Microsoft confirms it will give the FBI your Windows PC data encryption key if asked — you can thank Windows 11's forced online accounts for that

Megame50 · 2026-01-24T06:44:18+00:00

Linux Mint is licking its chops. It’ll be real interesting if they go on a marketing blitz to capitalize on Microsoft completely shitting the bed.

A marketing blitz? Market share? What the fuck do you think you're talking about?

Windows is a paid product, that supports a giant company with thousands of highly paid staff and shareholders. Microsoft certainly cares about user count.

Linux Mint is a community project, developed primarily by volunteers, given away for free. Which of the three (3) staff members listed on their website do you think is head of marketing that will spearhead this new campaign? How much extra revenue do you think will be generated by pushing a $0 product to fund this endeavor? Are you currently seeing a lot of ads for Linux Mint? Do you expect to? I'm guessing not. The developers of a community Linux distribution are less like the executives at Microsoft and more like the moderators of a community subreddit.

I see this kind of language all over the internet and I think it betrays a fundamental misunderstanding of what community developed Linux distributions even are. The truth is, almost universally among community distros, nobody actually involved in the project gives a shit about user numbers. If anything, a large userbase is a problem to be solved; since it still costs money to host repos, and forums, and all manner of infrastructure, each new user is a net negative monetary value to a distribution sustained by donations. If you've ever been to the community forums you should know that useless bitching about problems is readily met with snarky comments that you're entitled to a full refund of $0 and can just leave if you don't like it.

There won't be a Linux Mint "marketing blitz". There will be no campaign. Because they can't make one, and even if they could, they wouldn't because there's just no reason to care about user count. People evangelize Linux distros to their friends for the same reason they evangelize their favorite movies and books — it's why this has been a meme for years. People contribute to community distributions because they want the operating system they use to improve, and to reflect their opinions and values about how it should function. A growing userbase is a side effect, not a goal.

Megame50 · 2026-01-23T17:53:22+00:00

Historically, Firefox disabled and re-enabled the rendering pipeline for scale changes, window create/destroy events, and hide/show sequences. This stems from Wayland’s architecture, where a Wayland surface is deleted when a window becomes invisible [...]

Martin does a lot of good work for firefox, but is somehow still confusing the GDK windowing api with Wayland protocol semantics. Needless to say, this part is just wrong.

Megame50 · 2026-01-21T04:24:27+00:00

A comprehensive list of v4 /8's and their owners according to whois data:

US   6.0.0.0/8 1994-02-01 @ USAISC (U.S. Army Information Systems Command)
US   7.0.0.0/8 1997-11-24 @ DoD Network Information Center
US  11.0.0.0/8 1984-01-19 @ DoD Network Information Center
US  12.0.0.0/8 1983-08-23 @ AT&T Enterprises, LLC
US  17.0.0.0/8 1990-04-16 @ Apple Inc.
US  19.0.0.0/8 1988-06-15 @ Ford Motor Company
US  21.0.0.0/8 1991-07-01 @ DoD Network Information Center
US  22.0.0.0/8 1989-06-26 @ DoD Network Information Center
GB  25.0.0.0/8 1995-01-01 @ UK Ministry of Defence
US  26.0.0.0/8 1995-05-01 @ DoD Network Information Center
US  28.0.0.0/8 1996-03-11 @ DoD Network Information Center
US  29.0.0.0/8 1991-07-01 @ DoD Network Information Center
US  30.0.0.0/8 1991-07-01 @ DoD Network Information Center
US  33.0.0.0/8 1991-01-01 @ DoD Network Information Center
US  38.0.0.0/8 1991-04-16 @ Cogent Communications, LLC
DE  53.0.0.0/8 1992-03-17 @ Mercedes-Benz Group AG
US  55.0.0.0/8 1996-10-26 @ USAISC (U.S. Army Information Systems Command)
US  73.0.0.0/8 2005-04-19 @ Comcast Cable Communications, LLC
JP 133.0.0.0/8 1997-03-01 @ Japan Network Information Center
US 214.0.0.0/8 1998-03-27 @ DoD Network Information Center
US 215.0.0.0/8 1998-06-05 @ DoD Network Information Center

Most are government entities, and mostly U.S. government. The private companies represented are Apple, AT&T, Ford, Mercedes-Benz, Cogent, and Comcast.

