gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
<joepie91> lol
<clever> infinisil: https://www.youtube.com/watch?v=CcZdwX4noCE "Why Web Filters Don't Work: Penistone and the Scunthorpe Problem"
<joepie91> that's a Tom Scott isn't it
<clever> joepie91: yes
<joepie91> always upvote Tom Scott
<joepie91> :P
<joepie91> anyway... I should get back to my project!
* joepie91 is building a chat thing
<infinisil> joepie91: What kinda chat thing?
<lejonet> joepie91: a skype killer? :P
<samueldr> why build a chat thing? slack's already way... can't keep the straight face here
<joepie91> infinisil: just a chat thing :P I'm sick of dealing with shitty XMPP clients, Matrix is currently not really in a frustration-free state, I want to stay in contact with $friend and I refuse to use proprietary messaging systems, so...
<joepie91> I'm rolling together a simple web-based chat thing
<joepie91> that will undoubtedly get out of hand over time
<srhb> Noooooo....
<joepie91> and using it as a project to experiment with a few new things
<srhb> :-)
<joepie91> like a design style I've never really worked with before: https://i.imgur.com/9bnXFFO.png
<joepie91> as well as starting out by defining all core data transformations
<infinisil> And the friend is going to use that just to stay in contact with you..?
<joepie91> yeah
<lejonet> joepie91: :D
<joepie91> yes, I've asked them lol
<infinisil> Lol alright
<joepie91> infinisil: I'll probably also end up using it for freelance customers over time tbh
<joepie91> right now I end up telling them to install Pidgin and register an XMPP account etc.
<infinisil> Huh, why not matrix though?
<joepie91> so I might as well point them at something that sucks less ¯\_(ツ)_/¯
<joepie91> infinisil: protocol is polling-based, reference homeserver implementation is unusably slow (*multi*-second delays on any remotely-busy server), clients all suck shit
<joepie91> protocol still poorly documented
<joepie91> parts of it at least
<infinisil> For the client thing, you can use weechat
<joepie91> anything terminal-based is an automatic no
<infinisil> Ah
<infinisil> Um
<joepie91> infinisil: so the thing with chat systems is, it's not actually *difficult* to build one
<joepie91> that's why there are so many
<infinisil> dtz just packaged fractal recently, which wasn't too bad https://github.com/NixOS/nixpkgs/pull/53106
<{^_^}> #53106 (by dtzWill, 4 weeks ago, merged): fractal: init at 4.0.0 !
<elvishjerricco> joepie91: Eh. I worked at a company whose product was a chat app. Difficult to do *well*
<joepie91> which means that for a non-proprietary federated thing to succeed, there is one and exactly one bar that it needs to meet:
<joepie91> it needs to be easier to use the federated thing than to roll your own
<joepie91> as of yet, I have seen zero federated systems that have met this bar
<joepie91> elvishjerricco: if you build it for a large audience, yes
<joepie91> elvishjerricco: but that is true for anything for a large audience
<joepie91> and within "things for a large audience", chat apps are one of the easier things
<elvishjerricco> How do you mean?
<infinisil> joepie91: I think it might be your tolerance for doing something on your own that is unusually high lol
<infinisil> joepie91: Wait, what's the problem with IRC?
<joepie91> infinisil: Fractal still looks pretty experimental :P
<elvishjerricco> infinisil: There's like a million problems with IRC
<elvishjerricco> security was an after thought.
<elvishjerricco> getting a persistent log is a nightmare
<elvishjerricco> Notifications are bad
<infinisil> Hmm yeah..
<joepie91> praise be to elvishjerricco, finally for once I don't have to be the one to list all the problems with IRC
<joepie91> lol
<elvishjerricco> IRC is terrible. It just so happens to be popular enough to be useful :P
<joepie91> not to mention multi-device support
<joepie91> or rather the lack thereof
<joepie91> yes, I know of bouncers, it's still a mess
<elvishjerricco> yea. I have to pay for proprietary IRCCloud to get the features I expect out of chat
<lejonet> elvishjerricco: and that you need like a 1kbps connection to successfully use it :)
<elvishjerricco> I've heard matrix can do all this though
<joepie91> elvishjerricco: in theory
* colemickens wishes Discord were oss
<joepie91> in practice not one Matrix client I've tried so far has passed my 10 minute test
<joepie91> not *one*
<lejonet> colemickens: me too
<joepie91> (ie. "can I use it for 10 minutes without running into a bug")
<elvishjerricco> Eventually I wanna give matrix and its IRC integration a shot. joepie91: What was wrong with them?
<infinisil> joepie91: I'd like to see the list you tested
<joepie91> see above; bugs
<joepie91> infinisil: haven't kept a list, pretty much went through everything on the Matrix site that didn't immediately look like a no-go (eg. terminal client)
<infinisil> I see
<joepie91> did this a few years ago, tried it again like a year ago
<joepie91> things had not improved much
<joepie91> and if I want to deal with bugs, I'll just continue to use Pidgin with XMPP :)
<infinisil> joepie91: You'd be looking for a web client?
<joepie91> I don't even specifically need a web client, so long as I can access my history from any of my devices and it all Just Works
<infinisil> (tm)
<infinisil> Yeah, that would be nice
<elvishjerricco> I really wanted to like ERC. IRC in my editor sounded neat :P And truthfully, it was pretty nice. But setting up a bouncer to get most of the features I actually wanted proved to be awful. Not to mention essentially no good way to get IRC with push notifications on my phone
* infinisil is off to bed
<elvishjerricco> infinisil: Aw I was about to pivot to factorio :P
<joepie91> but yeah, trust me, I've tried all the commonly-used options and various of the less common ones
<elvishjerricco> I started playing again
<joepie91> I have seen 0 things that meet my criteria
<elvishjerricco> and now I'm addicted...
<joepie91> hence: I will just build a chat thing
<joepie91> lol
<infinisil> elvishjerricco: I never played factorio
<srhb> elvishjerricco: Uh oh...
<joepie91> infinisil: there is still hope for you!
<infinisil> Hah
<elvishjerricco> infinisil: Hm must have been someone else on nixos-chat
<joepie91> it's basically Nerd Snipe: The Game
<infinisil> I don't think I can get addicted to a new game so easily
<srhb> elvishjerricco: I just opened up my beast of an angel+bobs spaghetti base a few hours ago and went "wait, I don't have time for this..."
<lejonet> infinisil: you and me both, I still haven't managed to play it :P
<elvishjerricco> srhb: Lol I spun up a new world today and suddenly it was 7pm
<joepie91> infinisil: so like, beneath the nice ambience and the snazzy wasteland graphics, Factorio is basically an endless stream of optimization problems that seem *just* within reach
<srhb> It's horrible :-P
<jackdk> elvishjerricco: have you noticed similarities between the circuit network and weird laggy FRP?
<srhb> Whatever you do, don't try sea block ever.
<elvishjerricco> jackdk: I've never gotten far enough to mess with circuits. But I do know there's a circuit-like library for FRP on Hackage, so that's not surprising
<infinisil> I really long for finally finishing my bachelors and getting to work. Having this worry of "I should really be studying now" All. The. Time. is really annoying, and it prevents me from doing fun things
<elvishjerricco> srhb: That sounds like a nightmare.
<jackdk> seablock is wonderful but I gave up on mine. Currently mucking around with AAI's programmable vehicles
<joepie91> infinisil: I had the same thing with work :P
<srhb> elvishjerricco: Yes.. You build everything from algeae and salt water, ever expanding... Balancing just power use is horrifying.
<infinisil> joepie91: I am still hooked on Minecraft, which I'll be playing again soon
<joepie91> infinisil: eventually had to force myself to take 2 days off a week minimum, regardless of circumstances, regardless of deadlines, regardless of work pressure
<joepie91> it's done wonders for me
<infinisil> Nice
<joepie91> and turns out the world /doesn't/ set on fire when you disappear for two days!
<srhb> elvishjerricco: How far in are you?
<elvishjerricco> infinisil: That's what it was! You were telling me I should get back into minecraft
<joepie91> (usually)
<srhb> Or are you like me and reset every time you get near to blue science >>
<infinisil> elvishjerricco: Ah!
<infinisil> Any Redstoners in here?
