Title: 2024 in retrospect Date: 2024-12-31 23:59 In 2024, I did, amongst other things: - [Left Google]({filename}/misc/leaving_google.md) - Donated blood - Donated some money: - $5000 to [NOYB](https://noyb.eu/) - 1337€ to [Nos Oignons](https://nos-oignons.net) - $5000 to [Médecins du Monde](https://en.wikipedia.org/wiki/M%C3%A9decins_du_Monde) - $5000 to [Médecins sans Frontières](https://en.wikipedia.org/wiki/M%C3%A9decins_Sans_Fronti%C3%A8res) - $5000 to [Planned Parenthood Federation of America](https://en.wikipedia.org/wiki/Planned_Parenthood) - $200 each, as a [Open Source Peer Bonus](https://opensource.googleblog.com/search/label/peer%20bonus), courtesy of Google, to - [andrewrk](https://github.com/andrewrk) for his work on [Zig](https://ziglang.org/) - [q66](https://q66.moe/) for his work on [Chimera Linux](https://chimera-linux.org/) - [Sam James](https://github.com/thesamesam) for his work on [Gentoo Hardened](https://wiki.gentoo.org/wiki/Hardened_Gentoo) - all the "premium points" from my Swiss credit card to the [UNHCR](https://unhcr.org/) - Read a couple of books: - [Alpinisme & anarchisme](https://nada-editions.fr/produit/alpinisme-anarchisme/) - Some [Warhammer 40,000](https://en.wikipedia.org/wiki/Warhammer_40,000): - [Fall of Cadia](https://wh40k.lexicanum.com/wiki/Fall_of_Cadia_(Novel)): really nice - [Siege of Vraks](https://wh40k.lexicanum.com/wiki/Siege_of_Vraks_(Novel)), Verdun in space. - [The Lords of Silence](https://wh40k.lexicanum.com/wiki/The_Lords_of_Silence_(Novel)), amazingly well written - [Fire Warrior](https://wh40k.lexicanum.com/wiki/Fire_Warrior_(Novel)): refreshing to read about the T'au - [Genefather](https://wh40k.lexicanum.com/wiki/Genefather_(Novel)): Belisarius Cawl and Fabius Bile are always hilarious. - [The Wicked and the Damned](https://wh40k.lexicanum.com/wiki/The_Wicked_and_the_Damned_(Anthology)): 3 nice novellas properly tied together - [Cypher: Lord of the Fallen](https://wh40k.lexicanum.com/wiki/Cypher:_Lord_of_the_Fallen_(Novel)), excellent: I love such a bullshit-rich character as main protagonist. - [Dante](https://wh40k.lexicanum.com/wiki/Dante_(Novel)): 25% generic science-fiction, 50% Blood Angel recruiting documentary, 25% emo introspection. - [Cult of the Spiral Dawn](https://wh40k.lexicanum.com/wiki/Genestealer_Cults_(Novel)) and [The Reverie](https://wh40k.lexicanum.com/wiki/The_Reverie_(Novel)): a bit too all over the place for my taste, but objectively great. - More of the [Dawn of Fire](https://wh40k.lexicanum.com/wiki/Dawn_of_Fire_(Novel_Series)) series, felt like a chore except the last book, [Sea of Souls](https://wh40k.lexicanum.com/wiki/Sea_of_Souls_(Novel)), which was a real treat. - [Deathwatch: Shadowbreaker](https://wh40k.lexicanum.com/wiki/Shadowbreaker_(Novel)), great start, devolving into bolter porn, ending on an lame reveal paired with heavy sequel-baiting in the span of the few last pages. - [The Horus Heresy: Siege of Terra: The End and the Death Vol. 3](https://wh40k.lexicanum.com/wiki/The_End_and_the_Death:_Volume_III_(Novel)), felt like an exercise of style in writing applied to a Dragon Ball fight spanning 512 pages. Still pretty good. - [Path of the Dark Eldar](https://wh40k.lexicanum.com/wiki/Dark_Eldar_(Novel_Series)), Drukhari aren't my favourite faction, but the omnibus is pleasantly written, witty and honestly quite refreshing amongst the sea of Imperium bolter-porn. - [The Faith Healers](https://en.wikipedia.org/wiki/The_Faith_Healers), so much rightful salt. - [Amusing ourselves to death](https://en.wikipedia.org/wiki/Amusing_Ourselves_to_Death): sick sad world. - Tried some mangas, on the advices from friends: - [Hunter x Hunter](https://en.wikipedia.org/wiki/Hunter_%C3%97_Hunter) - [Dragon Ball](https://en.wikipedia.org/wiki/Dragon_Ball), classic. - [Monster](https://en.wikipedia.org/wiki/Monster_(manga)), refreshing. - [Liar