David Leadbeater

Interesting talk from 39c3: https://gpg.fail including my favourite classes of issues ANSI escape spoofing and abusing CR. A response from GnuPG is here https://www.gnupg.org/blog/20251226-cleartext-signatures.html — although there’s some other issues that do seem more fixable. IMO better to use […]

Here's a copy of the filesystem that has been extracted as a .tar file: http://squoze.net/UNIX/v4/

UNIX V4 tape from University of Utah (raw) : Computer History Museum : Free Download, Borrow, and Streaming : Internet Archive UNIX V4 tape from the University of Utah, received by Martin Newell circa June 1974 around when he modeled the Utah Teapot.This is the raw analog waveform and...

Here's the document release you were waiting for today!

The UNIX V4 tape!

https://archive.org/details/utah_unix_v4_raw

#retrocomputing

@bagder maybe you could offer a fakecurl alternative for other platforms for people who really want it?

Works anywhere with Docker:
$ fakecurl() { docker run mcr.microsoft.com/dotnet/sdk:9.0 pwsh -CommandWithArgs "Invoke-WebRequest $@" }
$ fakecurl invoke-webrequest.haxx.se
StatusCode : 200 […]

A screenshot of a shell (on Mac) executing the program ßh. Due to normalization this gets translated to ssh, and indeed the shell calls the ssh binary.

Unicode normalization.

Can I use has a strange entry for Zstandard on Safari (https://caniuse.com/zstd). I can’t find many references for it but indeed, if you serve Zstd to Safari >= 26 it does work. There doesn’t even seem to be a feature flag to turn on sending it in the Accept-Encoding header.

I’m experimenting with @bsky.brid.gy so this account is now bridged to Bluesky as @dgl.cx — there was a previous Bluesky account which that replaces (it now shows as “invalid handle”) and Bluesky doesn’t have a a Mastodon like way of migrating followers, so you will need to refollow.

@whitequark feels like it needs a "Unwarranted chumminess with compiler." comment like Henry Spencer put in the original regexp code (1986) and which has been carried into various other versions (including perl) since…

Gcore.com are an interesting provider. It took two separate support tickets over a month to work out their docs are wrong. If anyone is using them, *some* API endpoints need the authentication token to be in mixed case, for example "Authorization: APIKey ..." which is against what their […]

@webmink the hardest hurdle is that CDNs primary purpose isn’t actually the content part anymore, but pushing DDoS mitigation as close to the edge as possible. That interacts poorly with HTTPS everywhere, as every node ideally needs the certs, meaning there isn’t an easy way to federate trust. I […]

If you have a bash command line of "exec program ..." and you can control the "..." can you make it not run the exec and do something different? The answer is yes. Even if "..." is somewhat sanitised for shell metacharacters. If you can inject $+] it will make bash error on that line and run the […]

For those of you who saw my BSides Canberra talk, here's a vulnerability I couldn't talk about in the talk, yet, but is very much in the spirit of it: https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984

DNS in Google Sheets 1.1.1.1 works directly inside Google Sheets. To get started, create a Google Function with the following code:

Did you know Cloudflare documents how to use DNS in Google Sheets? Because if you have a problem, DNS is clearly the answer. https://developers.cloudflare.com/1.1.1.1/additional-options/dns-in-google-sheets/

I probably should have polished my @ComfyConAU talk. Instead I got sidetracked into wondering just how much I could tunnel over DNS: https://dgl.cx/2025/09/images-over-dns

Noticed my SLAAC IPv6 address happens to end in :fade. Fade to black?

I'll be speaking at BSides Canberra: https://cfp.bsidescbr.com.au/bsides-canberra-2025/talk/8TWF8X/ -- this will cover my recent find of an RCE in Git and how that and some other vulnerabilities could be used against developers. #bsides #security