Notices by buherator (buherator@infosec.place)
-
Embed this notice
buherator (buherator@infosec.place)'s status on Monday, 20-Jan-2025 23:04:43 JST 
buherator
Serious question: Is there an open-source 2D printer (the type with paper and ink)?
If not, why not? Is there some serious production bottleneck that only HP&co can meet? -
Embed this notice
buherator (buherator@infosec.place)'s status on Monday, 13-Jan-2025 16:24:51 JST
buherator
"Even if I wanted to improve the app, I really didn't understand how to achieve the increasingly difficult goal I was aiming for. So, rather than writing an automation script that helped me skip over /the hard details/ I focused on learning the science I was trying to ignore."
https://seclists.org/dailydave/2025/q1/3
#fuzzing #llm -
Embed this notice
buherator (buherator@infosec.place)'s status on Monday, 13-Jan-2025 02:03:58 JST
buherator
Old digital cameras turn out to be great for kids:
- They come without all the invasive crap of smart phones
- They boost creativity
- They teach user interfaces and controls outside "push shiny moving button"
- They teach basic software concepts like files (yes, knowing about files is a skill) and how to move them around
And probably more.
Coming up next: MP3 players!
#parenting -
Embed this notice
buherator (buherator@infosec.place)'s status on Thursday, 26-Dec-2024 00:18:45 JST
buherator
What are the online #book stores that are neither a) monopolistic giants built on enshittification nor b) copyright bullies?
If I ask for a unicorn, which ones do at least give authors a more fair share for their work? -
Embed this notice
buherator (buherator@infosec.place)'s status on Thursday, 26-Dec-2024 00:18:42 JST
buherator
@stf @pluralistic @cstross I learned at Bsky that at least author royalties are independent from distributors which is good news!
https://bsky.app/profile/notaname.info/post/3le53oer4hk24 -
Embed this notice
buherator (buherator@infosec.place)'s status on Sunday, 01-Dec-2024 20:28:32 JST
buherator
@brewsterkahle Finally giving up on quality? -
Embed this notice
buherator (buherator@infosec.place)'s status on Thursday, 28-Nov-2024 02:26:14 JST
buherator
@mrose.ink.bsky.social said it perfectly:
https://bsky.app/profile/mrose.ink/post/3lbwpud2mes2n
"One enduring complication with all this is that scraping happens all the time for reasons that people *don’t* find inherently objectionable, and in fact support—the Wayback Machine, all kinds of public health and extremism research, etc. The mistake was assuming that goodwill transfers.
A key problem in the Disc Horse (and policy to a lesser extent) is reminding people that scraping as a technological process is Important, Actually, for all the things You Think Are Good, and any proposed solutions to curtail GAI training uses need to be VERY narrowly tailored to not impact those.
All the proposed solutions so far have had some critical flaw that makes them unworkable.
Manual consent? Ok, how do we implement that at scale? robots.txt style flags are fine, but they’re also not legally binding—and that’s good! If they were, Wayback wouldn’t be able to index!
So exclusion protocols can be ignored, For Good Reason. “What if we give an exclusion protocol the force of law for this specific use?” Closer, but there’s active debate in the courts about whether this is all a fair use, and if the answer is “yes,” then it doesn’t matter
…then best case scenario the tags are rendered null (because you can’t legally override fair use), and worst case you’ve just recreated a DMCA 1201 style lockout trick, and we have spent the last 25 years seeing just how incredibly those fuck up everything around them." -
Embed this notice
buherator (buherator@infosec.place)'s status on Monday, 11-Nov-2024 02:28:47 JST
buherator
@GossiTheDog @reverseics @cR0w But could *non-admin* users access the DB of *other* users? SQLite or not, this should not be possible (in general...). If it was possible back then (as it was suggested by you and articles based on your comments), then now would be the best time for all to see what the problem was to check if the same or similar problem is present in the implementation that is to be released. -
Embed this notice
buherator (buherator@infosec.place)'s status on Monday, 11-Nov-2024 02:05:31 JST
buherator
@GossiTheDog @reverseics @cR0w Great you chime in! Any plans to release that x-user Recall exploit you talked about?
https://infosec.place/notice/AieinAN5CpyKNShdvE -
Embed this notice
buherator (buherator@infosec.place)'s status on Monday, 11-Nov-2024 01:25:46 JST
buherator
#directoryTraversalMemes seem to become a classic, but I wonder if anyone has a list of specific payloads that trigger the different vulnerabilities of recent memory?
