As far as I can tell the only known vector so far is messing with terminal escape sequences which are of questionable utility, but the patch may be part of some more complex scheme. Maybe the plot was to first fall back to vanilla fprintf(), then remove the format string parameter ina later patch (which didn't happen)?
@finestructure@inthehands I heard a legend about a lab exercise at our uni where students were tasked to figure out the contents of a box by electrical measurements on some external connectors. Sometimes the box contained a potato wired up.
@ret2bed@feld@jomo@lorenzofb I'm genuinely curious if there is some standard risk assessment practice to take into account that compromise of n% of users would provide access to data of, say (n^2)% of users (that function obviously doesn't work but you get the idea)?
Same question whether there are best practices for determining a threshold for "enforce MFA" or is it just "if you got breached, you definitely should've enforced it"?
@feld@lorenzofb@ret2bed@jomo Ahh of course, AAL's! The fact that they didn't come to my mind is a proof that I'm doing this holiday thing right...
Thanks, this mostly settles the question, although I still find the question of "cascading impact" interesting - I'll probably read up on 800-63 again about this!
@feld@lorenzofb@ret2bed@jomo Sure, regulatory compliance most probably won't go into this detail, but if we expect companies to make the right calls it seems fair to have some pointers for them about what "right" actually means.
Maybe requiring an extra special character in all passwords would've also mitigated all this, but I don't think that would've been the right way to go.
@stf it's nice to see they are willing to correct themselves, but I still won't put too much trust to a platform where ideology can so easily override reason. Do the ppl who were bullied to abandon their search projects get an apology now?