<elvishjerricco> srhb: The farthest I've ever gotten was just after developing nuclear power for the first time.
<srhb> Nuclear power is fun!
<elvishjerricco> srhb: After that I usually lose sight of a reason to play
<srhb> It was actually my entry to circuits
<srhb> I wanted to build a steam battery that would be smart about when to reload the reactors
<srhb> (Pointless efficiency of course...)
<elvishjerricco> infinisil: I used to do redstone stuff. RedPower 2 was my favorite mod of all time until Project Red showed me that RP2 was a terrible, closed source implementation.
<joepie91> heh
<joepie91> licensing in Minecraft-land is... interesting
<infinisil> elvishjerricco: I personally prefer vanilla redstone, makes you really appreciate the three dimensions
<elvishjerricco> srhb: Eventually I stopped worrying about efficiency and just started overprovisioning EVERYTHING
<srhb> elvishjerricco: Yeah :P But I find that bores me quicker, really.
<srhb> I mostly do weird concept bases now..
<elvishjerricco> infinisil: RP2 / Project Red I felt were sufficiently faithful to the spirit of vanilla redstone
<elvishjerricco> srhb: Concept bases? Such as?
<joepie91> like I said: Factorio is an endless stream of optimization problems
<joepie91> remove the optimization and the game no longer works :D
<srhb> My latest was a "cell concept" where every production block is a same-sized train grid.
<infinisil> Ah, I haven't looked into it too much actually, might check it out for the server my friends and I are gonna start soon
<elvishjerricco> ooh that sounds satisfying
<srhb> Shipping resources and intermediates purely via train between them
drakonis has joined #nixos-chat
<infinisil> elvishjerricco: Regarding RP ^^
<srhb> Very!
<srhb> TONS OF WORK though xD
<joepie91> oof
<jackdk> my first rocket was cellbased too, but I used a bothive instead.
<joepie91> that sounds painful
<elvishjerricco> infinisil: Yea it basically just provides jacketed cables, bundles of jacketed cables, and just a few extra single-block logic gates
<elvishjerricco> srhb: How big are the blocks?
* infinisil is really off to bed now though
<srhb> elvishjerricco: About the size of a single roboport
<srhb> Its logistics range I mean
<elvishjerricco> That's a good choice
<elvishjerricco> I've barely touched robots...
<srhb> I like to use them for building _building_ materials.
<elvishjerricco> Belts are cooler :P But bots are nice for building ghosts that I place down in front of me
<srhb> I get bored of setting up huge malls..
<srhb> Oh yeah, that too. Next update should fix that
<lejonet> infinisil: have a nice sleep :)
<elvishjerricco> srhb: Fix?
<srhb> Well, they won't be placed for you, but if you ever run out of stuff you're placing down they will autoghost
<jackdk> I tend to use an "early bots" mod like fast start or nanobots, because to me the game is about the design, not the manual clicking
<srhb> I foresee just playing the game in my head, never actually placing any thing q_q
<srhb> nanobots is great, yeah
<srhb> In general, I really like construction bots and don't really like logistics bots...
<elvishjerricco> Still haven't even touched modded factorio yet
<elvishjerricco> I'm sure that's a whole new world of cool possibilities
<srhb> yup :P
<srhb> angelbob is really fun if you enjoy pipeline complexity.. I definintely recommend it for a long, long game..
<elvishjerricco> gonna go look that up...
<srhb> The basic premise is that most reactions produce a byproduct
<srhb> So now you have to do a lot more work to filter byproducts from your lines, and take them to where they're needed.
<elvishjerricco> Sounds like thermal expansion for minecraft. That was one of the best mods.
<srhb> (For instance, pure ores are crushed into stone and another meltable ore, which in turn is sorted, ...)
<srhb> I love it. It's grueling.
<iqubic> srhb: I own Factorio, but I have only played like 5 minutes of it.
<iqubic> Should I play more of it?
<clever> iqubic: yes
<clever> it also works perfectly on nixos, without steam
<srhb> iqubic: I'd say so. :) One of the games I've sunk most hours into ever.
<iqubic> Does that still reuqre you to purchase it on steam?
<srhb> Nope.
<srhb> You can get it from the producer directly.
<clever> iqubic: you can either buy it on steam, or buy it directly on the factorio site
<elvishjerricco> I switched to the steam install because the nixpkgs factorio package puts your password in the nix store
<srhb> ouch, 620 hours...
<clever> iqubic: if you did buy it on steam, you can get a key, that lets you get a "free" copy on the factorio site (which is required for nixos)
<srhb> I think only EU4 beats that. :-P
<iqubic> I have a steam version of factoria. Will that run well through steam?
<srhb> Yep.
<elvishjerricco> Before, I was using some hacky script that invoked the factorio derivation with nix-shell and called the script manually, after resetting $out and credentials env variables
<clever> elvishjerricco: i prefer the nixpkgs one, because it lets me pin the factorio version
<clever> elvishjerricco: its anoying when the client updates, and i cant get into the server anymore
<clever> or the client updates and breaks all my saves
<elvishjerricco> I had a bug in that script though so I just dropped it. Might fix it another time...
<srhb> clever: The steam properties beta tab will mostly let you do that too
<elvishjerricco> clever: Yea, not being able to choose (or even SEE) the version with Steam is frustrating
<clever> elvishjerricco: oh, the fetch script has since been fixed, it now uses a token, not the password
<srhb> clever: For games that actually let you choose the version (which Factorio does)
<elvishjerricco> clever: Oh. So the token is used for downloading, but you have to log in at runtime?
<clever> elvishjerricco: not sure, havent played it in a while
<clever> srhb: i recently discovered that space engineers has "closed" betas
<srhb> I must not get into that game.
<srhb> It is way too tempting.
<clever> srhb: they will post a blog, with the key to unlock the beta, and after a round of public testing, they delete the version
<srhb> Oh :P
<clever> so if your late, you cant play the new things
<srhb> That's... Weird...
<iqubic> srhb: Do you think that factorio is easy to learn for new players like myself?
<clever> srhb: try stationeers, its a better version of space engineers
<srhb> iqubic: There's a good tutorial :)
<iqubic> I see.
<srhb> iqubic: I'd say the basics are easy to learn, but the depth is.. Huge.
<clever> srhb: with space engineers, power just magically flows between all machines on a single grid of blocks
<iqubic> I played that a bit, and then got bored of that.
<srhb> As with many sandbox games.
<srhb> iqubic: Well, if it doesn't tickle your interests, maybe not :)
<clever> srhb: with stationeers, you need to actually run power cables from source to dest
<srhb> clever: Oh no, more realism to obsess over xD
<clever> srhb: and you have to be aware of the limits of those cables or they can burn up!
* srhb flees
<srhb> Sounds great though
<clever> srhb: with space engineers, there is very little atmosphere logic
<clever> a sealed volume just has a % of air, and thats it
<clever> if it ceases to be sealed, its all lost, instantly
<srhb> Only for Proton though?
<srhb> Stationeers, that is
<clever> the check for seal is also extremely cpu intensive, and off by default, so you cant even pressureize things
<clever> for stationeers, every cube of space has its own atmo, and it will mix with neighboring atmos
<clever> srhb: the proton stationeers runs great, only 2 very minor bugs
<srhb> OK :)
<srhb> Tempting, tempting..
<clever> stationeers also supports a mix of different gases, and temp, and ignition
<clever> so, you can mix H2 and O2 at the right ratio, to make fuel
<elvishjerricco> clever: I loved the concept of space engineer. But the implementation left a lot to be desired. I'll have to check out stationeers
<clever> and if you forget to turn off the mixer, it will burst the pipe its pumping into...
<iqubic> Clever: is the game free?
<clever> iqubic: single-time purchase on steam
<iqubic> Because I don't have a lot of money right now.
<clever> i think it was $17 or something like that
<iqubic> That's more than I want to spend right now.
<clever> srhb: after m fuel pipe ruptured, it flooded my entire base with an H2/O2 mix, without me noticing...
<iqubic> So I can confirm that Factorio runs without any hitches on Nixos.
<clever> srhb: if a fuel/air mix gets over 30c, it will auto-ignite....
<iqubic> Unlike the other games that I want to play right now.
