|
infernal machines posted:i've recently seen a bug with replies to emails from an iphone using ios mail app where in some cases the signature image in the message replied to from the phone is not the original signature image, but presumably another image on their phone with the same name. this has caused some issues internally as people get antsy when they see the wrong picture under their name argh my gambit of naming my sig image throbbingcock.jpeg is foiled
|
#
?
Dec 28, 2021 06:19
|
|
|
|
| # ? Apr 26, 2024 18:01 |
|
|
pseudorandom name posted:tricking people into sending +++ is ancient, sending +++ to them to disconnect them (without them having to repeat it back via e.g. a ICMP ping packet payload) was relatively late, iirc This was kind of dumb, but back when everyone first started scripting MUDs to play 24x7, little old me on a lovely ancient computer mad that I couldn't script too, would broadcast stuff like "Blah moves to attack you!" "HP=-1" "You drop to the ground!" to the global chat and laugh as 95% of the people logged in would hang up to try to avoid getting fully killed. Even more dumb was holding pillows over the modem to try and mute the dial up noises at 3AM to avoid detection for months if not years before I learned ATM0. 2400 baud for life sadus fucked around with this message at 11:01 on Dec 28, 2021 |
|
#
?
Dec 28, 2021 10:58
|
|
|
cinci zoo sniper posted:https://news.ycombinator.com/item?id=29705957 a lot of commotion around what could be a fresh round of lastpass being a well made product just use Bitwarden, folks, sheesh
|
|
#
?
Dec 28, 2021 16:21
|
|
|
sadus posted:This was kind of dumb, but back when everyone first started scripting MUDs to play 24x7, little old me on a lovely ancient computer mad that I couldn't script too, would broadcast stuff like "Blah moves to attack you!" "HP=-1" "You drop to the ground!" to the global chat and laugh as 95% of the people logged in would hang up to try to avoid getting fully killed.
|
|
#
?
Dec 28, 2021 17:07
|
|
|
https://twitter.com/YNizry/status/1475764153373573120
|
|
#
?
Dec 28, 2021 17:15
|
|
|
infernal machines posted:i've recently seen a bug with replies to emails from an iphone using ios mail app where in some cases the signature image in the message replied to from the phone is not the original signature image, but presumably another image on their phone with the same name. this has caused some issues internally as people get antsy when they see the wrong picture under their name "but I thought hello.jpg was an innocuous name"
|
|
#
?
Dec 28, 2021 17:17
|
|
|
ahahahahahaha
|
|
#
?
Dec 28, 2021 17:22
|
|
|
i hope it involves emojis
|
|
#
?
Dec 28, 2021 17:31
|
|
|
Log4j is going to cause my death
|
|
#
?
Dec 28, 2021 17:57
|
|
|
Oh holy poo poo please no
|
|
#
?
Dec 28, 2021 17:58
|
|
|
Wat
|
|
#
?
Dec 28, 2021 18:00
|
|
|
Idgi Another l4j rce to add to the pile?
|
|
#
?
Dec 28, 2021 18:07
|
|
|
tak posted:Idgi yes
|
|
#
?
Dec 28, 2021 18:09
|
|
|
and on the 5th week of december another log4j vulnerability came to me
|
|
#
?
Dec 28, 2021 18:11
|
|
|
crazysim posted:and on the 5th week of december another log4j vulnerability came to me
|
|
#
?
Dec 28, 2021 18:14
|
|
|
crazysim posted:and on the 5th week of december another log4j vulnerability came to me
|
|
#
?
Dec 28, 2021 19:11
|
|
|
a parser with an rce
|
|
#
?
Dec 28, 2021 19:12
|
|
|
log4ever
|
|
#
?
Dec 28, 2021 19:34
|
|
|
animist posted:a parser with an rce yeah what year is it
|
|
#
?
Dec 28, 2021 19:53
|
|
|
ah i should have thought about a monkey paw scenario when i wished i had some clear todo list to start the new year im sorry
|
|
#
?
Dec 28, 2021 20:00
|
|
|
log 4 january
|
|
#
?
Dec 28, 2021 20:50
|
|
|
cinci zoo sniper posted:https://news.ycombinator.com/item?id=29705957 a lot of commotion around what could be a fresh round of lastpass being a well made product https://twitter.com/campuscodi/status/1475887569011453957
|
|
#
?
