As a planned follow-up to the splitting of sshd-session out of the sshd(8) binary, sshd-session has be further split into a new sshd-auth binary to handle user authentication.

djm@ modified src/usr.bin/ssh/*: Split per-connection sshd-session binary

This splits the user authentication code from the sshd-session binary into a separate sshd-auth binary. This will be executed by sshd-session to complete the user authentication phase of the protocol only.

Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes.

Joint work with markus@ feedback deraadt@

Tested in snaps since last week

Also only on #OpenBSD, this new sshd-authd binary gets relinked on boot, as with sshd-session and sshd.

deraadt@ modified src/etc/rc: sshd-auth also has a relink kit

#OpenSSH

The @internetarchive’s Wayback Machine resumed in a provisional, read-only manner.

Sorry, no Save Page Now yet.

Safe to resume but might need further maintenance, in which case it will be suspended again.

Please be gentle https://web.archive.org

More as it happens.

[RSS] Casio says ransomware attack exposed info of employees, customers and business partners

https://therecord.media/casio-ransomware-attack-exposed-emplyee-customer-data

First the IA, now Casio - nothing is sacred for these punks!

What is the longest sentence you can form from names of programming languages?

(Bonus points for not using the Esolang wiki)

Painted by a homeless man: https://streetartutopia.com/2024/10/13/painted-by-a-homeless-man/

@drahardja @SteveBellovin What is this *not* good for?

Doing my weekly update of TeXLive, I spotted this as a new feature. Just what I want—SQL injection in document source…

@muneef This PNG could've been a HTML table...

Writing things down isn't just good science; it's the ultimate kink. 😝

the zendesk hack, for anyone interested

https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52

@asicc I have no clue how this should/could be resolved unfortunately.

People getting more familiar with the infrastructure around them would probably help, but technology goes in a direction that hides these details, hence its popularity.

@asicc My point is exactly that the contents of an URL doesn't seem to matter _at all_ because many people have no idea what trustworthy domains are (or how they would like like as part of an URL).

In other words you don't have to register n<very weird e-like character>tflix[.]com for your scam because people will just trust PayForYourTV[.]so.

@tara @bitzero TIL about elinks, it looks awesome!

The current chaos in WordPress caused by Matt seems like a good time to remind folks that the Mastodon “community” websites and trademarks are 100% owned by one man, despite pleas from current and former project members to make Mastodon a foundation with a board.

gm fedi

sometimes the answer is not "have you tried turning it off and on again" but "have you tried using the physical power switch while sacrificing a goat"

Now that I look at it, Empire of Ghidra has strong Mordor vibes...

I decided to document this weekend's debugging adventure

#rpg #therapy

@bfjvii @mjd The moment that word appears you know you are being scammed.

[RSS] Every bug/quirk of the Windows resource compiler (rc.exe), probably

https://www.ryanliptak.com/blog/every-rc-exe-bug-quirk-probably/