<srhb> clever: That's great, disaster possibility is one of the most motivating things :D
<clever> srhb: my entire base turned into a rocket....
<srhb> hehehe
<iqubic> Anyways... I have to go right now.
<clever> it was so explosive, the game crashed!
<iqubic> Will certainly play more factorio later.
<clever> loading a quicksave left me with a base filled with fuel, but not yet exploded
<clever> so it was a race to evacuate the air, and store it for reuse later
<clever> half way thru that process, i notice an orange glow up the elevator shaft...
<elvishjerricco> lol what was the heat source for the explosion?
<clever> elvishjerricco: probably an electric space heater
<clever> red hot heating coils
<lejonet> clever: I will have to try stationeers then, the lack of explosion potential made me sad at oxygen not included :P
<elvishjerricco> clever: Oh you have to heat your air? This game seems very thorough
<clever> elvishjerricco: that map was on europa, the outside air is -280c
<clever> and when in such conditions, it drains the suit battery rapidly
<clever> then your fleshy meat-sack starts to freeze, and you die :P
<srhb> Silly weak meat sacks..
<srhb> But yeah, this definitely sounds interesting :P
<clever> which reminds me
<elvishjerricco> clever: Lol. What are the bugs in proton? I'll probably give it a try if they're not bad
<lejonet> Not that I don't like ONI, but I want to do explosions when doing stupid stuff like dumping a metric tonne of natural gas into lava :D
<elvishjerricco> "fleshy meat-sack starts to freeze" "Which reminds me." That can't be good
<clever> elvishjerricco: the only proton related bug, is that all mouse events cause the pointer to move down and right by 1 pixel
<clever> elvishjerricco: so if your rapidly clicking something, it slowly drifts down+right
<clever> a patch is available, but you need to build proton the FHS way
<clever> elvishjerricco: the game simulates organs, as seperate entities
<clever> elvishjerricco: your lungs contain an atmosphere
<clever> and they exchange air with whatever your inside
<clever> the suit contains an atmosphere
<srhb> Is this just sci fi dwarf fortress...
<clever> the suit systems filter that, and re-fill it, based on settings
<elvishjerricco> wow
<clever> if your suit is damaged, air can leak in and out
<clever> if you turn the welding torch on, then put it into your backpack ....
<clever> an open flame in a sealed box....
<gchristensen> srhb: plot twist: it *IS* df, just with an elaborate tile set.
<srhb> :D
<lejonet> gchristensen: :P
<clever> what i suspect happens, is that the welding torch heats up the air inside your toolbelt, to 30c+
<clever> then the fuel in the welding torch auto-ignites...
<clever> oh, and when gasses heat up, the pressure increases
<clever> which can cause a fuel bottle to rupture
<clever> imagine this, but in your toolbelt
<clever> and with fire spewing out of it :P
<lejonet> "I want to break free!"
<srhb> "Why was that person filming their security monitor with their phone at this point in time..."
<clever> srhb: you hear a click at the start, they clicked play on an old recording
<srhb> Ah, good :-P
<lejonet> clever: no fun, would've been more fun with the explanation that the one filming was the one that popped the valve :P
<clever> there are also a number of fun bugs in stationeers multi-player
<clever> your brain, is its own entity in the game, that you are normally "wearing" in a special inventory slot the UI wont show
<clever> due to multi-player bugs, another client can loose track of the fact your "wearing" it, and then it just gets stuck hovering in-world
<clever> and due to multi-player bugs, other people can then pick it up
<clever> and the server just goes "ok, i believe you" and yoiks the brain out of your skull :P
<clever> then you die!
<lejonet> so you can literally "pick someones brain"?
<clever> yes
<lejonet> :P
<lejonet> Hello Mr Literal :=
<joepie91> wait, which game is this
<clever> stationeers
<joepie91> ah
<clever> oh, and the 2nd bug it has under proton, is just some mscorefonts missing in the wine prefix
<clever> a fix is on the wiki, but involves running winetricks, which nixos complicates
<elvishjerricco> lol i'm surprised the brain has a model
<clever> cp -vir ~/stationeers/Fonts/ ~/.local/share/Steam/steamapps/compatdata/544550/pfx/drive_c/windows/
<clever> but i have fixed it with this
<clever> elvishjerricco: you can also leave your brain behind on the floor upon death
drakonis has quit [Quit: WeeChat 2.3]
drakonis has joined #nixos-chat
<samueldr> how's the outlook for your system?
<samueldr> fairly reproducible?
<gchristensen> it hasn't tested much yet -- https://gist.github.com/grahamc/c1f68cf02c88fd9536330a68654a8110 -- I'm testing some patches to perl now :)
<elvishjerricco> gchristensen: Shouldn't you check if any output exists, not just the out output?
<gchristensen> probably-yes
<gchristensen> since I keep a done-list, I could expand to that later :)
drakonis has quit [Quit: WeeChat 2.3]
drakonis has joined #nixos-chat
<gchristensen> should nix have a dowereproduceyet.com ?
<gchristensen> like arewewebyet.org
<drakonis> yes
<drakonis> debian has one already
<gchristensen> what is theirs?
<gchristensen> neat
<drakonis> been a thing for years now
<drakonis> by the way, stationeers eh?
<gchristensen> eelco has been working with them for some time now, as well
<drakonis> why not... space station 13...
<drakonis> very good
<gchristensen> (several years)
<drakonis> neat, didn't know that
<drakonis> his name doesn't come up a whole lot on the weekly reproducible build reports
<gchristensen> yep yep
<gchristensen> he's not in the day-to-day
drakonis has quit [Quit: WeeChat 2.3]
<iqubic> clever: How do you solve missing font issues on Steam games in NixOS?
<clever> cp -vir ~/stationeers/Fonts/ ~/.local/share/Steam/steamapps/compatdata/544550/pfx/drive_c/windows/
<clever> for proton, you can copy the fonts to the right directory in the prefix for that game
<iqubic> Like I'm not getting any errors, I'm just seeing nothing where the glyphs should be.
<clever> yeah, thats what i got in stationeers as well
<iqubic> clever: This is a game that's running through Steam without Proton.
<iqubic> So IDK how to fix it.
<clever> it should get any system fonts, so just set fonts.fonts in configuration.nix
<iqubic> I know it should, but it doesn't/
<clever> iqubic: which font is missing?
<iqubic> It's not an entire font, but just a few symbols.
drakonis has joined #nixos-chat
<iqubic> ↺ ↻ those two arrows, ∧ ∨ those two logical operators, and I think a few others too.
<iqubic> Which is weird, because they all show up fine in emacs and in firefox too.
<clever> it may be forcing the use of a certain font, which lacks those glyphs
<iqubic> I see.
drakonis has quit [Quit: WeeChat 2.3]
<gchristensen> clever: do we build multiple perls in bootstrapping?
<clever> gchristensen: not sure, but i could see it happening
<gchristensen> hrm. yes. seems it is not accessible
<iqubic> I'm not sure why my game is broken. This is odd.
<iqubic> clever: I have no idea how fix this at all.
<iqubic> NixOS is pissing me off.
<colemickens> :o
<iqubic> That's 2 games that claim to run on Linux failing to do so.
<iqubic> And one game that works rather well, except for several issues that I'm running into.
<iqubic> These games actually do run on Linux, just not on NixOS because IDK why.
drakonis has joined #nixos-chat
<gchristensen> fix for perl: https://github.com/NixOS/nixpkgs/pull/55158
<{^_^}> #55158 (by grahamc, 21 seconds ago, open): perl: make reproducible
drakonis has quit [Quit: WeeChat 2.3]
<colemickens> with the rpi discussion earlier, do folks know of an SBC that has a TPM onboard?
<colemickens> (cheapish)
lassulus_ has joined #nixos-chat
iqubic has quit [Remote host closed the connection]
lassulus has quit [Ping timeout: 250 seconds]
lassulus_ is now known as lassulus
iqubic has joined #nixos-chat
pie___ has joined #nixos-chat
pie__ has quit [Ping timeout: 245 seconds]
<elvishjerricco> At the end of November, they announced they could decrypt any iPhone or Android, regardless of passphrase conplexity. Considering the decryption key isn’t supposed to be stored on the device anywhere, that’s rather alarming.