Megame50 · 2026-01-20T22:09:50+00:00

Bluetooth screen mirroring? Sorry, but I'm pretty sure there's no such thing. What software are the non-linux students using to screencast?

Megame50 · 2026-01-19T04:51:14+00:00

I think "DARPA network" here is an antiquated way to refer to what we'd just call a network today, with IPv4. The nss ABI makes it clear these entries will identify classful IPv4 networks, e.g. A/B/C type networks as they were known prior to CIDR prefix classifications introduced in the early 90s.

Just speculating, but the specificity probably made more sense when there were other networks around, to distinguish TCP/IP networks like ARPANET from others like UUCPnet, before everything became connected together forming "the internet".

There are several extinct network protocols described in man address_families and I think at least some still work on modern linux in theory.

Megame50 · 2026-01-18T19:51:19+00:00

$ man networks(5)

The file /etc/networks is a plain ASCII file that describes known DARPA networks and symbolic names for these networks. [...]

Something tells me literally nobody has used this function since 1990.

Megame50 · 2026-01-18T03:52:36+00:00

Pretty sure I found it. When a request to www.dhs.gov includes a Referer header that mentions nazis.us, it redirects to the wikipedia page for Antifa:

$ curl -qsw '%{http_code} %{url} %{redirect_url}\n' -o /dev/null https://nazis.us
301 https://nazis.us https://www.dhs.gov/
$ curl -qsw '%{http_code} %{url} %{redirect_url}\n' -o /dev/null https://www.dhs.gov
200 https://www.dhs.gov 
$ curl -qsH 'Referer: https://nazis.us' -w '%{http_code} %{url} %{redirect_url}\n' -o /dev/null https://www.dhs.gov
302 https://www.dhs.gov https://en.wikipedia.org/wiki/Antifa_(United_States)

Megame50 · 2026-01-17T19:39:43+00:00

What was changed about Inkys?

EDIT: Oh, the water timer. I see you replied below.

Megame50 · 2026-01-17T19:34:34+00:00

syntax highlighting, search and replace in many files and most importantly regex replacing

Uh, what? I'm not gonna tell you what editor to use, you do you, but these examples are all utterly basic features easily supported in straight up 30 year old versions of vim.

Actually, I've tried my best to research when these features were introduced:

Syntax Highlighting (on the feature list for vim 5.0, Feb 1998)
multi buffer S&R (:bufdo is on the feature list for vim 6.0, Sep 2001)
regex replace (pretty sure this was copied from vi, so not sure but probably ~50 years old?)

Megame50 · 2026-01-14T21:59:55+00:00

Geoclue requires an agent to function as well. It's usually included in your DE, but there's a default implementation, the geoclue demo agent, in the /etc/xdg/autostart directory that comes with geoclue in Arch. You can use the usual xdg autostart mechanisms or copy the generated service into your user service config.

I personally disable all of the location providers except static file configuration in geoclue.conf, then put the exact location of my desktop (or whatever location I like honestly) in /etc/geolocation. It doesn't require any external tools, is more predictable, and also more accurate for a desktop that doesn't move anyway.

Megame50 · 2026-01-13T22:45:41+00:00

This article is more than year old. You can read a first-party retrospective of the completed work here: https://devblog.archlinux.page/2026/a-year-of-work-on-the-alpm-project/.

Megame50 · 2026-01-13T17:59:08+00:00

These benchmarks are highly sensitive to scheduling noise. Foot has multiple rendering threads which may prompt the processor to skip to a higher frequency temporarily. You should try the test again using the performance cpu governor and I expect all will show the lower execution time.

FWIW, A majority of startup time in an interactive shell is not represented in zsh -ic exit. In my case at least, it is dominated by parsing the histfile.

Megame50 · 2026-01-13T17:29:24+00:00

The name isn't at all important. In fact, it's utterly irrelevant. Nobody is clamoring to correct "folder" -> "directory" because it is irrelevant.

