Untitled attachment


Notices where this attachment appears

  1. David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Wednesday, 26-Mar-2025 22:08:10 JST

    I really like capability systems, but 'capability' is a terrible name.

    In normal English, a capability is something intrinsic. If you have the capability to run a four-minute mile, it's something that you can do. You don't need some token to enable you to do it.

    In a capability system, holding a capability doesn't grant you the ability to do the thing implicitly, it requires you to present the authorising capability when you try the action. This is one of the core advantages of capability systems over other kinds of access control. They respect the principle of intentional use. It's not enough that you have a capability to do a thing, you must use the correct capability when you try to do the thing. This eliminates a whole set of possible confused-deputy attacks.

    Capabilities are more like inventory items in an adventure game. Just having them in the inventory doesn't let you solve a puzzle, you must use the correct inventory item on the correct object to solve the puzzle.

    I can't think of a better word. 'Tool' might work (except that it's almost as bad as that time some French people named a theorem prover). Saying 'I don't have the right tool to accomplish this task' makes sense in English as a 'I need to hold this thing and use it correctly', whereas 'I don't have the capability to accomplish this task' sounds like you're talking about ambient authority.

    Are there better words? Maybe something in another language?

  2. Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 04-Dec-2024 01:18:20 JST

    NoName UK impact for the day - 3 of the 5 council websites targeted are still down

    For some reason NoName still target liverpool.gov.uk, which has had working mitigations for well over a year. They still pretend to their supporters they DDoS that one, but never do. They don't even bother to change their attack config.

    Keighley literally redirected their site to a site with "DDoS" in the name.

    In private companies/orgs, 3 of the 8 orgs are still down. Albion 8% uptime.

    #NoName #threatintel

  3. Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 19-Mar-2024 19:23:19 JST

    Are you still here? Okay, well, if you don't understand...

    • I am nonbinary.
    • "Mx" is a gender neutral title/honorific which I use.
    • In technology, an "MX record" identifies how to send email to an address based on its domain name.
    • In that instance, "MX" stands for "Mail eXchanger".
    • I run a private email server for myself.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.