Carelessness versus craftsmanship in cryptography
Two popular AES libraries, aes-js and pyaes, “helpfully” provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs. […] The aes-js/pyaes maintainer, on the other hand, has taken a more… cavalier approach.
🔓 https://…
This was glorious, and it is now implemented in SwiftTerm by default.
While it is true that certain users in a dorm at Dartmouth or MIT might carry with them the script to tune their color palette, I believe that users in the wild deserve to keep their retinas.
https://gist.github.com/jake-ste…
“Brevity was always a discipline. Now it’s a statement. When everything around you is excessive by default, choosing fewer words takes courage. It says: I thought about this. I edited. I respected your time more than I needed to show my work.”
Wise words from @… 💙
If you manage your code on Github, you might expect that you get an email notification if someone opens an issue for your code. But it appears that's no longer true for new repos.
The "Watch" settings are now, by default, "Participating and Mentions". That means unless someone tags your Github username in the issue report, you won't know about it. Yeah, even if it's your own repo in your own namespace. No, I don't know what they were thinking at Githu…
Last year my friend died. It was a rather public affair since he was much loved by people in the media and arts. Still, six months later people on Facebook sent him birthday wishes oblivious to the fact that he had died.
Last month another friend of mine died. It has been a much more private affair. His birthday is coming up later this month and I am dreading seeing people using Facebook's default emojis to wish him well.
If you are so out of touch with someone that they migh…
Excited to share that the MITRE Fight Fraud Framework™ (F3) is now included in the default MISP galaxy and available across all MISP instances.
F3 is a curated knowledge base of tactics and techniques used by financial fraud actors, helping analysts structure, share, and enrich fraud-related intelligence more effectively.
A great step forward for the MISP community and for teams tracking financial fraud.
That ominous "if" at the end tells me only that even the Linux community doesn't know why these files were taken down. I could make a breakthrough in my YouTube puddle if I spin up some clickbait video right now 😀
Discord plans to roll out age verification globally starting in March to access some content; all accounts will have a "teen-appropriate experience by default" (Stevie Bonifield/The Verge)
https://www.theverge.com/tech/875309/discord-age-verification-g…
I should do some work with Authentik, but I keep getting sidetracked to find out where the default background for the SSO page is coming from
https://github.com/goauthentik/authentik/blob/main/web/src/assets/images/flow_background.jpg
My message to Gaggle Mail:
I just want to let you know that I decided not to continue evaluating your service after I noticed that you have a setting to use ChatGPT from OpenAI turned on by default.
Among many other things, OpenAI is Trump's biggest donor and used by ICE.
It is one of the most morally corrupt companies in operation today and it was hugely disappointing to me to see a company that embraced the classic listserv platform (yay!) also integrating the w…
#Sunstone browser now has a searchable history. The period to display can be set to the last hour, day, week, a custom timeframe or 'all'. There is also an option to group the results by host. By default, 50 results are displayed per page.
This is a WIP and subject to change. The biggest miss so far is a link in the page to navigate beyond the first page of results, although y…
The reason why I preferred OSS deps over reimplementation is that by default, the author of a nontrivial library spent more time with a problem than me, and hence I trust their judgment more.
This is another default that LLM breaks…
Great talk by @… of #GNU #Hurd fame, in a packed room, selling the Hurd really well (in my not entirely unbiased opinion, of course) and starting with
It'…
🥳 New Kitten release
Several bug fixes, thanks to wunter8 (https://codeberg.org/wunter8):
• Default socket doesn't work when testing with a local mobile device (https…
A look at the top 100 GenAI consumer apps: ChatGPT leads but the race for the "default AI" is on, global usage is splintering by product, and AI agents arrive (Olivia Moore/Andreessen Horowitz)
https://a16z.com/100-gen-ai-apps-6/
This might be a useful Obsidian tip. I tried Obsidian (again!) last year but I just couldn’t walk away from Bear because it’s so good. (Bear is macOS only but they did add web access last year.)
“I discovered Obsidian's core plugin "File recovery". Enabled by default, it saves the state of your files every five minutes and keeps that history for a whole week!”
Just in case anyone was hoping GrapheneOS would support face unlock, even as an option disabled by default, even for the Google Pixel devices with busted-by-design fingerprint sensors: lol keep fuckin' dreaming, noob. Much like Linux in 2026, GrapheneOS isn't about choice. It's about you quietly falling in line and adjusting your expectations, you ungrateful fuckhead leech deserving of mockery and derision and the questioning of your virility and political alignment.
still not sold on having to rely on new protocols (gemini) or very old protocols (gopher) instead of making a wiser use of the ones used at large (http). When the solution is to add more software I’m skeptical by default
Disappointing growth in EU biomethane production, growing by 'only' 12% from 'gas year' (Oct-Sep) 2023/24 to 2024/2025.