Game](https://en.wikipedia.org/wiki/Liar_Game): amazing. - [Fullmetal Alchemist](https://en.wikipedia.org/wiki/Fullmetal_Alchemist), a tad too long - [Tokyo Ghoul](https://en.wikipedia.org/wiki/Tokyo_Ghoul), could have been interesting, but isn't. - [Sakamoto Days](https://en.wikipedia.org/wiki/Sakamoto_Days), had a neat Hunter x Hunter vibe, including an obnoxious yet boring antagonist. - [Death Note](https://en.wikipedia.org/wiki/Death_Note), a classic, should have stopped after the first arc with L, and could have been better with less sexualised schoogirls in it. - [Gunnm](https://en.wikipedia.org/wiki/Battle_Angel_Alita), first book was alright, the rest is trash, too bad as the themes could have been interesting. And of course: sexism. - [Assassination Classroom](https://en.wikipedia.org/wiki/Assassination_Classroom): amazing premise, the last third felt like unnecessary padding, and of course, a dispensable amount of sexism - [e: The Story of a Number](https://press.princeton.edu/books/paperback/9780691168487/e-the-story-of-a-number), full of tidbits about anything related to [e](https://en.wikipedia.org/wiki/E_(mathematical_constant)). - [Blackwater: The Rise of the World's Most Powerful Mercenary Army](https://en.wikipedia.org/wiki/Blackwater%3A_The_Rise_of_the_World's_Most_Powerful_Mercenary_Army) urgh. - [Dark Wire: The Incredible True Story of the Largest Sting Operation Ever](https://hachettebookgroup.com/titles/joseph-cox/dark-wire/9781541702691/): use Signal. - [Space Rogue: How the Hackers Known As L0pht Changed the World](https://spacerogue.net/wordpress/?p=869), felt like reading the script of [Hackers (1995)](https://en.wikipedia.org/wiki/Hackers_(film)) - [The Book of Melee](https://smashwords.com/books/view/937607), not a great book, and as tl;dr: various people "completely changed the metagame" and the top-players along with the community are a herd of despicable people. - [Grammaire descriptive de la langue des signes française: Dynamiques iconiques et linguistique générale](https://books.openedition.org/ugaeditions/15959), really nice if you're into linguistics, especially since the [LSF](https://en.wikipedia.org/wiki/French_Sign_Language) has some really atypical constructs that don't map well unto the French language. - [A City on Mars: Can We Settle Space, Should We Settle Space, and Have We Really Thought This Through?](https://en.wikipedia.org/wiki/A_City_on_Mars), witty, insightful, realistic and well-written, but with too many puns on [the complete tool that is](https://en.wikipedia.org/wiki/Views_of_Elon_Musk) Elon Musk. It would be weird to have lame puns on Thatcher in a book on Labor, or Bush in one about Middle East. - Played some video games: - On a computer: - [Space Marines 2](https://en.wikipedia.org/wiki/Warhammer_40%2C000%3A_Space_Marine_2)!!! - [Helldivers 2](https://en.wikipedia.org/wiki/Helldivers_2), great with friends - Finished [Hitman 3](https://en.wikipedia.org/wiki/Hitman_3)'s Freelancer mode in [hardcore difficulty](https://hitman.fandom.com/wiki/Freelancer#Difficulty), because I'm this petty. - [Prey](https://en.wikipedia.org/wiki/Prey_(2017_video_game)), felt like a modern [System Shock](https://en.wikipedia.org/wiki/System_Shock), with some touches of [art-deco](https://en.wikipedia.org/wiki/Art_Deco) à la [Bioshock](https://en.wikipedia.org/wiki/BioShock) but with a tedious late-game. - On a (glorious) [Steam Deck](https://en.wikipedia.org/wiki/Steam_Deck): - [Alan wake](https://en.wikipedia.org/wiki/Alan_Wake): not my jam - [Cassette Beasts](https://en.wikipedia.org/wiki/Cassette_Beasts): Pokemon done right - [Hogwarts Legacy](https://en.wikipedia.org/wiki/Hogwarts_Legacy), finished it 100%, because why not. - [Red Dead Redemption 2](https://en.wikipedia.org/wiki/Red_Dead_Redemption_2), [Rockstar