David Leadbeater
@dgl.cx
Monitoring 📊, SRE, Open Source, Security 🔐. Emoji fan 🦸‍♂️. Just your average cynical Brit 🇬🇧 in 🇦🇺. He/him.

🌉 bridged from ⁂ https://infosec.exchange/@dgl, follow @ap.brid.gy to interact
Interesting talk from 39c3: https://gpg.fail including my favourite classes of issues ANSI escape spoofing and abusing CR. A response from GnuPG is here https://www.gnupg.org/blog/20251226-cleartext-signatures.html — although there’s some other issues that do seem more fixable. IMO better to use […]
Original post on infosec.exchange
December 27, 2025 at 9:05 PM
Reposted by David Leadbeater
Here's a copy of the filesystem that has been extracted as a .tar file: http://squoze.net/UNIX/v4/
UNIX - v4
December 20, 2025 at 1:59 AM
Reposted by David Leadbeater
Unicode normalization.
November 26, 2025 at 10:03 PM
Can I use has a strange entry for Zstandard on Safari (https://caniuse.com/zstd). I can’t find many references for it but indeed, if you serve Zstd to Safari >= 26 it does work. There doesn’t even seem to be a feature flag to turn on sending it in the Accept-Encoding header.
zstd (Zstandard) content-encoding | Can I use... Support tables for HTML5, CSS3, etc
December 9, 2025 at 6:26 AM
I’m experimenting with @bsky.brid.gy so this account is now bridged to Bluesky as @dgl.cx — there was a previous Bluesky account which that replaces (it now shows as “invalid handle”) and Bluesky doesn’t have a Mastodon-like way of migrating followers, so you will need to refollow.
December 6, 2025 at 9:50 PM
Gcore.com are an interesting provider. It took two separate support tickets over a month to work out their docs are wrong. If anyone is using them, *some* API endpoints need the authentication token to be in mixed case, for example "Authorization: APIKey ..." which is against what their […]
Original post on infosec.exchange
November 23, 2025 at 9:20 AM
If you have a bash command line of "exec program ..." and you can control the "..." can you make it not run the exec and do something different? The answer is yes. Even if "..." is somewhat sanitised for shell metacharacters. If you can inject $+] it will make bash error on that line and run the […]
Original post on infosec.exchange
October 7, 2025 at 6:21 AM
For those of you who saw my BSides Canberra talk, here's a vulnerability I couldn't talk about in the talk, yet, but is very much in the spirit of it: https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984
Bash a newline: Exploiting SSH via ProxyCommand, again (CVE-2025-61984)
October 7, 2025 at 4:19 AM
Did you know Cloudflare documents how to use DNS in Google Sheets? Because if you have a problem, DNS is clearly the answer. https://developers.cloudflare.com/1.1.1.1/additional-options/dns-in-google-sheets/
DNS in Google Sheets
1.1.1.1 works directly inside Google Sheets. To get started, create a Google Function with the following code:
September 23, 2025 at 5:52 AM
I probably should have polished my @ComfyConAU talk. Instead I got sidetracked into wondering just how much I could tunnel over DNS: https://dgl.cx/2025/09/images-over-dns
Images over DNS
September 20, 2025 at 2:01 PM
Noticed my SLAAC IPv6 address happens to end in :fade. Fade to black?
September 19, 2025 at 7:40 AM
I'll be speaking at BSides Canberra: https://cfp.bsidescbr.com.au/bsides-canberra-2025/talk/8TWF8X/ -- this will cover my recent find of an RCE in Git and how that and some other vulnerabilities could be used against developers. #bsides #security
July 31, 2025 at 1:05 AM