My favorite type of person is the guy you invite to the party because you feel bad that he’s socially isolated, then he acts like a complete asshole and talks about how much the party sucks the whole time.
Yeah, we all know that guy.
I never give up on that guy and always invite him. I don’t know if it’s out of pity or survival instinct, because that guy is also the first one to be skinned and eaten alive by the rest of the group if they’re stranded on an island. He ensures I don’t go hungry.
nostr:npub1xpzrkaxt97zguqc5gj3xpkf6ymmxq363zp9xhgdw5h4arvhnr9wsancqs2 I'll read it at some point. Too busy writing and don't want to poison my brain with too much external influence.
nostr:npub18994crjwnldrukwym5lz3y2nae84s84v20m2rkngtjnyg549lr6qvxmd6m do you know where it was shot?
nostr:npub1pth7h6v9tkywagraddr80hpj24g0czy3fw0rkd4lny53vwynf4eqqy7hwl Probably Baltimore.
nostr:npub18994crjwnldrukwym5lz3y2nae84s84v20m2rkngtjnyg549lr6qvxmd6m I figured that’d be enough. https://youtu.be/IUc0R8bbWQE
nostr:npub1a0qxpztc73n47hp37wxfqt6thaakt97seu7satuv7uz65mnlq37sxu3tmr I'm Gen Z, I know very little Prince music and have never seen his music videos, heh.
Regardless, I don't think that is it. It wouldn't have just been one bird like in the video, it would have likely been a sky shot of multiple birds released all at once - they were racing pigeons, so they would have been uncaged to fly home.
nostr:npub18994crjwnldrukwym5lz3y2nae84s84v20m2rkngtjnyg549lr6qvxmd6m wasn't there some birds flying in Take on me?
nostr:npub15tpf43qu4dmd6ql5dzjt6auh4ywuafca6ytvju0j3465hyr8e9aqcl649k I just scrubbed through it and I don't think so
nostr:npub1a0qxpztc73n47hp37wxfqt6thaakt97seu7satuv7uz65mnlq37sxu3tmr "Prince" isn't a music video
Music Video trivia for NAS.
My grandfather raced pigeons and once released pigeons from a warehouse for a music video used by a popular band at the time. Nobody alive in the family can remember who the band was. The best guess was The Police, but I haven't been able to find any music videos by The Police with pigeons.
Do you know of any music videos from the 80s that have a flock of pigeons (being released from a warehouse)?
nostr:npub109x0x9dlft64y4h9vz9mxu92qpqn752sd8p4xe2zkcanlzmk2fcq3pwvvl nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub1ycnhgr56efxcpvhu7q0er9gqjqttpwhgqgjfgjaj7gpfea5g6xhq4zgshs I mean you don’t need vault. The secrets file (on a tmpfs) just needs to be made inaccessible after application init.
At that point secrets can’t be read from the FD by an arbitrary file read vuln, be it directly from a file or from /proc/self/environ.
nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub1sat3yl2hv2df5xmuqj75gvzfmvyxs5x36vaur9jwvjzejtx7y2hskp27a4 nostr:npub1ycnhgr56efxcpvhu7q0er9gqjqttpwhgqgjfgjaj7gpfea5g6xhq4zgshs Where should secrets be stored if not in a file? Do you just mean use an encrypted file always, to store secrets in?
nostr:npub1halzvw4rckekndd3l6tv5mzyx9m07v60wnearrfw8x4arcjpm82styg05e nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub1ycnhgr56efxcpvhu7q0er9gqjqttpwhgqgjfgjaj7gpfea5g6xhq4zgshs A file is fine as long as it’s a tmpfs (aka, written to RAM and not disk) and also unmounted, deleted, or otherwise made inaccessible after init, once it’s been read by the program.
nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub1ycnhgr56efxcpvhu7q0er9gqjqttpwhgqgjfgjaj7gpfea5g6xhq4zgshs oh, I see. I was only trying to pass along the general info that secrets in envvars is bad, I wasn’t interpreting it strictly in the context of Ditto.
Sounds like ditto doesn’t really have any secrets then, so the general advice doesn’t apply to that use case.
nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub1ycnhgr56efxcpvhu7q0er9gqjqttpwhgqgjfgjaj7gpfea5g6xhq4zgshs did you reply to the wrong thread? I don’t know what this has to do with not storing secrets in envvars
nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub1ycnhgr56efxcpvhu7q0er9gqjqttpwhgqgjfgjaj7gpfea5g6xhq4zgshs I’m on my phone and don’t have access to disgust.gif, but rest assured if I was at my desktop that’s what you’d be seeing.
The reasons to not use environment variables weren't super compelling. I'm coding ground-up support for envvars in Ditto, because it caused nostr:npub1ycnhgr56efxcpvhu7q0er9gqjqttpwhgqgjfgjaj7gpfea5g6xhq4zgshs a lot of pain trying to deploy Rebased in k8s as-is.
nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub1ycnhgr56efxcpvhu7q0er9gqjqttpwhgqgjfgjaj7gpfea5g6xhq4zgshs ok, but understand that means all the secrets are effectively on disk at /proc/self/environ. An arbitrary file read (like the two recent Pleroma issues) means full secret disclosure.
I would really recommend against it.
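A small Python illustration of the two points in this thread (added here; not Ditto's, Rebased's or Pleroma's code): a process whose environment carries a secret exposes it through its own /proc/self/environ, so any file-read bug in that process discloses it, while a secret staged on a RAM-backed directory (/dev/shm where present, assumed to be tmpfs) and unlinked right after init leaves nothing at that path for a later read. The function names, the `DB_PASSWORD` variable and the secret value are constructed for the example.

```python
import os
import subprocess
import sys
import tempfile

# Linux exposes the initial environment block of every process here.
PROC_ENVIRON_AVAILABLE = os.path.exists("/proc/self/environ")
# /dev/shm is tmpfs on most Linux systems (assumption); fall back to the normal tempdir elsewhere.
SECRET_DIR = "/dev/shm" if os.path.isdir("/dev/shm") else tempfile.gettempdir()


def secret_visible_in_environ(secret: str, env: dict) -> bool:
    """Start a child with exactly `env` and ask it whether `secret` appears in its
    own /proc/self/environ, i.e. whether an arbitrary file read inside that child
    would leak the secret. The secret goes in over stdin so it never lands in
    /proc/self/cmdline either."""
    if not PROC_ENVIRON_AVAILABLE:
        return False  # nothing to inspect on non-Linux hosts
    probe = ("import sys; s = sys.stdin.buffer.read(); "
             "sys.exit(0 if s in open('/proc/self/environ', 'rb').read() else 1)")
    r = subprocess.run([sys.executable, "-c", probe], env=env, input=secret.encode())
    return r.returncode == 0


def write_secret_file(secret: str) -> str:
    """Stage a secret on the RAM-backed directory. mkstemp creates it mode 0600,
    so only this user can read it while it exists."""
    fd, path = tempfile.mkstemp(dir=SECRET_DIR, prefix="app-secret-")
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    return path


def load_secret_and_revoke(path: str) -> str:
    """Read the secret exactly once at init, then unlink the file so a later
    file-read vulnerability finds nothing at that path."""
    with open(path) as f:
        secret = f.read()
    os.unlink(path)
    return secret


def secret_file_present(path: str) -> bool:
    return os.path.exists(path)
```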
Since it came up in a thread re: Pleroma security, general reminder to dev friends:
NEVER STORE SECRETS IN ENVIRONMENT VARIABLES.
JUST DON'T DO IT.
seriously. don't.
https://forcesunseen.com/blog/stop-storing-secrets-in-environment-variables
nostr:npub18994crjwnldrukwym5lz3y2nae84s84v20m2rkngtjnyg549lr6qvxmd6m nostr:npub1yck44z5zqxmwpqzqs75ay6ffjdw843ng9p6mz0lzfff3fgz2djlsngujmw nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5
> erlang is shit and immature
*disappointed Armstrong noises*
nostr:npub15phhes0c8vqr6pf4acy8fu3hreflpexcg3nujf3wrkc8qqql63asva2722 nostr:npub1yck44z5zqxmwpqzqs75ay6ffjdw843ng9p6mz0lzfff3fgz2djlsngujmw nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5
Be disappointed at the language's shit ecosystem and shit libraries, not at me for pointing it out lmao
nostr:npub1yck44z5zqxmwpqzqs75ay6ffjdw843ng9p6mz0lzfff3fgz2djlsngujmw nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 Yeah, in this case I wouldn't blame Pleroma devs entirely, what I said was mostly a joke.
Erlang/Elixir is a shit and immature language, so the fact that "the most mature [XML parser] in the ecosystem" is vulnerable to vulns from the early 2000s comes as no surprise to me.
nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 XXE occurs when the XML parsing library evaluates external entities, often allowing referencing files on the local FS, though it's bad even if it only resolves remote resources (think, AWS metadata endpoints).
https://gist.github.com/Eriner/2118b0ec479c57f980e39d3763195266
In the XML above (sorry for gist, foiled by CF WAF), the external entity reads /etc/passwd and returns it in the response, replacing the evaluation with &xxe
nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 Exploitation is trickier if the response is blind, but sometimes still possible; dunno if that is the case here or not, but I assume it's not blind. But even if you can't read local files, SSRF via XXE is still dangerous (think, AWS metadata endpoints rather than file:/// URIs).
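The parser-side fix the posts above describe, as an added example in Python (not Pleroma's code or its XML library): expat handlers that abort the parse on any DOCTYPE, entity declaration or external entity reference, so a document of the shape in the gist is rejected before anything is resolved, whether the system id is a file:/// path or an http:// URL. `SAFE_DOC` and `XXE_DOC` are constructed inputs; `parse_untrusted_xml` and `is_safe_xml` are names chosen here.

```python
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when a document uses DTD features that untrusted input never needs."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML with expat while refusing every DTD feature. Returns the element
    names in document order, enough to show that a clean document parsed."""
    p = expat.ParserCreate()
    # Never fetch an external DTD subset or expand parameter entities.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Reject DTDs outright; this is the same stance as defusedxml's forbid_dtd.
        raise UnsafeXml(f"DOCTYPE not allowed (name={name!r}, system id={sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Belt and braces: also refuse any entity declaration if DOCTYPEs are ever allowed.
        raise UnsafeXml(f"entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        # The reference the gist describes: &xxe; pointing at a file or a remote resource.
        raise UnsafeXml(f"external entity not allowed: {sysid!r}")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    p.StartElementHandler = lambda tag, attrs: seen.append(tag)
    p.Parse(data, True)  # a raising handler stops the parse and propagates here
    return seen


def is_safe_xml(data: bytes) -> bool:
    """True when the document parses without touching any DTD feature."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXml, expat.ExpatError):
        return False


# Constructed samples: a plain document, and the shape of document the gist describes.
SAFE_DOC = b'<?xml version="1.0"?><status><content>hello</content></status>'
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE status [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<status><content>&xxe;</content></status>')
```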
nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 yeah, XXE. Means anything that can submit an XML document that the server parses can read arbitrary files on the server, same as the other issue. Actually worse if this doesn’t require auth. XXE is fixed by not using shit and brain-damaged parsers, which nobody should be using. This is straight outta 2004.
Abandon hope, all ye who enter. Pleroma is fucked and was made by retards.