HackerTrans
TopNewTrendsCommentsPastAskShowJobs

rany_

no profile record

Submissions

$1900 Bug Bounty to Fix the Lenovo Legion Pro 7 16IAX10H's Speakers on Linux

github.com
295 points·by rany_·8 mesi fa·135 comments

comments

rany_
·2 mesi fa·discuss
Could this be used to root Android devices? Does Android ship with algif_aead?
rany_
·4 mesi fa·discuss
The page looks promising but how can I try it out?
rany_
·7 mesi fa·discuss
Not if it's their own car industry. They'll only throw the book at foreign companies.
rany_
·7 mesi fa·discuss
There are lots of different scenarios you can conjure up. Another could be that Israel assassinated him after he refused to support their nuclear program OR to silence him.
rany_
·7 mesi fa·discuss
First thing that came to mind is that he might have been secretly working for Israel's nuclear program but this is all very speculative. It does feel plausible though given that Israel has already assassinated plenty of Iranian nuclear scientists; so there is some precedent for it.
rany_
·7 mesi fa·discuss
He is a nuclear scientist so he might have been working for some country's nuclear program?
rany_
·7 mesi fa·discuss
I can't spot anything conspiratorial in that article, though?
rany_
·7 mesi fa·discuss
> As part of our ongoing work to protect customers using React against a critical vulnerability, CVE-2025-55182, we started rolling out an increase to our buffer size to 1MB, the default limit allowed by Next.js applications.

Why would increasing the buffer size help with that security vulnerability? Is it just a performance optimization?
rany_
·7 mesi fa·discuss
I've seen lots of weird tricks malware authors use, people are creative. My favorite is that they'd load up a text file with a modified base64 table from Dropbox which points to the URL to exfiltrate to. When you report it to Dropbox, they typically ignore the report because it just seems like random nonsense instead of being actually malicious.
rany_
·7 mesi fa·discuss
This is a great idea but I'm a bit concerned about your bandwidth costs and illegal/malicious content being hosted used under your domain.

For the second point, you might want to implement some kind of browser warning similar to what Ngrok does.
rany_
·10 mesi fa·discuss
Huh, my image viewer claimed it's HEIC specifically. My camera also seems to conflate HEIC and HEIF in the settings. It provides HEIF as a format option, when I guess it should be specifying which codec is actually being used. I had no idea HEIF isn't tied to just HEIC though.
rany_
·10 mesi fa·discuss
The image is actually HEIF not AVIF :)
rany_
·10 mesi fa·discuss
Of course they would. Regulatory capture.

In my opinion, regulating AI companies/models is the WRONG way to go. Instead, we should regulate HOW companies/major stakeholders use AI.
rany_
·2 anni fa·discuss
That JiaT75 account is also suspended, if you check https://github.com/Larhzu?tab=following you'll see that they're suspended as well. It's pretty weird that it's that hard to find out whether a user is suspended.
rany_
·2 anni fa·discuss
Also git actually stores the timezone information. You could see it is consistently China time (GMT+8).

P.S. could be Taiwanese as China and Taiwan share the same timezone.

Below are links to the git mailbox files where you could see the timezone.

From 2022:

- https://github.com/tukaani-project/xz/commit/c6977e740008817...

- https://github.com/tukaani-project/xz/commit/7c16e312cb2f40b...

From 2024:

- https://github.com/tukaani-project/xz/commit/af071ef7702debe...

- https://github.com/tukaani-project/xz/commit/a4f2e20d8466369...
rany_
·2 anni fa·discuss
I don't think that's what they meant. The idea is to find information about their personal life, not OSS contributions. Something that proves they're a real person.
rany_
·2 anni fa·discuss
Searching for my real name on Google doesn't return anything either, I don't think this means anything.
rany_
·2 anni fa·discuss
It's not ironic, this change is really sinister IMO. They want you to waste more time after you've submitted the security report and maximize the amount of back and forth. Basically the hope is that they'd be able to pester you with requests for more info/details in order to "resolve the issue" which would give them more time to exploit their targets.
rany_
·2 anni fa·discuss
It's actually not an advantage. The reason why the exploit wasn't included is because the attacker specifically decided to only inject x86_64 Debian and RHEL to reduce the chances of this getting detected.
rany_
·2 anni fa·discuss
I think the reason is pretty obvious. They want you to waste more time after you've submitted the security report and maximize the amount of back and forth. Basically the hope is that they'd be able to pester you with requests for more info/details in order to "resolve the issue" which would give them more time to exploit their targets.