
colonel_mortis
Administrator
Posts: 4,016
Everything posted by colonel_mortis

  1. colonel_mortis

    Anyone else traveling to see the eclipse? I've…

    (https://xkcd.com/2914/) Partial eclipses are cool, but even at 90% it just feels colder and the sun looks cool through eclipse glasses. A total eclipse is (supposed to be) something else. I will unfortunately not be experiencing it though.
  2. I think this is more likely to be an issue on the browser side than on the forum side, so unless you can repro this on a supported OS+browser combo I don't think there's much we can do.
  3. We have to load the font from the web rather than your computer because Comic Sans MS is owned by Microsoft (hence the MS) and is therefore not installed by default on all other operating systems (it may be on some non-MS platforms, but not all). If we relied on a built-in font, it would not be blocked here - that's why the fallback font works fine.
  4. The goal is not to be frustrating or unwanted... Just some April Fools fun.
  5. The font is being downloaded from another website, and that site is likely blocked.
  6. Probably. You're not missing out on much though.
  7. This works if builds are reproducible (i.e. if two people building the same release will get the same bytes out), and that is a good thing to aim for, but in practice at the moment it is surprisingly common for the output to be affected by things like the versions of dependency libs you currently have installed, compiler version, current time, etc. Progress has been made towards reproducible builds in many languages, but that has taken a fair amount of work, so it seems unlikely that it can happen any time soon for everything. I hope we do start seeing reproducible builds in more critical infrastructure so that we can make progress towards this world, and maybe that's the best we can hope for, but it seems unlikely to me that a package like this, with a single maintainer that wasn't particularly motivated to work on it, would do that work. It's still not a silver bullet though - this attacker already demonstrated an ability to use sock puppet accounts to achieve their goals, so in this case it would likely have only represented a minor inconvenience for them. Of course, multiple minor inconveniences can quickly add up to a significant increase in the effort required to pull off an attack like this, especially doing so undetected, so it would still be valuable.

     Ah I see - yes, I agree that would clearly be a good thing. Again not a silver bullet - they did still sneak multiple changes into the repo itself in plain sight to set the groundwork for this attack, and it doesn't address any binary distribution avenues where simply tarring a git repo is not sufficient - but clearly a good thing. It sounds like there are good reasons for the current setup, but that is definitely something we should be moving away from.
  8. I'm shocked that we're this far into April fools day and nobody has pointed out the (non-comic-sans) April fools Easter egg yet...

     Replies:

     leadeater, quoting Murasaki ("nice try mister"):

       [image]

     iamdarkyoshi:

       My phone's system font is comic sans, so I'm absolutely used to seeing it everywhere

  9. On the first idea (multiple signatures), that assumes there's some way for one stakeholder to prove to the other that the package is legitimate, which I don't think is possible - ultimately someone (or some CI build, which would make the attack look more like the SolarWinds attack) has to generate the package, and there needs to be trust there. I believe there are some sophisticated systems that could be built involving reproducible builds and stuff that could make that work, but that is not going to be feasible for most small OSS packages. Remember, this repo was previously only maintained by one (trustworthy) person. I'm not sure I understand the git comment.
  10. Honestly I find this attack pretty terrifying - this is the second example (that we know of) of a very well implemented supply-chain attack (the first being SolarWinds), and it was only caught by chance by someone noticing that OpenSSH was being slow. It is entirely plausible that the perf regression could have gone unnoticed (or, although I don't have a deep understanding of what it was trying to do, I suspect it could also have been possible to write the payload in a way that doesn't cause such a perf regression at all), resulting in this malicious release making it out of the bleeding edge and into mainstream distributions. I hope this will lead to some changes in the industry, but I don't know what those changes could be. Now that the concept has been proven, I doubt that this will be the last time something like this is attempted. It's not a trivial attack to pull off, but nor is it overly difficult as long as you have time to burn (in this case the attacker started getting a foothold 2 years ago) - it would be a great choice for nation-state attackers, but could also be pulled off by solo attackers. The scariest thing to me is that this may not be the first time - for all we know, and with no way to verify, there may be other compromised libraries out there already.
  11. It is a forum issue, but it's a bit awkward to fix because of how the special offline page works.
  12. colonel_mortis

    Forum signatures are crawled by chatGPT/Microso…

    Microsoft Copilot just performs searches using Bing, it's not making much use of the built in knowledge from training. It is entirely possible that the forum was scraped and fed into a pile of linear algebra (an LLM), but this isn't evidence of that.
  13. It is meant to work even when the topic is scheduled to be posted later, but there might be some edge cases. I'll look into it.
  14. colonel_mortis

    Anyone ever hired a professional cuddler? I'm t…

    (For the avoidance of doubt, you can discuss this here, though I'd prefer if you avoid actually linking to any actual services. Replies containing "Escort" will trigger our spam filter and get held up for mod approval - they should get approved pretty quickly, but you might want to use a euphemism or misspelling to avoid that.)
  15. Yes, they are taken into account, but have less weight (and it decreases the longer it's been).
  16. Your attachment storage is not full, there is no limit. Your screenshots are unreasonably large though (the two that you uploaded to that post were 17MB each, whereas a normal screenshot would be <1MB), and there is a 20MB per post limit, so it's possible that you're just trying to upload another unreasonably large image.
  17. Did you see them in the editor when you were creating your topic, or only after submitting it?
  18. Something did change yesterday. It will change back at some point, hopefully soon. That error will occur if cloudflare wants to challenge you during the edit submission.
  19. It should only happen one every few hours, but yes this is expected.
  20. Back in September 2015, the forum was breached. At the time, everyone was notified (via email, as well as discussion on either the WAN Show or the WAN aftershow), and everyone's passwords were reset. We are looking into this further, but the initial indications are that this is just the data from that breach finally surfacing publicly. If anyone has data to suggest otherwise (e.g. accounts created after that date), please do let me know.
  21. Ah damn I missed that part :/. It looks like that approach can still work though
  22. If you don't actually care about a programmatic solution and just want the answer, Wolfram Alpha can do that for you - you can just ask for the next composite number after 7,500,000,000, then for the factorisation of that. In a spoiler just in case you were looking to find the solution yourself:
  23. Summary

     Several paragraphs of text have been decoded from the inside of a scroll that was buried during the eruption of Mount Vesuvius in AD 79. These scrolls were too fragile to physically unroll, so researchers took high resolution CT scans of the scrolls, and released the data to the public, promising $700,000 to the first team to decode 4 passages from the inside of the scroll, based on the scan (along with a number of other prizes along the way), before the end of 2023.

     Quotes

     My thoughts

     This is an achievement that could only have been done with machine learning, and the technical feat here can't be understated. It has taken a lot of work to get this far, it's incredible to see what the community can achieve when it's given a goal like this. The $1M+ prize pool (donated by various mostly rich people) certainly helped to incentivise people to participate, and it will be interesting to see if this model gets adopted for any other projects in the future. If they are able to achieve their goal of extending this technology to read all 800 scrolls, this will be a big breakthrough in our understanding of Ancient Rome, let alone the other potential places where this technology could be used.

     Sources

     Official announcement: https://scrollprize.org/grandprize
  24. If you refresh the page again, it works again. I believe this is related to a few other bugs around how browser history is managed. It looks like this may have been fixed by the latest forum software update though (but no ETA yet on when that will arrive here).