5 years to go to the REpowerEU target of 350 TWh; that would now require a 52% compound annual growth rate.
Tall order, but today's news shows how important it is to accelerate!
I have set up my Thunderbird to use plain text and "interleaved, quote under" style, which is also the recommendation of the Linux Kernel mailing list. By default, it doesn't quote at all. I'm sick of throwing huge chunks of HTML back and forth where any long conversation grows into a formatting mess.
#Email
Apple is losing the normals. At a superb owl gathering and everyone (all generations) is complaining about #iOS updates changing everything, and a specific example is enabling crossfade in Music by default.
Decision has been made not to update grandma's iPad going forward because that would render it effectively useless from her point of view. Have heard same complaint from my mother: "…
@… not rw by default in single user mode.
I usually:
mount -uw /
(I can't remember where I learnt that variant. Lost in the mists of time.)
@…
To be entirely fair, macOS and Windows are going down such clownchute that it is possible that they just won't work for people at all anymore, so it could be that Linux gets popular by default.
Zenlayer (#AS4229 and others):
"[...] new pricing policy for public IPv4 addresses will take effect on March 31, 2026, reflecting rising IPv4 costs [...]"
"All compute products will no longer include complimentary public IPv4 addresses by default."
"Customers are strongly encouraged to accelerate IPv6 adoption to support a sustainable long-term network architecture."
Instead of an "AI kill switch" like they promised, #Mozilla will provide "AI controls" buried deep in settings in a #Firefox update which isn't out yet, until then the AI features which are already released and on by default can only be disabled by digging through about:co…
Easter test weekend, initial findings. 😎
:fedora: On Fedora 44 Beta GNOME Edition, the file manager crashes every time I try to access my NAS. There are also frequent freezes with apps that weren’t included by default and were installed later.
:ubuntu: Ubuntu 26.04 LTS also comes with GNOME 50, and unlike Fedora, it already includes kernel 7.0, which is great—especially for the latest hardware. This beta also seems to run more smoothly and stably than Fedora’s beta.
Howev…
In the interests of starting a more productive dialogue than yesterday's main character was interested in, let's make a #brainstorm thread about design changes to ActivityPub and/or client UI that could actually help address drive-by (often racist) harassment on the fediverse.
Feel free to discuss pros/cons but don't feel an idea needs to be perfect to suggest it. Also since this is a brainstorm don't worry about complexity/implementation cost. If you have a great-but-hard-to-implement idea someone else may think of a way to simplify it.
Note that the underlying problem *is* a social one, so there won't be a technological fix! But tech changes can make social remedies easier/harder.
I've got some to start:
1. Have a "protected mode" that users can voluntarily turn on. Some servers might turn it on by default. In protected mode, users whose accounts are less than D days old and/or who have fewer than F followers can't reply to or DM you. F and D could have different values for same-server vs. different-server accounts, and could be customized by each user. Obviously a dedicated harasser can get around this, but it ups the activation energy for block evasion and pile-ons a bit. Would be interesting to review moderation records to estimate how helpful this might or might not be. Could also have a setting to require "follows-from-my-server" although that might be too limiting on private servers. Restriction would be turned off for people you mention within that thread and could be set to unlimit anyone you've ever mentioned. Would this lock new users out of engagement entirely? If everyone had it on via a default, you'd have to post your own stuff until someone followed you (assuming F=1). One could add "R non-moderated replies" and/or "F favorites" options to soften things; those experiencing more harassment could set higher limits. When muting/blocking/reporting someone who replied to your post, protected mode could be suggested with settings that would have filtered the post you're reporting.
2. Enable some form of public moderation info to be displayed when both moderator and local server opt-in. Obviously each server would be able to ignore federated public tags. I'm imagining "banned from X server for R reason (optional link to evidence)" appearing on someone's profile & an icon on their PFP in each post viewed by someone on server Y *if* the mods of server X decide it's appropriate *and* server Y opts in to displaying such tags from server X specifically. Alliances of servers with similar moderation preferences could then have moderation action on one server result in clear warning propagation to others without the other mods needing to decide whether to also take action immediately. In some cases different moderation preferences would mean you wouldn't take action yourself but would keep the notice up for your users to consider. Obviously the "Scarlet Letter" vibe ain't great, but in some cases it's deserved, and when there's disagreement between servers about that, mods on server Y could either disable a specific tag or disable federation of mod tags from that server in general. Even better shared moderation tools are of course possible.
3. Different people/groups have different norms around boosting. Currently we only have a locked/public binary. Without any big protocol changes, adding a "prefers boosts/doesn't" setting which would warn in the UI before a viewer chooses to boost if the preference is "doesn't" could help. This could be set per-post, but could also have defaults and could have different values for same-server or not, or for particular servers. For example, I could say "default to prefer boosts from users on my server but not from users on other servers" or "default to prefer boosting on all servers except mastodon.social." Last option might be harder to implement I guess.