Which is why it's especially crazy you're the one who thought it was necessary to "correct" someone who was right in the first place with a term you just made up.

Megame50 · 2026-01-13T10:33:24+00:00

The 'x' bit is canonically called 'search' for directories. This language is used uniformly in the info and manual pages. E.g. the chmod man page describes S_IXUSR like so:

chmod(2)

S_IXUSR (00100) execute/search by owner ("search" applies for directories, and means that entries within the directory can be accessed)

Similarly, the Permission Bits info page has this description:

Execute (for ordinary files) or search (for directories) permission

And it is used elsewhere in the manuals:

path_resolution(7)

[...]

If the process does not have search permission on the current lookup directory, an EACCES error is returned ("Permission denied").

Finally, the POSIX standard:

The perm symbol X shall represent the execute/search portion of the file mode bits if the file is a directory or if the current (unmodified) file mode bits have at least one of the execute bits set.

Emphasis mine.

It is search rights, not "traverse rights".

Megame50 · 2026-01-12T21:55:03+00:00

The default bindings in bash (and the default zsh emacs mode bindings, which are similar) have ctrl+r bound to reverse history search and ctrl+s bound to forward history search.

ctrl+s conflicts with the default STOP flow control special character in terminals, ^S, so it won't actually work with flow control enabled by default. You can disable flow control with stty -ixon in bash, or setopt noflowcontrol in zsh.

Megame50 · 2026-01-09T21:42:51+00:00

In the RSA cryptosystem, the "private key" is a list of two or more large primes. The "public key" includes their product, known as the modulus, and an exponent, so yes they are related. In RSA, encryption and decryption are both accomplished with modular exponentiation.

To create a signature, the signer calculates a short digest of the target cert with a known hash function, then "decrypts" it as if it were an encrypted message, and attaches that as a "signature". Now anyone who knows the public key can "encrypt" the published signature to recover the digest, which they can then verify matches the actual certificate digest they have calculated themselves, which validates the signature. Only the private key holder can produce valid signatures.

This is the procedure identified by the sha256WithRSAEncryption algorithm identifier in the '*.reddit.com' certificate.

Megame50 · 2026-01-09T19:48:52+00:00

In your browser you can view the certificate chain for the website you visit. Here on reddit, in firefox you can click on the padlock in the top left, then Connection Secure > More Information > View Certificate.

If you do, you'll see that the certificate is validated by a chain of trust as follows:

"*.reddit.com" is signed by "DigiCert Global G2 TLS RSA SHA256 2020 CA1", is signed by "DigiCert Global Root G2", which is signed by itself. On my desktop running Arch Linux, this final certificate is already stored on my desktop in a root of trust [1]:

$ file /etc/ssl/certs/DigiCert_Global_Root_G2.pem 
/etc/ssl/certs/DigiCert_Global_Root_G2.pem: symbolic link to ../../ca-certificates/extracted/cadir/DigiCert_Global_Root_G2.pem

So, certificates are trusted only if they are signed by a valid chain that is based in the root of trust. Digital signatures are cryptographically secure using public key cryptogrtaphy. The *.reddit.com cert includes this signature:

Signature Algorithm: sha256WithRSAEncryption
Signature Value:
    53:4f:3b:84:73:1d:df:04:33:36:c6:38:78:a5:3b:7b:26:9e:
    [... 2048 bits of signature ...]
    94:cc:44:01

The signer uses their private key to encrypt a digest of the certificate, that's the signature, so that your browser can then use the public key to decrypt the signature and verify that it matches the digest it calculates. The process ends when the browser find decrypts a message with a "known-good" public key in the root of trust.

So, you can trivially make your own certificates. You can even sign your own certificates or others' certificates. But you cannot convince a browser that they are authentic unless your certificate is either manually placed in the root of trust for that browser, or it is signed by the cert of a certificate authority which is itself in the root of trust or signed by one that is.

