Wiggly Wayne DDS posted:systemd: reexec state injection: fgets() on overlong lines leads to line splitting
Oct 25, 2018 20:43

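The title of that report names a bug class rather than explaining it, so here is the mechanism reduced to its core as an added C example. This is my illustration, not systemd's code and not taken from the report: the 32-byte buffer (a stand-in for a LINE_MAX-sized one), the KEY=VALUE state format, the parser functions and the state text are all constructed for the demonstration. The naive parser treats every fgets() return as one line; the checked parser refuses any record whose newline did not fit in the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Deliberately tiny stand-in for the real LINE_MAX-sized buffer. */
#define LINE_BUF 32

typedef struct {
    char key[64];
    char value[256];
} kv;

/* Load constructed serialized state into a FILE* so fgets() sees it
   exactly as it would see a state file handed across a reexec. */
static FILE *open_state(const char *text) {
    FILE *f = tmpfile();
    if (!f) return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

/* Split "KEY=VALUE" (with or without trailing newline) into a record. */
static int split_kv(char *buf, kv *out) {
    buf[strcspn(buf, "\n")] = '\0';
    char *eq = strchr(buf, '=');
    if (!eq) return 0;
    *eq = '\0';
    snprintf(out->key, sizeof out->key, "%s", buf);
    snprintf(out->value, sizeof out->value, "%s", eq + 1);
    return 1;
}

/* Vulnerable pattern: every fgets() result is treated as one complete
   KEY=VALUE line. A value longer than LINE_BUF-1 bytes is cut short, and
   the remainder is parsed as a fresh line on the next iteration. */
int parse_naive(const char *text, kv *out, int max) {
    FILE *f = open_state(text);
    if (!f) return -1;
    char buf[LINE_BUF];
    int n = 0;
    while (n < max && fgets(buf, sizeof buf, f)) {
        if (split_kv(buf, &out[n])) n++;
    }
    fclose(f);
    return n;
}

/* Hardened pattern: a record is accepted only if fgets() consumed its
   terminating newline. If the buffer filled without one and the stream
   is not at EOF, the line was longer than the buffer, so the whole state
   is rejected instead of being re-parsed out of alignment. */
int parse_checked(const char *text, kv *out, int max) {
    FILE *f = open_state(text);
    if (!f) return -1;
    char buf[LINE_BUF];
    int n = 0;
    while (n < max && fgets(buf, sizeof buf, f)) {
        if (!strchr(buf, '\n')) {
            int c = fgetc(f);
            if (c != EOF) { fclose(f); return -1; }   /* truncated line */
        }
        if (split_kv(buf, &out[n])) n++;
    }
    fclose(f);
    return n;
}

/* Constructed state: the attacker-controlled value of "env" is padded so
   that "env=" plus 27 bytes of padding fills the 31 bytes fgets() can
   read at once; the leftover "fd=3\n" then shows up as its own record. */
const char *STATE =
    "unit=foo.service\n"
    "env=" "AAAAAAAAA" "AAAAAAAAA" "AAAAAAAAA" "fd=3\n";

int main(void) {
    kv recs[8];
    int n = parse_naive(STATE, recs, 8);
    for (int i = 0; i < n; i++)
        printf("naive   record %d: %s=%s\n", i, recs[i].key, recs[i].value);
    printf("checked result: %d (negative means state rejected)\n",
           parse_checked(STATE, recs, 8));
    return 0;
}
```

Build with `gcc -std=c99 -Wall split.c && ./a.out`. The naive parser yields three records, the third being `fd=3`, which was never written as a line; the checked parser returns an error on the same input. Failing closed is the right choice here because the serializer on the other side is trusted to emit one record per line, so a missing newline means the framing is already broken.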
uefi was a mistake
Oct 25, 2018 21:49

Jeoh posted: uefi was a mistake
the previous version of this behavior with the acpi key whose contents are executed with system privileges was: the bios of the machine has a rudimentary understanding of the NTFS filesystem structure, and on boot, replaces a core windows component (autochk.exe) with the hardware manufacturer's version
lenovo did this, and this is how computrace works/worked
"bios silently replaces core windows component with possibly badly written lenovo version" is far worse, don't blame this on uefi
Oct 25, 2018 22:29

CRIP EATIN BREAD posted: what's gdpr?
the EU version of the flo-rida hit, "Going Down Pour Real"
Oct 25, 2018 22:29

Lysidas posted: the previous version of this behavior with the acpi key whose contents are executed with system privileges was:
does windows and/or the builtin windows AV do any checks for tampering like this?
Oct 25, 2018 23:54

Lutha Mahtin posted: does windows and/or the builtin windows AV do any checks for tampering like this?
lol you know this behavior is used by some enterprise poo poo that they will never be able to break
Oct 26, 2018 00:01

geonetix posted: I think the problem is worse since I believe a Swedish judge ruled an ip address is personal data and then the ECJ decided it's conditional. the jurisprudence is all over the place
You can collect all the PII data you want as long as you delete it in 24hrs.
Oct 26, 2018 04:48

ate poo poo on live tv posted: You can collect all the PII data you want as long as you delete it in 24hrs.
Is there some amount of processing after which the data is no longer considered personally identifying?
Oct 26, 2018 14:25

You can also collect any PII as long as you have a legitimate purpose for it and the definition of "legitimate" is broad as gently caress. Covers pretty much everything except marketing and collecting poo poo for literally no reason.
Oct 26, 2018 14:43

ArcMage posted: Is there some amount of processing after which the data is no longer considered personally identifying?
cat /dev/zero > pii.txt
Oct 26, 2018 15:05

oh right this systemd bug was also unveiled yesterday https://twitter.com/_fel1x/status/1055534821957603329
Oct 26, 2018 15:35

are the recent new CVEs for systemd part of the stuff referred to earlier? because the dhcp6 one sounds hilarious.
Oct 26, 2018 15:36

Evis posted: cat /dev/zero > pii.txt
I was going to say /dev/random, but theoretically everyone's PII is in there somewhere...
Oct 26, 2018 15:44

https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html yikes
Oct 26, 2018 15:51

You know what makes this funny? The reporter is an OpenBSD developer, but didn't report it to OpenBSD despite 6.4 being released recently. Notably, after Theo complained about Intel not informing OpenBSD. Also, because FreeBSD is on xserver v1.18, it isn't vulnerable.
Oct 26, 2018 17:44

ArcMage posted: Is there some amount of processing after which the data is no longer considered personally identifying?
as long as you have no follow-up questions, the answer is “yes”
Oct 26, 2018 17:52

D. Ebdrup posted: You know what makes this funny? The reporter is an OpenBSD developer, but didn't report it to OpenBSD despite 6.4 being released recently. Notably, after Theo complained about Intel not informing OpenBSD.
nice
Oct 26, 2018 18:30

my god https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/
Oct 26, 2018 18:40

Wiggly Wayne DDS posted: my god https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/
who chose the name of that environment variable?
Oct 26, 2018 18:44

Wiggly Wayne DDS posted: my god https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/
sounds good maybe?
Oct 26, 2018 18:46

wasn't this thing driven by tavis and others on project zero doing like 80% of the heavy lifting just to prove a point that defender can and should be sandboxed
Oct 26, 2018 18:51

BangersInMyKnickers posted: wasn't this thing driven by tavis and others on project zero doing like 80% of the heavy lifting just to prove a point that defender can and should be sandboxed
https://twitter.com/taviso/status/1055876544768425985
Oct 26, 2018 18:55

Yes, but the majority of vendors still aren't there, like Avast.
Oct 26, 2018 18:57

yeah the malware authors need to up their game to compete with the native offerings
Oct 26, 2018 19:07

the only av product on the market worth a poo poo just got better
Oct 26, 2018 19:24

Wiggly Wayne DDS posted: yeah the malware authors need to up their game to compete with the native offerings
Oct 26, 2018 20:32

BangersInMyKnickers posted: the only av product on the market worth a poo poo just got better
Oct 26, 2018 20:41

BangersInMyKnickers posted: wasn't this thing driven by tavis and others on project zero doing like 80% of the heavy lifting just to prove a point that defender can and should be sandboxed
Oct 26, 2018 21:14

my boss seems to think that selling software that clients can run in their pc opens us to a risk of losing all the IP and our fancy algorithms when it gets decompiled/reverse-engineered (C#/C++), thus we need to supply our own pc to the client with all the software already deployed etc.

but my limited knowledge of sec stuff tells me that this is seriously overreacting because a) physical access means game over anyways and b) we are contractually bound with the client so i am not sure why the threat model should include them loving us over and stealing the IP (even then we can just deploy the software so that it contains the algorithms the customer has paid for)

all this started from me suggesting supplying/renting out a physical server as a legal way to be able to use gpl code without needing to distribute the source

i mean if decompilation and stealing trade secrets was so drat easy, how come companies can still sell software??
Oct 27, 2018 03:01

the people that are good at reverse engineering and disassembling software usually have much more lucrative work than trying to steal an entire line of business from another company
Oct 27, 2018 03:09

software has no value. you pay for support/enhancements. the more useful the software, the more you can charge for support.
Oct 27, 2018 03:16

CRIP EATIN BREAD posted: software has no value.
Oct 27, 2018 03:18

CRIP EATIN BREAD posted: software has no value.
edited for complete accuracy
Oct 27, 2018 03:39

CRIP EATIN BREAD posted: software has no value.
yeah did i mention that we seem to have no pricing plan for this stuff
Oct 27, 2018 04:00

Penisface posted: all this started from me suggesting supplying/renting out a physical server as a legal way to be able to use gpl code without needing to distribute the source
how would that work? you’re still distributing the software, whether it’s on a hard drive or on a DVD or in firmware. that’s why the router companies have the GPL-afflicted downloads on their sites
Oct 27, 2018 04:24

Subjunctive posted: how would that work? you’re still distributing the software, whether it’s on a hard drive or on a DVD or in firmware. that’s why the router companies have the GPL-afflicted downloads on their sites
i admit i am not familiar with the legalities, but the point was that we do not sell the hardware but instead rent it to the customer and take full responsibility for maintenance and what goes on inside - we could have the same software running in the cloud somewhere but supplying a physical box is necessary because internet access is not guaranteed and there are some real-time processing requirements
Oct 27, 2018 04:30

Penisface posted: i admit i am not familiar with the legalities, but the point was that we do not sell the hardware but instead rent it to the customer and take full responsibility for maintenance and what goes on inside - we could have the same software running in the cloud somewhere but supplying a physical box is necessary because internet access is not guaranteed and there are some real-time processing requirements
you still need to provide the GPL sources
you could put it all on the box itself and have them sign some sort of NDA or something I guess?
Oct 27, 2018 04:36

wasn't tivo doing this literally why GPL 3 was made
Oct 27, 2018 04:37

hobbesmaster posted: you still need to provide the GPL sources
i am not sure how our thing differs from a client-server solution like google or amazon, and this should allow for network use without distribution (except agpl)

Shame Boy posted: wasn't tivo doing this literally why GPL 3 was made
tivo was preventing users from running modified (i.e. DRM disabled) software on hardware that the users bought - our case is different as the customer would not own the hardware and as per the contract, we would provide any support or modifications to the hardware and software

sorry for the derail, thanks for backing up my world view that nobody sane would steal this niche software through decompiling
Oct 27, 2018 09:29