Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://provably.online/users/ktemkin/statuses/113866065234043513">Kate Temkin (ktemkin@provably.online)'s status on Tuesday, 21-Jan-2025 21:27:08 JST</a><a href="https://provably.online/@ktemkin" title="ktemkin@provably.online"><img src="https://gnusocial.jp/avatar/315096-48-20250112164409.webp" width="48" height="48" alt="Kate Temkin" style="position: absolute; left: 0; top: 0;">Kate Temkin</a><div><a href="https://infosec.exchange/@dymaxion/113865631643957529" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://infosec.exchange/@dymaxion" rel="nofollow noreferrer">@dymaxion</a> threat models still apply to all of these things; they're literally what you use to determine <u>where</u> you spend the limited time you can spend on security (whether that's training coders, auditing code, choosing what to harden, etc etc)</p><p>folks can lecture for days about how parser bugs creating weird machines is a serious threat, but if the parser is parsing some saved configuration flash on my digital stylus, chances are the worst that could come of any attack is a bricked stylus. </p><p>if you've spent your limited time and energy making sure that's ultra-audited because it's a parser, you're taking time away from things like "realizing that the auth token included in the GET requests for the firmware updater actually also has permissions to fetch and overwrite other products' files"</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4409293#notice-8641181">In conversation</a><time datetime="2025-01-21T21:27:08+09:00" title="Tuesday, 21-Jan-2025 21:27:08 JST">about 4 months ago</time> <span>from <span><a href="https://gnusocial.jp/notice/8641181" rel="external" title="Sent from gnusocial.jp via ActivityPub">gnusocial.jp</a></span></span><a href="https://gnusocial.jp/notice/8641181">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Kate Temkin (ktemkin@provably.online)'s status on Tuesday, 21-Jan-2025 21:27:08 JSTKate Temkin
in reply to
- Eleanor Saitta
@dymaxion threat models still apply to all of these things; they're literally what you use to determine where you spend the limited time you can spend on security (whether that's training coders, auditing code, choosing what to harden, etc etc)
folks can lecture for days about how parser bugs creating weird machines is a serious threat, but if the parser is parsing some saved configuration flash on my digital stylus, chances are the worst that could come of any attack is a bricked stylus.
if you've spent your limited time and energy making sure that's ultra-audited because it's a parser, you're taking time away from things like "realizing that the auth token included in the GET requests for the firmware updater actually also has permissions to fetch and overwrite other products' files"
In conversationabout 4 months ago from gnusocial.jppermalink

Public

Embed Notice

HTML Code

Corresponding Notice