If you are wondering where the data of this site comes from, please visit https://api.github.com/users/KOLANICH/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.
KOLANICH (inc. DeepTown)

kaitaiStructCompile/kaitaiStructCompile.py 4

Compilation of *.ksy into *.py from python

KOLANICH/awesome-ppa 4

Must-have PPAs for *buntu

kaitaiStructCompile/synalysis2kaitai 3

Work in progress, it's not finished.

kaitaiStructCompile/kaitai2WxHexEditor.py 1

Creates "tags" for WxHexEditor for a given file

File2Package/appdirs 0

A small Python module for determining appropriate platform-specific dirs, e.g. a "user data dir".

File2Package/File2Package.py 0

A framework and a CLI tool for fast retrieval of the reverse mapping from files to packages (and maybe other package information) in order to discover dependencies automatically

File2Package/pkgman_triggers.py 0

A middleware to allow some interaction between distro-specific package managers and python packages

kaitaiStructCompile/Endianness.py 0

A library to compute endianness remapping

kaitaiStructCompile/kaitaiStructCompile.backend.CLI 0

CLI backend of kaitaiStructCompile.py

issue comment arkenfox/user.js

Migrating from old version

Note: this only applies to arkenfox, not anything else you have added from all those sources listed in your txt file

Onfroygmx

comment created time in 2 hours

issue closed arkenfox/user.js

Migrating from old version

user-overrides.txt

Hello,

I've been following you for quite some time but haven't updated in a while and got a bit lost. When I run a diff on the current version there are a lot of changes and most of them are deprecated settings, I think. Could it be possible to have a file containing only what has disappeared? (Deprecated does not mean disappeared.) I can help test it on Mac and Linux if needed. Regards,

JB

PS: not an issue, just a question.

closed time in 2 hours

Onfroygmx

issue comment arkenfox/user.js

Migrating from old version

everything deprecated prior to FF78

  • https://raw.githubusercontent.com/arkenfox/user.js/master/scratchpad-scripts/arkenfox-clear-deprecated.js

everything that has ever been in the user.js but is now removed (and not removed due to deprecation)

  • https://raw.githubusercontent.com/arkenfox/user.js/master/scratchpad-scripts/arkenfox-clear-removed.js

For both these

  • open about:config (privileged page)
  • go control-B to open multi-line editor
  • paste in the script
  • click run

This will clean up all old prefs, deprecated and removed up to ESR78

To reset deprecated ones in 78 or later, either go through the list at the end in the user.js, or run prefs cleaner

Onfroygmx

comment created time in 2 hours
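
The question in this thread was for "a file containing only what has disappeared". The following is an added example, not arkenfox's own tooling or scratchpad script: it parses two user.js texts, reports which prefs the old file actively set that the current one no longer sets (or keeps only as an inactive line), and emits `Services.prefs.clearUserPref()` calls, the privileged Firefox API for resetting a user pref to its default. Those emitted lines are meant for a privileged Firefox console, not for Node. Both user.js bodies are constructed samples, not real arkenfox releases.

```javascript
// Added example (not arkenfox code): diff two user.js files by pref name and
// emit reset lines for the prefs that vanished. Sample inputs are constructed.

const OLD_USER_JS = `
/* 0101: disable default browser check */
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("dom.enable_performance", false);
user_pref("browser.cache.offline.enable", false);
   // user_pref("dom.maxHardwareConcurrency", 2);
user_pref("geo.wifi.uri", "https://example.invalid/geolocate?key=%KEY%");
`;

const NEW_USER_JS = `
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("dom.enable_performance", false);
   // user_pref("geo.wifi.uri", "");
/* [REMOVED] browser.cache.offline.enable: pref no longer exists in Firefox */
`;

// One user_pref() call per line. Group 1 is present when the line is inactive (commented out).
const PREF_RE = /^\s*(\/\/)?\s*user_pref\("([^"]+)"\s*,\s*(.*?)\);/;

// Parse a user.js body into { prefName: { value, active } }.
function parsePrefs(text) {
  const prefs = {};
  // Drop block comments first, so a pref merely mentioned in a comment is not counted as set.
  const body = text.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const line of body.split("\n")) {
    const m = PREF_RE.exec(line);
    if (m) prefs[m[2]] = { value: m[3], active: m[1] === undefined };
  }
  return prefs;
}

// Prefs the old file actively set that the new file does not mention at all.
function removedPrefs(oldText, newText) {
  const oldPrefs = parsePrefs(oldText), newPrefs = parsePrefs(newText);
  return Object.keys(oldPrefs)
    .filter((n) => oldPrefs[n].active && !(n in newPrefs))
    .sort();
}

// Prefs the old file actively set that the new file keeps only as an inactive (commented) line.
function deactivatedPrefs(oldText, newText) {
  const oldPrefs = parsePrefs(oldText), newPrefs = parsePrefs(newText);
  return Object.keys(oldPrefs)
    .filter((n) => oldPrefs[n].active && n in newPrefs && !newPrefs[n].active)
    .sort();
}

// Lines to paste into a privileged Firefox console to reset those prefs to their defaults.
function clearScript(names) {
  return names.map((n) => `Services.prefs.clearUserPref(${JSON.stringify(n)});`).join("\n");
}

console.log("removed:", removedPrefs(OLD_USER_JS, NEW_USER_JS));
console.log("now inactive:", deactivatedPrefs(OLD_USER_JS, NEW_USER_JS));
console.log(clearScript(removedPrefs(OLD_USER_JS, NEW_USER_JS)));
```

A pref that the new file still lists as an inactive line is reported separately from one that is gone entirely, which is the deprecated-versus-disappeared distinction the question draws.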

issue opened arkenfox/user.js

Migrating from old version

user-overrides.txt

Hello,

I've been following you for quite some time but haven't updated in a while and got a bit lost. When I run a diff on the current version there are a lot of changes and most of them are deprecated settings, I think. Could it be possible to have a file containing only what has disappeared? (Deprecated does not mean disappeared.) I can help test it on Mac and Linux if needed. Regards,

JB

PS: not an issue, just a question.

created time in 3 hours

PR opened trimstray/the-book-of-secret-knowledge

add Alacritty

Alacritty is a fast, cross-platform, OpenGL terminal emulator.

+1 -0

0 comment

1 changed file

pr created time in 3 hours

PR opened FredrikAugust/bulk-renamer

Bump lodash from 4.17.19 to 4.17.21

Bumps lodash from 4.17.19 to 4.17.21.

Commits

  • f299b52 Bump to v4.17.21
  • c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
  • 3469357 Prevent command injection through _.template's variable option
  • ded9bc6 Bump to v4.17.20.
  • 63150ef Documentation fixes.
  • 00f0f62 test.js: Remove trailing comma.
  • 846e434 Temporarily use a custom fork of lodash-cli.
  • 5d046f3 Re-enable Travis tests on 4.17 branch.
  • aa816b3 Remove /npm-package.
  • See full diff in compare view: https://github.com/lodash/lodash/compare/4.17.19...4.17.21

Maintainer changes

This version was pushed to npm by bnjmnt4n (https://www.npmjs.com/~bnjmnt4n), a new releaser for lodash since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

+3 -3

0 comment

1 changed file

pr created time in 6 hours
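
The commit list above includes "Prevent command injection through _.template's variable option". The following is an added example, not lodash's code: a toy template compiler that, like _.template, generates function source text and splices the caller-supplied `variable` option into the parameter list. `compileUnsafe()` shows the injection class that commit 3469357 addresses; `compileSafe()` closes it with an identifier allow-list, which is this example's own, stricter check (the upstream fix rejects forbidden characters rather than allow-listing). `PAYLOAD` is a constructed attacker input.

```javascript
// Added example, not lodash's code: why an unvalidated template `variable` option
// is a code-injection sink, and a hardened variant. PAYLOAD is constructed.

// Turn literal template text into a single-quoted JS string literal.
function toStringLiteral(s) {
  return "'" + s.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/\n/g, "\\n") + "'";
}

// Compile "Hello <%= obj.name %>!" into the expression 'Hello ' + (obj.name) + '!'.
// Interpolations are evaluated as code by design, so template text itself must be trusted.
function compileBody(text) {
  const parts = [];
  const re = /<%=([\s\S]+?)%>/g;
  let last = 0, m;
  while ((m = re.exec(text)) !== null) {
    parts.push(toStringLiteral(text.slice(last, m.index)));
    parts.push("(" + m[1].trim() + ")");
    last = m.index + m[0].length;
  }
  parts.push(toStringLiteral(text.slice(last)));
  return parts.join(" + ");
}

// VULNERABLE: `variable` goes straight into the generated source as the parameter name,
// so anything after a valid identifier in it becomes attacker-controlled code.
function compileUnsafe(text, options = {}) {
  const variable = options.variable || "obj";
  const source = "function(" + variable + ") { return " + compileBody(text) + "; }";
  return Function("return " + source)();
}

// HARDENED: accept only a plain identifier, so the parameter list cannot be escaped.
const IDENTIFIER_RE = /^[A-Za-z_$][\w$]*$/;
function compileSafe(text, options = {}) {
  const variable = options.variable || "obj";
  if (!IDENTIFIER_RE.test(variable)) {
    throw new Error("template `variable` option must be a plain identifier, got: " + variable);
  }
  const source = "function(" + variable + ") { return " + compileBody(text) + "; }";
  return Function("return " + source)();
}

// Constructed attacker-controlled `variable`: closes the parameter list and the function
// body, returns its own value, then opens a dummy function so the rest still parses.
const PAYLOAD = '){ return "hijacked"; }; function unused(';

console.log(compileUnsafe("Hello <%= obj.name %>!")({ name: "Alice" }));          // Hello Alice!
console.log(compileUnsafe("Hello <%= obj.name %>!", { variable: PAYLOAD })({}));  // hijacked
try {
  compileSafe("Hello <%= obj.name %>!", { variable: PAYLOAD });
} catch (e) {
  console.log("rejected:", e.message);
}
```

The practical lesson for the bump itself: the `variable` option is the only attacker-reachable part of the generated source that is not already "code by design", which is why validating it is a complete fix for this path while template text remains a trusted input.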

issue comment open-source-ideas/open-source-ideas

Book summary sharing social network website

Hi @MarshalOfficial, I really don't care about the platform since I've never actually used one. Anything is good to me, so we could use Trello as you said. I'm happy to adapt to your needs. Anything that fits our uses is fine.

Correct me if I'm wrong, so this project's goal will be to give people a place where they can describe what they learnt from a book? Your description about this project is just not fully clear to me.

Exactly, yes. The project goal is to let people share a summary of a book that they read. Great, so we can start documenting in Trello. For the tech stack, what are your preferred backend framework and DB engine, and what for the front-end?

MarshalOfficial

comment created time in 7 hours

issue comment arkenfox/user.js

tracking: HTTPS-Only mode

I'm done tracking this: you're going to get weird edge cases until the interwebs get their shit together and HTTP is outlawed

Thorin-Oakenpants

comment created time in 10 hours

issue comment arkenfox/user.js

Q: Canvas fingerprint when using RFP + CanvasBlocker

I don't use CB: but I would suggest just using the canvas protection with its default settings


There's no need to send anything to the "Firefox team" - everyone is already aware of everything they need to know


It is important to protect the real value. It is not important to hide that you're lying. Blocking is a last solution, no one wants that. Faking is much better. Faking comes in two main flavors: static and randomized. All randomizing can be detected [there are some exceptions to this rule, but in a set of RFP or Brave or TB users, that doesn't apply: you can infer it]. You most certainly cannot hide that canvas is altered or randomized

Everything below is specifically about canvas

Faking like RFP used to do as a static result (all white canvas), is pretty much the same as blocking: totally unusable, you might as well block it

Randomizing as RFP does now is better, as it can fool naive scripts. RFP does this per execution. So two checks with different results reveals this. RFP is not trying to hide. The result is still unusable, as RFP also totally randomizes: all pixels, all channels, big changes in rgba values. It does this because when canvas protection was added there were most likely time constraints and engineering issues, and definitely real concerns over protecting any random seeding. RFP is built for Tor Browser after all. And canvas use four years ago wasn't the same as it is today: e.g. sites today even use canvas where they don't need to such as the ability to upload and display images. Just a fact of life out of anyone's control. At the time, RFP added a site exception (session or permanent) for canvas to alleviate this

RFP doesn't care about persistence (per eTLD+1) or protecting any random seed, so it's irrelevant to RFP

A canvas site exception is very granular. It doesn't affect other RFP measures even on that site. The "real" canvas would only leak on those few sites you allowed an exception: and over those sites, the scripts for canvas would need to be the same. The threat is somewhat minimized. There is a reason canvas does not have a default off.

Extensions, and Brave, that use subtle randomizing are trying to auto-solve the breakage. And that's good, because canvas use is growing and breakage sucks. This is where persistence per eTLD+1 and protecting the random seed come into play. Brave persists over a browser session. I think CB persists only as long as the site is open in any tab. This persistence is always detectable, i.e. that it exists, not whether it is per session or per eTLD+1 or while an eTLD+1 is open. What channels are changed is detectable. What % of pixels is detectable. What range of subtleness in value changes is detectable. Even what canvas size you have exceptions for is detectable. Not that all scripts would check for all this: but you can absolutely fingerprint the noise (which is not an issue for built-in browser solutions like Brave: everyone is the same).

Which one is the right approach, who really knows. Maybe some hybrid tied to a slider, like Tor Browser could use standard (subtle) vs safer (full on), or like when you allow a site exception for canvas fall back to subtle random. Along with heuristics and user gestures (not keen on this), and discoverability (e.g. of the canvas urlbar icon)

Maybe RFP/TB will entertain the idea of using subtle randomizing, but it's risky IMO. Brave's first iteration went for over a year before someone told them it was too subtle. This is now fixed. But it is still probably susceptible to being averaged - this is probably OK for a mainstream browser user's threat model, but not for Tor Browser (which is what RFP is designed for). Don't get me wrong, breakage like canvas turns people off, and protection against very advanced scripts and determined attackers requires uptake: so Mozilla need to solve this canvas issue sooner rather than later. They're working on it, it's just slow and not super high priority given more immediate fixes and bigger payoffs elsewhere

quantizzed

comment created time in 10 hours
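
The comment above makes two concrete claims: per-execution randomization is revealed by two reads that differ, and subtle persistent noise can itself be fingerprinted (which channels, what fraction of pixels, what delta range). The following is an added example, not code from arkenfox, Tor Browser, Brave or CanvasBlocker: it models three canvas read-back behaviours on constructed synthetic RGBA data and runs the detection a script would run. The trick that makes the noise profile measurable is that the script draws a solid fill, so it knows the exact bytes a clean read-back must contain. Seeds, noise fraction and delta range are illustrative assumptions, not the real parameters of any browser or extension.

```javascript
// Added example (not arkenfox/Brave/CanvasBlocker code): detect and profile canvas
// randomization on constructed synthetic pixel data. All parameters are illustrative.

const WIDTH = 16, HEIGHT = 16, N = WIDTH * HEIGHT;

// Small deterministic PRNG (mulberry32) so seeded variants are reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// What the fingerprinting script itself drew: a solid fill, so the expected bytes are known.
function solidFill(r, g, b) {
  const px = new Uint8ClampedArray(N * 4);
  for (let i = 0; i < N; i++) { px[4 * i] = r; px[4 * i + 1] = g; px[4 * i + 2] = b; px[4 * i + 3] = 255; }
  return px;
}

// Model A: no protection, the real pixels come back.
function noProtection(px) { return px.slice(); }

// Model B: full randomization, every pixel and every channel replaced with large changes.
function fullRandom(px, rng) {
  const out = px.slice();
  for (let i = 0; i < out.length; i++) out[i] = Math.floor(rng() * 256);
  return out;
}

// Model C: subtle randomization, a small fraction of pixels nudged by at most maxDelta on one RGB channel.
function subtleRandom(px, rng, fraction = 0.05, maxDelta = 3) {
  const out = px.slice();
  const k = Math.round(N * fraction);
  const idx = Array.from({ length: N }, (_, i) => i);
  for (let j = 0; j < k; j++) {
    const r = j + Math.floor(rng() * (N - j));   // partial Fisher-Yates: k distinct pixels
    [idx[j], idx[r]] = [idx[r], idx[j]];
    const chan = Math.floor(rng() * 3);           // never the alpha channel
    const delta = (1 + Math.floor(rng() * maxDelta)) * (rng() < 0.5 ? -1 : 1);
    out[4 * idx[j] + chan] += delta;              // Uint8ClampedArray clamps to 0..255
  }
  return out;
}

// A "browser": seedPolicy "per-read" reseeds on every toDataURL-style read,
// "session" keeps one seed for the whole session (persistence).
function makeReader(model, seedPolicy) {
  let counter = 0;
  return () => {
    const seed = seedPolicy === "per-read" ? ++counter * 7919 : 42;
    return model(solidFill(10, 20, 30), mulberry32(seed));
  };
}

// FNV-1a over the pixel bytes, the usual "canvas hash" a script would compute.
function hashPixels(px) {
  let h = 0x811c9dc5;
  for (let i = 0; i < px.length; i++) { h ^= px[i]; h = Math.imul(h, 0x01000193) >>> 0; }
  return h.toString(16);
}

// Compare observed read-back with what was drawn: which channels, how many pixels, how big.
function noiseProfile(expected, observed) {
  const names = ["r", "g", "b", "a"];
  const changed = { r: 0, g: 0, b: 0, a: 0 };
  let changedPixels = 0, maxDelta = 0;
  for (let i = 0; i < N; i++) {
    let hit = false;
    for (let c = 0; c < 4; c++) {
      const d = Math.abs(expected[4 * i + c] - observed[4 * i + c]);
      if (d) { hit = true; changed[names[c]]++; if (d > maxDelta) maxDelta = d; }
    }
    if (hit) changedPixels++;
  }
  return { changedPixels, pixelFraction: changedPixels / N, changed, maxDelta };
}

// The detection a script runs: read twice, compare hashes, profile the noise against the known fill.
function fingerprintProtection(read) {
  const first = read(), second = read();
  const stableAcrossReads = hashPixels(first) === hashPixels(second);
  const profile = noiseProfile(solidFill(10, 20, 30), first);
  let verdict;
  if (profile.changedPixels === 0) verdict = "no noise observed";
  else if (!stableAcrossReads) verdict = "randomised per read";
  else verdict = "randomised with a persistent seed";
  return { verdict, stableAcrossReads, ...profile };
}

console.log(fingerprintProtection(makeReader(noProtection, "session")));
console.log(fingerprintProtection(makeReader(fullRandom, "per-read")));
console.log(fingerprintProtection(makeReader(subtleRandom, "session")));
```

The per-read model is caught by the two-read comparison alone; the persistent subtle model survives that check but hands over a stable profile (13 of 256 pixels, RGB only, deltas of at most 3) that is itself a fingerprint unless every user's browser produces the same profile, which is the point the comment makes about built-in solutions.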

pull request comment kaitai-io/kaitai_struct_formats

Rendering formats from MMD (MikuMikuDance)

I just made a bunch of additional cleanup on this format spec, mainly changing the vector types to something a bit less alien but I also renamed 'constraint' to 'joint' to match what UIs call them and documented some other fields which were lacking a bit.

hakanai

comment created time in 11 hours

issue comment arkenfox/user.js

Q: Canvas fingerprint when using RFP + CanvasBlocker

In your opinion, for web anonymity purposes, I want to ask:

  • Which is the better way between fake and block? And if it's the "fake" one, which one between none / non-persistent / constant / persistent do you suggest?

  • Also, is there any good reason to protect the window API? Or is it better off?

  • About the "Canvas API" section, what do you suggest?

  • And my last question is about the "Fake the alpha channel" function. Should this be on or off?

ultimately we require built-in browser solutions to properly protect, and for those solutions to be enforced and shielded from end-users changing them, and for the browser solution to be used by large numbers - but that doesn't mean that RFP or other solutions are useless

I will send this to the Firefox team, and maybe it will be a reality in the future. Thanks for the explicit information.

quantizzed

comment created time in 11 hours

push event arkenfox/user.js

Thorin-Oakenpants

commit sha ba9b3c217be47c752876d6b55166e52f2d315a8c

tweak 4600s: closes #1172

push time in 12 hours

issue closed arkenfox/user.js

FYI: dom.enable_performance = false = AliExpress breakage

Internal pages in AliExpress are broken with user_pref("dom.enable_performance", false);

test: https://www.aliexpress.com/item/1005002571624344.html

I don't use resistFingerprinting.

closed time in 12 hours

Just-me-ghacks

issue comment arkenfox/user.js

FYI: dom.enable_performance = false = AliExpress breakage

confirmed in a new profile (well, almost new) with just user_pref("dom.enable_performance", false); works with just RFP (also pref is default true in TB)

section 4600 doesn't get a lot of attention :)

   // user_pref("dom.maxHardwareConcurrency", 2);
user_pref("dom.enable_resource_timing", false);
user_pref("dom.enable_performance", false);
   // user_pref("device.sensors.enabled", false);
user_pref("browser.zoom.siteSpecific", false);
   // user_pref("dom.gamepad.enabled", false);
user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android]
user_pref("media.webspeech.synth.enabled", false);
user_pref("media.video_stats.enabled", false);
   // user_pref("dom.w3c_touch_events.enabled", 0);
user_pref("media.ondevicechange.enabled", false);
user_pref("webgl.enable-debug-renderer-info", false);
user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF]
user_pref("dom.w3c_pointer_events.enabled", false);
user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
user_pref("layout.css.font-visibility.level", 1);

hardwareConcurrency as inactive seems out of place, I don't see that as breaking anything: maybe we made it inactive when RFP covered it, but never adjusted it when we made 4600

Looking at the uptodate https://www.w3.org/TR/navigation-timing/#privacy and the security section under that

  • note: timing (including RFP) can be bypassed, so this is more about the API
  • if RFP (which is for Tor Browser, and I have no idea if some of those concerns aren't mitigated by using Tor) doesn't block it, then I fail to see what this pref ultimately achieves (other than to make it harder) given the threat model and a determined attacker

Just-me-ghacks

comment created time in 12 hours
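
Two points in the comment above lend themselves to a worked example: a site that assumes `window.performance` exists breaks outright when `dom.enable_performance` removes it, and coarsening a timer is about the API rather than a hard stop, since "timing can be bypassed". The following is an added example, not arkenfox's code. It shows the naive call that throws, a feature-detected fallback, what a coarsened timer hides or exaggerates, and an edge-interpolation bypass run against a deterministic virtual clock. The 100 ms resolution and the virtual clock are illustrative assumptions; real mitigations may also add jitter, which this model omits.

```javascript
// Added example (not arkenfox code): performance-API breakage, a safe fallback,
// timer coarsening, and why coarsening alone is bypassable. Values are illustrative.

// A site that calls performance.now() unconditionally: TypeError once the API is gone.
function naiveElapsed(perf, work) {
  const t0 = perf.now();
  work();
  return perf.now() - t0;
}

// Feature-detect and fall back to Date.now(); the page degrades instead of breaking.
function makeClock(perf) {
  if (perf && typeof perf.now === "function") return () => perf.now();
  return () => Date.now();
}

function safeElapsed(perf, work) {
  const now = makeClock(perf);
  const t0 = now();
  work();
  return now() - t0;
}

// Timer coarsening: round a timestamp down to a bucket of resolutionMs.
function coarsen(ts, resolutionMs) {
  return Math.floor(ts / resolutionMs) * resolutionMs;
}

function coarseClock(now, resolutionMs) {
  return () => coarsen(now(), resolutionMs);
}

// What a script sees between two events at a given resolution: a 37 ms gap inside one
// bucket reads as 0, while a 20 ms gap that straddles a bucket edge reads as a full 100 ms.
function elapsedAtResolution(t0, t1, resolutionMs) {
  return coarsen(t1, resolutionMs) - coarsen(t0, resolutionMs);
}

// Deterministic stand-in for wall-clock time, advanced explicitly by the code under test.
function makeVirtualTime() {
  let t = 0;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

// Edge interpolation: align to a coarse tick, run the operation, then count fixed-cost
// probe steps (1 ms each here) until the next tick. The probe count is a finer clock
// than the coarse timer itself, so the coarse timer still gives the duration away.
function recoverFineDuration(vt, resolutionMs, workMs) {
  const coarseNow = coarseClock(vt.now, resolutionMs);
  const start = coarseNow();
  while (coarseNow() === start) vt.advance(1);               // spin until an edge
  const edge = coarseNow();
  vt.advance(workMs);                                          // the operation being timed
  const after = coarseNow();
  let probes = 0;
  while (coarseNow() === after) { vt.advance(1); probes++; }  // spin to the next edge
  return (after - edge) + (resolutionMs - probes);
}

console.log(safeElapsed(undefined, () => {}));                 // a number, via Date.now()
console.log(elapsedAtResolution(1000, 1037, 100));             // 0
console.log(elapsedAtResolution(1090, 1110, 100));             // 100
console.log(recoverFineDuration(makeVirtualTime(), 100, 37));  // 37
```

The fallback is what a site author should have written; the interpolation routine is what the comment means by the API being the real target: removing `performance` stops naive scripts, while a coarsened but present timer is recoverable by anyone who spins on its edges.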

issue opened arkenfox/user.js

FYI: dom.enable_performance = false = AliExpress breakage

Internal pages in AliExpress are broken with user_pref("dom.enable_performance", false);

test: https://www.aliexpress.com/item/1005002571624344.html

I don't use resistFingerprinting.

created time in 13 hours

started helloSystem/hello

started time in 14 hours

release pfalcon/pycopy

v3.5.7

released time in 19 hours

started csimmonds/procrank_linux

started time in 20 hours

started Hakkuraifu/PS4xploit

started time in a day

Pull request review comment WebBluetoothCG/web-bluetooth

Throw TypeError if dataPrefix is present and empty

 The result of <dfn for="BluetoothDataFilterInit" export>canonicalizing</dfn> the {{BluetoothDataFilterInit}} |filter|, is the {{BluetoothDataFilterInit}} returned from the following steps: +1. If <code>|filter|.{{BluetoothDataFilterInit/dataPrefix}}</code> is present and+    <code>|filter|.{{BluetoothDataFilterInit/dataPrefix}}.length === 0</code>,
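Review bot: the added step tests `|filter|.dataPrefix.length === 0`, but `dataPrefix` is a BufferSource and the spec has no `.length` operation defined on that type, so the condition is not a well-defined algorithm step as written. Move the emptiness check to the point where the bytes have already been extracted (right after "a copy of the bytes held" yields the byte sequence, before the branch that substitutes an empty sequence for a missing member) and throw the TypeError when that byte sequence has length 0; at that point the check is well-defined and still rejects the present-but-empty case.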

A BufferSource doesn't have a length attribute. Looking at https://heycam.github.io/webidl/#es-buffer-source-types it doesn't look like there is an existing algorithm to get the length of a buffer source so I would move this step to between when we use the "a copy of the bytes held" algorithm to create dataPrefix and when we set it to an empty sequence if the dictionary member is not present.

beaufortfrancois

comment created time in a day

started daffy1234/TWRP-T80D

started time in a day

started max-kammerer/orion-viewer

started time in a day

fork Chainfire/XKCP

eXtended Keccak Code Package

fork in a day

started google/zx

started time in a day

Pull request review comment github/site-policy

Exploits and malware policy updates

 We are committed to maintaining a community where users are free to express them    You may not post content that presents a distorted view of reality, whether it is inaccurate or false (misinformation) or is intentionally deceptive (disinformation) where such content is likely to result in harm to the public or to interfere with fair and equal opportunities for all to participate in public life. For example, we do not allow content that may put the well-being of groups of people at risk or limit their ability to take part in a free and open society. We encourage active participation in the expression of ideas, perspectives, and experiences and may not be in a position to dispute personal accounts or observations. We generally allow parody and satire that is in line with our Acceptable Use Polices, and we consider context to be important in how information is received and understood; therefore, it may be appropriate to clarify your intentions via disclaimers or other means, as well as the source(s) of your information.  - #### Active malware or exploits-   Being part of a community includes not taking advantage of other members of the community. We do not allow anyone to use our platform for exploit delivery, such as using GitHub as a means to deliver malicious executables, or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. Note, however, that we do not prohibit the posting of source code which could be used to develop malware or exploits, as the publication and distribution of such source code has educational value and provides a net benefit to the security community.+   Being part of a community includes not taking advantage of other members of the community. 
We do not allow anyone to use our platform in support of active attacks that cause harm, such as using GitHub as a means to deliver malicious executables, or as attack infrastructure, for example by organizing denial of service attacks or managing command and control servers. +   Note, however, that GitHub supports the posting of content which is used for research into vulnerabilities, malware or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. We recommend that repository owners take the following steps when posting potentially harmful content for the purposes of security research:++   * Clearly identify and describe any potentially harmful content in a disclaimer in the project’s README.md file.+   * Provide a preferred contact method for any 3rd party abuse inquiries through a SECURITY.md file in the repository (e.g. "Please create an issue on this repository for any questions or concerns"). Such a contact method allows 3rd parties to reach out to project maintainers directly and potentially resolve concerns without the need to file abuse reports.++   We allow dual use content and assume positive intention and use of these projects to promote and drive improvements across the ecosystem. In rare cases of very widespread abuse of dual use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign. Restriction is aimed at disrupting ongoing attack or malware campaigns and where possible takes the form of putting the content behind authentication, but may, as an option of last resort, involve a full removal where this is not possible (e.g. when posted as a gist) or if the content is posted by the account owner as part of a direct participation in unlawful attack or malware campaigns that are causing technical harms. 
We will contact the project owner in an effort to discuss and collaborate on any such response. The goal is to hinder the proliferation of a specific unlawful active attack or malware campaign that is causing technical harm, and does not serve the purpose of purging or restricting any specific dual use content, or copies of that content, from the platform in perpetuity. While we aim to make these rare cases of restriction a collaborative process with project owners, if you do feel your content was unduly restricted, we have an appeals process in place (See "Appeal and Reinstatement")++   *GitHub considers the npm registry to be a platform used primarily for installation and run-time use of code, and not for research.*
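Review bot: the added sentence ending with (See "Appeal and Reinstatement") has no closing period, and the unchanged context line above still reads "Acceptable Use Polices" (should be "Policies"); since this PR rewrites the surrounding section, both are worth fixing here. Also, "dual use" is used as a compound modifier throughout the new paragraphs ("dual use content"); hyphenating it as "dual-use" would be consistent with the rest of the policy's compound adjectives.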

Is this intended to discourage research like "Dependency Confusion" or would this kind of research still be allowed under this policy change?

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

GitHub will actively remove typosquatting and dependency confusion attacks from package registries to protect end users. The implication here is that researchers should not have an expectation to keep dependency confusion and typosquatting research up for any prolonged time in package ecosystems such as npm. GitHub is working in the next few months to increase the scope of our bug bounty program to include core npm infrastructure and services. This program will provide a clear path to share future research and vulnerabilities in the npm platform while also offering a way to reward researchers for their work.

vollmera

comment created time in a day