@ryanc I was actually thinking whether some (not so) fancy crypto could be used to pass some instead of a bool that the attacker can't forge, then realized reverse proxy configs are not exactly designed to implement such transformations in the first place :)
Nonetheless, this is an illustrative example that unless we point to some robust solution, people *will* come up with complex but insecure solutions (see also Schneier's Law).
@screaminggoat @zeljkazorz @GossiTheDog "However, due to inadequate server configurations, attacks become possible if *the serialized data is not verified* (CWE-642)" - this sounds more like disabled MAC than leaked key to me
@GossiTheDog 1) 3000 is not a big number on the Internet (quality matters though) 2) This is an overestimation because not all keys are useful (as the captured text also implies)
I haven't touched ASP.NET for a while, but I'd risk saying that app configuration also affects exploitability as i) not all apps rely on signed ViewState (IIRC) ii) deserialization gadgets are not universal.
These are of course solvable problems, but still need to be taken into account for risk assessment.
@GossiTheDog That is technically true, but scanners already look for exposed web.configs, so any affected but not already exploited Internet-facing sites would be simultaneously extremely negligent and lucky.
- They come without all the invasive crap of smart phones
- They boost creativity
- They teach user interfaces and controls outside "push shiny moving button"
- They teach basic software concepts like files (yes, knowing about files is a skill) and how to move them around
"One enduring complication with all this is that scraping happens all the time for reasons that people *don’t* find inherently objectionable, and in fact support—the Wayback Machine, all kinds of public health and extremism research, etc. The mistake was assuming that goodwill transfers.
A key problem in the Disc Horse (and policy to a lesser extent) is reminding people that scraping as a technological process is Important, Actually, for all the things You Think Are Good, and any proposed solutions to curtail GAI training uses need to be VERY narrowly tailored to not impact those.
All the proposed solutions so far have had some critical flaw that makes them unworkable.
Manual consent? Ok, how do we implement that at scale? robots.txt style flags are fine, but they’re also not legally binding—and that’s good! If they were, Wayback wouldn’t be able to index!
So exclusion protocols can be ignored, For Good Reason. “What if we give an exclusion protocol the force of law for this specific use?” Closer, but there’s active debate in the courts about whether this is all a fair use, and if the answer is “yes,” then it doesn’t matter
…then best case scenario the tags are rendered null (because you can’t legally override fair use), and worst case you’ve just recreated a DMCA 1201 style lockout trick, and we have spent the last 25 years seeing just how incredibly those fuck up everything around them."
@GossiTheDog @reverseics @cR0w But could *non-admin* users access the DB of *other* users? SQLite or not, this should not be possible (in general...). If it was possible back then (as it was suggested by you and articles based on your comments), then now would be the best time for all to see what the problem was to check if the same or similar problem is present in the implementation that is to be released.