That cks. Overcommitted sysadmin, photographer, bicyclist, and other multitudes. I write a lot of words for a programmer. he/him/they/them 🇨🇦
@dgl @JdeBP @lyda @ska Oh, nice. I tried to find something doing that in the net package but clearly didn't look deeply enough. That hopefully means fixing it for FreeBSD might be feasible for Go 1.26, or maybe 1.26.1.
(I was thinking it was going to need major changes which would definitely be a no-go for 1.26.)
The special case explains why my Go program worked, oops; I was assuming it used INADDR_ANY when Go is cleverer.
@mhoye I am maintaining a little mental timer of when work is going to have a security incident because of a researcher using some MCP agent that gets exploited. (I am sure researchers are using MCP agents already, installed personally on our shared Unix systems, somehow I still sleep reasonably soundly at night apart from the bit where I usually wake up at 6am for a bit for no apparent reason.)
RE: https://c.im/@dtauvdiodr/116021107300482971
Friday is #BandcampFriday 👇
@gnomon For bonus points I didn't speak up right away because this was in the era when "Linux laptop" combined with "wifi" was not a 100% reliable thing (and I didn't have a smartphone at the time, I'm not sure many people did). So at first I assumed it was a problem on my side and poked stuff and etc.
(The local AP was up but the wifi DHCP server was not, so I was getting on the wifi but not anything more.)
@gnomon Since I cannot just tease you with a footnote: my department is in multiple buildings (yes this is fun), with our central machine room in one particular one that also has my group's offices. At one point we had a weekly meeting of all of the sysadmins in the department, in a meeting room in a building other than the one with the machine room.
So there I was in the meeting, scratching my head about my Linux laptop not connecting to departmental wifi all of a sudden...
@gnomon You should not peek behind the curtain of my work's incident management process. Not that we have very many incidents, thankfully.
(Mostly it involves scratching our heads and poking things with sticks to try to figure out what's going on. Unless it's something obvious, like "the power is off"¹ or "the AC is off".)
¹ We once missed noticing that the power was off. True story!
@thatdawnperson The UofT has also moved to 'at most one day WFH' (so minimum 4 of 5) although I'm not sure on the timing institution-wide. It sounds like they would like 5 of 5 but are doing it one step at a time.
Our union contract is up for negotiation this summer and WFH stuff is going to be a big area of fighting, not just because people care but also because no sane union gives up a benefit that they got in the previous contract. So we'll see.
@dgl @JdeBP @lyda @ska Actually I believe connecting to 0.0.0.0 itself does still work on OpenBSD (or at least it does in testing for me). You need a tool and a tool environment that will do it (which stock OpenBSD SSH doesn't seem to), but given such a tool¹ it appears to work.
¹ I use https://github.com/siebenmann/call but that's because I wrote it, and also it's in Go so it bypasses some of the OpenBSD C library restrictions on what it will map to 0.0.0.0.
@mjd I have a paid subscription so I felt vaguely motivated, since I probably want some email from them.
@mjd I took another poke at this and I was eventually able to get them to accept my setting when I (temporarily) disabled both uBlock Origin (!) and Firefox's own anti-tracking stuff (!!). Did it actually take? I don't know, but I have my suspicions.
It turns out that 0.0.0.0 was already known as an issue for browsers; in 2024 there was a '0.0.0.0 Day' security issue that prompted Chrome and Safari to block access to it (and hopefully the IPv6 version too). One article from the time is from the Register (I know, but): https://www.theregister.com/2024/08/09/0000_day_bug/
Bonus round: this 'ssh 0' behavior also works for the IPv6 equivalent, 'ssh ::0' or 'ssh ::'. That means it will probably also work in browsers.
Surprise: blocking DNS rebinding to localhost requires screening out more than 127/8 and ::1 answers. This is my face.
For proper credit (or if you prefer, blame), I learned about 'ssh 0' from a comment @lyda left on my techblog. But now that I've seen it I can't unsee it. What else will accept '0' as a hostname? Feel free to try it today.
(Firefox will, it looks like.)
This is my face that you can do 'ssh 0' (assuming your machine runs a SSH daemon) and it will probably work. Well, unless you're on FreeBSD 15. Or OpenBSD, which laughs at you.
Another factor for North America (and maybe Europe as well) is that cycling safety laws and regulations are extremely selectively enforced. In practice they become tools for the police to harass cyclists they don't like, and often this will be poorer or minority cyclists (who face lots of obstacles as it is).
(This also holds true for requirements for bike lights.)
@ceejbot If you haven't heard it, "Learning to Flinch" is an extremely interesting Zevon album after you're familiar with enough of his pre-1993 studio albums. It was eye-opening to me to hear him perform his work stripped down to pretty much a guitar or a piano/keyboards plus his singing.
@nev Compelling watching is a good description, since they're kind of not the sort of thing I should 'like' as such given that they are about terrifying and often lethal industrial accidents.
(I still remember the one that started out talking about flushing pipes with natural gas and given that this was a USCSB video I knew there was only one place it could be going and the only two questions were how bad and how exactly did the disaster unfold.)
@ChrisJagged @mayintoronto My default favorite band¹ is Hawkwind and although I'm not sure I think they fall into the 'celebrated in certain circles' category (and probably a certain number of people have heard of them as 'the band Lemmy was in before Motorhead').
¹ I'm a fickle person but my home and work desktops are named after them² and I have a lot of their albums. It's complicated.
² There have been related spinoffs and complicated name changes over the years.
@smerp Inside, actual air temperature; outside, usually "feels like" but it can depend. (Partly because I don't always trust the feels-like estimations to correspond to how I feel.)
@iliana The potential source that occurs to me is test data for zip implementations. They might have weird corner cases and deliberate errors.
(Although I haven't looked at Go's zip test data in detail, some of the file names are suggestive: https://go.googlesource.com/go/+/refs/heads/master/src/archive/zip/testdata/ )
