Our great sponsors
|2 days ago||1 day ago|
|BSD 3-clause "New" or "Revised" License||GNU General Public License v3.0 or later|
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Google ads malvertising is targeting open source software
2 projects | news.ycombinator.com | 7 Mar 2023
We had a close call with malvertising ourselves, so we wrote an osquery query to alert on .dmg/.iso/.pkg downloads from unknown sources:
This query should not be your only line of defense, but can provide an early heads up before the package is opened. You can deploy this query with Kolide, as it uses osquery under the hood.
It was once possible to have a query like this that worked on Linux using the user.xdg.origin.url extended file attribute, but Chromium dropped support for it in 2019 for privacy reasons: https://chromium.googlesource.com/chromium/src/+/a9b4fb70b43...
Please Help Improve Magit
7 projects | news.ycombinator.com | 26 Feb 2023
Steps to reproduce:
1. Clone <https://chromium.googlesource.com/chromium/src>.
2. Navigate to this directory in Emacs dired.
3. Run magit-status.
4. Observe how long it takes for Emacs to become responsive again. For me it's 28 seconds, while running git status in the terminal takes 6 seconds.7 projects | news.ycombinator.com | 26 Feb 2023
The FBI now recommends using an ad blocker when searching the web
8 projects | news.ycombinator.com | 23 Feb 2023
The last one is very anglo-centric (or at least centric to fully latinized languages). Do you not find the rules in for example chrome working?
New Malware Abuses Microsoft IIS Feature to Establish Backdoor
2 projects | news.ycombinator.com | 16 Feb 2023
I don't think "airtight hatchway" applies here because what is to say the entry point isn't exploiting w3wp.exe remotely and executing code from the stack. Then let's say a memory page containing FREB code has permission PAGE_EXECUTE_READWRITE set (a plausible possibility for JIT compiling akin to eBPF), providing a convenient (and plausibly deniable) location for an extended amount of malicious code to be stored and executed from. Or w3wp.exe has permission to create a new memory page with PAGE_EXECUTE_READWRITE set and again this is plausibly deniable because FREB may need to do similar for JIT compiling. It it were almost any other process, a memory page set to PAGE_EXECUTE_READWRITE would sound alarm bells (or at least it should).
The second aspect is how well is w3wp.exe isolated? Can and does it use "AppContainer" isolation and is it strict? For example, could code executed by w3wp.exe create a new network socket, execute another process, write to a file in any path even though it shouldn't have a need to do so? Perhaps a different process sample123.exe is compromised, which by itself isn't too much of a problem due to its high degree of isolation. However, sample123.exe has permission to write to a pipe shared with w3wp.exe and can use this permission to exploit a bug in w3wp.exe (not exposed remotely) to allow code to execute with different/higher permissions of w3wp.exe, or using a plausibly deniable PAGE_EXECUTE_READWRITE memory page of w3wp.exe to store and execute code from without immediately sounding alarm bells.
_If_ strong process isolation was in place and working for w3wp.exe and/or sample123.exe, the "airtight hatchway" may not have been breached because whilst malicious code may have been executable from a stack, the malicious code wouldn't have been able to achieve much or anything of concern (can't read files from disk, can't access memory of other processes, can't login to a SQL database and start pulling data of other users, etc, etc).
I'm not sure what the equivalent of "systemd-analyze security" is for Windows, but it'd be well worthwhile for Windows system owners to demand similar easy-to-use tools for auditing the level of isolation of and required interfaces between applications (spoiler: just like a typical Linux system, the results will not be comforting, but seemingly with Windows you wouldn't know). Windows process isolation features introduced over the years are poorly documented, hard to use due to lack of tooling and often not used except for a few high profile applications such as Chromium and Adobe Acrobat. Chromium possibly has one of the best overviews of how sandboxing/process isolation can be achieved in Windows because they would have gone through a lot of pain in being amongst the first to figure it out.
I Use C When I Believe in Memory Safety
5 projects | news.ycombinator.com | 5 Feb 2023
I am more paranoid and cautious than, say, 95% of the programmers I've known. Maybe more. I still don't trust myself to write safe C.
Specifically, I do not think I'm smart enough to violate the Chrome team's Rule of 2: https://chromium.googlesource.com/chromium/src/+/master/docs...
> The Rule Of 2 is: Pick no more than 2 of untrustworthy inputs; unsafe implementation language; and high privilege.
I do know of a few C programmers I'd trust: DJB, many of the OpenBSD team, the Dovecot maintainers, and a few others with long track records of security.
But I don't trust myself because I've used fuzzers on my Rust code, trying billions of inputs. And I've found DDOS bugs that would have been crashing bugs in C.
What's more damning, the most careful C code I ever wrote has an enormous, sneaky test suite. It was tested with every sanitizer I could find. It used carefully designed error handling conventions. Still, in the last 20 years, it has been the subject of several CVEs. You see, I relied on a high-quality 3rd party XML parser, and that parser had a handful of bugs.
Out of 7 billion people on this planet, the number that I'd personally trust to reliaby write CVE-free C code is in the low triple digits. I'm not one of them.
