HackerTrans
TopNewTrendsCommentsPastAskShowJobs

entuno

no profile record

Submissions

YellowKey Bitlocker Bypass Vulnerability

github.com
87 points·by entuno·há 2 meses·20 comments

Gen Z staff cut in half at tech companies as the average age goes up by 5 years

fortune.com
6 points·by entuno·há 10 meses·0 comments

comments

entuno
·há 11 dias·discuss
In most cases I'd think it's more of a deterrent for commercial entities, because spending money create complexity. Most employees are not in a position to just directly spend their organisation's money, so that $0.05 will often mean needing to get approval, purchase orders, deciding which cost centre it comes from, needing an invoice, etc, etc.

Very few people are going to invest that much effort when they're trying to do the company that they're reporting to a favour.
entuno
·há 17 dias·discuss
There's an assumption in here that every developer is spending a load of money on the latest and most capable LLMs to scan for bugs in their code before every release.

But the last couple of decades have shown us that huge numbers of developers aren't even following basic and free secure development practices, let alone pouring money into expensive scanning tools.
entuno
·há 17 dias·discuss
There is a history of companies and organisations threatening legal action against security researchers when they report vulnerabilities in their systems or products.

Sometimes even when the testing has been completely offline - I know people who have downloaded some software, carried out testing against a local copy of it, and then faced legal threats when they tried to report serious security vulnerabilities to the vendor.

It's one of the reasons that some researchers don't bother trying to talk to the vendors and just go straight to full disclosure, or if they do report to vendors they do so anonymously. But if you have to pay, that's creating a link back to yourself which makes the latter much harder.
entuno
·há 17 dias·discuss
If I've stumbled across what I think is a security issue in your systems, there is zero chance that I'm going to get out my credit card and pay you for the privilege of responsibly disclosing it to you. Especially if it's the vulnerability is in the site hosting the contact form.
entuno
·há 18 dias·discuss
Historically there have been vulnerabilities in various applications due to HTTP method tampering, and in the days of people accidentally leaving WebDAV enabled then methods like PUT and DELETE could be very damaging. Plus the issues with TRACK and TRACE.

Given that most websites only ever use a handful of methods (even once you account for REST APIs using PUT, PATCH and DELETE now), and that list very rarely changes, the WAF developers tend to look at this question from the opposite angle: when you know there are only half a dozen widely used methods, why would you allow anything else by default?
entuno
·há 18 dias·discuss
AWS CloudFront blocks GET requests with a body, so it doesn't even have to be a particularly strict setup or an explicit WAF.
entuno
·há 25 dias·discuss
It would be very dependent on the exact circumstances - who made a complaint, what exactly they're accusing you of, what evidence there is, how high profile it is, the current diplomatic position (which changes by the hour), etc, etc. I don't think you can really get a simple answer for this kind of question.
entuno
·há 25 dias·discuss
Legally speaking, no - it would still be a criminal offence.

Practically speaking, there is zero chance that the USA would extradite someone to Iran, even if they weren't currently at war with them. Whether they did anything about it would probably depend on exactly what the situation was - there's a big of difference between targeted IRGC or defence systems and ransomwaring an Iranian hospital or scamming random citizens.

Where they'd probably get you is if you tried to monetise it, and get stolen/extorted cryptocurrencies (or whatever) into your bank account. But that could easily fall under tax evasion laws rather than computer misuse ones, because they'd be a lot easier to prove in court.
entuno
·há 27 dias·discuss
The Daily Mail is a trashy tabloid, so it's not surprising. Weird to see it posted here as though it's a credible source for anything.
entuno
·há 30 dias·discuss
They can be pretty shitty if you're a pedestrian or cyclist, because quite a lot of them don't "see" you, so you just get blinded by the full beams.
entuno
·há 2 meses·discuss
There's been a lot of nice quality of life changes in the 3.7 builds (which has now become 5.0.0) that make going back to the older versions a bit painful.

