|
someone make brodyquest but with tavis. well don't make it, but think about it. pretty good, eh?
|
#
?
May 3, 2018 14:36
|
|
|
|
| # ? May 4, 2024 02:16 |
|
|
Wheany posted:someone make brodyquest but with tavis. tavis or-mandy tavis or-man-dy it works pretty well
|
|
#
?
May 3, 2018 15:00
|
|
|
Wheany posted:someone make brodyquest but with tavis. should involve waterfalls
|
|
#
?
May 3, 2018 15:25
|
|
|
I'm getting browser sandboxing setup with enterprise policy and Chrome is triggering a million alerts because its getting flagged for attempting to make modifications in catroot\catroot2. Anyone have an idea of what the hell its trying to do there? Check OS patch level or something? It's constantly re-checking that dir with disk IO.
|
|
#
?
May 3, 2018 15:33
|
|
|
My name is Ormandias, king of secfucks. Look on my works, ye developers, and despair!"
|
|
#
?
May 3, 2018 15:41
|
|
|
ratbert90 posted:My name is Ormandias, king of secfucks. Look on my works, ye developers, and despair!" "Look on my tweets, ye devlopers, and despair" is better. Hth.
|
|
#
?
May 3, 2018 15:47
|
|
|
Schadenboner posted:"Look on my tweets, ye devlopers, and despair" is better. Hth. I agree.
|
|
#
?
May 3, 2018 15:47
|
|
|
https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies meanwhile in the wasteland that is npm
|
|
#
?
May 3, 2018 16:43
|
|
|
ratbert90 posted:what if kink shaming is his kink????? i think this reduces to russell's paradox and so is not a proctected instance of dont kink shame
|
|
#
?
May 3, 2018 17:07
|
|
|
on the fun security frontier: https://twitter.com/pit_frg/status/991984272021032961 https://www.vusec.net/projects/glitch/ quote:GLitch is one part of our series of Rowhammer attacks. We started by breaking the EDGE browser and the cloud. Then we moved towards Android devices showing how to root them with bit flips. This time we wanted to show that also mobile phones can be attacked remotely via the browser.
|
|
#
?
May 3, 2018 19:20
|
|
|
Lysidas posted:i think this reduces to russell's paradox and so is not a proctected instance of dont kink shame pls write the paper
|
|
#
?
May 3, 2018 19:26
|
|
|
Wiggly Wayne DDS posted:on the fun security frontier: WebGL is such a stupid loving mistake
|
|
#
?
May 3, 2018 19:31
|
|
|
its more javascript in general that's the mistake.
|
|
#
?
May 3, 2018 20:15
|
|
|
BangersInMyKnickers posted:WebGL is such a stupid loving mistake fight me
|
|
#
?
May 3, 2018 20:18
|
|
|
well this is certainly worse than the github one, and not just because the article/press release has zero information in it https://twitter.com/Reuters/status/992133254550519808
|
|
#
?
May 3, 2018 21:25
|
|
|
they were logged internally in some cases, in the clear
|
|
#
?
May 3, 2018 21:29
|
|
|
Please take @realDonaldTrump
|
|
#
?
May 3, 2018 21:31
|
|
|
Wasabi the J posted:Please take @realDonaldTrump more info: https://twitter.com/TwitterSupport/status/992132808192634881 https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html quote:About The Bug
|
|
#
?
May 3, 2018 21:33
|
|
|
two weeks ago i quipped about this very thing https://twitter.com/KateLibc/status/986990790088900608
|
|
#
?
May 3, 2018 21:36
|
|
|
I built a custom string type that couldn't easily be passed to logging functions for things like message text and passwords. if there was an implicit conversion, they would convert to things like "[[message text: 251 chars]]" or "[[password]]" and log a warning about misuse. it took about two days including converting a relatively large codebase. I don't know why people don't use the type system more for stuff like this
|
|
#
?
May 3, 2018 21:39
|
|
|
we are exceedingly pissy about logging and pay huge attention to that we dont even send customers internal dumps of our 503 logs because there's a .00000001 % chance depending on the customer that they might get A log line from another customer.
|
|
#
?
May 3, 2018 21:39
|
|
|
Subjunctive posted:I built a custom string type that couldn't easily be passed to logging functions for things like message text and passwords. if there was an implicit conversion, they would convert to things like "[[message text: 251 chars]]" or "[[password]]" and log a warning about misuse. it took about two days including converting a relatively large codebase. I don't know why people don't use the type system more for stuff like this ....huh. Yeah I'm going to take this.
|
|
#
?
May 3, 2018 21:51
|
|
|
Subjunctive posted:I built a custom string type that couldn't easily be passed to logging functions for things like message text and passwords. if there was an implicit conversion, they would convert to things like "[[message text: 251 chars]]" or "[[password]]" and log a warning about misuse. it took about two days including converting a relatively large codebase. I don't know why people don't use the type system more for stuff like this that's cool
|
|
#
?