<elvishjerricco> But now “the third-party that we were working together with to complete these data recoveries is no longer available to work with”
<elvishjerricco> What does that mean? Did the exploits get patched? Did the third party get taken down? How was this even possible?
<clever> elvishjerricco: i can think of 2 things
<clever> either the crypto is crazy weak
<clever> or they are just reading the cyphertext off the flash memory, and then doing a brute-force of the pincode in a VM type env
<clever> where they can just ignore the "max 10 tries" rule
<clever> elvishjerricco: ive also seen a blog post on how to break encrypted USB sticks, and it involved just soldering the write-enable pin on the flash chip, to a constant level
<clever> effectively turning the usb stick read-only
<elvishjerricco> It’s not weak. Apples got a publication describing their encryption, and it’s pretty good. And brute forcing isn’t possible because DriveSavers claimed it worked with arbitrarily complex pass phrases, including alphanumeric phrases with symbols and length > 12
<elvishjerricco> The key is *supposedly* not stored on the device anywhere. When you boot up, it needs your passphrase before it can decrypt the home screen
<clever> what if it was more like luks
<clever> where the passphrase decrypts the real key?
<elvishjerricco> clever: It’s a combination
<simpson> Indeed, if the device supports quick reassignment of passphrases...
<elvishjerricco> There’s device specific code that would require intense electrical engineering to recover, but it is infused with your passphrase, so it effectively doesn’t matter
<clever> i'm also reminded of how the PS3 hdd crypto worked
<clever> the PS3 has a per-cpu key, burned into the cpu die itself
<clever> which is used to encrypt the hdd
<elvishjerricco> There’s a* device specific key
<clever> so you cant transfer hdd's between PS3's (without a reinstall)
<clever> and you have to root the ps3 if you wanted to read/write its drive externally
<elvishjerricco> Oh actually yea it ALSO just uses this infused key to encrypt the actual key for passphrase reassignment
<elvishjerricco> So it’s all dependent on your passphrase, and basically does what LUKS does, with extra steps
<clever> it sounds like you would need to replace the firmware (either via usb or physically), to be able to leak the unique device id, and allow brute-forcing the header without limits
<elvishjerricco> Yea but that brute forcing really shouldn’t be possible. Apple’s not using random custom key derivation functions; it’s pretty standard and well tested stuff
<clever> stuff that takes a reasonable amount of time to convert 1234 into key and decrypt things?
<elvishjerricco> clever: Yea I mean obviously it’s trivial to brute force weak passphrase once you figure out the device key and image the disk. But the problem is that they said they could beat strong passphrase a
<elvishjerricco> This autocorrect does not like the plural of “passphrase” :P
<clever> i think there are also rules, that you must use a passphrase/pin# after booting, and that touchid/faceid wont work on bootup?
<elvishjerricco> clever: Yea. Since it doesn't know the decryption key, it needs your passphrase to do anything. Once you enter it, it mangles it and caches it in memory so that biometrics can unmangle it and use it to unlock the phone. But there are several ways to tell iOS to discard this mangled key, even remotely (and several hardware-level measures to ensure it doesn't leak afterward).
<elvishjerricco> And there are several time-sensitive conditions under which it will discard the key and require your passphrase again
<clever> elvishjerricco: i was thinking its more like the fingerprint data and facedata are just stored on the encrypted rootfs
<elvishjerricco> but if you have no biometrics enabled, the key is only cached while the phone is unlocked
<clever> and it needs the real passphrase/pin to unlock that at bootup
<clever> before it can continue the boot
<elvishjerricco> Well, the biometric data is encryped and stored in the secure enclave coprocessor
<clever> and that the pin when unlocking normally, is just a software lockout, not a crypto lockout
<elvishjerricco> and needs the passphrase-based decryption key to decrypt
<elvishjerricco> the passphrase lockout is in fact a crypto lockout. It's biometrics taht are software lockouts
<elvishjerricco> hence why discarding the biometric-based caches of the key is an important ability
<clever> but what about unlocking it with only a fingerprint?
<clever> after boot has finished
<elvishjerricco> clever: You cannot unlock the phone after first booting using a fingerprint. You have to enter the passphrase at least once. Then it caches the key, and discards it under a variety of conditions (requiring your passphrase to enable biometrics again)
<clever> yeah, passphrase once at bootup, and then fingerprint for the rest of the runtime, until it reboots or something clears it
<elvishjerricco> right
<elvishjerricco> so like LUKS+luksSuspend
<clever> theres also something ive been wanting to try on my laptop
<clever> configuring the initrd, to use a luks keyfile on the SD card, if present
<clever> and if not present, ask for a passphrase, as normal
<clever> so when in a secure location, i leave the SD card in, and it just boots
<clever> when in insecure locations, i take the card out, and it has a passphrase
<elvishjerricco> I read the ios security guidelines in hopes of finding an obvious crypto error from Apple that DriveSavers could have used (assuming unlimited access to information in any way publicly visible, even if it requires the ability to observe individual electrons perfectly). But I didn't see anything. So their program was very concerning to me :P
<elvishjerricco> clever: It's arguably best to use some TPM based solution, so that you're much less vulnerable to keylogger attacks.
<elvishjerricco> Like, if we assume memory is encrypted with a random key secured in the CPU with security as strong as the TPM, and if we assume that Linux is good at preventing unauthorized software access, then it's much more difficult to break that hardware root of trust than it is to install a keylogger
<clever> but then you need measured boot, or somebody can just swap out my initrd
<elvishjerricco> right
<clever> and measured boot wont play nicely with nixos-rebuild
<elvishjerricco> clever: I've got some ideas
<clever> enless you encrypt the grub config, and the measured boot unlocks that as well
<clever> and measurement stops there
<elvishjerricco> clever: But then you still have to re-measure when grub changes
<clever> yeah, but that happens less often
<elvishjerricco> clever: You can measure specific PCRs that only include the firmware and public key used for secure boot. So if you just have activation sign your boot loader, then this PCR should remain constant unless you change your firmware
<clever> ah, that could work
<clever> ive not done any TPM stuff yet, so i'm half guessing based on what makes sense
<elvishjerricco> clever: Yea I believe this is the only way to ensure someone can't beat secure boot by simply disabling it in the BIOS, as the secure boot spec for x86 requires that any person with physical access can disable secure boot
<elvishjerricco> but doing that would affect the TPM measurement in PCR 7(? i think?)
<clever> ive also noticed secure boot support to vary wildly
<clever> my laptop secureboot allows me to enroll my own keys, or to just whitelist efi binaries by hash, so i dont even need keys
<elvishjerricco> true. Apple's requires a user password to change anything at all, for instance, which breaks spec
<clever> my desktop secure boot, only has on&off
<clever> i think on is M$ keys
<elvishjerricco> yea microsoft pushed a lot of hardware manufacturers to only allow their keys :P
<elvishjerricco> I think that was mostly for prebuilts though
<clever> the laptop is by a company that advertises linux support and open software
<clever> they even sell a variant with ubuntu pre-installed, and all unfree software just gone
<elvishjerricco> My desktop has TPM, and pretty customizable Secure Boot. But when I contacted ASRock about TPM not working under Linux (some driver error), they just said "Sorry, we don't support Linux for this product."
<clever> lol
<elvishjerricco> So I'm never buying an ASRock motherboard again :P
<clever> i think my nas is asrock
<elvishjerricco> clever: What company made that laptop?
<clever> that firmware config was nuts, it has an animated twinkling star background
<clever> the laptop is from system76
<elvishjerricco> o_O mine does not do any animation lol.
<elvishjerricco> oh system76 seems cool
<clever> i think the nas firmware is also able to update itself, without anything external
<clever> the uefi just goes on the internet by itself, downloads updates, and flashes itself
<clever> idiot proof, until it bricks itself :P
<simpson> clever: I have a NAS-like machine with boot firmware like that.
<clever> i call it a nas, but its just a mini-atx board with a pile of hdd's
<elvishjerricco> oh no. I avoid updating firmware like the plague. Doing it *automatically* sounds like a recipe for a dead motherboard
<clever> oh, the nas also has hdmi in!
