SDF is cool, I commend their efforts of keeping a pub unix going! To me it feels like a stronghold of the "old school" web, similar to certain bulletin board systems.
I regularly visit and enjoy reading the phlogs of their members as well.
Their section on Plan 9:
https://sdf.org/plan9/
Side note: here's my workflow for running Plan 9 on Windows:
https://youtu.be/IzEa2L_Pgw0?si=unM5l2-_i_g-NYKP
Previously...
SDF Public Access Unix System - https://news.ycombinator.com/item?id=32340635 - Aug 2022 (29 comments)
SDF Public Access Unix System - https://news.ycombinator.com/item?id=31076886 - April 2022 (46 comments)
SDF Public Access Unix System - https://news.ycombinator.com/item?id=14940790 - Aug 2017 (29 comments)
SDF – Public Access Unix System - https://news.ycombinator.com/item?id=14134798 - April 2017 (51 comments)
Finally got to log into a VMS system! I was looking to do that over 20 years ago but never could find one.
Somehow I still remembered most of the shell syntax in a book I read about it probably in 2001. Don't ask me ... I don't know how either.
Got bored in about 10 minutes but still, another box checked off!
Named after the Super Dimension Fortress from the Macross anime series. If you like mecha I recommend checking out the original series (it might look dated in some regards but still worth a watch. And the Do You Remember Love is a must watch after you finished the series, a grandiose animated spectacle, one of the most impressive animated films I've seen)
If you are not feeling like watching a long series, I recommend checking out Macross Plus, from the author of Cowboy Bebop and Samurai Champloo.
The series is known as Robotech in the USA. The original series is not available legally in the USA to my knowledge but should be available on Japanese Blu-rays with English subtitles or on your favorite Linux ISO sharing website. The rest of the entries are on Disney+ or the aforementioned websites.
I wrote a bit on the SDF if you are interested: https://rz01.org/sdf/
I found a way to escape their shell (so you can run whatever you want), if you're not verified, it involves multiple steps to achieve this. I mailed them 2x to their membership address, but as of today no reaction. I also asked in their IRC.
Just a question to HN: should I wait more, try again? Or should I simply publish the vulnerabilities somewhere? If yes, where? It's the first time that I found a vulnerability on my own, not sure how to deal with that.
You shall wait. It's a volunteer powered system and while the ops are silent and terse in their mails, they're nice people.
Their plate is already quite full and they operate a whole universe of services, so cut them some slack.
It's not an ordinary service which is exposed to the internet trying to turn a profit. They run SDF, two Mastodon instances, a mail server, a Git server, trying to salvage/keep alive a living computer museum (SDF Vintage Systems), etc. etc.
I get that it's a volunteer system, but having donated for 2 years to help support their Lemmy instance, it's frustrating it's been down for 2 weeks without much of an update, just a hint "there's a good chance" it will come back. To me that seems lacking in transparency, not terse. How much disk space is it using? Maybe others in the community could help? How can they if they don't respond to emails? It was a nice thing while it lasted, but for federated social media, that kind of downtime hurts communities the most.
Don't publish. You already notified them, your shell escape isn't a big deal, publishing it will only be a pain for the volunteers running the service.
I think you should create some visible but harmless nuisance using this shell escape, so that it's likely to get noticed, but doesn't damage anyone's valuable data.
Perhaps just run "bash -c 'stress --cpu 64 ; echo fix your shell escape'" or something like that.
Well, ruining everyone's day on that particular host is not a nice way to "bring this to attention".
If I ever experienced something like that, I'd be banning the person (or limiting their resources drastically) for 60 to 90 days to bring the impact of this matter to their attention.
Anything affecting users on a system is not harmless.
Definitely wait at least a few months if you've not already. There are legal risks with these kinds of things and some orgs move slowly.
I did it too but TBH as I used small tools such as tcc, jimsh, eforth+muxleq, sacc, smu, catpoint+pointtools, compilers from https://t3x.org... I didn't care a lot about the rest, I'm pretty happy with my current account.
You can do a lot with S9 Scheme and the Unix API/syscalls it supports.
I've been fortunate enough to know Stephen Jones of SDF through his running of the local Seattle retro computing event (now rebranded as VCF PNW).
He's an absolutely kind soul who is deeply interested in all kinds of retro projects. I wish there were more folks like him in tech generally.
just got my stickers from there yesterday! :-) i wish my less cs-oriented friends could see how cool i think the sdf is, lol; and, that some kind of "small-web" system, complete with the self-expression the sdf offers via web-hosting, a radio station(!), etc., was accessible to more people (not at the fault of anyone; just that there's a lot to the internet that most people will never see). :>
I had an account there years ago but never really saw the point. I was already SSHing in from a shell, just to end up at another, different one. Kind of whimsical I guess, but ultimately of scant practical use.
Still going strong. I started there when they were still on DEC Alphas.
"this page was generated using ksh, sed and awk"
I've been on it forever, it's such a great resource
Yesterday was NetBSD's 33rd Birthday. Nice time to share it :)
A great webhost, too. You can log in and edit html/index.html directly or scp stuff up.
I love SDF. Super reliable and awesome community.