/cc @reverseics @cR0w -
Embed this notice
buherator (buherator@infosec.place)'s status on Saturday, 10-Aug-2024 03:23:36 JST
buherator
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1&s=09
Latest by Orange Tsai! -
Embed this notice
buherator (buherator@infosec.place)'s status on Saturday, 04-May-2024 21:38:10 JST
buherator
@GossiTheDog Medium's half-screen sign-up form certainly doesn't help with audience conversion. Just a tip. -
Embed this notice
buherator (buherator@infosec.place)'s status on Friday, 05-Apr-2024 16:59:11 JST
buherator
Finally a sane discussion about that safe_fprintf() -> fprintf() patch in libarchive:
https://www.openwall.com/lists/oss-security/2024/04/03/17
As far as I can tell the only known vector so far is messing with terminal escape sequences which are of questionable utility, but the patch may be part of some more complex scheme. Maybe the plot was to first fall back to vanilla fprintf(), then remove the format string parameter ina later patch (which didn't happen)? -
Embed this notice
buherator (buherator@infosec.place)'s status on Monday, 19-Feb-2024 03:38:54 JST
buherator
@finestructure @inthehands I heard a legend about a lab exercise at our uni where students were tasked to figure out the contents of a box by electrical measurements on some external connectors. Sometimes the box contained a potato wired up. -
Embed this notice
buherator (buherator@infosec.place)'s status on Saturday, 03-Feb-2024 01:06:34 JST
buherator
[RSS] Your Security Program Is Shit
#vent
https://crankysec.com/blog/shite/ -
Embed this notice
buherator (buherator@infosec.place)'s status on Tuesday, 30-Jan-2024 21:52:20 JST
buherator
I guess I have to add another item to my "reflective XSS exploited in the wild" list (still less than 5 elements though)
https://blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/ -
Embed this notice
buherator (buherator@infosec.place)'s status on Thursday, 04-Jan-2024 09:28:55 JST
buherator
@ret2bed @feld @jomo @lorenzofb I'm genuinely curious if there is some standard risk assessment practice to take into account that compromise of n% of users would provide access to data of, say (n^2)% of users (that function obviously doesn't work but you get the idea)?
Same question whether there are best practices for determining a threshold for "enforce MFA" or is it just "if you got breached, you definitely should've enforced it"? -
Embed this notice
buherator (buherator@infosec.place)'s status on Thursday, 04-Jan-2024 07:07:46 JST
buherator
@feld @lorenzofb @ret2bed @jomo Ahh of course, AAL's! The fact that they didn't come to my mind is a proof that I'm doing this holiday thing right...
Thanks, this mostly settles the question, although I still find the question of "cascading impact" interesting - I'll probably read up on 800-63 again about this! -
Embed this notice
buherator (buherator@infosec.place)'s status on Thursday, 04-Jan-2024 06:48:32 JST
buherator
@feld @lorenzofb @ret2bed @jomo Sure, regulatory compliance most probably won't go into this detail, but if we expect companies to make the right calls it seems fair to have some pointers for them about what "right" actually means.
Maybe requiring an extra special character in all passwords would've also mitigated all this, but I don't think that would've been the right way to go. -
Embed this notice
buherator (buherator@infosec.place)'s status on Sunday, 27-Aug-2023 21:17:35 JST
buherator
@stf it's nice to see they are willing to correct themselves, but I still won't put too much trust to a platform where ideology can so easily override reason. Do the ppl who were bullied to abandon their search projects get an apology now?
All GNU social JP content and data are available under the