HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ostif-derek

no profile record

comments

ostif-derek
·2 mesi fa·discuss
But you have to be super careful about defining the mitigations for this one, as for example Cloudflare passes malicious headers as-is without extra configuration, leaving hosts vulnerable when they are assumed to be protected.
ostif-derek
·2 mesi fa·discuss
You're relying on everyone in the world to set things up in a way that provides defense in depth. Not everyone is going to do that.

Which means there's going to be a lot of cases where people don't do the safe thing.

Especially, as other's have said, in the case of MCP servers, where the spec mandates exposed oauth.
ostif-derek
·2 mesi fa·discuss
This is a bad one. Rating it a medium understates how hard it hits thousands of downstream projects and billions of installs. People need to patch asap. I'm normally against the "giving a bug a name, logo, and website" trope, but this one is getting poor patch rates because of it being rated a medium and landing right before a big American holiday weekend.
ostif-derek
·2 mesi fa·discuss
Unfortunately that doesn't help much. LLMs are really really good at digging up known vulns, so much so that they often falsely declare known vulns as new and novel ones.

They have the CVEs in their training data, know how to look up ossfuzz logs, etc.
ostif-derek
·anno scorso·discuss
Hey there everyone!

Some friends just notified us that this is trending.

Let me know if you have any questions/comments/feedback about the work! It was a great project, I wish we had more budget so that we could spend some time with ruzzy and the C extensions as there's probably some things to be unearthed there with ASAN and UBSAN.

As for the comments on Spring/Elixir/Django/Phoenix, they're on our wish list every year but we're always limited by funding. It's about what the communities, foundations, and agencies can and will support. We are always working toward getting larger grants where we can work fully independently on whatever we want, but so far that hasn't materialized.

We'll keep trying!