#ActivityPub #Meta #Harassment
Funny how people, in light of the LiteLLM compromise, jump to the conclusion that the solution is to make your supply chain even more intransparent by vendoring in dependencies through an LLM's processing, rather than just using pinned and vetted dependencies by default over tools' defaults "yolo there has been an update and it claims to be semver compatible" attitude.
I'm waiting for a lawsuit against Waymo to pop up about yesterday's April Fools easter egg. You should not make jokes about microphones when the T&Cs specifically say they are not on by default.
Amendment: this is dodgy. Consider this retracted.
Wow, if true this is big: Lenovo says they're losing money on every computer pre-installed with MS Windows 11 due to it comprehensively sucking. They are apparently moving to Ubuntu Linux installed by default. Windows will only be an extra-cost option... https://www.youtube.com/…
I almost signed up for Gaggle Mail even though it's US-based. I figured at least they seem to have good sense in seeing the value of email for discussion groups. And then while trialing I saw they have a function to summarise email discussions via ChatGPT that is *turned on by default*. I mean, wtaf.
So I'm deciding on self-hosting Mailman. It always seems to come back to self-hosting in the end, doesn't it... which is not nearly easy enough for most people to grapple with.
RE: https://social.coop/@cwebber/116295745357971471
100% this. But also sometimes it's okay. That's the weirdest part.
And we are not yet fully ready to make those decisions. It's gonna be messy as hell, and we need to choose better than a lot of us do by default.
I thought I'd killed my trusty #turrisomnia but it turned out my tinkering had left it and the recovery partition in a very old broken state. Fortunately after failing with a cheapo usb key I did get a more recent factory image on it. I now realise quite how fast back the system was because everything is dark mode by default now with a nice onboarding process.
My top debian-derived linux tip is to uncomment the bash completion bits in /etc/bash.bashrc
It enables tab completion for a bunch of commandline stuff that saves loads of time
No idea why this isn't enabled by default. Setting up a new linux mint install for me these days is basically just doing that and mapping caps lock to ctrl.
Microsoft provided the FBI with the recovery keys to unlock encrypted data on the hard drives of three laptops as part of a federal investigation, Forbes reported on Friday.
Many modern Windows computers rely on full-disk encryption, called #BitLocker, which is enabled by default.
This type of technology should prevent anyone except the device owner from accessing the data if the computer is …
TIL: Incremental selection is available by default in Nvim 0.12, see `:help v_in`.
#neovim
So SF public school teachers had to go on strike and it was considered a historic win when their strike resulted in 5% raises, but SF cops just waltz in and get a 14% raise by default.
The cops are robbing our city blind. Stop voting for pro-cop "moderates" who enable this!
Are you kidding me. I couldn't make Decky Loader work no matter what and I just learned that Syncthing overrides the port it uses by default 💀
So I am now at 10% battery, with the machine connected to the power adapter… I wonder what happens when it gets to 0, but is still connected. Losing a percentage point every few minutes at this stage.
Almost seems like it uses the battery by default, and the power going in only goes to charging the battery, not actually running the machine?
And what would happen if I set topaz to do upscaling overnight?
Just finished "If You'll Have Me" by Eunnie. A wonderful and very sweet sapphic romance graphic novel. I love the fact that it's set in a world where gay is the unremarkable default (there's a subtle token hetero couple that appear on a single page, IIRC).
#AmReading #ReadingNow
🤖 AI-native #CMS: built-in #MCP server, CLI & Agent Skills — let agents handle migrations, schema changes and content updates programmatically.
🔑 Passkey auth by default — no passwords, no brute-force vectors. Role-based access for admins, editors, authors & contributors.
📦 Im…
#Sunstone browser now has a start page, with default search provided by DuckDuckGo. All of Sunstone's internal pages are going to be linked through the menu bar provided in the default page template. I am no web designer, but I've taken time to make the design responsive and hopefully nice and cleanly functional. Shrink the page down past a certain level and the sidebar becomes a top…
I find it perplexing that after 5 and a bit years of Trump in the White House that the media don't treat anything he says as a lie by default until and unless they corroborate the details via other less tainted sources. His pronouncements seem less about manifesting the result he wants and more about manipulating the markets to grow his own wealth.
Adobe launches Firefly Custom Models in public beta, letting users train AI image generators on their own assets; the custom models are private by default (Jess Weatherbed/The Verge)
https://www.theverge.com/tech/897243/adobe-firefly-ai-custom-models-ima…
#sudo-rs breaks with 46 years of #Unix tradition: The #Rust-based sudo replacement now shows password asterisks *** by default
The AI features are "Optional by default" which is a mad thing to say. What?
If you want to turn them off then just flip the "off" switch to the "on" position 😆
https://www.youtube.com/watch?v=iD4LspntEmI
Defaults at AtSite will shape place. Scope the world to fit the moment. Rate-limit week by default.