Games](https://en.wikipedia.org/wiki/Rockstar_Games) is really not my jam. - [The Invincible](https://en.wikipedia.org/wiki/The_Invincible_(video_game)): could have been a visual novel instead. Gave up before finishing it. - [Warhammer 40,000: Inquisitor - Martyr/Prophecy](https://store.steampowered.com/app/527430/Warhammer_40000_Inquisitor__Martyr/): Diablo-like in Warhammer 40.000, what's not to like. - [Hades](https://en.wikipedia.org/wiki/Hades_(video_game)). I usually *hate* rogue-lite, but this one is as engaging as it is beautiful. Until you finish the main quest, then it becomes ludicrously grindy to get to the end of the game. - [The Saboteur](https://en.wikipedia.org/wiki/The_Saboteur), the last game by [Pandemic Studios](https://en.wikipedia.org/wiki/Pandemic_Studios), a mix between Grand Theft Auto, Assassin's Creed and Splinter Cell. Truly a hidden gem, with a ton of neat small details and great ideas. - [Marvel's Spider-Man Remastered](https://en.wikipedia.org/wiki/Spider-Man_(2018_video_game)#Marvel's_Spider-Man_Remastered): gorgeous, although it made me question the representation of violence in video games, especially about the dehumanisation of the antagonists. - [Still Wakes the Deep](https://en.wikipedia.org/wiki/Still_Wakes_the_Deep): beautiful, amazing sound design, too bad it sometimes felt a bit artificial objective-wise. I wouldn't recommend playing it on the Steam Deck, since it's a tad underpowered to run it properly. - [Nier Automata](https://en.wikipedia.org/wiki/Nier:_Automata): 'was told it was an amazing game playing an android fighting in a war, with topics like cycles, empathy, rejecting gods, conflicts, humanity as a concept, …, but I gave up after 1h. Playing a teenage-looking mini-skirt-showing-the-panties blindfolded high-heeled-boots-wearing battle android is fucking ruining everything. The reason for her appearance isn't even justified via a bullshit reason like Metal Gear Solid V's Quiet, it's simply because the creator of the game "[just really like girls](https://dualshockers.com/yoko-taro-nier-automata-protagonist-2b-wears-high-heels-just-really-like-girls/)." [Medium is the message](https://en.wikipedia.org/wiki/The_medium_is_the_message) for fuck's fake. - Listened to [some music](https://listenbrainz.org/user/jvoisin/year-in-music/2024). - Got rid of plugins in my [vimrc](https://dustri.org/pub/vimrc) - Kept volunteering at a library. - Did a couple of job interviews: - [Rapid7](https://en.wikipedia.org/wiki/Rapid7), for a lead security researcher position : great process/experience, but the team/I wasn't a good fit; it's ok, it happens. - [Randorisec](https://randorisec.fr/en), for a senior security engineer position, which they offered me, but I declined as a got a way better offer somewhere else. - [Cloudflare](https://cloudflare.com), for a Linux engineer position, with a focus on secure-boot. They picked another candidate, but got really positive feedback. - [Canonical](https://en.wikipedia.org/wiki/Canonical_(company)), for an "ubuntu security technology manager position"; I should have trusted the internet, the experience was unbelievably terrible. - [Hex-Rays](https://hex-rays.com) suggested that I apply there, but my C/C++-fu was unsurprisingly way too weak and got rejected early, albeit to be honest, the interview process was so bleak and dry that I might not have been super-motivated. - ■■■■■■, for an amazing principal security engineer position, doing things at the intersection of hardware and software security. Unfortunately, towards the end of the process, the team realised that they couldn't hire in France, because of the *communist* labor laws reigning there. - [Back Market](https://backmarket.com/), for a Staff Security Engineer position, but was rejected as "while your application and technical skills