HackerTrans
TopNewTrendsCommentsPastAskShowJobs

lohnjemon

no profile record

comments

lohnjemon
·قبل 3 سنوات·discuss
So this one integer overflow in sort, a command which is never ran as root is an issue somehow, because it can cause a denial of service(it crashes)? Am I missing something here. Can I use this to exploit someone's machine?

I can search uutils/coreutils for "overflow" and get way more hits, I don't see how this is a rational thing to be afraid of within GNU Coreutils considering it's a collection of tools, that have been developed and maintained for decades and used by millions over that time period.

https://github.com/uutils/coreutils/issues/1420 https://github.com/uutils/coreutils/issues/886 https://github.com/uutils/coreutils/issues/5149

To be clear, I don't see any problems personally with any of these issues, they don't seem very exploitable to me.

However, I think that relying on Rust to be the bastion of safety merely because the name "Rust" is mentioned is nothing but a fallacy.

To me, logic bugs are the far more egregious category in something like coreutils. Me making the assumption, that something works the way it's documented, but doesn't can lead to horrible things down the road. Much more so, than any integer overflow crash could ever dream to.
lohnjemon
·قبل 3 سنوات·discuss
What kinds of memory safety bugs do you really care about in coreutils? Genuinely curious.

Given how mature and well defined the GNU Coreutils are, how small their scope is, how they are used, I really don't see the supposed security upside here.

There simply has to be a better reason to me, than "Rust good".
lohnjemon
·قبل 3 سنوات·discuss
That's not how it works out in practice. For example, journalists who have insider info from sources and leak it on the regular don't do anything to prove they have insider information, they build up reputation based on how many predictions they make.

There's no point in outing your sources, that's how you lose them.
lohnjemon
·قبل 3 سنوات·discuss
Indexing trillions of messages is outrageous.
lohnjemon
·قبل 3 سنوات·discuss
Don't trust Signal for what? For communicating about illegal dealings, that intelligence agencies are interested in cracking down? Ok, sure, but then don't "trust" anything digital over the wire.

What about having E2EE traffic for your day-to-day communications? Why not, it seems reasonably protected and no government agency or third party would reasonably put the effort into looking into that.
lohnjemon
·قبل 3 سنوات·discuss
As I've been looking into freelance teaching and researching what kinds of services people provide, it's become astounding to me how poor most freelance teaching is.

There's a bunch of people with the skills of a first year CS student offering "learn to code" education out there.

But it sort of makes sense, those are exactly the kind of people who would want to make a quick buck on the side, not seasoned professionals who are making 6 figs already.

It's just unfortunate, that people get sold this idea of "becoming a coder in a few weeks" and go nowhere because of it.
lohnjemon
·قبل 3 سنوات·discuss
How does memory safety allow you to protect your personal information? How many binary exploits have actually lead to the exposing your personal information?

I can count with my fingertips exactly zero times that has happened to me. The times my personal information was compromised happened to me is when I downloaded malicious software. Malicious software doesn't care whether your process has "memory safety", it'll extract anything from the processes memory it wishes. Sure memory safety would at least rule out simple binary exploits, but to be targeted by one is not exactly common.

I don't get the narrative of an ever increasingly threatening world. If anything things have only been getting better, at least for the individual users. I remember individuals getting pwned very frequently in the old days. Now, not so much, with DEP, ASLR, and stack canaries. The attacks on businesses have increased, but those attacks are mostly just phishing or otherwise human error related.

Attack vectors for actual PI retrieval rarely incorporate some obscure memory bug in a program allowing RCE or remote access. Unless you're a high value target.
lohnjemon
·قبل 3 سنوات·discuss
When I had written my shell to the point where I could execute simple commands, this was the first thing that came to my mind using it.

Execute the shell -> Modify the source code of the shell with vim -> Remake the shell -> Execute the newly built shell with the old shell

Just for fun :)