Understanding Rust is a cakewalk compared to understanding "undefined behavior" in the C standard, or to making sure a large C program never overflows an addition, or accesses memory out of bounds. But Rust is not the only option.
As an industry, we need to stop making the same endless security mistakes. It's not OK.
Forking Chrome to Render in a Terminal
11 projects | news.ycombinator.com | 27 Jan 2023
Time to dig out my Wyse 50 again! https://chromium.googlesource.com/chromium/src/+/HEAD/docs/o...
ZeroSSL: XSS to session hijacking, stealing a private key (and password hash)
4 projects | news.ycombinator.com | 19 Jan 2023
A Programmable Markup Language for Typesetting [pdf]
9 projects | news.ycombinator.com | 18 Jan 2023
Thanks. Yes, rendering and shaping are distinct but some of the linked libraries did one, the other, or both and the parent commenter singled out rastering which is how I ended up putting FreeType and HarfBuzz in the same sentence. Even then both are commonly used in tandem (see -) and have a few overlapping functionalities.
> it does support BiDi, complex script shaping
Hey, that is indeed quite good. Would you mind if I ask you how well is the support for popular Asian languages?
> linking C and Rust in WASM is unfortunately not really possible
Damn. I am not very experienced in Rust but I would not have guessed that. I apologize if I misrepresented difficulties related to targeting WASM.
2 projects | reddit.com/r/browsers | 17 Jan 2023
Which file/folder encryption tool do you use under Android?
2 projects | reddit.com/r/fdroid | 13 Mar 2023
Hello i like Linux too . and check https://github.com/termux/termux-packages/issues/15579
3 projects | reddit.com/r/termux | 26 Jan 2023
Please begin to use https://termux.dev instead, since termux.org is uncontrolled
2 projects | reddit.com/r/termux | 23 Jan 2023
and link: https://github.com/termux/termux-packages/wiki/Termux-and-Android-102 projects | reddit.com/r/termux | 23 Jan 2023
When Google announced changes introduced in Android 10 and raised SDK requirements of Play Store, it became obvious that further Termux existence on Play Store is questionable. Basically at the same point Fornwall reduced development activity on the project but still was present in discussions regarding the Android 10 problem until finally disappeared. Fornwall made few appearances later, but totally ignored all our requests to unpublish the app from Play Store.
best alternative to "XmrigforAndroid"?
2 projects | reddit.com/r/MoneroMining | 14 Jan 2023
You can run XMRig through Termux.
Run x86 (32-Bit) & x86_64 (64-Bit) Windows Apps in a Proot Environment with Box86, Box64, and Wine 7.2.2 on Aarch64 version of Ubuntu 22.04.
5 projects | reddit.com/r/termux | 22 Dec 2022
I'm pretty sure this is possible, and would appreciate confirmation/direction.
4 projects | reddit.com/r/termux | 13 Dec 2022
Is there still any way to import my wish history to external sites (Paimon.moe etc) on Android?
3 projects | reddit.com/r/Genshin_Impact | 26 Nov 2022
Termux on Android 5 or 6
10 projects | news.ycombinator.com | 21 Nov 2022
Initially Android 5/6 was dropped since 2020-01-01, but this year it was decided to bring Android 5/6 support back.
 https://github.com/termux/termux-packages/issues/446710 projects | news.ycombinator.com | 21 Nov 2022
Termux has an open source repository of packages. It's similar to arch, debian, alpine, etc. https://github.com/termux/termux-packages
Termux doesn't get special privileges unless you root your device. It can't go messing with your phone data unless you granted it permission to do so (but even then it doesn't have access to everything). It's no worse than any other Android app IMHO.
What are some alternatives?
ungoogled-chromium - Google Chromium, sans integration with Google
Code-Server - VS Code in the browser
UserLAnd - Main UserLAnd Repository
WebKit - Home of the WebKit project, the browser engine used by Safari, Mail, App Store and many other applications on macOS, iOS and Linux.
xmrig - Monero (rx/0, rx/wow, rx/loki, defyx, rx/arq, rx/sfx, rx/keva, cn/0, cn/1, cn/2, cn/r, cn/fast, cn/half, cn/xao, cn/rto, cn/rwz, cn/zls, cn/double, cn/gpu, cn-lite/0, cn-lite/1, cn-heavy/0, cn-heavy/tube, cn-heavy/xhv, cn-pico, cn-pico/tlo, argon2/chukwa, argon2/wrkz, astrobwt) CPU/GPU miner
bromite - Bromite is a Chromium fork with ad blocking and privacy enhancements; take back your browser!
brave-browser - Next generation Brave browser for Android, Linux, macOS, Windows.
termux-app - Termux - a terminal emulator application for Android OS extendible by variety of packages.
android-tools - Android tools built for Android devices.
AllHackingTools - All-in-One Hacking Tools For Hackers! And more hacking tools! For termux.
syncthing-android - Wrapper of syncthing for Android.
proot-distro - An utility for managing installations of the Linux distributions in Termux.