<simpson> Cannot: boot without manual intervention, control fans
<clever> there is a windows util, to either output the GPU, or to passthru hdmi directly
<simpson> Can: mouse
<clever> and i think hdmi passthru happens when "off"
<clever> but, its imposible to google for linux drivers of that
<clever> all you get is hdmi capture cards
<jasongrossman> clever: As you may know, there's been some fuss in online forums about System76 refusing to take advice from FOSS people about making their firmware updateable by standard methods.
<clever> jasongrossman: ah, i hadnt heard that
<elvishjerricco> jasongrossman: What are "standard methods"?
<clever> elvishjerricco: flashrom is one
<jasongrossman> clever: I've forgotten all the details, but I remember that when I read the details I didn't find System76's replies reasonable.
<jasongrossman> elvishjerricco: That's what I don't remember.
<clever> i think flashrom can read 2 of my machines
<clever> and a 3rd machine (that is too old to bother with) supports read/write
<jasongrossman> But I do remember that System76's reply only made sense on the premise that they were going to be around, and doing the right thing with their firmware, for the life of your machine.
<jasongrossman> And that's the most charitable interpretation.
<jasongrossman> OTOH, I don't know which manufacturers do any better, for laptops.
<jasongrossman> Also it's possible that there's a better reply to the criticism than the replies I actually saw.
endformationage has quit [Quit: WeeChat 2.3]
<elvishjerricco> On the issue of trusting TPM based boot: If you assumed the hardware root of trust wasn't broken, how trustworthy would the typical Linux OS be for securing software authorization? e.g. is LightDM a bigger security risk than a keylogger?
<clever> elvishjerricco: if you trust Xorg, there is always the secure keyboard mode
<elvishjerricco> have not heard of that
<clever> elvishjerricco: in xterm, hold control, and hold left mouse
<clever> there is a secure-keyboard option
<clever> when enabled, xterm gets 100% of the keyboard input
<clever> alt+tab wont work
<jasongrossman> How cute!
<clever> keyloggers (using the x11 api) wont work
<clever> ssh agents and gpg agents also use this automatically
<clever> the only way to bypass that, is to have root, then you can read things like /dev/input directly, or just replace xorg with a variant that ignores the rules
<elvishjerricco> Odd. Though I'm more concerned about things like my screen locker not actually locking. Did you know that a lot of screen lockers just change VTs? You can f7 to get back to the desktop in a lot of them
<clever> X based screenlocks can do things like secure-keyboard, to block alt+tab
<clever> and then all input goes to the lock program
<elvishjerricco> light-locker extends the default locker of lightdm by covering your desktop with a black UI, grabbing the keyboard (I guess secure keyboard) and automatically switching back to the login VT
<clever> the "login VT" isnt something you can just switch to
<clever> ive implemented a display manager from scratch before
<clever> basically, display-manager.service, will run the display-manager (gdm, kdm, slim, lightdm, hsdm) as root
<clever> the dm will then run Xorg, based on its config file, wait for X to come up
<clever> and then connect to X as a normal x11 client (without any window manager)
<clever> then it renders the login page
<clever> after you login, the DM will run the desktop-manager (in nixos, its a bash script, that then runs the real DM)
<clever> and the display manager will drop root before doing that
<elvishjerricco> clever: Yea I'm not really sure how lightdm and light-locker bring you to a login screen on lock. But once there, you can ctrl+alt+f7 to get back to the desktop, and you have to have light-locker to secure the desktop and switch you back to the login screen
<clever> so you cant really go backwards to the login screen
<clever> that sounds more like the quick-user-switching
<elvishjerricco> probably
<clever> like its spawning a 2nd xorg, on a new vty, so a 2nd user can login
<clever> something else you can do to play around, `chvt 7` (ran as root) will switch to tty7
<elvishjerricco> but the point was more about lightdm thinking that leaving that vty there unsecured was secure enough
<clever> ssh in, and have fun forcing it to change around!
<elvishjerricco> i.e. I worry that the software authorization in the typical Linux distro has dumb issues like that
<clever> elvishjerricco: another thing, ctrl+alt+backspace, tells xorg to shutdown immediatelly
<clever> elvishjerricco: oh, and theres also the sysrq stuff
<clever> elvishjerricco: alt+printscreen+e, i believe, will send a sigterm to every single process on the machine
<clever> systemd will then restart most things, and your back at the login screen
<clever> alt+printscreen+k is the secure-login thing i think, treat it like ctrl+alt+del to login on windows
<clever> sak was meant for text-mode days, when it was trivial to emulate a login screen
<clever> it will kill everything on the current tty
<elvishjerricco> Ah, well I'm willing to assume that if an attacker has their own software running on my machine, then I'm probably pwned :P
<clever> its more for multi-user machines
<clever> what if i login, start a program that prints "login: ", and then walk away
<clever> then you sit down, and type in your name+pw!
<clever> the solution, is that you hit the sysrq to kill everything on the tty, and then init will re-spawn the getty and login process
<elvishjerricco> Hm. I don't typically think much about multi-user systems. But I guess if you trust a hardware root of trust, then multi-user systems become much more practical from a security perspective
<clever> the design of nix also takes multi-user into account
<clever> and makes it safe to allow anybody to install anything
<elvishjerricco> yea that is really nice
<elvishjerricco> though "safe" in Nix really just means "This is what the .drv says it is". Obviously malicious .drv files are easily overlooked
<clever> but that safety only holds, as long as you are not digging around in /nix/store/ and running the first ls you can find :P
<elvishjerricco> right :P
<clever> of note, i have a proof of concept expression, that runs a reverse shell, in a fixed-output derivation
<clever> so, if you try to nix-build that, i gain a shell, inside your nix sandbox
<elvishjerricco> whoa what? How?
<clever> then i am free to burn your cpu for crypto-coins, or prod anything on your LAN
<clever> fixed-output derivations have full network access
<clever> they can connect out to anything
<elvishjerricco> oh, yea that makes sense
<elvishjerricco> does a reverse SSH exist?
<clever> and there are utils to get a reverse shell without having to setup port forwarding
<clever> exactly what i used
<elvishjerricco> what's it called?
<clever> tmate
<clever> in normal use, you just run tmate, and it shows a special ssh url
<clever> then you pass that to somebody else, and when they ssh in, they land in the same shell, on your machine
<clever> after that, its just normal tmux
<elvishjerricco> Ah, I've used this, or something like it, before. Coworker loved tmux, so he'd "screenshare" by giving a URL that shows a readonly view of his tmux
<clever> yeah, tmate has a read-only version, and both http and ssh interfaces
<elvishjerricco> i imagine it can do read-write
<elvishjerricco> yea, so probably tmate
jackdk has quit [Ping timeout: 250 seconds]
iqubic has quit [Ping timeout: 264 seconds]
jasongrossman has quit [Quit: ERC (IRC client for Emacs 26.1)]
__monty__ has joined #nixos-chat
__monty__ has quit [Client Quit]
__monty__ has joined #nixos-chat
__monty__ has quit [Client Quit]
__monty__ has joined #nixos-chat
__Sander__ has joined #nixos-chat
hedning has joined #nixos-chat
jasongrossman has joined #nixos-chat
<gchristensen> nix-profiles-as-web-roots
ninjin has joined #nixos-chat
<clever> gchristensen: https://github.com/NixOS/nix/issues/2665 i went a bit nuts in here last night, and i think i found a way to improve the performance of nix, for certain expressions
<{^_^}> nix#2665 (by cleverca22, 1 day ago, open): adjust `Expr::maybeThunk` to reuse `Value` objects
<gchristensen> wow!
<gchristensen> yes please :)
<clever> basically, { args }: let foo = expr; in body, will create a new thunk for `expr` every time the function is called
<clever> and then (if expr is constant), there is no way to share the result of computing it
<gchristensen> we have a lot of code that does that.
<clever> moving the let block up shaved 2gig off the cardano-sl release.nix eval
<clever> but, it can take hours to find everything like this, and imrove it
<clever> adjusting maybeThunk should automatically fix everything
<gchristensen> 2gig ram??
