
/tech/ - Technology

"Technology reveals the active relation of man to nature"

File: 1630074799367.jpg ( 125.15 KB , 1240x840 , tumblr_mwbirxCG5Q1rso91mo1….jpg )


ITT post a tool or tools you find useful when attacking, maintaining access, bug hunting, recon or whatever else. I'll start:

Weevely3 is my favourite out of the box PHP/.htaccess web shell. Its payload is very small and you can sneak it into many places, and it has many features that make the job faster, especially with its pivoting functionality, and lastly it's modular, allowing easy creation and sharing of new functionality such as adding privilege escalation methods and automated further backdoor and persistent access creation.

File: 1627879257222.jpeg ( 53.65 KB , 1200x630 , javascript.jpeg )


This guy wrote an interesting article on using popular sites with javascript disabled:


His experience was that news sites/blogs tended to "mostly" work while most other sites were utterly broken.


I know many on the channers totally disable js in the browser since Stallman wrote an article against javascript many years ago, additionally many are paranoid about browser zero days used by glow in the darks. Finally a ton of people just see javascript heavy sites as being bloated and overengineered, having slow load times and discriminating against minimalism and third world users with slower internet.

With more and more sites using SPA frameworks like vue, react, and angular, and less and less apps doing server side HTML rendering, javascript-disablers are quickly becoming a tiny minority.

What do we think about js vs nojs/noscript?


>Why should the site have tracking functionality included, when it needs to load that from a tracking provider?
Consider a "4th-party" or "meta" tracker specialized in fingerprinting users through their adblocking filters. Yes, eventually this tracker would also end up in blocking filters, but that's how it is, cat and mouse game.


That was a technical question. How could the site access tracking infrastructure, when it would need to hardcode it into every page and could not forward the data to the tracking provider over js/ajax?


The example I gave is of a not-yet-blocked provider, a new kid on the block, but yes, they technically could also hardcode it into every page, although why not just make the 1st party host the script file? The script just needs to send the raw data back to the website itself (so 1st party request), then their backend forwards the data to the provider to be analyzed. It's not that hard technically, the website just installs a server module that does all this automatically.

Maybe you're thinking why does this matter when filters will catch up sooner or later (although remember that the fingerprinting threat comes from users using different filters). It matters in the case of Tor browser due to how it defeats fingerprinting: it doesn't block trackers, it gives them fake data that is uniform for all Tor users or otherwise ensures uniform conditions (e.g. window size), so that everybody looks like the same person. But when you block a specific selection of those trackers instead, you introduce new bits of fingerprint data with that selection.

It's two different methods that right now kinda step on each other's toes in practice, and one (block filters) is always catching up with the million trackers out there, while the other (Tor browser) just has to keep the browser's mouth shut / feed the lines to it in a uniform and consistent way.

That doesn't mean they can't work well together. For example, there's things that Tor devs haven't discovered how to spoof yet without fundamentally breaking things. One such example is the scroll bar width, it can be calculated via window and viewport size difference. For such cases blocking trackers would be useful, but the only proper solution is for Tor browser to be bundled with adblocker by default without user being able to switch it off or change filter lists, so that uniformity is enforced. Unfortunately that doesn't look likely:


>Adblocking bundled with the browser would mean that the browser itself and not merely the user is antagonistic to various interests that make money from ads and trackers (websites themselves, ad networks, data brokers…). Just one concrete consequence of this is more websites would then block Tor users in return (there are other more complex things as well), but the project in general would be antagonistic to capital's interests, thus potentially losing some of its support, both financial and in terms of technical "tolerance" (cf. the war between Tor and Cloudflare).
Great point.
>I don't think the added attack surface you get from allowing all js is worth the risk of fingerprinting.

Browse in Whonix then. A tor dev (Matt Traudt) says this about JS exploits:
<setting the security slider to its highest setting:
>This is unnecessary for the majority of adversary models and will make the web significantly less usable.

>The only people who have had significant JavaScript exploits used against them in Tor Browser were pedophiles using Windows. This suggests to me (and security experts in general, AKA not people that read "tech news" and parrot everything they read) that these exploits are rare, expensive, and hard to replace. Thus they aren't going to be used against random people because the risk of the exploit being discovered and fixed is too great.

>Setting the security slider to its highest setting does remove JavaScript as a possible attack vector. So as long as you set it there consciously, are aware much of the web may break, I support your choice to disable it. I especially support it if you have legitimate concerns that JavaScript exploits may be used against you, not just dumb paranoia.


