libera/#devuan/ Wednesday, 2019-03-13

04:34 <DocScrutinizer05> highly recommended:     wget -O /usr/local/bin/ && chmod +x  /usr/local/bin/pwnedpasswords.sh
04:36 <DocScrutinizer05> might even want to add this to passwd(1)
04:37 <furrywolf> because wgetting and running a random file is so secure.  :)
04:38 <DocScrutinizer05> for sure you won't add the wget part to passwd X-P
04:38 <DocScrutinizer05> you however might ponder adding the script to passwd, after *checking it*
04:39 <DocScrutinizer05> actually wget is somewhat deprecated under root's privileges
04:41 <furrywolf> I just wrote a script for someone that not just wgets arbitrary files, and not just then gets different files from the contents of that file, it saves to a fixed name in /tmp, making it utterly stupid to run as root.  :)
04:43 <furrywolf> (highly insecure tmpfile usage)
04:50 <DocScrutinizer05> wget itself is not secure
04:51 <DonkeyHotei> that script will send each actual password of yours to someone else's website. fail.
04:51 <DocScrutinizer05> fail! it sends SHA hash
04:52 <DocScrutinizer05> this been first thing I checked
04:52 <DocScrutinizer05> since otherwise it would be not only "fail", it would be a brainfart
04:53 <furrywolf> it seems fairly secure to me, in that it only sends them the first five characters of the hash, which gets a list of all hashes starting with those five characters, and then compares locally.
04:54 <DonkeyHotei> might as well be RC4
04:54 <furrywolf> again, it only sends _the first five characters_.  anything other than plaintext is fine when used like that.
04:55 <DocScrutinizer05> refer to
04:55 <DocScrutinizer05> >>It doesn't matter that SHA1 is a fast algorithm unsuitable for storing your customers' passwords with because that's not what we're doing here, it's simply about ensuring the source passwords are not immediately visible.<<
04:56 <furrywolf> and to make sure you don't send the first five characters of every password you try.  heh.
04:56 <furrywolf> the first five characters of anything that remotely approximates a proper hash is not a security risk
04:57 <furrywolf> there are certainly algorithms you could use that do not remotely approximate a proper hash, but sha1 is more than adequate.
05:02 <DocScrutinizer05> my root password had 6 hits :-S
05:02 <furrywolf> hrmm, I could write an even simpler is-your-password-compromised script...  wget "$1" && echo "Your password has been compromised at least one time"  :P
05:03 <furrywolf> (by sending it in plaintext, it itself compromises it, thus it's always right!  :)
05:09 <DocScrutinizer05> reminds me of the battery-eye app that guaranteed to drain your battery within a few hours by constantly polling and logging its state ;-P
10:13 <djph> DocScrutinizer05: this is why I disallow remote-root-anything :)
10:15 <DocScrutinizer05> anyway watch out!  don't use the web interface
12:17 <sokan> my T420 has arrived! I only need to pick it up now :D
12:17 <sokan> and tomorrow 1 more dev1 system out there! stability with no systemd :D
16:32 <Ryushin> Is there a mirror that is faster than others? is very slow.
16:36 <KatolaZ> Ryushin: for US you can use devuan.c3sl.ufpr.br
16:37 <KatolaZ> they have a fast connection to US
16:37 <Ryushin> KatolaZ: Thanks much.
16:37 <KatolaZ> we are working on that as well
16:38 <Ryushin> Always something.  LOL
16:39 <KatolaZ> always too much to do :)
16:42 <Ryushin> It said my apt update was going to take 4 hours.  I was thinking I need to find a mirror that has "ludicrous speed" for the connection.
17:06 <KatolaZ> Ryushin: that mirror has 20Gb/s to FL
17:15 <Ryushin> I was reading that.  That is a nice mirror.
17:15 <Ryushin> Much better.  37Mb/s