Mon, 11 Jan 2021 - meta
This website exists mostly because t-online tends to block e-mails from mail servers that do not
have a website and contact information attached. I probably won't post many articles here. The About Me page is still populated if you want to know more.
Sun, 24 May 2026 - infosec
Did you also notice a repeating pattern with AI security reports lately? The attack chain just assumes a
pre-existing breach, then continues to frame normal and expectable behavior as a security issue.
Some examples that were actually reported to me in the past:
- A web application serves static files from …
Wed, 13 May 2026 - BigBlueButton
BigBlueButton sometimes shows an error with a 4-digit number but
no further explanation. I could not find a complete list online, so I dug into the sources (1,
2) and collected all error codes I could find:
1101 - 1121: Client errors
Connection or media decoding issues detected by the client …
Sat, 14 Mar 2026 - Python, infosec, CVE
The 'multipart' python library got an independent security audit and I only know about that because they
found something -> CVE-2026-28356
This is great, actually! Someone looked into it so thoroughly that they found an obscure single-character
issue in a regular expression ... and didn't find anything else! Which means I can …
Thu, 27 Nov 2025 - FOSS, BigBlueButton, BBBLB, Python
My latest FOSS Project: BBBLB is a modern multi-tenant capable
load balancer for large BigBlueButton clusters. Not ready for
production yet, but on a good path. The aim is to have something fast and easy(er) to maintain that can fully
replace scalelite (the reference implementation) and fixes some of …
Mon, 03 Nov 2025 - yarl, aiohttp, Python
The python aiohttp library uses yarl for URLs internally, and yarl normalizes URLs by default. It
silently decodes some %-encoded characters in the query string that do not strictly need to be encoded.
Sounds harmless, but it isn't. Changing the URL breaks any protocol that signs important aspects of a
…
Wed, 25 Jun 2025 - Python, uv
The uv and uvx tools have a very particular way to make virtual environments
relocatable: they replace the shebang in python scripts with some polyglot magic, so that the executable is
both a valid bash script and a python script at the same time. Unfortunately this breaks with a
SyntaxError …
Sat, 07 Jun 2025 - Fediwall
Go to https://fediwall.social/ and press 'w' :D
Sorry, no mobile support for this ultra useful feature, but it wouldn't look good on mobile anyway. Go
touch some keyboards.
Thu, 17 Apr 2025 - Coffee
Coffee machine design flaw: My coffee maker has a floating magnet in its water tank and a reed switch to
detect low water levels. The problem is that the machine stops immediately when this sensor is triggered,
even in the middle of making a coffee and with enough water left …
Mon, 07 Apr 2025 - FOSS
Today is the day. Puppet is dead, long live OpenVox!
Background: Perforce bought Puppet in 2022, betrayed the FOSS community and changed the license. This
resulted in a fork called OpenVoxProject, but old puppet
releases still worked, so many admins did not care enough to switch.
Yesterday the release key …
Sat, 22 Feb 2025 (updated: Mon, 18 May 2026) - BigBlueButton
I recently experimented with BigBlueButton
3.0-RC4 again and tried to find out why hasura-graphql-server and postgresql
are hogging half a CPU all the time on a fresh BBB server with just a single meeting and only one
participant. This seems to be less of an issue if you actually …
Sun, 17 Nov 2024 - Python, infosec, CVE
A while ago I found CVE-2024-47874 in
starlette (and FastAPI). The
same issue is also present in litestar and I reported that as CVE-2024-52581 (CVSSv4 8.7). The reaction time from
the team was very quick this time and a fix was published in less than a week. A new …
Fri, 25 Oct 2024 - Python, infosec, CVE
Werkzeug is a Web Server Gateway Interface (WSGI)
library used to develop python web applications or frameworks. Applications using
werkzeug.formparser.MultiPartParser to parse multipart/form-data requests (e.g. all
flask and quart applications) were vulnerable to resource exhaustion (denial of
service) attacks. A specifically crafted form submission request could …
Tue, 15 Oct 2024 - Python, infosec, CVE
I'm finally allowed to speak about this nice little DoS vulnerability I found in starlette (and FastAPI).
The FastAPI devs published an update 3 days
before the security release of Starlette that widened …
Sat, 03 Feb 2024 - infosec
Digging through the most popular password 'leak' compilations for a side project and it's >90% fake.
Only a tiny fraction of those passwords may have been used by a human at some point, the rest is
computer-generated junk. Even the real passwords are probably stolen from other leaks.
The reason …
Sat, 15 Jul 2023 - Mastodon, Fediverse, FOSS, Fediwall
I did a thing! Fediwall is a configurable social media wall for the
fediverse, similar to all the Twitter walls that no longer work. It's open source and easy to self-host if you want, but you can also use
the public instance on https://fediwall.social/ and configure it
yourself. Click …