drop in load, from 5852MW at 11:00 hours -> 613MW at 13:00 hours - these seem like 1 hour averages.<p>[1] <a href="https://transparency.entsoe.eu/load-domain/r2/totalLoadR2/show?name=&defaultValue=false&viewType=GRAPH&areaType=CTY&atch=false&dateTime.dateTime=28.04.2025+00:00|CET|DAY&biddingZone.values=CTY|10YPT-REN------W!CTY|10YPT-REN------W&dateTime.timezone=CET_CEST&dateTime.timezone_input=CET+(UTC+1)+/+CEST+(UTC+2)" rel="nofollow">https://transparency.entsoe.eu/load-domain/r2/totalLoadR2/sh...</a></p>
]]></description><pubDate>Mon, 28 Apr 2025 12:54:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=43820990</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=43820990</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43820990</guid></item><item><title><![CDATA[New comment by terom in "Reports of widespread power cuts in Spain and Portugal"]]></title><description><![CDATA[
<p>That graph doesn't seem to make a very clear distinction between historical, real-time and predicted values... I think the event happened at 12:30 local time or so.<p>There seems to be some kind of recurrent daily pattern where the French - Spanish interconnect switches from Spain -> France imports to France -> Spain exports at around that time, and then back again in the late afternoon.</p>
]]></description><pubDate>Mon, 28 Apr 2025 12:19:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=43820635</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=43820635</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43820635</guid></item><item><title><![CDATA[New comment by terom in "Widespread power outage in Spain and Portugal"]]></title><description><![CDATA[
<p>It looks like the Iberian peninsula is relatively isolated from the rest of the CESA synchronous grid, with only 2% cross-border capacity compared to local generation. [1]<p>There's a map at [2]<p>> The Spanish electricity system is currently connected to the systems of France, Portugal, Andorra and Morocco. The exchange capacity of this interconnection is around 3 GW, which represents a low level of interconnection for the peninsula. The international interconnection level is calculated by comparing the electricity exchange capacity with other countries with the generation capacity or installed power.<p>[1] <a href="https://www.ree.es/en/ecological-transition/electricity-interconnections" rel="nofollow">https://www.ree.es/en/ecological-transition/electricity-inte...</a><p>[2] <a href="https://www.entsoe.eu/data/map/" rel="nofollow">https://www.entsoe.eu/data/map/</a></p>
]]></description><pubDate>Mon, 28 Apr 2025 12:03:35 +0000</pubDate><link>https://news.ycombinator.com/item?id=43820442</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=43820442</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43820442</guid></item><item><title><![CDATA[New comment by terom in "Oracle attempt to hide serious cybersecurity incident from customers"]]></title><description><![CDATA[
<p><a href="https://news.ycombinator.com/item?id=43486945">https://news.ycombinator.com/item?id=43486945</a> related</p>
]]></description><pubDate>Mon, 31 Mar 2025 16:22:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=43536786</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=43536786</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43536786</guid></item><item><title><![CDATA[New comment by terom in "Malware found on NPM infecting local package with reverse shell"]]></title><description><![CDATA[
<p>Yeah, you have to move it off-planet to achieve an actual security boundary.<p>In our threat model the upper bound on the useful lifetime of the system is limited by the light-distance time from the nearest adversary.</p>
]]></description><pubDate>Thu, 27 Mar 2025 08:09:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=43491356</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=43491356</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43491356</guid></item><item><title><![CDATA[New comment by terom in "A Comment on Mozilla's Policy Changes"]]></title><description><![CDATA[
<p>Yeah, and that makes sense in the context of an acceptable use policy for Mozilla services that are not your use of the Firefox browser.<p>But the same AUP for the services is now explicitly referenced in the TOS for the browser. How are you supposed to read it - the AUP only applies to your use of the browser to access the services? Isn't that already implicit if you're using the services? Surely it can't be attempting to apply the services AUP to any non-service use of the browser?<p>Very confusing, it seems badly written to me.<p>Same thing with the "Some Services in Firefox Require a Mozilla Account" and then the "Termination" with a notification to the (optional) account. Somewhat disconcerting.<p>[1] Mozilla can suspend or end anyone’s access to Firefox at any time for any reason, including if Mozilla decides not to offer Firefox anymore. If we decide to suspend or end your access, we will try to notify you at the email address associated with your account or the next time you attempt to access your account.<p>[1] <a href="https://www.mozilla.org/en-US/about/legal/terms/firefox/#mozilla-can-update-or-terminate-this-agreement" rel="nofollow">https://www.mozilla.org/en-US/about/legal/terms/firefox/#moz...</a></p>
