<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: yrro</title><link>https://news.ycombinator.com/user?id=yrro</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Mon, 15 Jun 2026 17:51:32 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=yrro" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by yrro in "Dead.Letter (CVE-2026-45185) – How XBOW found an unauthenticated RCE on Exim"]]></title><description><![CDATA[
<p>Debian builds Exim against GnuTLS because OpenSSL used to use a license with an advertising clause, making it incompatible with the GPL'd Exim.<p>Since OpenSSL 3 is now available under a GPL-compatible license, I think it's long past time to switch. But judging by the sorry state of <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446036" rel="nofollow">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446036</a> I don't think it's going to happen any time soon.</p>
]]></description><pubDate>Thu, 14 May 2026 17:12:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=48138190</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=48138190</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48138190</guid></item><item><title><![CDATA[New comment by yrro in "Let’s Encrypt: Stopping Issuance for Potential Incident – Resolved"]]></title><description><![CDATA[
<p>Ask the CA/Browser forum what they will insist upon</p>
]]></description><pubDate>Sat, 09 May 2026 18:47:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=48077226</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=48077226</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48077226</guid></item><item><title><![CDATA[New comment by yrro in "Copy Fail"]]></title><description><![CDATA[
<p>FYI RHEL's SELinux policy blocks AF_ALG socket creation for confined services out of the box. But disabling via RestrictAddressFamilies= unit option, or initcall_blacklist= kernel parameter, seems to be a good mitigation for unconfined services, users and containers.</p>
]]></description><pubDate>Thu, 30 Apr 2026 09:20:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=47960055</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=47960055</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47960055</guid></item><item><title><![CDATA[New comment by yrro in "Copy Fail"]]></title><description><![CDATA[
<p>They've bumped the severity and 8/9/10 are now 'affected'. Hope a patch comes soon!</p>
]]></description><pubDate>Thu, 30 Apr 2026 08:33:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=47959791</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=47959791</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47959791</guid></item><item><title><![CDATA[New comment by yrro in "Copy Fail"]]></title><description><![CDATA[
<p>Have you got any info about this? 'seinfo -c' shows there is an alg_socket class. I presume this permission is required to be able to create an AF_ALG socket:<p><pre><code>    $ sesearch -A -c alg_socket -p create
    allow bluetooth_t bluetooth_t:alg_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
    allow container_device_plugin_init_t container_device_plugin_init_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_device_plugin_t container_device_plugin_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_device_t container_device_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_engine_t container_engine_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_init_t container_init_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_kvm_t container_kvm_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_logreader_t container_logreader_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_logwriter_t container_logwriter_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_t container_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow container_userns_t container_userns_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
    allow openshift_app_t openshift_app_t:alg_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
    allow openshift_t openshift_t:alg_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
    allow spc_t unlabeled_t:alg_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
    allow staff_t staff_t:alg_socket { append bind connect create getopt ioctl lock read setattr setopt shutdown write };
    allow sysadm_t sysadm_t:alg_socket { accept append bind connect create getopt ioctl listen lock read setattr setopt shutdown write };
    allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
    allow user_t user_t:alg_socket { append bind connect create getopt ioctl lock read setattr setopt shutdown write };
</code></pre>
... that's a lot of domains, including container_t and user_t; and obviously anything unconfined_t can't be expected to be restricted.<p>(Maybe you & others are specifically thinking of Android's policy?)</p>
]]></description><pubDate>Thu, 30 Apr 2026 08:24:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=47959734</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=47959734</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47959734</guid></item><item><title><![CDATA[New comment by yrro in "A deep dive into Apple's .car file format"]]></title><description><![CDATA[
<p>... and that is why all 'modern' software is incredibly memory and CPU intensive...</p>
]]></description><pubDate>Tue, 17 Feb 2026 09:02:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=47045243</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=47045243</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47045243</guid></item><item><title><![CDATA[New comment by yrro in "Babylon 5 is now free to watch on YouTube"]]></title><description><![CDATA[
<p>Take it from someone who saw it when it first aired on standard definition analogue TV: it doesn't really matter all that much. The performance of the actors and the story is what's important!</p>
]]></description><pubDate>Sat, 14 Feb 2026 10:16:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=47013335</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=47013335</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47013335</guid></item><item><title><![CDATA[New comment by yrro in "Babylon 5 is now free to watch on YouTube"]]></title><description><![CDATA[
<p>A _real_ web site!<p>When I first returned to it rewatching B5 a couple of years ago, I actually found it difficult to navigate. It took me a while to realise that my brain was parsing the block of navigation buttons at the centre top of the screen as a banner ad and filtering it out!</p>
]]></description><pubDate>Sat, 14 Feb 2026 10:03:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=47013252</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=47013252</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47013252</guid></item><item><title><![CDATA[New comment by yrro in "Babylon 5 is now free to watch on YouTube"]]></title><description><![CDATA[
<p>The "TKO" 'A' plot is silly but it has one of the most moving and memorable 'B' plots of the series!</p>
]]></description><pubDate>Sat, 14 Feb 2026 09:46:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=47013161</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=47013161</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47013161</guid></item><item><title><![CDATA[New comment by yrro in "Windows Notepad App Remote Code Execution Vulnerability"]]></title><description><![CDATA[
<p>This is the same company that, back in the day, warned users to not click links in Internet Explorer. A web browser.</p>