are impressive and relevant for the position, the team felt there was a lack of alignment in terms of motivation to join Back Market and make an impact as a Staff Engineer in our organization.", which I found odd, but oh well. - The [Tor Project](https://torproject.org), for a Network Health Engineer position. They went for "another candidate whose skill set and experience more closely matches what we are looking for in this position.", which is understandable as I didn't really fit the profile. But, I've been told that "people were really excited about your interview and some of the ideas you brought up there... I hope there will be another position you will apply for because you are an obvious fit :D" - Contributed to a couple of projects: - [OSS-Fuzz](https://github.com/google/OSS-Fuzz/pulls?q=is%3Apr+author%3Ajvoisin+created%3A2024) - improved a bit [isoalloc](https://github.com/struct/isoalloc/pulls?q=is%3Apr+author%3Ajvoisin+created%3A2024)'s testsuite - helped to translate [navidrome](https://navidrome.org) in French - [recog](https://github.com/rapid7/recog/pulls?q=is%3Apr+author%3Ajvoisin+created%3A2024), if only to improve [runZero](https://runzero.com/)'s accuracy. - [fortify-headers](https://github.com/jvoisin/fortify-headers/), trying to [get it updated in Alpine Linux](https://gitlab.alpinelinux.org/alpine/aports/-/issues/16200) - [snuffleupagus](https://github.com/jvoisin/snuffleupagus), mostly bugfixes and merge-request reviews. - [Alpine Linux](https://alpinelinux.org), by [sending patches](https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests?scope=all&state=all&author_username=jvoisin), but also being a [package maintainer](https://pkgs.alpinelinux.org/packages?name=&branch=edge&repo=&arch=&maintainer=Julien+Voisin). - [fuzzilli](https://github.com/googleprojectzero/fuzzilli), by [upstreaming](https://github.com/googleprojectzero/fuzzilli/pull/406) support for [Ladybird](https://ladybird.dev/)'s [LibJS](https://github.com/SerenityOS/serenity/tree/master/Userland/Libraries/LibJS), as I might use this browser one day. - Alexander Popov's [kernel-hardening-checker](https://github.com/a13xp0p0v/kernel-hardening-checker/pulls/jvoisin), resulting in the following requests in Fedora: - [Missing MTE-accelerated KASAN: CONFIG\_KASAN\_HW\_TAGS]( https://bugzilla.redhat.com/show_bug.cgi?id=2281022 ): accepted - [Missing IOMMU hardening: enable CONFIG\_IOMMU\_DEFAULT\_DMA\_STRICT=1](https://bugzilla.redhat.com/show_bug.cgi?id=2280152): rejected - [Missing randomized slab caches for normal kmalloc: enable CONFIG\_RANDOM\_KMALLOC\_CACHES=y](https://bugzilla.redhat.com/show_bug.cgi?id=2276375): accepted - [Missing automatic memory initialization: enable CONFIG\_INIT\_ON\_ALLOC\_DEFAULT\_ON=y ](https://bugzilla.redhat.com/show_bug.cgi?id=2279678): accepted, and prevented at least [this issue](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c0da3d163eb32f1f91891efaade027fa9b245b9). - [gcc: CONFIG\_ARM64\_BTI\_KERNEL is disabled due to BTI instruction not being inserted for cross-section direct calls](https://bugzilla.redhat.com/show_bug.cgi?id=2274882), due to [BTI instruction are not inserted for cross-section direct calls](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106671) in gcc. - [OpenMW](https://openmw.org), by being the main sysadmin of the project, as well as [interviewing](https://openmw.org/category/interview/) a lot of its contributors. - [metasploit](https://github.com/rapid7/metasploit-framework/pulls?q=+is%3Apr+author%3Ajvoisin+created%3A%3E2023+), adding encoders for php payloads and various php-related improvements, as well as minor bugfixes/refactoring/enhancements. - [PHP](https://php.net) by helping [detect heap freelist corruption](https://github.com/php/php-src/pull/14054) land, and landing [add two checks for zend\_mm\_heap's