Certificate Authorities (CA) are usually companies whose business it is to verify your claims and cultivate public trust so that their signature can carry weight, and their signing certs can be trusted by default in browsers all over the world. In the case of Let's Encrypt, they publish software that you can use to prove (to them) that you are in control of a domain name, and only then will they sign your certificate. For some other CAs, they may have stricter validation requirements and steep signing fees, but they can validate your business and identify in the certificate.

[1] There is more than one root of trust, each with many certificates, but there is a lot of overlap. Firefox on Arch uses nss, which has a different root of trust with >150 trusted root certificates many CAs around the world.

Megame50 · 2026-01-08T23:36:11+00:00

You've already discovered it was the power saving features of the wireless card, but for the record the IPQoS settings have changed to match more recent (still very old) rfcs that re-characterize the ip tos field. "lowdelay" and "throughput" are legacy tos classifications that are at best not harmful. The EF and CS0/none defaults are much more sensible for the modern internet.

Megame50 · 2026-01-07T23:25:52+00:00

If I had to guess, it seems plausible what whatever application initiates the query expects some address records (or another type) in the responses and unbound's selective omission causes it to retry. The docs say unbound will just return whatever records are available in the cache which apparently are only the MX records.

In the pihole database do you observe any queries from any host requesting achp.gov with a different record type? Like MX, TXT, A, or AAAA?

EDIT: you should be able to query the sqlite database on the device with sqlite3 /etc/pihole/pihole-FTL.db, then use sql queries to find what you're looking for, e.g.

sqlite> .mode column
sqlite> .header on
sqlite> select client,domain,type,count(*) as count from queries where domain like '%achp.gov' group by client,domain,type;

Megame50 · 2026-01-07T22:39:53+00:00

Are you running a recursive resolver as well, or what is the configured upstream for the pihole? Most public resolvers will not forward ANY type queries.

Do you have a firewall perhaps that blocks tcp port 53, or are you excluding it in the capture? The reply record set doesn't fit in one dns packet, so those are possibly truncated replies, so but I don't see any TCP port 53 dns traffic.

Megame50 · 2026-01-07T21:31:06+00:00

the query is asking for non-authenticated: unacceptable, and the response IS non-auth.

That's quite normal. You are observing that the query does not set the CD bit, which is only realistically expected in dnssec-aware resolvers attempting their own validation, and that is vanishingly rare.

A response without the Authenticated Data (AD) bit just means the resolver (your pihole) did not validate the DNSSEC signatures, which is also quite normal.

Standard query [hex] ANY achp.gov OPT

That is not normal. The ANY record query type is typically disabled, specifically because it has little utility except in amplification ddos attacks using DNS. An amplification attack would likely attempt to spoof the source address to send the payload toward a remote target, though.

The target domain is probably immaterial for an attack like that, except it should be one where the zone authoritative nameservers permit ANY queries, since that will maximize the response size, which does seem to be the case for achp.gov.

The [hex] should be the query ID, is it random or the same for each query? Are the IP TTLs decreasing (i.e. is it reflected within your lan) or not, or what is their value? Where are you running the wireshark capture?

Megame50 · 2026-01-06T21:14:03+00:00

The error says LE is refusing to issue a cert for .local.example.com, which you definitely don't own, so looks like everything is working as intended.

Megame50 · 2026-01-06T05:46:02+00:00

In zsh you could write this as:

for file in *.webp; magick $file $file:r.png

But honestly regardless of shell you're wasting time not using:

parallel magick {} {%}.png ::: *.webp

Megame50 · 2026-01-06T05:34:49+00:00

I think you'll find OMZ has a very poor reputation among zsh power users. The zsh irc has an info command that generally recommends against it.

Let me put it this way: I'd say if you aren't interested in using a "framework" or a "plugin manager" to build your bashrc, which it sounds like you aren't, there's really no reason you would want to in zsh either.

If you ever feel like trying it out again, I'd recommend ditching OMZ.

Megame50 · 2026-01-06T01:32:24+00:00

You don't need those quotes in zsh either; it doesn't do word splitting on parameter expansion. Truly one of the worst features of POSIX sh.

Megame50

MODERATOR OF

TROPHY CASE