Notices by buherator (buherator@infosec.place)
buherator (buherator@infosec.place)'s status on Monday, 22-Sep-2025 05:31:16 JST
@inthehands @timbray my first thought too, but if electron is compromised obsidian would not be among our primary concerns (esp. because according to this policy they would likely not update before the incident is noticed). So I think electron is more of an attack surface problem than a supply chain one.
buherator (buherator@infosec.place)'s status on Monday, 08-Sep-2025 21:33:02 JST
@h0ng10 @micahflee This is a fairly common mistake too and causes a lot of bullshit work for security teams. A banner string (*especially* in case of Apache HTTPd) doesn't mean anything, so unless you can demonstrate the presence of a vulnerability this is nothing (aka PoC||GTFO).
(edited) In addition, the cited CVE-2024-38476 requires a *malicious backend* to be exploitable:
https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-en/
buherator (buherator@infosec.place)'s status on Tuesday, 02-Sep-2025 21:22:41 JST
@GossiTheDog @MisuseCase I mean CTXS stock
buherator (buherator@infosec.place)'s status on Tuesday, 02-Sep-2025 20:47:58 JST
@GossiTheDog @MisuseCase Neat! It'd be cool to show threats drive down product use predictably! Stocks, on the other hand, seem pretty stable, so I still don't know what this all tells about the market...
buherator (buherator@infosec.place)'s status on Tuesday, 02-Sep-2025 20:32:48 JST
@MisuseCase @GossiTheDog I also think this is the true cause of the decline, vulns probably just correlate (evidence: every other product with frequent ItW vulns)
buherator (buherator@infosec.place)'s status on Tuesday, 19-Aug-2025 11:21:16 JST
Can You Write A Web Server in PURE BASH?! (no socat, no netcat, no external tools) 🍿
https://www.youtube.com/watch?v=L967hYylZuc
buherator (buherator@infosec.place)'s status on Friday, 01-Aug-2025 02:43:59 JST
@jschauma maybe that's why furries are overrepresented in reliable IT projects?
buherator (buherator@infosec.place)'s status on Tuesday, 17-Jun-2025 02:51:22 JST
[oss-security] CVE-2025-4748: Erlang/OTP 17.0–28.0.0 absolute-path traversal in zip:unzip/zip:extract
https://www.openwall.com/lists/oss-security/2025/06/16/5
Exquisite bug!
buherator (buherator@infosec.place)'s status on Wednesday, 28-May-2025 21:12:33 JST
[RSS] Inside GitHub: How we hardened our SAML implementation
https://github.blog/security/web-application-security/inside-github-how-we-hardened-our-saml-implementation/
buherator (buherator@infosec.place)'s status on Sunday, 18-May-2025 04:59:41 JST
This could be us but you vibe coding
https://suberic.net/~dmm/projects/mystical/README.html
h/t @neauoire
buherator (buherator@infosec.place)'s status on Thursday, 15-May-2025 04:47:07 JST
"Are Pinky and the Brain still trying to take over the world? Because at this point I'm willing to hear them out."
buherator (buherator@infosec.place)'s status on Thursday, 15-May-2025 04:47:04 JST
Orbán’s Fidesz party proposes Russia-style crackdown on Hungary’s civil society
https://www.politico.eu/article/viktor-orban-fidesz-party-hungary-russia-democracy-transparency-public-life-civil-society/
The darkest times of my life in #Hungary.
buherator (buherator@infosec.place)'s status on Thursday, 17-Apr-2025 03:22:22 JST
Unauthenticated Remote Code Execution in Erlang/OTP SSH
https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
Not many details and unfortunately I don't know much Erlang (yet), but this one seems pretty interesting!
CVE-2025-32433
buherator (buherator@infosec.place)'s status on Tuesday, 08-Apr-2025 20:54:51 JST
@GossiTheDog @sadarex And managers at the receiving end are complicit because...?
buherator (buherator@infosec.place)'s status on Tuesday, 08-Apr-2025 20:54:49 JST
@sadarex @GossiTheDog Who is firing them? Is it DOGE? Can they do that?
buherator (buherator@infosec.place)'s status on Tuesday, 08-Apr-2025 19:43:34 JST
@GossiTheDog Excuse my EU ignorance, but what authority does DOGE have over random agencies' HR decisions?
buherator (buherator@infosec.place)'s status on Tuesday, 08-Apr-2025 19:43:32 JST
@sadarex @GossiTheDog Ummm OK, so a newly created dept can take away money from DHS bypassing congress/senate/president? And this is constitutional? o.O
buherator (buherator@infosec.place)'s status on Sunday, 06-Apr-2025 03:51:07 JST
@VeroniqueB99
buherator (buherator@infosec.place)'s status on Friday, 04-Apr-2025 01:25:40 JST
@cR0w How can this company still exist?
buherator (buherator@infosec.place)'s status on Friday, 04-Apr-2025 01:25:38 JST
@mttaggart @cR0w I don't want unicorns, I just would like to see that shitty security QA has consequences on the market, regardless of technology.