I use 'safer' in whonix but if 90% of tor users used 'standard' (which I


Whonix is really the ultimate solution if you still want to use a normal OS instead of Tails or Qubes. And if you still want to run Tor browser natively on host OS then there's firejail which runs the browser in a sandbox.

>I use 'safer' in whonix but if 90% of tor users used 'standard' (which I think is unlikely?) then I would switch to that

Idk, I think a huge majority of users are allergic to sacrificing any usability, so it might be close to 90%. But a lot of them also do stupid shit that makes them less uniform. When letterboxing was introduced you had a mass of people complaining on Tor's blog about "grey borders", meaning they were all resizing and maximizing their windows prior to that. It really showed how uniformity is really poorly maintained by users in practice, which fucks it up for everybody.

Btw, on fingerprint tests I get best results at "safest" security level, while "standard" and "safer" come out exactly the same. Although I doubt these tests are that good. EFF's one claims to test with real trackers yet I get same results even with or without uBlock Origin with all filter lists enabled.

Should be mentioned though that security levels are not meant to defeat fingerprinting but reduce browser's security vulnerabilities.

File: 1625128444089.png ( 98.49 KB , 1200x1200 , fediverse.png )


hi /tech/ , have you seen the federated chans that are coming along?

https://fchan.xyz is 4chan + ActivityPub. It's a bit rough around the edges, but it's going to be able to connect to other ActivityPub projects like Lemmy and Mastodon later.

https://0chan.vip is a tag-based textboard that will soon gain a scraper. It also has user-managed boards with stickies, permasage, and a "soft delete" that hides threads in board view, but doesn't delete them from the server. see http://0chan.vip/b/meta/

NNTPchan was kind of cool but it was pretty busted. It fizzled out after a year.


File: 1625130399158.png ( 19.11 KB , 600x200 , cloudflare.png )

I spent a fair bit of time trying to understand NNTPchan when 8ch was shut down because I see decentralized federation as the only real way to fight back against the CDN-DDoS racket and resist censorship. It was disappointing to me when so many diaspora communities went and decided to just clone the old traditional image board site model all over again without seeking to address how they lost their community in the first place. It was even more disappointing to find out how unpopular NNTPchan was.


>because I see decentralized federation as the only real way
if you want that then make a general decentralization layer protocol, that everybody can use to build on top, add something to the general purpose network stack, instead of making specialized applications.


Might as well bump this too


The two sites ought to develop and adopt an fchan fork and then follow each other. But of course they never would because the ability for users to move to another server without creating an isolated community would directly threaten janny privilege.


what happened to 0chan.vip?

File: 1624224280351.png ( 198.34 KB , 512x337 , hacker.png )


Please dump any resource I can use to teach myself, including online communities I can join for questions.

Is Python optimal?

Thanks in advance




Off topic this is, but somewhat relevant.
So some of these are targeted at Linux.
Is this a problem?


Interesting. Thank you.


This blog really can't be overstated in its quantity of quality work.


bumping this epic bread.

File: 1628763320531.jpg ( 27.27 KB , 479x361 , getinhere-debian.jpg )




File: 1628946103856.png ( 31.52 KB , 1392x714 , upgrade.png )

upgrading my server RIGHT NAO


Debian really is the worst distro for KDE. KDE has a rapid pace of 3 releases per year. You're going to be stuck with 5.20 and KDE window manager had major rework in 5.21 and is being massively pumped by valve right now. And many new improvements are coming soon with 5.23


Well, same goes for a lot of other packages in general, on Ubuntu LTS as well. If you really need some patch or a feature then you have to edit and compile that package yourself, which is not always possible due to dependencies. But sometimes it's just a case of maintainers compiling packages without some shockingly basic flag - like libcurl without brotli support (now commonly used by servers to compress web pages, so you need it to decompress). The good side is that packages are rarely updated so you don't have to do this regularly, but it's still a pain in the ass.

Debian Testing is actually pretty stable itself though, but the drawback is that security patches are not backported like they are to Stable, so you have to wait until they're transferred from Sid the regular way. If something else blocks that package from arriving at Testing then your system is left vulnerable. So now you have to follow their security announcements and patch things yourself if it's something serious. Also pain in the ass.


>What are backports
>What is testing
How do people still not know about this


How stable is KDE wayland at this point? I remember reading there were still some problems with "plasma-wayland" ~half a year ago.

File: 1619377509123.jpg ( 118.58 KB , 700x700 , 4540b074107d531f234c09f3f8….jpg )


What are some good, lightweight and regularly updated music players I can download?


I just use mpv.


I still use audacious because it has a very clean and simple old school interface that can be customized and cleaned up further. Everything else I find too cluttered or/and lacking.
I only play local files, but maybe it supports more advanced shit, I don't know.