<clever> yes
<gchristensen> :o ok, can you try patching nix? :o :o :o
<clever> i plan to
<clever> i mostly made the ticket incase i forget
<gchristensen> amazing
<clever> gchristensen: and while digging thru all that, i discovered that a simple 5*5 expression, is 5 nodes in the AST, after parsing
<gchristensen> ok where are the other 2
<clever> each int, turns into an ExprInt node
<clever> then the * has to lookup __mul in the current scope
<gchristensen> lol.
<clever> and then there is 2 ExprApp nodes, to apply each int to the __mul primop
<clever> gchristensen: scopedImport can make 5*5 == "boo!"
<gchristensen> hilarious
<clever> maybeThunk also impacts the lazyless of the above
<gchristensen> Nix is so cool
<clever> if you do { x = 5; }, then the attrset code will call Expr::maybeThunk (which is a virtual function)
<clever> the ExprInt version, doesnt bother making a thunk, and directly gives a Value of 5
<clever> but, if you do { x = 5 * 5; }, there is no ExprApp::maybeThunk, so it falls back to Expr::maybeThunk, which does create a thunk
<clever> and the expression: (__mul 5) 5, is defered until later
<joepie91> [14:14] <clever> basically, { args }: let foo = expr; in body, will create a new thunk for `expr` every time the function is called
<joepie91> this is sounding an awful lot like a prime candidate for Nix' memory usage issues :P
<clever> joepie91: thinking about it, that statement will even apply to let foo = 5*5; in ...
<joepie91> I mean, in a language that's pretty much made of isolated lexical scopes, "does not reuse scope contents for identically produced scopes" is going to affect a *lot* of stuff
<clever> joepie91: 5*5 will depend on what __mul is in the current scope
<clever> which is why you need a map from Env* to Value
<clever> the Env* is the scope its being evaluated in
<gchristensen> ok, talking to a friend, this sounds hard to fix clever
<gchristensen> "Unless we put in some work to either check for a reference to the internal scope or somehow ensure we don’t reduce it?"
<clever> when creating a thunk, the scope (the env pointer) and the expression, are shoved into a Value object
<clever> and the expr can later be ran within that scope
<clever> which turns the Value from a thunk into a concrete type
<clever> if i just make a map, from Env to Value, containing pre-made Value's (which are either thunks or results)
<clever> then i can lookup the result of evaluating it within a given Env
<clever> but, for cases where it doesnt memoise, it would be retaining a reference to every single Value it has created...
<__monty__> So you want to implement a lazy language by being super eager? : >
<clever> __monty__: rather then being eager, i want to share the thunk when possible
<clever> so when it does eventually force the thunk, it can save the result longer term
<__monty__> Oh, misread.
<joepie91> clever: an Env is a representation of a scope here, right?
<clever> joepie91: thats my understanding
<joepie91> clever: have you considered a dead simple "keep the most recently used N scopes around" implementation?
<clever> i was thinking i could limit the map to N elements
<joepie91> that would be cheap to track and clean up internally, and probably at least save a lot on commonly used scopes
<elvishjerricco> clever: Sharing constant lets is something that GHC does sometimes, and it can often *lead* to space leaks when people write the let binding with the intention for it to be garbage collected and not shared
<elvishjerricco> So GHC is very picky about when to do this, IIUC
<joepie91> the major caveat would be that - presumably - every invocation of a function, even with the same arguments as before, would produce an entirely *new* scope/env, and you'd need to identify reusable scopes there; I don't know if Nix already does anything like this
<elvishjerricco> Maximal laziness + garbage collection is IMO the way to go for Nix specifically. But I'm sure eelco had a good reason for not putting maximal laziness in Nix.
<sphalerite> oooh, nixos.tech was available.
<elvishjerricco> There are too many TLDs now :(
<sphalerite> I've bought it and set it up to redirect to .org
<__monty__> How can there be too many?
<sphalerite> I came up with the idea because I typed "nixos/nixpkgs" into my address bar, it opened nixos.com/nixpkgs, and I was relieved to find that the porn site no longer exists
<__monty__> The exhaustion of .com is super annoying imo.
<sphalerite> the domain isn't available though :p
<__monty__> So I'm glad .io got popular through startups to the point that non tech people no longer think .com's the only one.
<sphalerite> really? People thought that?
<__monty__> Yes, many.
<sphalerite> huh
<sphalerite> but .org is pretty common too
<__monty__> Maybe not brits because of the silly .co.uk stuff but belgium/holland, definitely.
<__monty__> How many .org's do the facebook/IG addicts visit though? .net's also kinda disappeared.
<sphalerite> but .be and .nl!?
<sphalerite> also as a German I'm familiar with .de
<__monty__> Well yeah, .com + ccTLDs.
<joepie91> huh? we're quite aware of the existence of non-.com here :P
<joepie91> oh, in that sense
<sphalerite> isn't .io a ccTLD too?
<joepie91> .net is also fairly well known and understood in NL though
<joepie91> sphalerite: technically yes
<joepie91> but it got appropriated
<sphalerite> The Internet country code top-level domain (ccTLD) .io is assigned to the British Indian Ocean Territory.[1]
<__monty__> But, really, .be has never been an interesting part of the internet.
<sphalerite> __monty__: lol
<__monty__> sphalerite: .tv and .sh are other ccTLDs that got similar "mis"use.
<sphalerite> oh yeah I think I saw that at some point
<sphalerite> tv = Tuvalu?
<__monty__> Yeah, and saint-helens.
<__monty__> hellens?
<sphalerite> oh wow
<__monty__> I like it though, the idea of ccTLDs is silly for tiny countries imo.
<gchristensen> .be is super shady to buy
<gchristensen> I tried to buy one in '10 or so, and I was going to have to wire money to the BE govt. I went to the bank to do it, and they told me that I could do it if I really wanted to, but my life would come under scrutiny
<joepie91> lolwat?
<sphalerite> whaaaat
<sphalerite> oh right you don't live in the EU
<sphalerite> yeah I think it's significantly easier if you live in the EU :p
<sphalerite> or just have an address there
<sphalerite> oh wait no .be seems to be different from .de
<gchristensen> yes
<joepie91> gchristensen: you can just register one with a normal registrar like internetbs nowadays anyway :P
<joepie91> .be that is
<gchristensen> nice
<joepie91> it's cheap, too
<joepie91> 4.70 EUR/yr
<__monty__> What scrutiny are you referring to? Is it just trying to determine you're a belgian citizen/legal entity?
<gchristensen> oops, not .be
<gchristensen> .by
<__monty__> I mean, that's practically russia... : >
<gchristensen> but more importantly, it is a great set of nice domain names :)
<sphalerite> hm, so, on the one hand, my ISP seems to terminate my connection every night at 23:33, so I have 6 seconds of downtime per day, which is annoying
<sphalerite> on the other hand, it sends an LotR reference.
<sphalerite> Sun Feb 3 23:34:06 2019 daemon.info pppd[31842]: Remote message: Pedo mellon a minno : ######DEU.DTAG.GGH35# - <unknown>
<__monty__> Doubt the ISP management knows. Doubt they'd let anyone send the word "pedo" on a daily basis.
<gchristensen> definitely not
<sphalerite> hm, is it a bad idea to set a custom search domain?
hedning has quit [Quit: hedning]
<sphalerite> My router has lots of messages about "possible DNS rebind attacks"
<sphalerite> aah I just need to put a rebind-domain-ok for the domain in the dnsmasq config
<gchristensen> don't set your searc domain to a domain with a wildcard DNS
<sphalerite> I think the issue is that the IPv4 addresses are in private networks
<sphalerite> see for example lugn.sphalerite.tech
<__monty__> Do search domains still work? Wouldn't modern browser submit a search query to whatever your search engine is?
<gchristensen> they query DNS first
<gchristensen> and yes, they work
<sphalerite> yeah it submits the query to the search engine first
<sphalerite> but if I type http://lugn for example it works
<gchristensen> weird, here it does the opposite
<sphalerite> oh wait
<sphalerite> yeah no
<sphalerite> which browser?
<gchristensen> firefox
<sphalerite> huh, same \:|
<gchristensen> is that a wireguard network?
<__monty__> Maybe it's because those smart searches are probably implemented with regexes? And there's an edge case here?
