deedasmi

Computers and Cat Toys. Equality and enshittification.

deedasmi boosted:
daniel:// stenberg://bagder
2025-05-01

We got this "HIGH security problem" reported for earlier today:

"The -o / --output parameter in cURL does not restrict or sanitize file paths. When passed relative traversal sequences (e.g., ../../), cURL writes files outside the current working directory, allowing arbitrary file overwrite. In automated or privileged environments (CI/CD, root containers), this leads to Remote Code Execution (RCE), privilege escalation, and supply chain risk."

Never a dull moment.

2025-03-13

@SynAck it’s not bad. Didn’t really click for me this year. The pacing was meh. A noticeable amount of time was spent watching the same clip of the same quote from the same interview.

2025-01-29

@davidr hah, don’t worry about the false positives. It’s like silly memory games and reaction time tests. One is literally like “hit the space bar when you see an x, but only an x”. All of them are rather indirect. They are testing your brain, not your consciousness.

deedasmi boosted:
daniel:// stenberg://bagder
2024-12-15

FYI: CVE-2024-11053 is *not* a critical security flaw, even if now several security related sites repeat that statement.

This is as good as any reminder that you should read the advisories for issues rather than trusting the scaremongers.

curl.se/docs/CVE-2024-11053.ht

(edit: I wrote an extra '1' in there at first)

2024-12-10

@siliconshecky EDR is probably the best improvement in cyber security for enterprise in over a decade. Not sure why it would be unpopular. Live response/RTR and network containment actions have changed the game for us.

Just wish the Mac and Linux clients had remotely telemetry parity.

2024-11-09

Always fun when you click a button and your power goes out. Takes a second to think “did I do that?”

2024-10-26

2 minutes left in Q1, 9 different constructors were in the top 10.

End of Q1 it’s 8 constructors. #Haas is one of the duplicates. Wild Q1. #f1 #MexicoGP

2024-10-06

@hacks4pancakes I’ve interviewed as an Operator for both NSA and CIA, and about half the time I tell someone they ask what I did to get “noticed”. I went to their booth at a career fair. I applied on the website. I did an interview and a technical test. I didn’t hack anything (that I wasn’t allowed to). It’s a job. You apply and get it or don’t lol.

2024-09-14

A surprisingly interesting (and hilarious) qualifying. #f1 #formula1

2024-09-06

Just reviewed some #resumes from people who have either rotated into my team before or are actively contractors doing the work today and the resumes are so badly built and ugly it makes me seriously consider the nice and strong resume of someone I’ve never worked with. #infosec #cybersecurity #management

2024-08-11

Very glad we tried that shit in the pre season haha #chiefs

2024-08-05

@stolas I can’t open it right now. Final paper due this week. If I do it’ll be 8 hours later and I’ll have lost all my time.

2024-08-03

@dragonarchitect I’m currently boycotting factorio 2 news and Friday facts because I want to go in blind haha.

2024-08-03

@dragonarchitect having played thousands of hours of factorio, I still haven’t ever built a successful city block style layout. Perfection is the enemy of progress and all that.

I also like playing with biters turned up and modded harder. Without that I get bored. But that is one of the things that makes the game so beautiful, in that it naturally enables multiple playstyles without any gimmicks.

2024-07-30

Have 7 days to do assignment worth 40% of total grade. Literally can’t bring myself to start it because it won’t take me 7 days to do. Fuckin #ADHD demands I wait until it’s actually last minute.

2024-07-28
2024-07-26

Built a #cat tree. They are more interested in the tree than the box. I’ll call that a success.

2024-07-24

Just saw a kid carrying a desktop with a glass side panel loaded up with LEDs with his mom into micro center. Pour one out for another lost in the line of duty. #gaming #helpdesk

2024-07-24

@chiefgyk3d ask why they didn’t have “integration tests”. Cause I’m not a developer by trade, but even I know you can’t test pieces individually.

2024-07-24

@chiefgyk3d I saw, but if you read between the lines their interpreter/validator passed unit tests so they pushed configuration change with no testing. Even listed “local developer testing” as an improvement point. My CTO/COO is going to rip them a new one in the most pleasant and professional manner and I’m sad to miss it.