May 3, 2018 22:05
|
|
|
Subjunctive posted:I built a custom string type that couldn't easily be passed to logging functions for things like message text and passwords. if there was an implicit conversion, they would convert to things like "[[message text: 251 chars]]" or "[[password]]" and log a warning about misuse. it took about two days including converting a relatively large codebase. I don't know why people don't use the type system more for stuff like this How does it recognize that stuff? I guess what I'm asking is, could you share this code, or at least an example of what it could look like? This sounds quite useful to me.
|
|
#
?
May 3, 2018 22:17
|
|
|
speaking of credentials or whatever, here is some insanely stupid poo poo i just experienced about 2 minutes ago if you want to do certain things with your skype account, such as deactivate it, you have to verify your email address to be sent a code if the local part of your email address is 1 character long, it is not possible to do this.
|
|
#
?
May 3, 2018 22:19
|
|
|
Subjunctive posted:I built a custom string type that couldn't easily be passed to logging functions for things like message text and passwords. if there was an implicit conversion, they would convert to things like "[[message text: 251 chars]]" or "[[password]]" and log a warning about misuse. it took about two days including converting a relatively large codebase. I don't know why people don't use the type system more for stuff like this you could probably also do static analysis to catch uses of explicit conversions to strings that end up in logger statements.
|
|
#
?
May 3, 2018 22:24
|
|
|
Meat Beat Agent posted:speaking of credentials or whatever, here is some insanely stupid poo poo i just experienced about 2 minutes ago I have an email address with a single character user name and I had a license plate renewal form rejected for "invalid email address" by the state of michigan.
|
|
#
?
May 3, 2018 22:25
|
|
|
the code is with a previous employer, but it does rely on people using PasswordString or PrivateMessageTextString when the sensitive data first enters the system. if your architecture permits, those can be subtypes of the normal String class and do implicit conversions. otherwise you use the types to enforce and audit the flow of sensitive data through your system, avoid inadvertent leakage, and make people say .getPrivacySensitiveContents() when they really do need to get their hands on the contents. it doesn’t eliminate the need for audit and understanding, but it really reduces the risk surface that you need to pay attention to static analysis tools can do some of this for you with a bit of annotation, if you get the right tool, but I preferred something that was more core to the program if you do crash reporting you have a bunch of other stuff to worry about. Chrome and Firefox both have a policy of not putting user-entered data (and maybe cookies?) on the stack, so that it doesn’t end up in crash dumps. I don’t know if those policies are tool-enforced.
|
|
#
?
May 3, 2018 22:26
|
|
|
Shaggar posted:you could probably also do static analysis to catch uses of explicit conversions to strings that end up in logger statements. you can do some, but in certain app architectures it’s hard to trace data flow through trips into the OS or framework code I am definitely on team static analysis, though
|
|
#
?
May 3, 2018 22:27
|
|
|
you can also catch this with automated testing. Use a ci test that checks the logs for data leaks after you’ve run your other tests or whatever
|
|
#
?
May 3, 2018 23:07
|
|
|
that only works if your CI exercises literally every path that generates a log entry. a common form of this big is leak-on-error. E: and it has to test at all log/debug levels Subjunctive fucked around with this message at 23:11 on May 3, 2018 |
|
#
?
May 3, 2018 23:08
|
|
|
apparently twitter thought they didn't need to tell anyone about the password disclosure https://twitter.com/paraga/status/992135139994943488 later he walked that back https://twitter.com/paraga/status/992146630232043520
|
|
#
?
May 3, 2018 23:15
|
|
|
lol at trying to score nerd-progressive points off a huge internal leak
|
|
#
?
May 3, 2018 23:16
|
|
|
Ooh that’s true, I was thinking more of the dumb devs level of errors, leaving in debug logging etc
|
|
#
?
May 3, 2018 23:16
|
|
|
I don't reuse passwords so meh if some Twitter engineer could have read my randomly generated password for the service they are an administrator of.
|
|
#
?
May 3, 2018 23:18
|
|
|
considering that this is the first time i've seen my own password for twitter, i would be impressed if someone could remember it
|
|
#
?
May 3, 2018 23:26
|
|
|
Subjunctive posted:I built a custom string type that couldn't easily be passed to logging functions for things like message text and passwords. if there was an implicit conversion, they would convert to things like "[[message text: 251 chars]]" or "[[password]]" and log a warning about misuse. it took about two days including converting a relatively large codebase. I don't know why people don't use the type system more for stuff like this aw man i thought i came up with this idea 
|
|
#
?
May 3, 2018 23:26
|
|
|
ate all the Oreos posted:aw man i thought i came up with this idea we both did!
|
|
#
?
May 3, 2018 23:27
|
|
|
anthonypants posted:apparently twitter thought they didn't need to tell anyone about the password disclosure https://twitter.com/paraga/status/992135139994943488 im the CTO of twitter that doesn't even have a blue check
|
|
#
?
May 3, 2018 23:28
|
|
|
|
| # ? May 4, 2024 02:16 |
|
|
Subjunctive posted:we both did! yeah but you used it in actual production code and i used it in a dumb hobby project from 10 years ago so i think you win 
|
|
#
?
May 3, 2018 23:29
|
|