__Sander__ has quit [Ping timeout: 240 seconds]
__Sander__ has joined #nixos-chat
__monty__ has quit [Ping timeout: 244 seconds]
__monty__ has joined #nixos-chat
endformationage has joined #nixos-chat
<sphalerite> gchristensen: tinc :)
<gchristensen> ah
<sphalerite> blaaaaargh stupid stock firmwares.
<sphalerite> There's no *technical* reason not to allow it, but my TP-Link DSL modem doesn't allow operating in bridging DSL<->ethernet and also as a SIP/DECT bridge at the same time.
<sphalerite> and there's no openwrt for it, and even if there were it wouldn't support the DSL modem functionality nor the DECT base station functionality. >_<
hedning has joined #nixos-chat
hedning has quit [Read error: Connection reset by peer]
hedning has joined #nixos-chat
__Sander__ has quit [Ping timeout: 246 seconds]
__Sander__ has joined #nixos-chat
hedning_ has joined #nixos-chat
hedning_ has quit [Remote host closed the connection]
hedning_ has joined #nixos-chat
hedning has quit [Ping timeout: 250 seconds]
hedning_ is now known as hedning
edef has left #nixos-chat [#nixos-chat]
hedning has quit [Client Quit]
<joepie91> sphalerite: I bet there's an upgraded model with the exact same hardware that *does* allow it
<joepie91> :p
<clever> System.TypeInitializationException: The type initializer for 'System.Console' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.ConsoleDriver' threw an exception. ---> System.Exception: Magic number is wrong: 542
<clever> now its time to figure out why >/dev/tty totally breaks a mono program, lol
<sphalerite> joepie91: not that I know of
<sphalerite> oh yeah, one more thing I need to try, see if I can't get in via SSH after all
hedning has joined #nixos-chat
<clever> else if (magic == 0x21e)
<clever> the 542!
hedning has quit [Quit: hedning]
<clever> aha, and things differ in the mono source here
<clever> i think mono is barfing over the terminfo files being too new
<clever> oh!
<clever> stdout WAS a pipe, so it didnt need terminfo
<clever> but, when i fixed stdout, then it needed terminfo!!
iqubic has joined #nixos-chat
iqubic has quit [Remote host closed the connection]
hedning has joined #nixos-chat
iqubic has joined #nixos-chat
<sphalerite> so tp-link has an android app that apparently uses SSH to access the routers. Can anyone suggest how I might go about finding out how it authenticates? :^)
<gchristensen> throw a MITM in there?
<samueldr> launch it to another host, see which user it tries to login as?
<samueldr> I think there may even be ssh servers made specially to harvest information?
iqubic has quit [Remote host closed the connection]
iqubic has joined #nixos-chat
<sphalerite> idk how to get the app to connect to anything other than the actual router
<gchristensen> how does it find the router?
<sphalerite> idk
<sphalerite> it's tcpdump time I guess
<gchristensen> figure that out first ;)
<sphalerite> hmm how can I sniff the complete traffic though :/
<sphalerite> because the app wants me to connect to the tp-link device's wifi, but I don't know how to sniff that
__Sander__ has quit [Quit: Konversation terminated!]
tilpner has quit [Ping timeout: 268 seconds]
<sphalerite> sooo after some fiddling with bridging and such I've managed to get a packet capture
<sphalerite> it seems to start with the phone discovering the router via a packet sent to the broadcast address, followed by a small exchange of UDP packets, followed by an SSH session
<sphalerite> anyone think they can work this out? :p
<gchristensen> open the capture in wirshark?
<sphalerite> yep, that's how I got those conclusions
<sphalerite> samueldr: do you know of such an SSH server?
<sphalerite> hm there's a blog post from someone who modified openssh to log the attempted passwords
<samueldr> sadly no, only kinda remembers it exists (if it didn't, it would be a good idea)
<sphalerite> https://github.com/cowrie/cowrie looks relevant
<__monty__> Maybe look for honeypot setups?
<sphalerite> blargh first I need to get it to try to connect to my honeypot SSH server
<__monty__> Would your host act like a router on an adhoc wifi network?
<sphalerite> __monty__: no
<sphalerite> not by itself anyway
<sphalerite> the app seems to discover the router via UDP broadcasts on port 20002
<sphalerite> I've managed to trick it into thinking my laptop is one of the routers, but not into actually trying to connect
<joepie91> wtf. so Action, a discount store in NL, has been expanding internationally - and whereas they had a total of "more than 1200" stores back in September across countries, they're now up to 1340...
<joepie91> this is some ridiculous growth
<__monty__> It's like Spar, ridiculous spread for such a small brand imo.
<joepie91> well, yeah, but at least Spar is a supermarket / corner store
<joepie91> there's a continuous demand for those
<joepie91> whereas Action is competing against online stores
<joepie91> like, the closest description I can think of for Action is "it's like a brick-and-mortar AliExpres"
<joepie91> AliExpress*
<joepie91> (and it's notable for having more useful/durable stuff and less junk than most discount stores)
<sphalerite> joepie91: is your field of interest called "cryptoeconomics"? :D
<joepie91> sphalerite: no :) and as far as I can tell, "cryptoeconomics" is giving a new marketable name to an old concept
<joepie91> (see also: cloud, big data, machine learning, ...)
<sphalerite> anybody good with reverse-engineering magic? I have some requests and corresponding responses that I'm trying to work out the connection between (i.e. how the request affects the response).
<__monty__> sphalerite: Cheat and just MitM the connection?
<__monty__> I.e. pass on the questions to your router and replace any mention of its IP?
<sphalerite> easier said than done
<__monty__> Yes, that's why I'm on this end of the interaction : >
* infinisil is just learning for a network security exam
tilpner has joined #nixos-chat
<__monty__> Hmm, krops seems pretty cool.
tilpner has quit [Quit: WeeChat 2.3]
iqubic has quit [Ping timeout: 250 seconds]
tilpner has joined #nixos-chat
<sphalerite> https://sphalerite.org/dump/request-response.tar.gz if anyone likes puzzles, I'd be glad for any insights into how the request (>) corresponds to the response (<) :p
drakonis has joined #nixos-chat
tilpner has quit [Quit: WeeChat 2.3]
<infinisil> sphalerite: How big is this that you targzipped it?
<sphalerite> not big at all.
<infinisil> Then why targzip it
<sphalerite> I just realised I should probably have concatted the files and just made it a single file
<sphalerite> because tar cz rolls off the fingers so nicely.
<infinisil> Ah
<infinisil> Oh, I expected like 1000 hard to read lines lol, that's much simpler
<__monty__> tar cz even has all the characters cat does, and it's twice as long.
<infinisil> sphalerit: I think if you're going to reverse-engineer this, you're gonna need like 1000 samples, not just 6
<sphalerite> ssshhhhh :p
<sphalerite> infinisil: you think? For such a small bit of data?
<infinisil> I guess I don't know how complex it is, what is this anyways?
<infinisil> There's lots of potential functions that map 64bit -> 64bit, especially if it's non-deterministic
<infinisil> :P
tilpner has joined #nixos-chat
<__monty__> There's also missing info probably. Since it's not pure.
<__monty__> Time? The request's header?
<sphalerite> The request always gets the same response
<sphalerite> a given request*
<__monty__> Not unless your file's lying.
<sphalerite> oh oops
<infinisil> Yeah, the first one is a counterexample..
<sphalerite> damn I accidentally removed some important information then
<sphalerite> whoops.
<sphalerite> Will correct… tomorrow probably
<samueldr> sphalerite: maybe share the app name / link from the store; might be easier to gather intel from the apk
<samueldr> cursory glance, did you have to create an account on some tp-link cloud service?
<samueldr> might be using that
<samueldr> I mean, to do the actual auth after the initial one, and the initial one is used as an identifier
<samueldr> their source seems littered with debug strings
<samueldr> with the phone connected to a computer, maybe adb logcat could give insight
<samueldr> (I'm doing an assumption based on https://wap-gw.tplinkcloud.com being used, there's also an oauth endpoint)
<colemickens> is there nix(os) content at fosdem?
<joepie91> from what I've heard, there's primarily queues at fosdem
<__monty__> colemickens: Didn't see anything this year. A little bit of Guix.
<__monty__> I learned about nix at fosdem though.