]]></description><pubDate>Fri, 28 Feb 2025 14:31:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=43206013</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=43206013</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43206013</guid></item><item><title><![CDATA[New comment by terom in "A Comment on Mozilla's Policy Changes"]]></title><description><![CDATA[
<p>Wait, Mozilla is banning the use of their Firefox browser for porn? That's going to hurt adoption.<p>What's with the mix-up of their browser and services policies?<p>[1] Your use of Firefox must follow Mozilla’s Acceptable Use Policy, and you agree that you will not use Firefox to infringe anyone’s rights or violate any applicable laws or regulations.<p>[2] You may not use any of Mozilla’s services to:<p>* Upload, download, transmit, display, or grant access to content that includes graphic depictions of sexuality or violence,<p>[1] <a href="https://www.mozilla.org/en-US/about/legal/terms/firefox/#you-are-responsible-for-the-consequences-of-your-use-of-firefox" rel="nofollow">https://www.mozilla.org/en-US/about/legal/terms/firefox/#you...</a>
[2] <a href="https://www.mozilla.org/en-US/about/legal/acceptable-use/" rel="nofollow">https://www.mozilla.org/en-US/about/legal/acceptable-use/</a></p>
]]></description><pubDate>Fri, 28 Feb 2025 13:46:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=43205510</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=43205510</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43205510</guid></item><item><title><![CDATA[New comment by terom in "DigiCert: Threat of legal action to stifle Bugzilla discourse"]]></title><description><![CDATA[
<p>It's fascinating that we've built a system that has expended perhaps several million dollars of engineering, legal and admin etc time over the issue of a single letter not being capitalized [1], without any demonstrable impact beyond a failure to meet ambiguous specifications.<p>I do hope that dealing with all of the underlying issues around revocation etc makes the time and effort spent useful, and the Web PKI doesn't just mire itself in squabbling that blocks progress on actually meaningful issues.<p>[1] <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1894560" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=1894560</a></p>
]]></description><pubDate>Tue, 25 Feb 2025 08:04:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=43169381</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=43169381</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43169381</guid></item><item><title><![CDATA[New comment by terom in "Germany outfitted half a million balconies with solar panels"]]></title><description><![CDATA[
<p>These are technically kinda crazy, because they use a normal schuko plug (with male pins) to output power. It allows loading the circuit with a higher total ampacity than the circuit breaker protecting the wiring at the distribution panel. It takes a very specific set of regulations to make these legal, and those don't apply elsewhere in Europe.<p><a href="https://www.vde.com/de/fnn/themen/tar/tar-niederspannung/erzeugungsanlagen-steckdose" rel="nofollow">https://www.vde.com/de/fnn/themen/tar/tar-niederspannung/erz...</a><p><a href="https://tukes.fi/-/ala-kayta-pistorasiaan-kytkettavaa-aurinkopaneelia" rel="nofollow">https://tukes.fi/-/ala-kayta-pistorasiaan-kytkettavaa-aurink...</a> Finnish national authority says: NO</p>
]]></description><pubDate>Sat, 05 Oct 2024 10:08:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=41748811</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=41748811</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41748811</guid></item><item><title><![CDATA[New comment by terom in "SAML: A Technical Primer"]]></title><description><![CDATA[
<p>Renewing the certificates seems technically pointless, but some organizations/federations require it.<p>Rotating the keys would make some sense, but just swapping the cert for a new one issued against the same keys doesn't. It's the easiest way to fulfill those requirements, because you don't need to synchronize the metadata updates, the signatures are always valid with both the old and new cert.</p>
]]></description><pubDate>Sat, 28 Sep 2024 07:37:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=41678603</link><dc:creator>terom</dc:creator><comments>https://news.ycombinator.com/item?id=41678603</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41678603</guid></item></channel></rss>