HackerTrans
TopNewTrendsCommentsPastAskShowJobs

kaeso

no profile record

Submissions

DNSpooq – Kaminsky attack is back

jsof-tech.com
1 points·by kaeso·5 jaar geleden·0 comments

comments

kaeso
·vorig jaar·discuss
I think this may lack a bit of context, so I'll try to fill in.

This is a demo that was just showcased live by the author as part of their talk at FOSDEM'25: https://fosdem.org/2025/schedule/event/fosdem-2025-5496-brin...

The talk was centered on Ratatui (a TUI library in Rust, https://ratatui.rs/) now targeting terminals and web browsers with a shared approach. Video recording of the talk should appear online soon.
kaeso
·4 jaar geleden·discuss
Nice post @javierhonduco, really interesting read!

As you mention that you are looking into loosening the minimum kernel requirements, what is currently the primitive(s) that is dictating the minimum required version? And how do you plan to sidestep that?
kaeso
·4 jaar geleden·discuss
In a funny twist of events, the author of the grandparent comment above yours was indeed building that OS (Container Linux) at CoreOS :)
kaeso
·5 jaar geleden·discuss
> So we were already potentially vulnerable to the DOS [...]

> the security org at the big tech company I worked at and reported this to

I'm confused about these two statements, because I did not find any recent CVEs for log4j in the DoS category, nor related to format lookup (other than CVE-2021-44228 of course).

Perhaps I misread it, but are you basically saying that (after you reported the issue to them internally) the security team at your previous company could not successfully report a DoS vulnerability in the default configuration of a widely used (by them, at least) Apache library and make sure a CVE got assigned to track it?

If so, it would be interesting to know where the CVE/vuln-reporting chain broke, possibly to reduce the blast radius for similar future cases.

Hypothetically speaking, a CVE in March for a DoS in a problematic design/feature could have resulted in flipping the default setting earlier. Instead of chasing live RCE in the wild in December.