Also, the Github enterprise code is "obfuscated" but it uses a trivially reversible method just meant to be a minor roadblock. After you get past that you get the full ruby source code, no minification or anything.
For a while the key was literally:
> This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken.
Could you elaborate on this bit on why Github's secret masking doesn't work here:
> GitHub Actions' built-in secret masker matches registered values as exact substrings. When the exception message is rendered by Symfony Console it may wrap, embed in In BaseIO.php line N: framing, or interleave with ANSI control sequences. So the masker does not redact, and the plaintext token reaches the log.
What does this log rendering look like such that the token from that code snippet becomes interleaved enough to not be a substring match?
I'm not familiar with composer/Symfony but I would expect something like:
From what I can tell Symfony wraps these errors in a styled error block so it messes with GitHub's masking. For example, newlines breaking up the token are apparently enough to trick the masker since it's not a substring anymore.
For your example:
Line 34: <red>ghs_fdsafdsarewqfdsa...</red>
Is probably long enough in most cases to break to a new line.
Also, those blocks get "interleaved" like this:
<red>ghs_fdsafdsarewqfdsafdsa</red>
<red>fdsardsardsafdsafs......</red>
So there are now </red>'s within the token, also breaking the substring matching.
This is kind of eye-opening for me -- I have never thought about how styled output like this could cause logging leakages.
I haven't trudged through Chromium's commit statistics but has Microsoft been upstreaming many contributions? I'm skeptical that they are ready to take on the full brunt of Chromium maintenance on a whim, it would take a decent while to build up the teams and expertise for it.
Before they swapped Edge over to use Chromium they were capable of maintaining their own engine just fine. Probably not overnight, but in the past they have shown that they have the budget to support a browser engine if they want to.
Because no amount of money was going to solve the problem of people saying they think Microsoft's browser is slower/worse/etc. Switching to Chromium negated that in a way nothing else could.
When Microsoft beat Netscape with IE, it was by building a far better browser. Google is a stronger competitor than Netscape ever was though. Without Google dropping the ball (like Netscape), Microsoft would never exceed Chrome's performance by enough to be the fastest, most compatible (with Chrome), etc.
It is also just classic Microsoft when they are hungry. Like making Word use WordPerfect files and keyboard shortcuts. Only today it is that their browser is mostly Google, Linux is built into Windows 11, SQL Server ships on Linux, and their most popular IDE is open-source built on open tech (Electron) they didn't create.
When they get threatened, nothing is too sacred for Microsoft to kill or adopt.
I feel like they burnt enough browser goodwill with IE that no one who was on the internet back then wants to touch a microsoft browser regardless of the engine
They are on the record about why they switched to a chromium based browser. It’s been a while, but if I’m remembering correctly, at the time Google was making changes to YouTube to make it actively slower, and use more power on IE. Microsoft realized that while they could compete as a browser, they couldn’t compete and fight google trying to do underhanded things to sabotage their browser.
Because they could archive the same product using chromium with less cost. Should that change their investment in that area would probably increase as a consequence.
No, because using Chromium was the only way the could stay relevant in the browser space. They were just unable to build the same product with their own stack.
They were facing the same problem that everybody is—Google adds features too fast to keep up. If Google went in a bad direction with Chrome, they’d Microsoft would just have to keep up with Mozilla and Apple.
Microsoft lands many changes in Chromium first before they show up in Edge (logistically it's easier to do things this way for merging reasons), but they do also upstream changes to Chromium that show up in Edge first.
Glad this feature is built into most modern operating systems these days.
For MacOS (Sequoia+) you can just forget the network and reconnect to get a new MAC address [1].
Android's documentation for if it decides to generate a new address per connection is a little vague [2], but I'm guessing forgetting and reconnecting works as well, you may also need to flip the "Wi-Fi non-persistent MAC randomization" bit in developer settings.
On Windows, flipping the "Random hardware address" switch seems to cause it to generate a new seed/address for me.
Yeah I had to flip the developer setting toggle, but worked flawlessly for my flight (American Airlines has a watch an ad for 20 minutes of free internet that only works once per MAC)
Are you saying that on IOS 18 if you enable developer mode then each time you forgot the network it gets a new Mac? But without developer mode it does not get a new Mac each time you forget it? The Apple docs linked elsewhere in this thread suggest it only gets a new Mac once per 24 hours when you forget the network normally. I’m going on a long boat trip in the next week where this trick might work for me if so!
I have a generic Android phone from many years ago where the manufacturer didn't even bother to program the WiFi NVRAM, so every time you load and unload the driver, you get a new randomly generated MAC address. Interesting that that has become a feature these days.
> it includes instructions for stack manipulation, binary operations
Your example contains some integer arithmetic, I'm curious if you've implemented any other Python data types like floats/strings/tuples yet. If you have, how does your ISA handle binary operations for two different types like `1 + 1.0`, is there some sort of dispatch table based on the types on the stack?
> I'd prefer to move forward based on clear use cases
Taking the concrete example of the `struct` module as a use-case, I'm curious if you have a plan for it and similar modules. The tricky part of course is that it is implemented in C.
Would you have to rewrite those stdlib modules in pure python?
What you're proposing is reminiscent of Keybase's account verification system. You make a post or equivalent on each platform with cryptographic proof that it's you. (e.g here's mine for GitHub https://gist.github.com/ammaraskar/0f2714c46f796734efff7b2dd...).
This depends on the Python version, but if it has the specializing interpreter changes, the `COMPARE_OP` comparing the integers there is probably hitting a specialized `_COMPARE_OP_INT` [1].
This specialization has a ternary that does
`res = (sign_ish & oparg) ? PyStackRef_True : PyStackRef_False;`.
This might be the branch that ends up getting predicted correctly?
Older versions of Python go through a bunch of dynamic dispatch first and then end up with a similar sort of int comparison in `long_richcompare`. [2]
For a while the key was literally:
> This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken.
reply