<__monty__> joepie91: Last year was particularly bad. This year the content was a little worse.
<sphalerite> samueldr: nope, didn't have to
<samueldr> then it must be for their connected lights and plugs
<sphalerite> it was able to log into the device without an internet connection on either as well]
<samueldr> (when finding fun looking urls, always google them, others might have found fun stuff)
<samueldr> sphalerite: that's good confirmation that it wouldn't be using that part of the codebase
<samueldr> sphalerite: still, the adb logcat suggestion stands
<samueldr> (if you never used that, be ready, it's like drinking from the firehose)
<samueldr> if you want to unpack the apk in the most useful manner I know (pretty sure there are better ones) apktool is in nixpkgs
<sphalerite> oh I didn't see the logcat bit
<samueldr> the logcat bit might be useful if it prints useful tidbits, with the smali decompiled apk
<samueldr> (which apktool does)
<tilpner> sphalerite: Are you sure you never used Tether on any Android device before?
<tilpner> sphalerite: After your mention earlier, I installed Tether and it asked me for a password
<samueldr> it might work differently if you don't have compatible hardware on the network
<tilpner> Sure, just trying to make sure he didn't input the password on another device years ago
jackdk has joined #nixos-chat
<tilpner> (Which could maybe be synced via Google, I don't know if they also do that for newly-installed apps)
drakonis has quit [Quit: WeeChat 2.3]
jasongrossman has quit [Ping timeout: 246 seconds]
<infinisil> https://github.com/CZ-NIC/knot-resolver seems like a great option for when I want to use a local resolver with DNSSEC and other cool things
<gchristensen> also vcunat is an author
<infinisil> And vcunat seems to be a maintainer!
<infinisil> Ohh yeah, very nice
<infinisil> Having learned a lot about how screwed our internet is makes me want to go full in on securing everything as good as possible
<__monty__> Have you heard about DNS over HTTP?
<__monty__> It worries me tbh.
<__monty__> Or how about the statefulness of new protocols like QUIC? Tracking anyone?
<infinisil> __monty__: I haven't looked deep into those, but I did hear about them
<infinisil> Also DNS over HTTPS
<infinisil> Doesn't sound like a bad idea tbh, what worries you about it __monty__ ?
<__monty__> Oh, sorry, forgot the S.
<__monty__> It's a layer violation!
<__monty__> Also technicalities though. Certs for IPs? Dear god what a cashcow that's gonna be.
<__monty__> And cashcows never beget better security.
<infinisil> Hmm yeah, certs for IPs is a bit weird
<__monty__> Disclaimer: I don't know if that's what they're suggesting with DoH but I don't see how they'd do HTTPS for DNS otherwise?
<infinisil> Hmm, yeah actually
<infinisil> With DNSSEC you just need the root servers keys as a root of trust
<gchristensen> dnssec is basically worthless anyway
<infinisil> But with DNS over HTTPS, you'd need all root CA's
<infinisil> gchristensen: Because it's not used?
<gchristensen> and won't be used
<__monty__> Knowing about the integrity of the DNS response isn't useless imo?
<infinisil> Yeah that's pretty neat imo
<gchristensen> sure
<infinisil> I guess you don't have encryption with DNSSEC though, which would be neat
<__monty__> infinisil: Note that they have different purposes btw. DNSSEC doesn't hide *what* queries you make for example.
<gchristensen> how many of the domains you care about support dnssec?
<infinisil> gchristensen: Yeah, but I mean, a protocol isn't bad just because it's not widely deployed
<gchristensen> I'm not saying it is bad
<infinisil> Ah, but I guess it is worthless, which is what you said
<__monty__> Network effect's a bitch.
<__monty__> Though it's not like nix is widely deployed and we still like that.
<__monty__> ¯\_(ツ)_/¯
<infinisil> Aw man, everything sucks
<gchristensen> yea
<infinisil> There's a bunch of super smart people at my university that are developing a new internet baselayer, which replaces the BGP crap and provides a bunch of neat things
<gchristensen> ice
<infinisil> I think I mentioned it before, https://www.scion-architecture.net/
<__monty__> Will ISPs be insentivized to adopt it though?
<infinisil> __monty__: It's already being deployed
<infinisil> It has neat advantages like DoS protection
<infinisil> And it's faster apparently
<__monty__> You're at ETH?
<infinisil> Yea
* __monty__ 's very jealous
<__monty__> Any haskell companies you could hook me up with? ; )
<infinisil> I had a network security lecture from one of the professors that is developing SCION, I know a bit more about it now
<infinisil> __monty__: Nope :)
<infinisil> There is some event soon where companies look for getting graduates to work for them, but I doubt there will be many Haskell or Nix ones, so I probably won't go
<infinisil> Also I still need another semester..
<__monty__> You know what I've wondered about? Things are getting more and more complicated, take this networking business for example, and people's average computer experience is getting simpler, pretty sure many younger folks nowadays hardly ever use anything more than a smartphone. How the hell are they gonna make up for that disadvantageous starting position with the bar rising so fast?
<__monty__> If you had a great recorded talk about scion that'd be nice btw.
<infinisil> __monty__: Yeah, but nobody needs to be a specialist from the lowest layer to the topmost layer
<infinisil> People can specialize on different things
<infinisil> __monty__: I do have a talk, and slides, but I can't share it I don't think :(
<__monty__> Can they though? Why do we know all this then? I'm by no means a networking dev.
<__monty__> Not saying we're experts. But usually devs have a pretty broad knowledge.
<infinisil> Know all what?
<__monty__> Just thinking about starting all over learning what I know now makes me weary.
drakonis has joined #nixos-chat
<infinisil> Ah yeah, most people don't have deep knowledge of the things they use, and they don't need to. But there's always the people that do know about it, and those are the ones that push things forward
<__monty__> infinisil: random things about HTTPS and DNS and network layers and BGP, etc.
<infinisil> There sure is lots of stuff to know about
<infinisil> I hope we can discard BGP sometime in the future though, along with another bunch of stuff that shouldn't exist anymore
<infinisil> __monty__: If you have a specific question about how the internet works (especially in regards to security), now's the time to ask me, because I have the exam about it this week, and after it I'll forget about everything xD
<gchristensen> how do bonds work?
<__monty__> Hmm, only thing that comes up rn is TLS vs SSL.
* gchristensen 's always wanted to look that up
<infinisil> gchristensen: Um, what bonds?
<gchristensen> I guess that isn't so much how The internet works
<__monty__> Jammed bonds.
<gchristensen> like LACP bonds
<infinisil> __monty__: TLS is like an SSL 2.0
<infinisil> gchristensen: I don't know about that :3
<infinisil> (And never heard about them either)
<gchristensen> me either :P no worries
<__monty__> Yeah but there's DoH vs Do*T*, so what's the deal? Because that sounds a lot like SSL vs TLS.
<gchristensen> 2x 10gbps links -> 1x 20gbps connection
<__monty__> And DoH's being pushed as a better alternative to DoT.
<andi-> gchristensen: hashing modes, based on those the outgoing interfaces is decided. Need more details ? :P
<infinisil> __monty__: You can just forget about SSL really, TLS is its successor
<gchristensen> ...oh :)
<__monty__> infinisil: Then WTF is up with this DoH v. DoT thing?
<infinisil> HTTPS vs TLS
<infinisil> Um
<infinisil> I think HTTPS just has some more standardized request format
<infinisil> But other than that those seems pretty much the same
<infinisil> HTTPS uses TLS underneath
<__monty__> gchristensen: I've wondered about bonding too. I figured it's only the source that needs to keep track of things, the destination wouldn't even notice? Is that wrong?
{^_^} has quit [Remote host closed the connection]
iqubic has joined #nixos-chat
{^_^} has joined #nixos-chat
<infinisil> There's so many protocols involved in the internet, man
<gchristensen> only 255 builds left before I can publish a thing
<infinisil> I didn't hear about LACP, but there's like 5 other protocols on that layer too
<infinisil> which I did hear about
<__monty__> Cisco acquired openDNS? o.o
<__monty__> infinisil: I still don't get the advantage of the HTTP part of DoH. Afaik the biggest advantage is it's not a seperate port and can therefore not be blocked as easily.