|
yoloer420 posted:Are you using the IMEI as a unique identifier for each device? You're not really supposed to do that, but all the alternatives kind of suck. it is not a seriously utilised unique identifier, we primarily use pii for that. just a few interesting cases we discovered recently, with newly appeared flavour of undesired customers that all share lack of imei recorded by our app, either as missing or blank imei. thankfully it’s a microscopic trickle so far so it’s likely safe to be lazy about this and ban that type of thing altogether. thanks for the links!
|
#
?
Jul 16, 2019 12:58
|
|
|
|
| # ? Apr 25, 2024 20:51 |
|
|
Shitfest the Clown posted:havent read this thread but is the huawei 5g spy poo poo for real? every time i've heard or read about the CEO addressing concerns he always like, re-frames it specifically about them writing back doors, and swears in suspiciously legally precise language that they would never intentionally program a back door into their software. since this is what the media has latched on to as the only possible security boogeyman it goes un-questioned a lot which is kinda getting on my nerves. like yeah i don't think most companies would do that, it would be obvious and stupid. you'd either have modified firmware pushed to specific targets without your knowledge by the state security agency since they definitely have your signing key, or you'd do stuff like conveniently not fix security vulnerabilities found by said state security agency, or other plausibly deniable things like that. e: he also says stuff like "if the chinese government asked us to put a back door in our software, we would refuse and close down the company!" like dude they don't ask
|
|
#
?
Jul 16, 2019 15:02
|
|
|
Shame Boy posted:like yeah i don't think most companies would do that, it would be obvious and stupid. you'd either have modified firmware pushed to specific targets without your knowledge by the state security agency since they definitely have your signing key, or you'd do stuff like conveniently not fix security vulnerabilities found by said state security agency, or other plausibly deniable things like that. https://finitestate.io/finite-state-supply-chain-assessment/?mod=article_inline this report came out in june came out a few weeks ago and suggested that this is essentially what Huawei has been doing. They did some algorithmic analysis and found a whole bunch of security issues, including some that had actually been introduced by later patches. the report doesn't outright claim that they are intentional, but calls attention to the fact that there's so many.
|
|
#
?
Jul 16, 2019 15:40
|
|
|
Shame Boy posted:you'd do stuff like conveniently not fix security vulnerabilities found by said state security agency, or other plausibly deniable things like that. yeah this really seems like how it works, see https://en.wikipedia.org/wiki/Zerodium
|
|
#
?
Jul 16, 2019 15:53
|
|
|
Ur Getting Fatter posted:https://finitestate.io/finite-state-supply-chain-assessment/?mod=article_inline
|
|
#
?
Jul 16, 2019 16:43
|
|
|
Shitfest the Clown posted:havent read this thread but is the huawei 5g spy poo poo for real?
|
|
#
?
Jul 16, 2019 16:48
|
|
|
there's a lot of backdoored vpn appliances these days: https://devco.re/blog/2019/07/17/attacking-ssl-vpn-part-1-PreAuth-RCE-on-Palo-Alto-GlobalProtect-with-Uber-as-case-study/
|
|
#
?
Jul 17, 2019 16:50
|
|
|
Wiggly Wayne DDS posted:there's a lot of backdoored vpn appliances these days: https://devco.re/blog/2019/07/17/attacking-ssl-vpn-part-1-PreAuth-RCE-on-Palo-Alto-GlobalProtect-with-Uber-as-case-study/ This one is particularly awesome because Palo doesn't even bother to CVE, rate, or disclose vulnerabilities they discover and fix themselves 🤔 code:
|
|
#
?
Jul 17, 2019 17:44
|
|
|
ewiley posted:This one is particularly awesome because Palo doesn't even bother to CVE, rate, or disclose vulnerabilities they discover and fix themselves For a lot of opensource projects you mostly have to pay careful attention to the commit log (if they provide one that's detailed enough) - sometimes you get a hint from Coverty ID, syzbot uuid, or something, although that's fairly recent. And then there are the counter-examples like Linus; who is famous for not disclosing security issues at all. BlankSystemDaemon fucked around with this message at 17:57 on Jul 17, 2019 |
|
#
?
Jul 17, 2019 17:51
|
|
|
quote:He concluded by saying “I'd like to think I did learn something, since I fixed up this series _before_ you yelled at me. man linus is such a dick
|
|
#
?