File: 1629033323831.png ( 46.31 KB , 913x509 , 2021-08-15_14-14.png )

cmus. nothing else needed


Audacious also supports http, proxies and most winamp skins. A selection of plugins is maintained alongside it and you may even get XMMS plugins to compile against it.


>regularly updated
It plays music. What's there to update?

File: 1629052907973.jpg ( 35.44 KB , 467x354 , steamboy.jpg )


A short while ago Valve announced and demoed a functional gaming handheld, that uses an AMD laptop CPU with a very powerful iGPU and a beefed up memory-bus for about 500 money.

The big wow was that it was running Arch Linux as operating system under the hood, with access to a desktop mode, that would actually be usable as a PC. Most of the people (including me) in the Free Software and Linux scene were excited about this because it means more people using Linux and maybe better driver support.

I have only ever used steam once and i managed to buy a game and then somehow invalidate my license key or user account that was attached to it. I'm pretty sure this was user-error, but still i felt like i was being punished for legally buying a game. I kinda gave up on gaming, although i do sometimes still follow technical news about video game engines.

My experience with DRM systems in general is that it's a fickle bitch and proprietary software doesn't just mean that it's violating the 4 User Freedoms bequeathed to us by Saint Stallman, it also means that it's probably going to stop working at some point. At least in my case I managed to wrench quite a number of DRMed programs i paid for. I basically think that Intellectual property enforcement is some kind of political, ideological or religious terror, that can only be explained by an unreasonable amount of evilness. I know this sounds a little silly but consider that it feels like unpredictable unexplainable punishment when drm wigs out. Stallman really can feel like an angel descending from the sky telling you a transcendental truth. (Figuratively speaking)

And here is where my doubts come about, steam uses DRM for most of its games, and Linux users in general really don't like DRM, or proprietary software, and there might be a lot of friction, about it. However I don't think Valve will switch to windows, because Microsoft has its own videogame-store on windows as well as their own console that is the arch nemesis of Valve and steam. Their dependence on Microsoft is an existential risk and they need something like the steamdeck that is independent of MS to survive as a company. But i fear that there will only be a honeymoon period after which Linux ends up as a battered wife.

I was re-considering my game-abstinence and getting a steamboy, because it looks like you could use it while lying on a sofa and there are a number of puzzle games like the ones from Zachtr


>I was re-considering my game-abstinence and getting a steamboy, because it looks like you could use it while lying on a sofa
Bad idea to sacrifice your abstinence for this. For a few games here and there a laptop on a sofa should do - since you say you'll install Arch anyway and go to GOG instead. Among popular puzzlers most work natively on Linux, and many of them are also on GOG. How large is the screen on this thing anyway? Most Zachtronics would be unplayable on a very small screen, and at least 3 of them have you write code which would also be a pain in the ass on this thing.


maybe you are right, I'll reconsider


If you would buy a laptop or handheld for playing games on a sofa, consider getting an armchair (with a footrest) for your pc instead. It's really comfy :-)

File: 1628691384476-0.png ( 443.52 KB , 600x532 , terry.png )

File: 1628691384476-1.jpg ( 213.74 KB , 900x600 , 1504559976101.jpg )


He died 3 years ago today, bros.



Terry A. Davis was the soul of programming. You must be a deranged schizo to do everything he did. The Platonic ideal of a programmer


i just thought he died of age but damn i googled and his end was even sadder

homeless and hit by a train
sad end.


>arch below 'buntu


>BSD above GNU/Linux
I don't think so buddy


File: 1628857592150.jpg ( 186.69 KB , 600x900 , 1505571593820.jpg )

He probably had lucid moments and saw no way to escape his illness. It's also sad how dumbasses trolled him online and contributed to his illness worsening, he had a cult following but some people just saw him as a lolcow. Dude had so much potential. Making TempleOS by himself is already an incredible feat, but without the schizophrenia he could've been much bigger.

File: 1628786928158.jpg ( 71.51 KB , 768x960 , ppjebupc1p871.jpg )


I swear to god, the ONLY reason to use paint.net is that it's lightweight. If they start trying to change it now and bloat it it will fucking fail. After the last update it's taking so long to startup I might as well have opened photoshop. Why would they do this?


why the fuck tom holland never says shit like this, it would be fun

is paint.net the best photoshop alternative


GIMP is open-source

File: 1628662368153.jpg ( 314.82 KB , 2508x1672 , .jpg )


Does anybody know how to return the css back to Yotsuba B? Seems like an update happened and now for some reason I can't return it back to Yotsuba.


Ok nvm, I just noticed it in the bottom
