One step closer to container breakout? Gaining root access give you a bigger attack surface for kernel exploits.
I cannot answer for all the program owners, but I imagine that there are other concerns than reproducibility
The policies states it’s not allowed to use automated tools, not to submit report using automated tools alone. Human review does not really change that.
«XBOW submitted nearly 1,060 vulnerabilities. All findings were fully automated, though our security team reviewed them pre-submission to comply with HackerOne’s policy on automated tools» That seems a bit unethical.…
I looked through most of the charts, and I it seems like you cannot get the best of two worlds. Can you get good edge retention, ease of sharpening and toughness at the same time? It would be nice with an example on how…
I love term how it plays on the words and the negative association we have with anti-personell mines If we could have a ban on anti-personell computers…
I get a cloudflare puzzle when I try to visit this link :(
Ed Martin seems like a SME when he himself has been influenced by foreign agencies and spoke their case.
Link is paywalled. Not possible to read
We do not know why you are in jail, but because you are in jail you must have done something bad. We cannot just let bad people roam freely
We all are
So, they are basically saying that bash is vulnerable to arbitrary command execution?
I would hope so, but on Tarlogics blog post, it is mentioned “modifying chips arbitrarily”, “infecting chips with malicious code”, “obtain confidential information stored on them”. Even though they rephrased the…
It it possible to create firmware that is encrypted and cannot be read out. Espressif state there is no security issues, but I have a feeling that these debug commands may be used to read out the flash of a properly…
There was someone that figured out how to detect if the output was piped or not to bash on the webserver, can consider the fact and chose to be malicious or not
My understanding of the article is that it was about shutting down the program that keeps the nuclear navy afloat, not about a backdoor with a switch to turn off the arsenal
Yeah, it says it will create an SVG in seconds, but seconds later, there is no SVG. Did not occur to me that I had to log in, but probably won’t as I cannot be bothered to follow black patterns…
I feel that dockerhub no longer can be the steward for the default docker repo because of this and the limitations they previously have implemented. It is time for them to hand over the baton stick to someone else, or…
Exactly this. And when a base image has a new release, all images based on this will also need an update
It is not immediately clear to me if the limit is per repo/package or globally in the hub. For instance, I fear it will not be possible to add a new kubernetes node to my cluster without hitting the limit as it would…
An old trick is to add a page to the robots disallow list, but the page should also be findable by crawlers. If a bot visits this page, you know it’s a bad actor.
Sounds like a job for nepenthes: https://news.ycombinator.com/item?id=42725147
Monitor access logs for links that only crawlers can find. Edit: oh, I got your point now.
I am curious of up to which level this manual is sound and become crazy
One step closer to container breakout? Gaining root access give you a bigger attack surface for kernel exploits.
I cannot answer for all the program owners, but I imagine that there are other concerns than reproducibility
The policies states it’s not allowed to use automated tools, not to submit report using automated tools alone. Human review does not really change that.
«XBOW submitted nearly 1,060 vulnerabilities. All findings were fully automated, though our security team reviewed them pre-submission to comply with HackerOne’s policy on automated tools» That seems a bit unethical.…
I looked through most of the charts, and I it seems like you cannot get the best of two worlds. Can you get good edge retention, ease of sharpening and toughness at the same time? It would be nice with an example on how…
I love term how it plays on the words and the negative association we have with anti-personell mines If we could have a ban on anti-personell computers…
I get a cloudflare puzzle when I try to visit this link :(
Ed Martin seems like a SME when he himself has been influenced by foreign agencies and spoke their case.
Link is paywalled. Not possible to read
We do not know why you are in jail, but because you are in jail you must have done something bad. We cannot just let bad people roam freely
We all are
So, they are basically saying that bash is vulnerable to arbitrary command execution?
I would hope so, but on Tarlogics blog post, it is mentioned “modifying chips arbitrarily”, “infecting chips with malicious code”, “obtain confidential information stored on them”. Even though they rephrased the…
It it possible to create firmware that is encrypted and cannot be read out. Espressif state there is no security issues, but I have a feeling that these debug commands may be used to read out the flash of a properly…
There was someone that figured out how to detect if the output was piped or not to bash on the webserver, can consider the fact and chose to be malicious or not
My understanding of the article is that it was about shutting down the program that keeps the nuclear navy afloat, not about a backdoor with a switch to turn off the arsenal
Yeah, it says it will create an SVG in seconds, but seconds later, there is no SVG. Did not occur to me that I had to log in, but probably won’t as I cannot be bothered to follow black patterns…
I feel that dockerhub no longer can be the steward for the default docker repo because of this and the limitations they previously have implemented. It is time for them to hand over the baton stick to someone else, or…
Exactly this. And when a base image has a new release, all images based on this will also need an update
It is not immediately clear to me if the limit is per repo/package or globally in the hub. For instance, I fear it will not be possible to add a new kubernetes node to my cluster without hitting the limit as it would…
An old trick is to add a page to the robots disallow list, but the page should also be findable by crawlers. If a bot visits this page, you know it’s a bad actor.
Sounds like a job for nepenthes: https://news.ycombinator.com/item?id=42725147
Monitor access logs for links that only crawlers can find. Edit: oh, I got your point now.
I am curious of up to which level this manual is sound and become crazy