
Wolf480pl @Wolf480pl@niu.moe

>on an embedded IoT board with some low-power ARM and 512MB RAM or less
good luck.

@deshipu that's not a good analogy, unless you have no fence around your house and your garage is wide open.

@tinker from what type of attack does removing JTAG actually protect you?

@deshipu well, IMO things like "I found a remote code execution in this internet-exposed server, didn't go deeper, reported the vulnerability" shouldn't be called hacking attempts either. And people who stumbled upon it shouldn't be blamed for it.

@deshipu that depends on your threat model.

well... no.
But if you forget to install a lock in your door, that is a vulnerability.
Actually, when you forget to lock your door, it is a vulnerability in your process of leaving home. The problem is not that you didn't lock the door, it's that you're likely to do it again, because you haven't developed a strong habit of closing the door.

@quad looks more gloomy than the previous one. Reminds me of asie's fading-away-hakase avatars - he'd put more white noise on his avatar when he felt worse.

Wolf480pl boosted

I blame node.js and Rails for the global memory shortage that keeps prices sky high

@deshipu oh, I'm sure everyone thoroughly documents every configuration mistake they make.
In this big spreadsheet where all their servers and their IP addresses are, they document every port they expose on each server, even if they expose it by mistake, right?

@pcachu @taiz and waste their time and energy being outraged because someone something on twitter? That's what the socnets and professional trolls want you to do - spend your time being outraged instead of doing something useful.

@deshipu IMO the latter (eg. if (goodhash = hash(pass)) instead of if (goodhash == hash(pass))) is IMO a vulnerability, not a bad decision or mistake in configuration.

@deshipu @jollysea
leaving your mongodb port exposed to the internet is also a mistake.
It's offering a service you shouldn't offer.

Not checking password in your authentication code is also a mistake. It's letting in people that shouldn't be let in.

Are you going to say these things aren't vulnerabilities either?
If not, where do you draw a line?

@phessler won't these same accountants do stuff like "do we really need to give a /64 to each customer, can't we just give them /112s? this will allow us to remove a ton of addresses...."

Wolf480pl boosted

@phessler or /96s while we're at it. Or /112s and tell customers to disable privacy extensions.

@phessler still, I don't see why ISPs wouldn't start handing out /80s instead of /64s to their customers next week.

Wolf480pl boosted

Hi! We notice you're driving past our bookstore!

That's great, but you have your car windows closed. Would you mind opening your windows? We'd like to fill your car with wasps and locusts.

Now just one minute. Filling strangers' cars with wasps and locusts is how we pay our bills. Do you want us to starve?

We understand you may have had some bad experience with other wasp-and-locust providers. Some low-quality locusts got in the mix. But that's all been sorted out now!

Window. Open it.

Free Software Horror Story

Wolf480pl boosted

"The Plural of Anecdote is Not Data"