Also some pretty major gameplay and balance changes, some of which are pretty controversial. But overall, I think that it's a big improvement, and although I don't necessarily agree with all the changes it certainly makes the mid and late game a lot more interesting and varied (not to mention dangerous) than it was in 3.6.7.
entuno
·há 3 meses·discuss
Against the Storm (and excellent rouguelite city-builder) does this in a really cool way. Pausing is a core mechanic of the game, and you frequently pause while you place building or things like that - and all the visual animations stop (fire, rain, trees swaying, etc).

But when you find a broken ancient seal in the forest, the giant creepy eyeball moving around in it keeps moving even when you pause the game, which helps emphasise how other-worldly it is.
entuno
·há 3 meses·discuss
> The reason that the rich were so rich, Vimes reasoned, was because they managed to spend less money.

The "boots" item feels less true, because expensive doesn't seem to be as correlated with "good quality" as it used to. But the general statement still very much stands.

Things like financial products that charge higher interest rates to poorer people, or services that offer discounts for paying annually rather than monthly are great examples of this. And less direct things, like being able to drive to cheaper shops and buy in bulk, or being able to do preventative maintenance to avoid a cheap fix turning into an expensive one.

It can still apply to individual items, as long as you're careful about what you buy and do your research to make sure you're actually buying high quality boots, and not just cheap ones with an expensive logo on the side.
entuno
·há 3 meses·discuss
Expensive doesn't guarantee high quality, but very cheap almost always means low quality. A £200 pair of boots might be great and last for a decade, or might be overpriced and fall apart after six months. But a £5 pair are definitely going to be crap.
entuno
·há 3 meses·discuss
Financial costs won't solve the problem for companies, because they're hard to enforce. You'd be weighting up the cost of dealing with the fallout of getting hacked against the cost of paying the random and the chance that you might get caught and fined. If that former cost is existential for the business, then it'd always be worth paying and taking the risk.

The only real way around that would personal consequences for the owners/directors of the company - "get caught paying a ransom and the whole board goes to jail" would certainly discourage people. And also provide a wonderful opportunity for blackmail when people did.

Not to mention all the problems of fining public sector organisations, and how counter-productive that usually is.
entuno
·há 3 meses·discuss
Plus it gives the ransomware gangs a whole new angle they can use.

So, remember how you illegally paid us a ransom a few months ago? Unless you want to go to prison, then you better...

We're already seeing this against companies who pay ransoms and fail to report the breaches when they're legally required to - but it would be much worse if it's against individuals who are criminally liable.
entuno
·há 3 meses·discuss
It's one of those ideas that sounds nice in theory, but doesn't survive contact with the real world. In the same way that many people would say that you shouldn't negotiate with terrorists or kidnappers; but if it's their loved one who's being held and tortured they'll very quickly change their mind.

Getting to a world where no one pays ransoms and the ransomware groups give up and go away would be the ideal, and we'd all love to get there. But outlawing paying ransoms basically sacrificing everyone who gets ransomwared in the meantime until we get to that state for the greater good.

And where companies get hit, they'll try hard to find ways around that, because the alternative may well be shutting down the business. But if something like a hospital gets hit, are governments really going to be able to stand behind the "you can't pay a ransom" policy when that could directly lead to deaths?
entuno
·há 4 meses·discuss
I've also seen roads that have these kind of signs, but they only apply during busy hours.

However, as with any traffic controls they're useless if they're not actually enforced. Which is a shame, because it'd be absolutely trivial to automate that detection with cameras.
entuno
·há 5 meses·discuss
If that'd been the design from the start, then sure. But it's not at all obvious that setHTML is safe with arbitrary user input (for a given value of "safe") and innerHTML is dangerous.
entuno
·há 5 meses·discuss
It's certainly an improvement over people trying to homebrew their own sanitisers. But that distinction of being XSS-safe is a potentially subtle one, and could end up being dangerous if people don't carefully consider whether XSS-safe is good enough when they're handling arbitrary users input like that.