Just so we're all on the same page:

quote: 3.437 User Name

quote: The POSIX portable file name character set

Sounds like numeric usernames should work, but Unicode should not. That said, I am admittedly not an expert on POSIX stuff.

Sheep fucked around with this message at 14:23 on Dec 7, 2018
Posted Dec 7, 2018 14:05

ratbert90 posted: I agree with Pottering on this one. The POSIX standard says that usernames aren’t allowed to start with numbers. If systemd starts taking into account and fixing fuckups from other programs (in this case useradd for allowing a bad username), then they would be there until the end of times.

I get where you're coming from and agree at a high level, but in this case it's doing the worst possible thing. Obviously others have argued against the POSIX claim; I don't care enough to look into it myself, but it really doesn't matter. Even taking the claim at face value, there are three main paths it could take:

1. Don't start the service, throw an error.
2. Start the service as the user anyway, maybe throw a warning that a user exists which is not compliant.
3. Just don't bother dropping privileges and start the service as root.

Clearly one of those is much worse than the others. Which of the other two is better depends on how you feel about Postel's Law.

Posted Dec 7, 2018 17:13

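An added illustration of paths 1 and 2 above (my own code, not from the thread or from systemd): a supervisor-side check that resolves a configured service user and, whatever it concludes about the name, never falls back to running as root. The passwd table is constructed, the portable-name rule follows the POSIX 3.437 text quoted earlier in the thread, and the leading-digit question is left as a parameter because the thread disputes it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# POSIX portable filename character set: ASCII letters, digits, '.', '_', '-'.
# POSIX 3.437 adds that a portable user name should not begin with '-'.
# Whether a leading digit is allowed is the disputed point in the thread, so
# it is a parameter here rather than a hard-coded rule.
_PORTABLE = re.compile(r"[A-Za-z0-9._][A-Za-z0-9._-]*")


def is_portable_username(name: str, allow_leading_digit: bool = True) -> bool:
    """True if name uses only the portable set and does not start with '-'."""
    if not name or _PORTABLE.fullmatch(name) is None:
        return False  # empty, non-ASCII (e.g. Unicode), spaces, or leading '-'
    return allow_leading_digit or not name[0].isdigit()


@dataclass(frozen=True)
class Resolution:
    run: bool            # start the service at all?
    uid: Optional[int]   # uid to switch to before exec; None when refused
    note: str            # what a supervisor should log


# Constructed passwd-style table standing in for getpwnam(); not a real system.
PASSWD = {"root": 0, "daemon": 1, "web": 1000, "0day": 1001, "ünïcode": 1002}


def resolve_service_user(name: str, strict: bool = True,
                         allow_leading_digit: bool = True, passwd=PASSWD) -> Resolution:
    """Decide how a privileged supervisor handles a configured service user.

    strict=True  is path 1 from the thread: refuse to start on a bad name.
    strict=False is path 2: start as that user anyway and log a warning.
    Neither path falls back to uid 0; silently running as root (path 3) is
    the fail-open outcome the thread objects to, so it is not an option here.
    """
    if name not in passwd:
        return Resolution(False, None, f"user {name!r} not found; not starting")
    uid = passwd[name]
    if is_portable_username(name, allow_leading_digit):
        return Resolution(True, uid, f"dropping privileges to {name!r} (uid {uid})")
    if strict:
        return Resolution(False, None,
                          f"user {name!r} is not a POSIX-portable name; refusing to start")
    return Resolution(True, uid,
                      f"warning: {name!r} is not a POSIX-portable name; starting as uid {uid}")
```

The point is that an unknown or non-portable name resolves to either "do not run" or "run as the looked-up uid", never to uid 0.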
ratbert90 posted: The proper fix is to unfuck useradd.

"The proper fix is for everyone else's software to be 100% bug-free, always" is what that is really saying. That's monumentally stupid in any context, not just infosec.

Posted Dec 7, 2018 17:47

Shouldn't every single root-level program and utility sanitize its inputs? Hell, shouldn't all programs sanitize and reality-check inputs? Relying on some other tool and assumptions about how things should be set up just means you get stupid poo poo like this, where something broken in some third-party utility could get you root trivially, because the babbies involved in the project are too busy being smug about poo poo instead of fixing things.

Posted Dec 7, 2018 20:57

Should they? Absolutely yes. Will they ever? Hell no. We have the best job security.

Posted Dec 7, 2018 21:08

Methylethylaldehyde posted: Shouldn't every single root-level program and utility sanitize its inputs? Hell, shouldn't all programs sanitize and reality-check inputs? Relying on some other tool and assumptions about how things should be set up just means you get stupid poo poo like this, where something broken in some third-party utility could get you root trivially, because the babbies involved in the project are too busy being smug about poo poo instead of fixing things.

There is no set standard for these kinds of things, or even bothering to check for root. If there was a library every single application had to load that forced each program to fully detail the permissions each application will be using (if a user tries to load a user owned to start a root level service, reject for permission issues), we would hear the lamentations of every open source developer out there immediately. Slashdot would be full of articles about how Linux leads are hampering creativity by forcing them to use *scoff* security """""'standards"""""" and waste minutes of development time fulfilling these absurd demands. You might think I am overblowing the reaction and I'd like to only say.... I wish I could think and believe the developers are great and reasonable people.

Posted Dec 7, 2018 21:14

On the plus side no one cares about slashdot anymore so it sounds like we aren't missing anyone useful.

Posted Dec 8, 2018 15:42

Cup Runneth Over posted: At least the expired certificate prevented them from working...?

Yeah, honestly, I’m pleased to read that part.

Posted Dec 8, 2018 16:08

Volmarias posted: On the plus side no one cares about slashdot anymore so it sounds like we aren't missing anyone useful.

Then what site do self-obsessed people post about how open their source is now? Because they are still here.

Posted Dec 8, 2018 16:16

Reddit or HN I think.

Posted Dec 8, 2018 16:34

Feels like the most relevant thread for this: https://twitter.com/jamescroft/status/1072652595674648580 Australians need not apply.

Posted Dec 13, 2018 14:24

I don’t really keep up with AusPol but I’m just going to assume that proposed law is a result of their government trying to out-racist every other country on earth.

Posted Dec 13, 2018 14:36

Thanks Ants posted: I don’t really keep up with AusPol but I’m just going to assume that proposed law is a result of their government trying to out-racist every other country on earth.

More or less. And it's not proposed. It passed. They passed a law requiring tech companies to basically hamstring their encryption at government request. And apparently they've worded it so Aussie employees can be compelled to take action against their employers. It's a hosed up, regressive attack on privacy.

Posted Dec 13, 2018 14:40

I’m sure the chinless fucks that run the UK are going to have a go at a similar thing soon then

Posted Dec 13, 2018 14:46

Thanks Ants posted: I’m sure the chinless fucks that run the UK are going to have a go at a similar thing soon then

They've got other problems to deal with for the next few months.

Posted Dec 13, 2018 14:47

Proteus Jones posted: More or less.

It's just in line with their policy that the laws of mathematics don't apply in Australia, only the laws of Australia.

Posted Dec 13, 2018 15:25

long-rear end nips Diane posted: They've got other problems to deal with for the next few months

But once those couple of months pass, privacy finally isn't a concern for them anymore, either.

Posted Dec 13, 2018 15:41

Thanks Ants posted: I’m sure the chinless fucks that run the UK are going to have a go at a similar thing soon then

Going to? They did it back in 2016.

Posted Dec 13, 2018 15:58

I saw an interesting take on the AA bill which was (IIRC) that organizations have always been at risk from state-level actors compelling employees to do their bidding one way or another, and therefore if your threat model didn't already include that sort of attack, this doesn't change things. As a decidedly non-expert individual, I'm not sure I entirely buy that reasoning – surely the fact that said compulsion can now be effected entirely legally means it's significantly more likely than when it required illegal/extrajudicial shenanigans?

Posted Dec 13, 2018 20:35

Even if the only difference is that at least you know about it now and it could have theoretically been an issue before, if you're deciding where to open an office in the region and Australia has that sort of law and somewhere else doesn't then why would you pick Aus?

Posted Dec 13, 2018 20:39

bitprophet posted: I saw an interesting take on the AA bill which was (IIRC) that organizations have always been at risk from state-level actors compelling employees to do their bidding one way or another, and therefore if your threat model didn't already include that sort of attack, this doesn't change things.

The US asked Apple to hack their own phones, Apple said no and went to court. So clearly it's not settled law and this changes the calculations a lot.

Posted Dec 13, 2018 20:43

hobbesmaster posted: The US asked Apple to hack their own phones, Apple said no and went to court. So clearly its not settled law and this changes the calculations a lot.

A smaller US mail provider decided to shut down instead of complying with a national security letter a few years ago. Seems pretty hard to fight it when you're a smaller outfit.

Posted Dec 13, 2018 20:45

Lambert posted: A smaller US mail provider decided to shut down instead of complying with a national security letter a few years ago. Seems pretty hard to fight it when you're a smaller outfit.

The way you fight it is by having enough money to tell the federal government 'gently caress you, make me', then sitting on your Billions with a capital B dollars bribing any senator you can find to cloud the waters and put pressure on the mid-level bureaucrat charged with enforcing the secret court ruling.

Posted Dec 14, 2018 00:10

Lambert posted: A smaller US mail provider decided to shut down instead of complying with a national security letter a few years ago. Seems pretty hard to fight it when you're a smaller outfit.

That helps the argument that random employees aren’t being made to hack their employers in the US.

Posted Dec 14, 2018 03:41

hobbesmaster posted: That helps the argument that random employees aren’t being made to hack their employers in the US

Don't worry, if they did, you'd never know about it, since they can be compelled to secrecy by gag orders.

Posted Dec 14, 2018 04:00

While the Australian encryption law is a hilarious capitulation by the Labor Party and an all-around bad thing, America has had the Patriot Act since 2001 (https://en.wikipedia.org/wiki/Patriot_Act) and it doesn't seem to have had much of an effect on dissuading big tech companies from doing business there.

Posted Dec 14, 2018 05:38

abigserve posted: While the Australian encryption law is a hilarious capitulation by the Labor Party and an all-around bad thing, America has had the Patriot Act since 2001 (https://en.wikipedia.org/wiki/Patriot_Act) and it doesn't seem to have had much of an effect on dissuading big tech companies from doing business there.

It's much harder to not do business in the US than it is to not do business in Australia, if you're an international company.

Posted Dec 14, 2018 05:41

abigserve posted: While the Australian encryption law is a hilarious capitulation by the Labor Party and an all-around bad thing, America has had the Patriot Act since 2001 (https://en.wikipedia.org/wiki/Patriot_Act) and it doesn't seem to have had much of an effect on dissuading big tech companies from doing business there.

The Patriot Act is horrific, but Australia trying to force companies to break encryption by building in a weakness affects far more people and can have global implications (I mean it won't, because every company is going to tell them to gently caress off and/or pull up stakes and leave Australia).

Posted Dec 14, 2018 05:42

yeah just to be clear I'm not defending it, it's a terrible idea made up by people who have no idea of the consequences but I'm being optimistic that the realised impact of it will be low, because to think of the alternative is...pretty grim, to be honest.

Posted Dec 14, 2018 06:04

The Patriot Act also caused a lot of orgs to host and deploy their stuff in other regions to dodge that. Ironically nowadays a lot of it is with GCP/AWS/Azure, but the idea counts. Still, MSFT's fight over digital jurisdiction about the emails of drug dealers stored in Ireland is an interesting read.

Posted Dec 14, 2018 08:01

I'm going to sell one of my dad's computers and an Android mobile phone, so I want to wipe them before doing that.

- For the HDD, are there any alternatives to DBAN where I can still use the computer while doing the wiping of the non-OS drive?
- For the SSD, if I do an ATA Secure Erase, how much of the drive's life expectancy will be lost?
- For my Android mobile, what's the procedure I should do? I don't have the slightest idea.

Posted Dec 14, 2018 15:30

Mystic Stylez posted: I'm going to sell one of my dad's computers and Android mobile phone, so I want to wipe them before doing that.

Don't use DBAN for the hard drive, do an ATA Secure Erase (enhanced secure erase, ideally) as well. If you want to do a less secure erase from a running Windows, get something like sdelete from Microsoft's website. But realize that files that are small enough to live in the Master File Table can survive this process, even though sdelete claims to remove them as well.

With the SSD: it depends. The vast majority of SSDs don't erase all cells, they simply throw away the encryption key. This means pretty much no loss of life expectancy. A small handful of SSDs actually do erase all cells; this means loss of endurance equivalent to the drive size.

For the Android phone, simply do a factory reset.

Lambert fucked around with this message at 15:47 on Dec 14, 2018

Posted Dec 14, 2018 15:44

Thanks for the answers! So I take it that tools like Samsung Magician aren't good enough to wipe the SSD?

Posted Dec 14, 2018 16:57

I thought the best way to totally erase an Android phone was to encrypt it then factory reset it? Most people have encryption on but that's an important caveat.

Posted Dec 14, 2018 17:18

Mystic Stylez posted: Thanks for the answers! So I take it that tools like Samsung Magician aren't good enough to wipe the SSD?

Samsung Magician executes an ATA Secure Erase, which throws away the encryption key. Without the encryption key, the data is no longer recoverable.

kensei posted: I thought the best way to totally erase an Android phone was to encrypt it then factory reset it? Most people have encryption on but that's an important caveat.

Pretty much any phone released in the past few years should have encryption enabled by default. But this is a good point, enable it before resetting.

Lambert fucked around with this message at 17:36 on Dec 14, 2018

Posted Dec 14, 2018 17:30

Arc degausser, bulk shredder, fine shredder, drop into the sea. If you live in the US, ask

Posted Dec 14, 2018 18:21

Lol MS DNS

Posted Dec 14, 2018 21:55

Potato Salad posted: Lol MS DNS

Is there a specific thing happening?

Posted Dec 14, 2018 23:00

Patch your AD controllers and any other MS DNS systems newer than Windows 2008 R2 ASAP if you don't like people easily running pretty much anything as NT\SYSTEM remotely, and I think without very clear logging.

Posted Dec 14, 2018 23:16

Potato Salad posted: Patch your AD controllers

I mean, is this not a fundamental no matter what?

Posted Dec 14, 2018 23:17