]]></description><pubDate>Wed, 11 Feb 2026 08:59:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=46972576</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=46972576</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46972576</guid></item><item><title><![CDATA[New comment by yrro in "The RCE that AMD won't fix"]]></title><description><![CDATA[
<p>Doesn't this break CRL fetching and OCSP queries?</p>
]]></description><pubDate>Fri, 06 Feb 2026 14:20:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=46913146</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=46913146</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46913146</guid></item><item><title><![CDATA[New comment by yrro in "The RCE that AMD won't fix"]]></title><description><![CDATA[
<p>Of course not, the vulnerability is in "AMD’s AutoUpdate software" (i.e., vendor trash).</p>
]]></description><pubDate>Fri, 06 Feb 2026 09:29:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=46910789</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=46910789</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46910789</guid></item><item><title><![CDATA[New comment by yrro in "How not to securely erase a NVME drive (2022)"]]></title><description><![CDATA[
<p>That won't overwrite pages not allocated to a namespace (which can happen due to wear levelling/underprovisioning, or because the controller has decided to stop using that page because it's unhealthy).<p>Flash looks like a simple array of blocks, but under the hood there is a controller that allocates writes to different pages. You need to tell the controller to erase all pages if you want to guarantee data destruction.</p>
]]></description><pubDate>Thu, 05 Feb 2026 09:29:15 +0000</pubDate><link>https://news.ycombinator.com/item?id=46897655</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=46897655</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46897655</guid></item><item><title><![CDATA[New comment by yrro in "How not to securely erase a NVME drive (2022)"]]></title><description><![CDATA[
<p>What's the difference between this and sanitize? Should we be doing both?<p>[edit] sanitize runs on the controller level while format works on the namespace level. So I suppose formatting won't touch any pages not allocated to a namespace.<p>I wish there was _any_ way to find out which NVME controllers supported which operation before you buy them!</p>
]]></description><pubDate>Thu, 05 Feb 2026 09:10:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=46897521</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=46897521</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46897521</guid></item><item><title><![CDATA[New comment by yrro in "How not to securely erase a NVME drive (2022)"]]></title><description><![CDATA[
<p>I suppose arguably the kernel, or at least some component of the OS, should be freezing/locking drives as they come online. The firmware doing so as one-off operation during boot is a workaround for the lack of this being done by the OS.</p>
]]></description><pubDate>Thu, 05 Feb 2026 09:09:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=46897513</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=46897513</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46897513</guid></item><item><title><![CDATA[New comment by yrro in "How not to securely erase a NVME drive (2022)"]]></title><description><![CDATA[
<p>I've lost faith that Linux distros will ever fix the problem where some PCR changes and the TPM refuses to unseal the key... the user is left with a recovery passphrase prompt & no way to verify whether they have been attacked by the 'evil maid', or whether it was just because of a kernel or kernel command line or initrd or initrd module change, etc.</p>
]]></description><pubDate>Thu, 05 Feb 2026 08:56:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=46897411</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=46897411</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46897411</guid></item><item><title><![CDATA[New comment by yrro in "How not to securely erase a NVME drive (2022)"]]></title><description><![CDATA[
<p>> So I connected it to the computer with the USB to NVME M.2 converter<p>> blkdiscard: /dev/nvme0n1: BLKSECDISCARD ioctl failed: Operation not supported<p>I've got a USB-to-NVME adapter that exposes the NVME namespaces as SCSI disks. `blkdiscard` did not work with these by default, however it worked fine after I changed the `provisioning_mode` attribute of the disk.<p>This can be done by identifying the SCSI device ID of the disk (lsscsi) and then changing it with:<p><pre><code>    # echo unmap > /sys/class/scsi_disk/a:b:c:d/provisioning_mode
</code></pre>
`lsblk -D` will show which block devices support the discard operation; run it before and after changing provisioning_mode to see the difference.<p>This is absolutely not to be used as an alternative to a real 'sanitize' operation directly sent to the NVME controller. If you actually need to securely erase your data, and the drive doesn't support the sanitize operation, then you should physically shred the drive and demand a refund from the retailer (goods as sold are not fit for purpose).<p>Overall, I've found dealing with nvme a frustrating experience. In theory it's nice to have NVME controller firmware be responsible for executing commands from the host (sanitize! change LBA size! underprovision by 30%!) but in practice, it's complete hit or miss whether controllers support a command or will reject it, or maybe they claim to support it but it doesn't work because the controller firmware is buggy shit.<p>I would like to have raw NAND devices and have the kernel be in charge of everything, but sadly that wouldn't work for Windows so we're stuck in proprietary firmware hell.</p>
]]></description><pubDate>Thu, 05 Feb 2026 08:43:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=46897303</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=46897303</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46897303</guid></item><item><title><![CDATA[New comment by yrro in "We will ban you and ridicule you in public if you waste our time on crap reports"]]></title><description><![CDATA[
<p>Somehow, I knew this would be curl before finishing reading the headline. Good on them!</p>
]]></description><pubDate>Thu, 22 Jan 2026 11:48:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=46718041</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=46718041</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46718041</guid></item><item><title><![CDATA[New comment by yrro in "An Elizabethan mansion's secrets for staying warm"]]></title><description><![CDATA[
<p>In the UK it's minimum code and we don't bother to inspect. We trust the building firms to self-certify, with predictable results...</p>
]]></description><pubDate>Sun, 18 Jan 2026 17:46:20 +0000</pubDate><link>https://news.ycombinator.com/item?id=46670099</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=46670099</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46670099</guid></item><item><title><![CDATA[New comment by yrro in "Why is there a tiny hole in the airplane window? (2023)"]]></title><description><![CDATA[
<p>How much easier would it be to design, build & maintain aircraft if we did away with (passenger) windows?</p>
]]></description><pubDate>Fri, 09 Jan 2026 14:13:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=46554023</link><dc:creator>yrro</dc:creator><comments>https://news.ycombinator.com/item?id=46554023</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46554023</guid></item></channel></rss>