HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Sjoerd

no profile record

comments

Sjoerd
·w zeszłym roku·discuss
What is the attack scenario here? Where are the security boundaries? How does the attacker gets their repository with a symlink in it to the victim? Is Helm typically run as a privileged user? How would this work? And why doesn't the vulnerability description give answers to these questions?
Sjoerd
·w zeszłym roku·discuss
To compensate for the US emissions of CO2 equivalent, you would need to create in the order of 4 cubic kilometers of charcoal every year. You could cover the whole of California with a layer of 1 centimeter (about half an inch) of charcoal every year.

So turning trees into charcoal scales up to a certain point, but not to the point that it "would even remotely make a difference for climate change", as OP said.
Sjoerd
·w zeszłym roku·discuss
Do you have a link to that Yahoo publication? Or any more information on it?
Sjoerd
·2 lata temu·discuss
I came to the same conclusion. Many string comparison implementations don't actually compare one character at a time. In one case strcmp seemed to compare eight characters at a time, so you would need to guess eight characters correctly to get a time difference. Glibc memcmp can compare 32 bytes at a time. In C# the timing of string compare depends on whether it does Unicode normalization or not. Even then, the difference is less than a nanosecond per compared character. It is not as straightforward that every string comparison between sensitive data and user input is at risk of timing attacks.

https://www.sjoerdlangkemper.nl/2024/05/29/string-comparison...