Jul 17, 2019 18:50
|
|
”
|
Krankenstyle posted:man linus is such a dick Someone's gotta keep your average kernel contributors in line.
|
|
#
?
Jul 17, 2019 18:50
|
|
|
not necessarily a secfuck but pretty funny https://twitter.com/mistydemeo/status/1151567133970579456
|
|
#
?
Jul 17, 2019 22:27
|
|
|
CommieGIR posted:Someone's gotta keep your average kernel contributors in line. 
|
|
#
?
Jul 17, 2019 22:45
|
|
|
D. Ebdrup posted:The average kernel contributor is someone working for one of the companies who're funding the 501C6, so it really did become a hostile work environment because of Linus. .....he's the principal developer of the Linux kernel, so really most of the Companies owe him. Most of them gave him stock options for his work on the Linux kernel.
|
|
#
?
Jul 18, 2019 00:44
|
|
|
CommieGIR posted:.....he's the principal developer of the Linux kernel, so really most of the Companies owe him. Most of them gave him stock options for his work on the Linux kernel. what Linus is management are you giving management credit for ICs’ output
|
|
#
?
Jul 18, 2019 05:50
|
|
|
its amazing that Linus still has control over the kernel even though so many gigantic corporations depend on it's existence. i'm shocked nobody has tried to wrestle it away from him.
|
|
#
?
Jul 18, 2019 06:02
|
|
|
CRIP EATIN BREAD posted:its amazing that Linus still has control over the kernel even though so many gigantic corporations depend on it's existence. who says they haven’t
|
|
#
?
Jul 18, 2019 06:03
|
|
|
CommieGIR posted:.....he's the principal developer of the Linux kernel, so really most of the Companies owe him. Most of them gave him stock options for his work on the Linux kernel. CRIP EATIN BREAD posted:its amazing that Linus still has control over the kernel even though so many gigantic corporations depend on it's existence. Unlike a 501C3 (such as the FreeBSD Foundation) which needs to be for the public good - meaning that a certain number of their donations need to be from private individuals - a 501C6 has no such restrictions and can not only take all the money they want from companies, they're also free to spend that money however they want, including lobbying, which the 501C3 explicitly bans. Nomnom Cookie posted:who says they haven’t
|
|
#
?
Jul 18, 2019 10:42
|
|
|
i don’t get the last bit
|
|
#
?
Jul 18, 2019 11:01
|
|
|
cinci zoo sniper posted:i don’t get the last bit impossible/hard to tell who has the rights to which parts of the code, I'm guessing
|
|
#
?
Jul 18, 2019 11:54
|
|
|
Krankenstyle posted:impossible/hard to tell who has the rights to which parts of the code, I'm guessing ah, makes sense
|
|
#
?
Jul 18, 2019 12:22
|
|
|
CRIP EATIN BREAD posted:its amazing that Linus still has control over the kernel even though so many gigantic corporations depend on it's existence. the gigantic corporations don't run a linus-blessed kernel, and have no intent of doing so. in practical effect redhat controls the kernel that is used.
|
|
#
?
Jul 18, 2019 12:32
|
|
|
D. Ebdrup posted:It's not exactly common to advertise vulnerabilities found and fixed by developers before any attackers notice them. I get notifications all the time from vendors regarding fixed vulnerabilities found in testing of their own code. I understand not publishing unfixed vulnerabilities revealed by internal testing, but once it's fixed it should be at least ranked and included in release notes. Seems like it's kind of important to understand what you're leaving yourself open to if you don't patch. Globalprotect is far from open source software, it's owned by a literal security company (which maybe makes it worse, I guess).
|
|
#
?
Jul 18, 2019 12:43
|
|
|
Cybernetic Vermin posted:the gigantic corporations don't run a linus-blessed kernel, and have no intent of doing so. also, consider every android, running a 6-year-old kernal that every intern at Qualcomm has hosed with
|
|
#
?
