Skip to content

Instantly share code, notes, and snippets.

View MagnaCapax's full-sized avatar

MagnaCapax

2 followers · 0 following
View GitHub Profile
@MagnaCapax
MagnaCapax / deluge-password-sync-advisory-gist.md
Last active February 11, 2026 08:37
Seedbox Providers Store SSH Passwords in Plaintext — Security Advisory

Seedbox Providers Store SSH Passwords in Plaintext

Summary

Most seedbox hosting providers and open-source seedbox management panels synchronize the customer's SSH/system password with the Deluge torrent client's daemon auth file (~/.config/deluge/auth). This auth file stores passwords in plaintext in all currently deployed Deluge versions.

The customer's SSH password is therefore stored in cleartext at a known, predictable path inside the user's home directory. Any vulnerability that allows reading files from the user's home directory — past, present, or future — immediately yields the SSH password.

This is not a new Deluge vulnerability. Deluge's plaintext auth file is a known, long-standing design choice (ticket #2442, opened 2014). The problem is the industry practice of placing the SSH password — the keys to the kingdom — into that file.

@MagnaCapax
MagnaCapax / gist-t14-elliptic-labs.md
Created January 30, 2026 08:00
Lenovo ThinkPad T14 Gen 3 Screen Locks After 1 Minute — Elliptic Labs Presence Detection + Webcam Shutter Fix

Lenovo ThinkPad T14 Gen 3 Locks Screen After 1 Minute — Elliptic Labs "Presence Detection" Gone Rogue

TL;DR

Your Lenovo T14 Gen 3 keeps locking the screen after about a minute, even though every single power and lock timeout is set to sane values? You've checked screensaver, display timeout, sleep timer, group policies — all fine? Yeah, it's none of those. It's a damn ultrasonic "presence sensor" called Elliptic Labs Virtual Lock Sensor that thinks you've walked away from your laptop. Oh, and if you have the webcam privacy shutter closed (the little slider with the red dot)? It definitely thinks you've left. Because apparently covering your webcam for privacy means you don't exist anymore.

Lenovo literally ships a privacy feature (ThinkShutter) that breaks another feature (presence detection). You can have webcam privacy or a usable laptop. Pick one. Unless you disable the presence detection entirely, which is what you should do.

@MagnaCapax
MagnaCapax / gist-gemini-cli-ipv6.md
Created January 30, 2026 07:58
Google Gemini CLI Authentication Fails Silently — IPv6 Root Cause Analysis & Fix

Google Gemini CLI Authentication Fails Silently — IPv6 Is The Culprit

TL;DR

Gemini CLI auth login opens browser, you sign in successfully, browser says "all good!" and then the CLI just... dies. No useful error message. Just failed, reason: with nothing after it. Spent way too long thinking it was token issues, credential problems, account permissions — turns out Node.js was trying IPv6 first, IPv6 was unreachable, and the Gemini CLI doesn't bother falling back to IPv4. The fix? One sysctl command. Or one environment variable. Seriously.

Oh, and Google's own error screen helpfully tells you to check "enterprise keys" and other nonsense. Thanks Google.

This isn't just a WSL2 issue either. Any system with flaky or broken IPv6 connectivity will hit this. And that's a lot of systems.