HackerTrans
TopNewTrendsCommentsPastAskShowJobs

neandrake

no profile record

comments

neandrake
·5 maanden geleden·discuss
Finding this one-page was great! It gave me a new term I didn't have before that leads to all sorts of new materials to go rifling through.
neandrake
·7 maanden geleden·discuss
>>This [...] vuln is not a breach or compromise of MongoDB

>IANAL, but this seems like a pretty strong stance to take? Who exactly are you blaming here?

You elide the context that explains it. It's a vulnerability in their MongoDB Server product, not a result of MongoDB the company/services being compromised and secrets leaked.
neandrake
·7 maanden geleden·discuss
Worktrees are useful particularly because they look like entirely separate projects to your IDEs or other project tooling. They are more useful on larger projects with lots of daily commits. If you just use branches then whenever you switch, in the worst case, your IDE has to blow away caches and reconstruct the project layout or build the project fresh. On large projects this takes significant time. But switching your IDE to a different project, there are now two project and build caches to switch between.
neandrake
·9 maanden geleden·discuss
There are OS-level settings for date and unit formats but not all software obeys that, instead falling back to using the default date/unit formats for the selected locale.
neandrake
·10 maanden geleden·discuss
Render to pdf or ebook to read from an ereader, at least that's what I prefer. I use Instapaper to quickly snag articles while browsing then later use my kobo to sit and read through them.
neandrake
·10 maanden geleden·discuss
The article presumes the reader is familiar with "malicious inbox rules" and doesn't elaborate or link to further info on it. From what I can find online it seems to be a scenario where an email account has already been compromised somehow and the malicious actor sets up inbox rules to e.g. auto-forward emails to another attacker-controlled email. I assume the intent is to effectively gain access to emails like 2FA and password recovery in the event the target changes their email account password.
neandrake
·11 maanden geleden·discuss
I'm a huge fan of uMatrix too, and have debated getting involved to help revive it.

Can you share more information on the bypass you mention?
neandrake
·11 maanden geleden·discuss
Looks like the source to Bitestring's blog is still up, maybe domain registration just lapsed?

https://github.com/bitestring/bitestring.github.io/blob/main...
neandrake
·11 maanden geleden·discuss
Thank you, I look forward to watching your presentation.
neandrake
·11 maanden geleden·discuss
Rust caught the lock being held across an await boundary, but without further context I'd hedge there's still a concurrency issue there if the solution was to release the lock before the await.

Presumably the lock is intended to be used for blocking until the commit is created, which would only be guaranteed after the await. Releasing the lock after submitting the transaction to the database but before getting confirmation that it completed successfully would probably result in further edge cases. I'm unfamiliar with rust's async, but is there a join/select that should be used to block, after which the lock should be unlocked?
neandrake
·11 maanden geleden·discuss
Same would be true for any resource that needs cleaned up, right? Referring to stop-polling-future as canceling is probably not good nomenclature. Typically canceling some work requires cleanup, if only to be graceful let alone properly releasing resources.
neandrake
·11 maanden geleden·discuss
They first disabled rubocop to prevent further exploit, then rotated keys. If they awaited deploying the fix that would mean letting compromised keys remain valid for 9 more hours. According to their response all other tools were already sandboxed.

However their response doesn't remediate putting secrets into environment variables in the first place - that is apparently acceptable to them and sets off a red flag for me.
neandrake
·3 jaar geleden·discuss
Haven’t checked availability but OnlyTV would be fitting.