Jul 18, 2019 13:03
|
|
|
ewiley posted:I get notifications all the time from vendors regarding fixed vulnerabilities found in testing of their own code. I understand not publishing unfixed vulnerabilities revealed by internal testing, but once it's fixed it should be at least ranked and included in release notes. Seems like it's kind of important to understand what you're leaving yourself open to if you don't patch. Globalprotect is far from open source software, it's owned by a literal security company (which maybe makes it worse, I guess). Krankenstyle posted:impossible/hard to tell who has the rights to which parts of the code, I'm guessing It's hard enough even with a VCS (it requires a lot of use of the blame subcommand, which is tedius at best and difficult at worst). BSD had the same problem way back when, as SCCS was only implemented around 3BSD - though at least back then the only way they could've gotten contributions from outside would've been by uucp over phone-cradle-modem, or someone visiting CSRG.
|
|
#
?
Jul 18, 2019 13:06
|
|
|
i'm not really getting how that's more of a problem for someone looking to fork the kernel than it is for the current kernel developers themselves
|
|
#
?
Jul 18, 2019 16:22
|
|
|
we managed to relicense all of the Mozilla codebase to a new version of the MPL and dual it with another license, and we relied on CVS blame partly but not exclusively to get sufficient agreement to proceed within our risk umbrella. I had a budget for settling with people who popped up later with a credible case for a material contribution and violently objected in a way we thought would stand up in court, but we kept it a secret so as not to get gamed on it. nobody ended up needing to be paid, though some people needed more convincing than others. it wasn't a lot of fun and it took a while, but it didn't require any violations of physical law
|
|
#
?
Jul 18, 2019 16:52
|
|
|
all you have to do to wrest Linux away from Linus is git clone and then ignore him
|
|
#
?
Jul 18, 2019 16:59
|
|
|
Continue engaging him in rants and he'll never realize what's happening
|
|
#
?
Jul 18, 2019 17:16
|
|
|
Krankenstyle posted:impossible/hard to tell who has the rights to which parts of the code, I'm guessing idgi, why does that matter for any company wanting to make a fork of the kernel? It's all published under the GPL which can't be revoked by the author.
|
|
#
?
Jul 18, 2019 18:21
|
|
|
lmao i haven't touched npm in a while (thank god) and had to go in and touch it again today. ran npm install to download dependencies and:code: well i guess it's better than back when they just didn't care at all
|
|
#
?
Jul 18, 2019 19:12
|
|
|
holy crap
|
|
#
?
Jul 18, 2019 19:26
|
|
|
Why even bother having severities when 99.43% are high
|
|
#
?
Jul 18, 2019 19:36
|
|
|
Raere posted:Why even bother having severities when 99.43% are high why did they have the green and blue bars on the terror alert level
|
|
#
?
Jul 18, 2019 19:38
|
|
|
Krankenstyle posted:holy crap on the one hand it's only that high because i hadn't updated any of the packages since the last time i touched this project on the other hand the last time i touched this project was like, november, and that's one heck of a lot of vulns to accumulate since then
|
|
#
?
Jul 18, 2019 19:57
|
|
|
D. Ebdrup posted:Are you sure he does any commits that he's written? If I understand it correctly, all he and his lieutenants do is commit the work of other people, and the vast majority of code that comes in are from the corporations. deep code review is a technical contribution, often a more important one than actually writing the code signed, a senior engineer
|
|
#
?
Jul 18, 2019 19:59
|
|
|
ok after running an update and getting everything to the latest minor version... there's still ~100 "high" vulns, that can only be fixed by updating major versions. ok whatever, updated the major versions of everything to the latest and... there's still 2 high vulns that npm has no idea how to deal with and just says "requires manual intervention"
|
|
#
?
Jul 18, 2019 20:08
|
|
|
rjmccall posted:deep code review is a technical contribution, often a more important one than actually writing the code i added the lil' squiggly boy to a bunch of my business cards with a pen so i'm now a señior
|
|
#
?
Jul 18, 2019 20:10
|
|
|
I can see the future. A future in which a gently caress-up will happen because of the MITM on all HTTPS traffic in Kazakhstan.
|
|
#
?
Jul 18, 2019 21:16
|
|
|
|
| # ? Apr 25, 2024 20:51 |
|
|
Raere posted:Why even bother having severities when 99.43% are high it's probably commutative where if you depend on something with a high sev vuln you have one too and because js has basically no standard library beyond import() if there's a flaw in "is-positive-integer" or "string-length" lmao every package is busted
|
|
#
?
Jul 18, 2019 22:03
|
|