integrity](https://github.com/php/php-src/pull/13943), since I told in 2022 to [real](https://github.com/cfreal) that I'll look into [making it harder](https://github.com/php/php-src/issues/14083) to [exploit php's heap](https://youtube.com/watch?v=-FXvUe0tySM). I got a [mention during an OffensiveCon talk](https://youtu.be/dqKFHjcK9hM?t=2802) about this. - [miniflux](https://github.com/miniflux/v2/pulls?q=is%3Apr+author%3Ajvoisin), with more than 100 commits, since it became my RSS reader: made it *significantly* faster, profiled it to death via [Google Cloud Profiler](https://cloud.google.com/profiler/docs/), removed as many dependencies as possible, reduced database usage/queries, improved OPML import from Thunderbird, significantly reduced memory consumption, reduced the binary's size, reduced webpage sizes, [reduced the time/resources taken by the continuous integration](https://github.com/miniflux/v2/issues/3029), added fuzzers to improve/prove robustness, added some [rewrite rules](https://miniflux.app/features.html#content-manipulation), added [trusted-types](https://web.dev/articles/trusted-types) support, as well as various improvements/simplifications/refactoring/… - Started to write a (technical) book. - Made some new friends, and [lost some](https://lunar.anargeek.net/). - Helped a friend with his slides for [KazHackStan](https://kazhackstan.com/en) - Gave a small talk with [lila](https://lila.ink/) about Stalkerware for [Echap](https://echap.eu.org) - Kept contributing a bit to Wikipedia, in [English](https://en.wikipedia.org/wiki/Special:Contributions/jvoisin) and in [French](https://fr.wikipedia.org/wiki/Sp%C3%A9cial:Contributions/jvoisin) - Attended a single concert, [Fear Factory](https://en.wikipedia.org/wiki/Fear_Factory) with [Bad Situation](https://facebook.com/badsituationband/) as first part. - Finally got a permanent [OP](https://en.wikipedia.org/wiki/IRC_operator) status on [smashthestack](https://smashthestack.org)/[overthewire](https://overthewire.org/)'s `#social`! - Got an advertisement for Snuffleupagus in [PagedOut #4](https://pagedout.institute/download/PagedOut_004_beta1.pdf), as well as [an article]({filename}/security/carrot_disclosure.md) - Added more possible subtitles to this blog, bringing the number above 1300. - [Gave a talk at Blackhat]({filename}/security/blackhat_2024.md) about [Modern Anti-Abuse Mechanisms in Competitive Video Games](https://blackhat.com/us-24/briefings/schedule/index.html#modern-anti-abuse-mechanisms-in-competitive-video-games-38972) - Learned to disengage, so that I could spend my meagre free time in better ways. This includes: - not engaging anymore in one-way-conversations, especially about topics that I hold dear - reporting bugs to software without a bug tracker, and sending patches/fixes/… to software without a forge: email-based development can go die in a fire. This includes [musl](https://blahaj.social/@q66/112473785909475901) and Linux. - Took part in the [Global Encryption Day: Distribute(d) trust -- The key to global encryption access](https://blog.torproject.org/event/2024-global-encryption-day-key-to-global-encryption-access/) round table. - Bought an electric bike, as a nice middle-ground between a regular one and something more powerful, like a car. - Kept being on the board and maintaining [Nos Oignons](https://nos-oignons.net/)'s infrastructure with [corl3ss](https://corl3ss.com/), still handling [a bit more than 2% of the total exit traffic](https://metrics.torproject.org/rs.html#aggregate/ascc/country:fr%20flag:exit%20contact:adminsys@nos-oignons.net%20) of the tor network. - Caved in and bought myself an Apple M2 as a personal computer, after more than 15 years using [ThinkPads](https://en.wikipedia.org/wiki/ThinkPad); but as I find OSX insufferable, I put [AsahiLinux](https://asahilinux.org/) on it.