Dec 28, 2021 20:58
|
|
|
Chris Knight posted:and the winner is... sounds like someone is combing through an older breach
|
|
#
?
Dec 28, 2021 21:19
|
|
|
Lol why are people reusing passwords for their password manager
|
|
#
?
Dec 28, 2021 21:21
|
|
|
i meant that as in older lastpass breach, but it’s definitely fair to expect a good number of people reusing a “super serious” password for a number of sites like gmail or online banking portal alongside their password manager vault
|
|
#
?
Dec 28, 2021 21:25
|
|
|
more like LastAss
|
|
#
?
Dec 28, 2021 21:25
|
|
|
last, rear end or grass
|
|
#
?
Dec 28, 2021 21:27
|
|
|
cinci zoo sniper posted:i meant that as in older lastpass breach, but it’s definitely fair to expect a good number of people reusing a “super serious” password for a number of sites like gmail or online banking portal alongside their password manager vault
|
|
#
?
Dec 28, 2021 21:27
|
|
|
https://twitter.com/YNizry/status/1475916671953117184
|
|
#
?
Dec 28, 2021 21:28
|
|
|
Chris Knight posted:and the winner is... i would be very stoked if this means i can stop using last rear end at work
|
|
#
?
Dec 28, 2021 21:30
|
|
|
okay, so pending the blog post, sounds like:
so if you don’t have a trust boundary between your thing and its logging configuration file (???) you should be fine. or if you’ve completely disabled remote loading in your vm
|
|
#
?
Dec 28, 2021 21:37
|
|
|
im trying to imagine a legitimate scenario where someone has access to modify the configuration but not the deployed binaries
|
|
#
?
Dec 28, 2021 22:11
|
|
|
yeah, this kind of "vulnerability" always annoys me for exactly that reason. you should be thinking of configuration files as code unless you've got rigorous reasons to think otherwise. i'm not saying it isn't good to chase out stuff like crashes in the parser, but the only situation where malicious configuration is a real vulnerability is when you've got something like a system-level service that parses and respects user-level configuration files
|
|
#
?
Dec 28, 2021 22:20
|
|
|
just chmod 777 / 
|
|
#
?
Dec 28, 2021 22:27
|
|
|
if you steal the computer you can pretty much do whatever you want to it! where's my CVE
|
|
#
?
Dec 28, 2021 22:28
|
|
|
rjmccall posted:yeah, this kind of "vulnerability" always annoys me for exactly that reason. you should be thinking of configuration files as code unless you've got rigorous reasons to think otherwise. i'm not saying it isn't good to chase out stuff like crashes in the parser, but the only situation where malicious configuration is a real vulnerability is when you've got something like a system-level service that parses and respects user-level configuration files the only thing i can think of is an application allowing runtime configuration of logging through its own UI, but even then i'd blame the application and not log4j. i know jira lets you configure component logging levels through its UI, but last time i checked the appenders themselves had to be configured in log4j.properties this specific issue seems like them being overly cautious.
|
|
#
?
Dec 28, 2021 22:30
|
|
|
yeah. i mean, it's probably good, in the sense that probably every use of these apis that can trigger jndi (or remote loading in general) should have to explicitly authorize it, e.g. by passing the allowed schemas in and not providing an "allow anything" default. but it's not something that people need to run in and hot-patch unless i'm completely misunderstanding
|
|
#
?
Dec 28, 2021 23:11
|
|
|
rjmccall posted:okay, so pending the blog post, sounds like: Here's the post It's the same JNDI:LDAP deserialization, but from a different place... https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/ Dr. Kayak Paddle fucked around with this message at 00:11 on Dec 29, 2021 |
|
#
?
Dec 29, 2021 00:01
|
|
|
yeah, ok, so that’s just what i was saying although they do say that jog4j has its own mechanisms for doing remote configuration? presumably ones you have to opt into with local configuration, though
|
|
#
?
Dec 29, 2021 01:05
|
|
|
|
| # ? Apr 26, 2024 18:01 |
|
|
cinci zoo sniper posted:https://news.ycombinator.com/item?id=29705957 a lot of commotion around what could be a fresh round of lastpass being a well made product yeah I had an account I set-up a long time ago with nothing in it and I got a notification that someone was trying to use my (auto-generated) master password there to log-in from India. Lastpass is such garbage.
|
|
#
?
Dec 29, 2021 01:28
|
|
