QuatermassTools

@QuatermassTools@infosec.exchange

Securing a hole in the ground

Itinerant Coder.


jerry, to random

Have you ever had levels of anxiety that basically prevent you from doing anything productive?

QuatermassTools,

@jerry frequently, on days ending in ‘y’

GossiTheDog, to random
@GossiTheDog@cyberplace.social

deleted_by_author

    QuatermassTools,

    @GossiTheDog err, that’s 3 years ago ?

    jerry, to random

    🎶the best part of waking up is a brand new shooting pain when you pick up your cup🎶

    QuatermassTools,

    @jerry @joshbressers @kurtseifried but did you save the drink.

    QuatermassTools, to random

    Why are they called lookup results and not cache prizes ?

    jwildeboer, to random
    @jwildeboer@social.wildeboer.net

    Instead of sending a fix to #postfix upstream, especially when postfix just celebrated its 25th anniversary, these folks at SEC consult decided to milk their 15 minutes of fame and #37C3 happily gives them the stage. https://chaos.social/@Foxboron/111621156200642472

    QuatermassTools,

    @jwildeboer Exim already fixed it in https://git.exim.org/exim.git/commit/5bb786d5ad568a88d50d15452aacc8404047e5ca; a formal 4.97.1 release is already in the works.

    ryanc, to random

    How many different protocols can simultaneously be supported on the same TCP port via auto detection?

    HTTP+HTTPS+SSH is fairly straightforward.

    The fun bit would be combining SSH with one or more other server-talks-first protocols.

    QuatermassTools,

    @ryanc I just realised ZNC, the IRC bouncer, has done HTTP/HTTPS/IRC on one port for at least 10 years.
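The auto-detection the thread is discussing, as an added example (my own sketch, not ZNC's code): classify the first bytes a client sends so that one listener can hand the socket to the right handler, with the server-talks-first case handled by a timeout. Hostnames and sample packets are constructed.

```python
# Added example, not ZNC's code: classify a client's first bytes so one listener
# can dispatch to the right handler. None means "undecided, read more bytes".
# The awkward case is a server-talks-first protocol such as SSH: the server
# waits briefly for client bytes and, if none arrive, assumes that protocol and
# sends its banner. After TLS termination the same function runs again on the
# plaintext stream, which is how HTTPS and IRC-over-TLS share the port too.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")
IRC_COMMANDS = (b"NICK ", b"USER ", b"PASS ", b"CAP ")


def detect_protocol(first_bytes: bytes):
    """Return 'tls', 'http', 'ssh', 'irc' or None for an initial client buffer."""
    if not first_bytes:
        # Nothing arrived before the timeout: the peer is waiting for us to
        # speak first, so assume the server-first protocol (SSH here).
        return "ssh"
    # TLS record header: ContentType handshake (0x16), version 3.x, 2-byte
    # length, then HandshakeType client_hello (0x01).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    # Eager SSH clients send their identification string without waiting.
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes.startswith(HTTP_METHODS):
        # Wait for the full request line before committing to HTTP.
        request_line = first_bytes.split(b"\r\n", 1)[0]
        return "http" if b" HTTP/" in request_line else None
    if first_bytes.startswith(IRC_COMMANDS):
        return "irc"
    return None


if __name__ == "__main__":
    # Constructed sample first packets, one per protocol.
    samples = {
        "empty (server-first)": b"",
        "ClientHello": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",
        "SSH banner": b"SSH-2.0-OpenSSH_9.6\r\n",
        "HTTP request": b"GET / HTTP/1.1\r\nHost: example.test\r\n",
        "IRC login": b"NICK alice\r\nUSER alice 0 * :alice\r\n",
    }
    for name, data in samples.items():
        print(f"{name:22} -> {detect_protocol(data)}")
```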

    jerry, to random

    sboms are all the rage now, and I’ve been thinking of them like the ingredients on packaged food. Similar to how some foods have “no MSG” or “sugar free”, I wonder how long it will be before we see software with “No Apache Struts” or “Written with only memory-safe languages”…

    QuatermassTools,

    @jerry as the documentation of the perl MIME::Lite module notes …

    NUTRITIONAL INFORMATION

    For some reason, the US FDA says that this is now required by law on any products that bear the name "Lite"...

    Version 3.0 is now new and improved! The distribution is now 30% smaller!

    MIME::Lite              |
    ------------------------+----------
    Serving size:           | 1 module
    Servings per container: | 1
    Calories:               | 0
    Fat:                    | 0g
      Saturated Fat:        | 0g

    Warning: for consumption by hardware only! May produce indigestion in humans if taken internally.

    SecureOwl, to random

    Oracle Netsuite has been around for 25 years and to date no one has appeared in The Hague charged with crimes against user experience.

    QuatermassTools,

    @SecureOwl before or after the charges for Oracle Forms ?

    mjg59, to random
    @mjg59@nondeterministic.computer

    Just bought a USB foot pedal, now I can finally learn vi

    QuatermassTools,

    @mjg59 and later you can upgrade for emacs

    kurtseifried, to random

    Has anyone developing code here actually sat down with the people using it at scale for a week and observed/interacted with them and the code?

    QuatermassTools,

    @kurtseifried yes, and apparently I refuse to listen to myself

    kurtseifried, to random

    Holy cow. I want a browser plugin that checks my email for an unsubscribe link, and if it's hidden like this one (white text on light grey) unsubscribes me. I can't think of any legitimate email I get that doesn't have a prominent unsubscribe link.

    Edit: added zoomed in version

    QuatermassTools,

    @kurtseifried and the chances they’ll actually unsub you are ?

    kurtseifried, to random

    Digital ID is probably not a bad idea long term but making the root certificate system more insecure is probably a bad idea. Find out more with @joshbressers on the https://opensourcesecurity.io/2023/11/19/episode-402-the-eus-eidas-regulation-is-a-terrible-idea/ tldr: forcing everyone to trust governments and bypassing basic security requirements is bad, mmmkay?

    QuatermassTools,

    @joshbressers @pasties @kurtseifried for clarity it’s also worth noting that the server has to have the certificate(s) that signed the client certificates (the server provides the Subject fields which the client matches against the Issuer fields of possible client certs). It doesn't need the actual root cert(s) for the validation unless those directly sign the client cert (which is extremely bad practice, obviously).

    This places an additional security burden on clients to know in advance which client certificates should be used with which endpoints, otherwise a malicious server could provide a list of harvested client signers and acquire client cert info.

    neurovagrant, to random
    @neurovagrant@masto.deoan.org

    deleted_by_author

    QuatermassTools,

    @neurovagrant you say that like it’s a bad thing

    kurtseifried, to random

    I found a Google dork that really shouldn't exist: "vulnerability reporting course" I mean it's 2023 and there's no good vulnerability reporting course...

    duck duck go results

    QuatermassTools,

    @kurtseifried yea, just ebay the reproducer and be done with it. Solves the bug bounty problem too.

    kurtseifried, to random

    Is there like a fake water glass that looks like a glass with water in it for a cat to shove off a shelf? But like it won’t break or spill water everywhere.

    QuatermassTools,

    @kurtseifried asking for a fiend ?

    nixCraft, to random
    @nixCraft@mastodon.social

    How many of you are "burn a CD old"? 🤔

    QuatermassTools,

    @nixCraft Just punch another card deck.

    nixCraft, to random
    @nixCraft@mastodon.social

    | ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄|
    Stop buying domain names
    |______________|
    \ (•◡•) /
    \ /
    ——
    | |
    |_ |_

    QuatermassTools,

    @nixCraft it only encourages DNS

    neurovagrant, to random
    @neurovagrant@masto.deoan.org

    deleted_by_author

    QuatermassTools,

    @neurovagrant the only item I find (mildly) concerning is wireless power control “Wake on Wireless? WoW?”. For security (they do apparently care) I don’t see the update image itself being anything other than a bog-standard signed beast. Most of the infra is already in place, they’re just riffing on existing capabilities.

    malwaretech, to random

    I was debating with a communist friend and ended up learning our beliefs on almost everything are identical. The only place they diverge is that they believe that in the absence of capitalism, communism is the natural state and without capitalist incentives people won't want to hoard resources or organize into hierarchies. Whereas I believe both of those things are inherent to human nature and people will ultimately corrupt any such system.

    QuatermassTools,

    @malwaretech so, belief in a system vs 1000s of years of observed human behaviour

    neurovagrant, to random
    @neurovagrant@masto.deoan.org

    deleted_by_author

    QuatermassTools,

    @neurovagrant I replaced all the glass over the past couple of years. A larger varifocal for around the house, a smaller varifocal with reactive coating for driving/riding and most significantly a fixed length pair just for computer work.

    The latter was the biggest win of the lot.

    bagder, to random
    @bagder@mastodon.social

    Today we got what must be the most alarming first line in a newly filed sec issue to :

    "To replicate the issue, I have searched in the Bard about this vulnerability"

    ... followed by a complete AI hallucination where Bard has dreamed up a new issue by combining snippets from several past flaws. Creative, but hardly productive.

    Closed as bogus.

    QuatermassTools,

    @bagder “Fuck off and die, AI”

    neurovagrant, to random
    @neurovagrant@masto.deoan.org

    deleted_by_author

    QuatermassTools,

    @neurovagrant I have multiple logical heads with distinct dispersed email accounts, and then email aliases spread under each, each alias to custom folder for a given remote site. Password manager to keep the associations in place.

    Currently at over 600 distinct email addresses in play.

    briankrebs, to random

    This might have slipped under the radar these past few days, but a 9.8 RCE in Exim (on many, many mail servers) that does not require authentication is bad bad bad.

    https://www.zerodayinitiative.com/advisories/ZDI-23-1469/

    QuatermassTools,

    @briankrebs For an authenticator plugin that is not built/installed on 99% of those many, many servers.

    nixCraft, to random
    @nixCraft@mastodon.social

    PHP is very much alive whether you like it or not.

    QuatermassTools,

    @nixCraft in a “Fear The Walking Dev” way

    jerry, to random

    Working on a title for my autobiography…. So far, I am thinking “Things to avoid” or “At Least I Tried”

    QuatermassTools,

    @jerry “shoulda pushed on a friday”
