HackerLangs
TopNewTrendsCommentsPastAskShowJobs

rany_

no profile record

Submissions

$1900 Bug Bounty to Fix the Lenovo Legion Pro 7 16IAX10H's Speakers on Linux

github.com
295 points·by rany_·8 месяцев назад·135 comments

comments

rany_
·2 месяца назад·discuss
Could this be used to root Android devices? Does Android ship with algif_aead?
rany_
·4 месяца назад·discuss
The page looks promising but how can I try it out?
rany_
·7 месяцев назад·discuss
Not if it's their own car industry. They'll only throw the book at foreign companies.
rany_
·7 месяцев назад·discuss
There are lots of different scenarios you can conjure up. Another could be that Israel assassinated him after he refused to support their nuclear program OR to silence him.
rany_
·7 месяцев назад·discuss
First thing that came to mind is that he might have been secretly working for Israel's nuclear program but this is all very speculative. It does feel plausible though given that Israel has already assassinated plenty of Iranian nuclear scientists; so there is some precedent for it.
rany_
·7 месяцев назад·discuss
He is a nuclear scientist so he might have been working for some country's nuclear program?
rany_
·7 месяцев назад·discuss
I can't spot anything conspiratorial in that article, though?
rany_
·7 месяцев назад·discuss
> As part of our ongoing work to protect customers using React against a critical vulnerability, CVE-2025-55182, we started rolling out an increase to our buffer size to 1MB, the default limit allowed by Next.js applications.

Why would increasing the buffer size help with that security vulnerability? Is it just a performance optimization?
rany_
·7 месяцев назад·discuss
I've seen lots of weird tricks malware authors use, people are creative. My favorite is that they'd load up a text file with a modified base64 table from Dropbox which points to the URL to exfiltrate to. When you report it to Dropbox, they typically ignore the report because it just seems like random nonsense instead of being actually malicious.
rany_
·7 месяцев назад·discuss
This is a great idea but I'm a bit concerned about your bandwidth costs and illegal/malicious content being hosted used under your domain.

For the second point, you might want to implement some kind of browser warning similar to what Ngrok does.
rany_
·10 месяцев назад·discuss
Huh, my image viewer claimed it's HEIC specifically. My camera also seems to conflate HEIC and HEIF in the settings. It provides HEIF as a format option, when I guess it should be specifying which codec is actually being used. I had no idea HEIF isn't tied to just HEIC though.
rany_
·10 месяцев назад·discuss
The image is actually HEIF not AVIF :)
rany_
·10 месяцев назад·discuss
Of course they would. Regulatory capture.

In my opinion, regulating AI companies/models is the WRONG way to go. Instead, we should regulate HOW companies/major stakeholders use AI.
rany_
·2 года назад·discuss
That JiaT75 account is also suspended, if you check https://github.com/Larhzu?tab=following you'll see that they're suspended as well. It's pretty weird that it's that hard to find out whether a user is suspended.
rany_
·2 года назад·discuss
Also git actually stores the timezone information. You could see it is consistently China time (GMT+8).

P.S. could be Taiwanese as China and Taiwan share the same timezone.

Below are links to the git mailbox files where you could see the timezone.

From 2022:

- https://github.com/tukaani-project/xz/commit/c6977e740008817...

- https://github.com/tukaani-project/xz/commit/7c16e312cb2f40b...

From 2024:

- https://github.com/tukaani-project/xz/commit/af071ef7702debe...

- https://github.com/tukaani-project/xz/commit/a4f2e20d8466369...
rany_
·2 года назад·discuss
I don't think that's what they meant. The idea is to find information about their personal life, not OSS contributions. Something that proves they're a real person.
rany_
·2 года назад·discuss
Searching for my real name on Google doesn't return anything either, I don't think this means anything.
rany_
·2 года назад·discuss
It's not ironic, this change is really sinister IMO. They want you to waste more time after you've submitted the security report and maximize the amount of back and forth. Basically the hope is that they'd be able to pester you with requests for more info/details in order to "resolve the issue" which would give them more time to exploit their targets.
rany_
·2 года назад·discuss
It's actually not an advantage. The reason why the exploit wasn't included is because the attacker specifically decided to only inject x86_64 Debian and RHEL to reduce the chances of this getting detected.
rany_
·2 года назад·discuss
I think the reason is pretty obvious. They want you to waste more time after you've submitted the security report and maximize the amount of back and forth. Basically the hope is that they'd be able to pester you with requests for more info/details in order to "resolve the issue" which would give them more time to exploit their targets.