
Monthly Archives: October 2023

Free public blockchains

For people interested in blockchains, the proposal goes something like this: a shared database recording transferable credits is maintained by introducing rewards tied to the computational cost of producing them. In doing so, the cost of degrading trust in the system is tied to the ever-increasing cost of the computation behind it.

So with each successive reward, prior transaction activity becomes more and more certain. The design addresses the problem of allocating or minting credits within the system by making them the outcome of securing ledger activity. Perhaps implicit in this is the assumption that a reward is needed for network participants to provide services. It's a fair assumption, too: why would people provide resources for free? But since this assumption also dictates how people use the transaction ledger, it's worth examining.

So I ask a very simple question: are there any consensus-like systems out there that specifically don't require fees to use? As it happens, the answer is yes. The closest system I've found so far is a project called OpenNIC, an alternative DNS root that runs its own top-level domains alongside the ones everyone already uses. So why is this important? Well, OpenNIC is doing something very similar to a blockchain system but specifically NOT tying it to money, fees, or rewards. In OpenNIC different name servers manage the various TLDs, but let's simplify and say that there is still a level of consensus over the state of records in the system. OpenNIC provides this service because:

(1) DNS is literally a critically important service for the Internet
(2) Running an alternative that's user-managed allows for more creativity
(3) It's more open than the current system and costs users nothing

It is provided for free by volunteers because they believe in the idea, because they see value in it, and because it does provide value. So my question is: wouldn't it also be possible to build a blockchain system that supports smart contracts and is 100% free to use (no transaction fees required), using a model similar to OpenNIC's? It would be much more useful for many apps because, as stated already, even plain DNS is a critical need for the Internet. A smart contract system that is free to use would be a better fit for the Internet than what exists.

Get the Dell XPS 17 9730 set up with Linux (and fix the broken audio 'dummy output' and touchpad freezes)

I just bought the new Dell XPS 17 9730 laptop (and I really love it) but I had trouble (1) getting Linux installed on it, (2) getting the audio working, and (3) stopping the touchpad from freezing.

If you have these issues:

  1. Ensure 'Secure Boot' is disabled in the BIOS. For your own sanity you'll probably also want to turn off 'Fast Boot' and set the boot delay to 5 seconds. Press F12 at the Dell logo to get the one-time boot menu, which also has an entry for BIOS setup (F2 takes you straight there).
  2. Download openSUSE. On Windows you can use Rufus to make a bootable USB stick, or balenaEtcher on other OSes. The XPS only has USB-C ports, and if you try to boot from an SD card it will hang, so you may need a dongle that gives you a regular USB-A port.
  3. Why openSUSE? The simple reason is that after wasting hours of my life, openSUSE was the only distro where I got the audio working. So yeah, that's what you get. The Dell XPS 17 (the most recent version) has very new hardware and that causes problems in current Linux distros.

Here's the magic command on openSUSE to get your audio working. It installs the Sound Open Firmware blobs that the Intel audio DSP in this laptop needs; without them the sound server finds no card and only offers a 'dummy output':

sudo zypper install sof-firmware

After it's installed, reboot and your audio devices will show up. The last step is to click the speaker icon in the bottom right and select the output 'Speaker (sof-soundwire Speaker)' to use the laptop speakers. I haven't checked Bluetooth audio or the headphone port, but I was able to get my AirPods working on Ubuntu earlier so I don't think it would be a big deal on openSUSE.

Overall this is a good laptop. The screen brightness matches a MacBook Pro. The keyboard feels nice to type on and the hardware is very up to date. It is expensive, but you always have to pay for quality.

Touchpad freezes or ‘sticking’

On openSUSE I've found that using the touchpad causes the cursor to get stuck periodically. If you disable 'hardware acceleration' in your web browser the touchpad functions properly.

Edit: here's how to get AirPods Pro 2 working on openSUSE:

sudo zypper install blueman nano

sudo zypper install bluez-auto-enable-devices

sudo nano /etc/bluetooth/main.conf

and set these keys in the [General] section (uncomment them if they are already there but commented out):

DiscoverableTimeout = 0
ControllerMode = bredr
Experimental = true


sudo nano /etc/pulse/default.pa
find the line that says:

load-module module-card-restore

and change it to:

load-module module-card-restore load-module module-card-restore

To enable the AirPods Pro's microphone:

open blueman, right-click the AirPods, and change the audio profile to 'hands-free'.

After a restart, your audio and mic may be disabled again.
Running this script (as root) fixes that:

#!/bin/sh
# Run with sudo. '|| true' (not '|| 1', which would try to run a command
# named "1") keeps the script going when the process is not running.
pkill blueman-manager || true
systemctl restart bluetooth || true
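The main.conf edits above, done as a script instead of by hand, as an added example that is not from the original post: it sets the three keys idempotently in the [General] section of a bluez-style INI file, keeps a one-time backup of the original, and can be re-run safely. The default path /etc/bluetooth/main.conf, the `--apply` flag and the function names are this example's own assumptions, and the sample file built in `demo` is constructed, not a real system file.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): apply the bluez main.conf
# settings for AirPods idempotently instead of editing with nano.
# Assumptions: bluez keeps these keys under [General]; default path below.
set -eu

MAIN_CONF=${MAIN_CONF:-/etc/bluetooth/main.conf}   # assumed default bluez path

# set_ini_key FILE SECTION KEY VALUE
# Replace an existing "KEY = ..." line inside [SECTION] (a commented-out
# "#KEY = ..." line counts as existing), or append "KEY = VALUE" at the
# end of the section; create the section if the file lacks it.
set_ini_key() {
  local file=$1 section=$2 key=$3 value=$4 tmp
  tmp=$(mktemp)
  awk -v sec="$section" -v key="$key" -v val="$value" '
    function flush_blanks() { printf "%s", blanks; blanks = "" }
    function emit_if_pending() {
      if (in_sec && !done) { print key " = " val; done = 1 }
    }
    /^[ \t]*\[/ {                   # a header closes the previous section
      emit_if_pending(); flush_blanks()
      in_sec = ($0 ~ ("^[ \t]*\\[" sec "\\][ \t]*$"))
      if (in_sec) seen_sec = 1
      print; next
    }
    in_sec && /^[ \t]*$/ { blanks = blanks $0 "\n"; next }   # hold blank lines
    in_sec && !done && $0 ~ ("^[ \t]*#?[ \t]*" key "[ \t]*=") {
      flush_blanks(); print key " = " val; done = 1; next
    }
    { flush_blanks(); print }
    END {
      if (!seen_sec) { print "[" sec "]"; in_sec = 1 }
      emit_if_pending(); flush_blanks()
    }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"    # cat rather than mv keeps the file owner and mode
  rm -f "$tmp"
}

# get_ini_key FILE SECTION KEY : print the value of an active (uncommented) key
get_ini_key() {
  awk -v sec="$2" -v key="$3" '
    /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[" sec "\\][ \t]*$")); next }
    in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# apply_airpods_settings FILE : the three keys from the post, with a one-time backup
apply_airpods_settings() {
  local conf=$1
  [ -f "$conf.orig" ] || cp -p "$conf" "$conf.orig"
  set_ini_key "$conf" General DiscoverableTimeout 0
  set_ini_key "$conf" General ControllerMode bredr
  set_ini_key "$conf" General Experimental true
}

# demo : run against a constructed sample file (not a real system file)
demo() {
  local f; f=$(mktemp)
  printf '[General]\n#DiscoverableTimeout = 180\nControllerMode = dual\n\n[Policy]\nAutoEnable=true\n' > "$f"
  apply_airpods_settings "$f"
  cat "$f"
  rm -f "$f" "$f.orig"
}

case "${1:-}" in
  --apply) apply_airpods_settings "$MAIN_CONF" && systemctl restart bluetooth ;;  # needs root
  *) demo ;;
esac
```

Run it without arguments to see the edit applied to the sample file; run it as root with `--apply` to change the real file and restart bluetoothd. Because the awk pass only touches the named section and replaces an existing (or commented-out) key in place, repeated runs leave a single copy of each key rather than appending duplicates, and the untouched `.orig` copy lets you diff or roll back.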


Curl's security announcement

Recently the curl project posted an announcement on GitHub that there was a severe vulnerability in curl and that a fix would be released in a week. Many people seemed to think this notice was appreciated and gave them enough time to learn about the issue and plan for the update. But I'd argue the whole approach curl has taken is ultimately undesirable and put users at risk for no reason.

What is curl?

curl is both a command-line tool and a library (libcurl). It's used widely for working with web requests, though it supports many other protocols too. curl is incredibly useful. It's available on virtually every operating system, and many important projects use its library for working with common Internet protocols. curl is a ubiquitous tool for today's technologists.

Why was the notice bad?

When a security issue is found in software it's common practice to keep knowledge of it internal until it's fixed. This is done for several reasons:

  1. It avoids giving attackers knowledge of a vulnerability which they could use to exploit systems before a fix is available.
  2. It avoids creating unnecessary panic before a fix is out.
  3. It gives time to get patches out before the details are made public.

What curl did was say there was a critical vulnerability while giving stakeholders nothing to protect themselves with. While they didn't publish details or a working exploit, for all we know they've motivated hordes of attackers to go looking for the bug and exploit it. There may also be parties that have known about the bug for years and are now motivated to use it before the patch lands.

B-but it gave me time to prepare

People have said the curl notice was appreciated because it gave affected parties time to prepare for the fix. But I don't buy that. The reason is the timeframe: one week is not long enough to do anything. By saying there'll be a patch available in a week they've effectively mandated that everyone currently using curl update within a week or potentially get compromised (not that severe, I'm guessing, since it probably still requires user interaction).

Unfortunately, it's going to take time to get the fix out to users. Every distro will have to update its packages. Tools will need to be written to scan for vulnerable versions of curl. Projects that publish container images will need to rebuild scores of images (that's A LOT of builds). They haven't given people time to prepare. In fact, by publishing their little notice they've robbed them of time, since the moment a fix is published in curl it becomes possible to reverse-engineer an exploit from the patch, and most systems still won't be patched.

So in essence, with this notice they've decided on a deadline for all other vendors, lest they leave their users vulnerable, and the deadline may not be sufficient. I would certainly consider that approach quite amateurish and negligent: a good case study in how not to handle a security issue.

So what should curl have done?

The correct approach is simple. You privately take as long as you need and write the fix FIRST. You privately contact trusted parties (the security teams of the distributions that package curl) to coordinate the availability of patched packages on a certain date. You could also work with version control hosts and container image hosts so they can update their tooling to scan for vulnerable versions of curl, and you wouldn't even have to share the exploit specifics. THEN you write the notice, WITH a patch available.
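A minimal version check of the kind the post says distros and image publishers would need, as an added example that is neither curl's own tooling nor from the original post. It parses the first line of `curl --version`, which names both the tool and the libcurl it is linked against (the two can differ, and a patched binary on top of an old shared library is still exposed), and compares each against a fixed version you supply. The page names no version number, so the threshold and the sample output lines in the block are constructed for the demo; the real value must come from the advisory.

```shell
#!/usr/bin/env bash
# Added example, not from the original post and not curl's own tooling:
# check the curl tool and the libcurl it links against a fixed version.
# The fixed version is a parameter: substitute the one named in the advisory.
set -eu

# version_lt A B : succeed if dotted version A is older than B (numeric per field;
# a suffix such as "-DEV" is ignored because awk reads "0-DEV" as 0)
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1
  }'
}

# parse_curl_versions < "curl --version" output : print "<tool> <libcurl>"
# from the first line, e.g. "curl 8.3.0 (...) libcurl/8.1.2 ..." -> "8.3.0 8.1.2".
# If no libcurl/ token is present, the tool version is reported for both.
parse_curl_versions() {
  awk 'NR == 1 {
    tool = $2; lib = ""
    for (i = 3; i <= NF; i++) if ($i ~ /^libcurl\//) lib = substr($i, 9)
    print tool, (lib == "" ? tool : lib)
  }'
}

# check_curl_version FIXED < "curl --version" output
# exit 0 when tool and libcurl are both >= FIXED, 1 when either is older,
# 2 when the input could not be parsed.
check_curl_version() {
  local fixed=$1 tool lib status=0
  set -- $(parse_curl_versions)
  tool=${1:-}; lib=${2:-}
  if [ -z "$tool" ]; then echo "could not parse curl --version output" >&2; return 2; fi
  if version_lt "$tool" "$fixed"; then echo "curl $tool < $fixed: needs update"; status=1
  else echo "curl $tool >= $fixed: ok"; fi
  if version_lt "$lib" "$fixed"; then echo "libcurl $lib < $fixed: needs update"; status=1
  else echo "libcurl $lib >= $fixed: ok"; fi
  return $status
}

# Constructed sample lines in the format of `curl --version` (not captured
# from real hosts); the third shows a newer tool linked against an older libcurl.
SAMPLE_OLD='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11'
SAMPLE_NEW='curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.2 zlib/1.2.11'
SAMPLE_MIXED='curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2 zlib/1.2.11'

DEMO_FIXED=8.2.0   # made-up threshold for the demo; use the advisory's version for real checks
for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_MIXED"; do
  printf '%s\n' "$s" | check_curl_version "$DEMO_FIXED" || true
done
# Real check on a host (uncomment and fill in the version from the advisory):
# curl --version | check_curl_version "$FIXED_VERSION_FROM_ADVISORY"
```

Exit status 1 means something on the host is older than the threshold. This only inspects the curl binary on the PATH; other programs that bundle or statically link libcurl are not seen by it, which is exactly why scanning image layers and build artifacts takes more than a one-liner and more than a week.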

People have pointed out the above already, but apparently holding a different opinion from curl's inner circle is considered trolling to them. Ironically, their very own security program asks that researchers report security problems privately. What a joke. I think it's safe to say you can ignore that.