HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ptcrash

no profile record

Submissions

Texas Central and Amtrak Seek to Explore High-Speed Rail Service Opportunities

media.amtrak.com
2 points·by ptcrash·há 3 anos·0 comments

Chemex Brew Perfect

chemexthegame.com
1 points·by ptcrash·há 4 anos·0 comments

Slippery RansomExx Malware Moves to Rust, Evading VirusTotal

darkreading.com
2 points·by ptcrash·há 4 anos·0 comments

OWASP Damn Vulnerable Web Sockets

owasp.org
28 points·by ptcrash·há 4 anos·0 comments

comments

ptcrash
·há 2 anos·discuss
Happy to see the effort! Fresh blood in the authn space is always welcomed.

Without rehashing the other good points commenters have made already, I’ll just say that every project starts out immature. What makes a project great is how willing the maintainers will be to grow along with the project and incorporate feedback. I’m excited to see future evolutions of this one.
ptcrash
·há 2 anos·discuss
I think it's more of a logic problem. I suspect the engineers made a false assumption that bcrypt can hash a trivial amount of data like some other hashing algos.
ptcrash
·há 2 anos·discuss
If you want to validate a username/password authn attempt against a cache, then yes the username and password have to be someone in the mix.
ptcrash
·há 2 anos·discuss
Yes but PIV/CAC identity is not related to break-glass passwords. They both serve different purposes and it's safe to assume that the typical government worker will only ever need to use their smart card to authenticate into systems.
ptcrash
·há 2 anos·discuss
Ignoring obvious flame-bait, it sounds like the termination was an amicable feeling then, yeah?
ptcrash
·há 2 anos·discuss
Would you care to share for those of us who haven’t written a grant application before?
ptcrash
·há 3 anos·discuss
Both situations seem possible. I guess time will tell how Unity wants to move forward.

Others mentioned it earlier but it looks like Godot had a big boost in users from this fiasco. Perhaps Unity is concerned about real financial damages done to their bottom line because of all this? I’d expect them to try a lot of stuff and see what sticks to make sure they don’t miss their targets this year.
ptcrash
·há 3 anos·discuss
Well, the transition in leadership is uncommon but they don’t officially give us a reason, so we’re left to speculate until someone inside gives us more info.

But from a purely speculative standpoint, it seems very possible that they were ousted because of the pricing debacle. I could see a world where the stakeholders aren’t thrilled with the damage the pricing changes did to their brand and took action.
ptcrash
·há 4 anos·discuss
Non-paywall link: https://web.archive.org/web/20221215195859/https://www.washi...
ptcrash
·há 4 anos·discuss
Same here. I also switch to light mode when I'm in a very bright environment and it seems to have helped a lot with eye strain since last year. I feel like these studies are being a bit 1-dimensional... but then again, maybe that's my own confirmation bias.
ptcrash
·há 4 anos·discuss
I'd argue it's because the risk is not worth the reward. Pingback and Trackback is used to send a monsoon of spam and I'd wager site maintainers are not too keen on enabling the new version of an old problem.
ptcrash
·há 4 anos·discuss
I've read through the spec along with the FAQ that epeus so graciously shared here. The idea of mentioning beyond the scope of one website's walled garden seems like a very natural progression of ActivityPub and the new-found hype surrounding Mastodon. My concern is that I haven't seen much thought into the security implications.

The spec makes it clear that they're trying to simplify pingbacks but they don't address the fundamental security problems with pingbacks in the first place. And anyone who's maintained a Wordpress site will tell you, the first thing you do is turn off the Trackback and Pingback features [1] because not only does it attract the scummiest deluge of spam [2] but they've also been useful for disclosing internal network info and [3] leveraged to target other websites in DDoS attacks. [4]

The only thought given to preventing abuse is as follows from Section 4.1:

>The verification process SHOULD be queued and processed asynchronously to prevent DoS attacks per section 3.2.

>Receivers MUST verify Webmentions per section 3.2.2.

The first directive isn't a guarantee a DoS attack won't block all IO, it just means don't make it trivial to bring a site down with webmentions. The second directive sounds nice but if you read through section 3.2.2 of the recommendation, it just mandates that you should validate the application data that's submitted. [5] There's no mechanism to authenticate messages, validate the sender, nor limit mentions to a set of trusted parties.

Am I missing something or is this recommendation just splitting the pingback feature from the XML-RPC protocol? In my opinion, that's not providing a lot of value because the feature is still so very easy to abuse.

[1] https://www.wpbeginner.com/beginners-guide/what-why-and-how-...

[2] https://blog.hubspot.com/website/trackback-spam

[3] https://www.acunetix.com/vulnerabilities/web/wordpress-pingb...

[4] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-b...

[5] https://www.w3.org/TR/webmention/#h-webmention-verification
ptcrash
·há 4 anos·discuss
Is this a new iteration in fail2ban? I gave it a cursory look and I couldn’t find any new features that make it a better tool than its predecessor
ptcrash
·há 4 anos·discuss
It's not just arcane it's a horrible idea from an infosec perspective. Thinking about all my wonderful developers having local trusted root CAs just sitting on their hard drives is making my blood pressure skyrocket.
ptcrash
·há 4 anos·discuss
I didn’t know what NeRFs were so I had to look it up. This article seems like a good introduction for anyone else that’s out of the loop like me: https://www.matthewtancik.com/nerf