HackerTrans
TopNewTrendsCommentsPastAskShowJobs

epitactic

no profile record

comments

epitactic
·4 年前·discuss
> sshd on your shared university server

Another attack scenario applies if the shared server hosts a web server:

If you have a shell and can bind a port, listening for HTTP requests. Example: nc -vvl 8080

Trick a victim into visiting your malicious port: http://example.com:8080/

The attacker gets the victim's cookies for http://example.com:80/ (and https://example.com:443/, if the "secure" flag is not set). And all other ports.

This attack succeeds because "Cookies do not provide isolation by port" (RFC6265 Section 8.5).

What is the fix? If only the cookie spec allowed binding to specific ports...

But an alternate fix could be requiring web browsers to only connect to privileged ports. 80 and 443, or any port <1024, thwarting the unprivileged user from exfiltrating cookies.

Unfortunately this ship has sailed and web browsers now have to support unprivileged ports forever. A more practical defense, in practice, is to consider this scenario out of scope, and/or implement application-level authentication. I am with you, and would have advocated privileged ports to defend against these attacks (with http and ssh and other services), but am not optimistic it will gain any traction. The world has moved on, and even multi-user shell servers are becoming increasingly rare (as much as I use them - still a proud Super Dimension Fortress member)
epitactic
·4 年前·discuss
The first problem can be solved with curl-impersonate: https://github.com/lwthiker/curl-impersonate

"A special compilation of curl that makes it impersonate Chrome & Firefox", and it now can also impersonate Edge and Safari.

Previously discussed: https://news.ycombinator.com/item?id=30378562 _Show HN: Curl modified to impersonate Firefox and mimic its TLS handshake_ (21 days ago, 58 comments)
epitactic
·4 年前·discuss
MySQL uses `backticks` for quoting identifiers, ANSI SQL and PostgreSQL use "double-quotes", SQL Server and MS Access use [square brackets].

SQLite supports all three: https://www.sqlite.org/lang_keywords.html
epitactic
·5 年前·discuss
An interesting parallel, Facebook and Twitter also do not allow downvoting, which may also have similar negative effects as Spotify's lack of dislikes:

https://questioner.substack.com/p/our-violent-era

> So Twitter artificially removes all the negative feedback (the downvotes) and only shows the positive feedback (the upvotes), leading many of their users to the mistaken impression that their insane ideas are immensely popular.
epitactic
·5 年前·discuss
ESXi (free version), it works well though if I had to do it again from scratch today, I'd probably go with KVM
epitactic
·5 年前·discuss
This is why I've setup my homelab with a hypervisor, you don't have to choose and can run each of these operating systems, for specific purposes they are best suited for. This is what I do:

OpenIndiana: file server (ZFS)

OpenBSD: firewall, router, network services (DHCP, DNS, NAT)

DragonflyBSD: game server

FreeBSD: other general application services

I haven't found a personal use case for NetBSD yet, though I would like to (it is great for embedded systems).
epitactic
·5 年前·discuss
> But what can we do to treat the cause, instead of just the symptoms?

By affecting the bottom line, increasing expenses and/or decreasing profits.

> If they stop working (or rather work less – it's a spectrum)

AdNauseam is an interesting attempt in this space - a browser plugin to automatically "click every ad to fight surveillance" (their words). By clicking everything, clicks become less valuable, at least in theory, but it has not really caught on.

> I feel the fix will be more along the lines of improving individual psychology and mental wellbeing, rather than entering the arms race of adversarial technology to block packet traffic (or whatever).

I agree with this. Ad blocking, ad clicking, packet blocking, is all thinking too small, always trying to catchup. It will always be behind and while useful for a niche subset of users, these kinds of technologies are more bandaids than a real solution to trigger fundamental changes to the advertising tracking industry.

What is a real, impactful solution? I don't know, but an area I have not seen explored much, considering by analogy:

Internet : Web :: Big Tech : ???

That is, the web layered on top of the Internet, as a disruptively transforming application, extracting and providing value.

Can another technology be created to build on the foundations provided by Big Tech, delivering value they provide, while avoiding their tracking/advertising downsides? I have little idea what this would look like in practice (how do you disrupt a billion dollar industry?), but if someone can crack this nut, it may change the world. Startup idea elevator pitch: disrupt Big Tech.