Thought it was 0 0/2 * * * at first lol
qqq@lemmy.world to Selfhosted@lemmy.world • Promised myself I will support them after they go stable. They kept their promise and so did I
6 · 3 months ago
If this is happening via a VPN you almost definitely already have transit encryption
qqq@lemmy.world to Programmer Humor@programming.dev • we did a little bit of branch fuckery
28 · 4 months ago
Look at this person over here using branches, show off
For loops with find are evil for a lot of reasons, one of which is spaces:

```
$ tree
.
├── arent good with find loops
│   ├── a
│   └── innerdira
│       └── docker-compose.yml
└── dirs with spaces
    ├── b
    └── innerdirb
        └── docker-compose.yml

3 directories, 2 files
$ for y in $(find .); do echo $y; done
.
./are t good with fi d loops
./are t good with fi d loops/i erdira
./are t good with fi d loops/i erdira/docker-compose.yml
./are t good with fi d loops/a
./dirs with spaces
./dirs with spaces/i erdirb
./dirs with spaces/i erdirb/docker-compose.yml
./dirs with spaces/b
```

You can kinda fix that with IFS (this breaks if newlines are in the filename which would probably only happen in a malicious context):

```
$ OIFS=$IFS
$ IFS=$'\n'
$ for y in $(find .); do echo "$y"; done
.
./arent good with find loops
./arent good with find loops/innerdira
./arent good with find loops/innerdira/docker-compose.yml
./arent good with find loops/a
./dirs with spaces
./dirs with spaces/innerdirb
./dirs with spaces/innerdirb/docker-compose.yml
./dirs with spaces/b
$ IFS=$OIFS
```

But you can also use something like:

```
find . -name 'docker-compose.yml' -printf '%h\0' | while read -r -d $'\0' dir; do .... done
```

or in your case this could all be done from `find` alone:

```
find . -name 'docker-compose.yml' -execdir ...
```

`-execdir` in this case is basically replacing your `cd $(dirname $y)`, which is also brittle when it comes to spaces and should be quoted: `cd "$(dirname "$y")"`.
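An added example, not part of the original comment: it builds a constructed temp tree with a space and a newline in directory names, then compares the word-split `for` loop with a portable `find -exec sh -c` form that also survives the newline case the IFS fix does not. The function names and the tree layout are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample tree: one directory name with spaces, one with a newline.
make_tree() {
    root=$(mktemp -d) || return 1
    nl_dir="$root/$(printf 'new\nline')"
    mkdir -p "$root/dirs with spaces/innerdirb" "$nl_dir/innerdira"
    : > "$root/dirs with spaces/innerdirb/docker-compose.yml"
    : > "$nl_dir/innerdira/docker-compose.yml"
    printf '%s\n' "$root"
}

# Brittle form: the unquoted $(find ...) is word-split on spaces and newlines,
# so the loop sees path fragments. Prints how many of them are real files.
naive_count() {
    n=0
    for y in $(find "$1" -name docker-compose.yml); do
        if [ -f "$y" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# Robust form: find hands each path to sh as its own argument, so no splitting
# happens. ${f%/*} strips the file name without a command substitution, which
# would drop trailing newlines from the directory name.
safe_count() {
    find "$1" -name docker-compose.yml -exec sh -c '
        for f do
            # Subshell keeps the cd local, like -execdir would.
            ( cd "${f%/*}" && [ -f ./docker-compose.yml ] && printf x )
        done' sh {} + | wc -c | tr -d ' '
}

tree_root=$(make_tree)
echo "naive loop found: $(naive_count "$tree_root")"
echo "find -exec found: $(safe_count "$tree_root")"
rm -rf "$tree_root"
```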
Not exactly “memory address 0”; there be dragons there. https://c-faq.com/null/index.html
I love nix and NixOS, but yes the documentation is incredibly insufficient. I’d recommend a normal distro + the nix package manager first for a personal laptop. You have to be ok occasionally taking a detour to learn how to build some random program from source in a sandbox with no networking every once in a while so it’s kinda clunky as a daily use OS imo. It shines on servers though
NixOS is fun but requires tinkering for a desktop/laptop. You can use the nix package manager on any other distro though. At work I use Fedora and still use the nix package manager a ton when I want to, but I’m not locked into it when something needs to just work quickly. I have NixOS on my personal laptop and I kinda wish I didn’t. I have it on my home server and I’m very happy I did that.
qqq@lemmy.world OP to Programming@programming.dev • Vulnerable Claude code in GitHub action led to stolen NPM keys
6 · 5 months ago
The command injection in the GitHub action code was written by Claude[1]. That was used to get the NPM key and then malware was pushed to NPM.
They’re likely using NixOS. It makes `/usr/bin/env` and `/bin/sh` for compatibility but nothing else goes in those dirs
qqq@lemmy.world to Programmer Humor@programming.dev • I wonder if this was made by AI or a shit programmer
3 · 6 months ago
Yes social engineering can be incredibly effective. I completely agree, but there is a bit of an obsession with it these days and imo it’s over indexed, because at the end of the day the type of social engineering detailed in that report typically just provides access.
In some cases, the target is important enough and has enough organizational power that accessing the network as them is sufficient, but that’s not often the case. What that means is that in those other cases social engineering (which in that report you cited is often just phishing) is providing, typically, internal network access. An attacker will have to move through the network and exploit software typically to continue their attack. There are many points in this chain that the weakness lies in software or configuration. If effort was placed on making those systems better it would likely see better results than hyper focusing on the social engineering, which is significantly more difficult to stop, especially with all of the things you mentioned on the horizon.
My point is then that even if it is a part of 74% of breaches, according to Verizon, it’s not necessarily sufficient and is often paired with software level exploits.
And I know this because my company does plenty of red teaming, and we use social engineering but at the end of the day the more interesting result comes from a software exploit or just abusing a weak configuration.
qqq@lemmy.world to Programmer Humor@programming.dev • I wonder if this was made by AI or a shit programmer
3 · 6 months ago
I have found the exact same type of bug shown here probably over a dozen times, most of those long before AI was writing code.
qqq@lemmy.world to Programmer Humor@programming.dev • I wonder if this was made by AI or a shit programmer
413 · 6 months ago
Not a big fan of the wording here. Plenty of skilled programmers make dumb mistakes. There should always be systems in place to ensure these dumb mistakes don’t make it to production. Especially when related to sensitive information. Where was the threat model and the system in place to enforce it? The idea that these problems are caused by “shit programmers” misses the real issue: there was either no system or an insufficient system to test features and define security requirements.
qqq@lemmy.world to Programmer Humor@programming.dev • I wonder if this was made by AI or a shit programmer
225 · 6 months ago
I work in security and I kinda doubt this. There are plenty of issues just like what is outlined here that would be much easier to exploit than social engineering. Social engineering costs a lot more than `GET /secrets.json`.

There is good reason to be concerned about both, but 95% sounds way off and makes it sound like companies should allocate significantly more time to defend against social engineering, when they should first try to ensure social engineering is the easiest way to exploit their system. I can tell you from about a decade of experience that it typically isn’t.
qqq@lemmy.world to Programmer Humor@programming.dev • AI cannot replace humans spiteful spirit
2 · 7 months ago
Agreed
qqq@lemmy.world to Programmer Humor@programming.dev • AI cannot replace humans spiteful spirit
10 · 7 months ago
Not really, but I’d probably try to organize those into sub structures where it made sense. A data structure holding the UI state and FFT data all flat is kinda messy imo since it becomes unclear what is actually required where.
Alternatively, use your shell however you want. And `which` isn’t POSIX so I wouldn’t use that in a shell script you intend to share.
I don’t really find it infuriating and I don’t think that makes me part of a problem. Self diagnosis can sometimes trivialize the people actually suffering from the problem, and there can be real harm there. So I definitely agree with you to some extent. But some people are so hungry for community that self diagnosing some problem like ADHD makes them part of something else. That’s sad to me, but not infuriating.
I do understand that mislabeling normal things as a mental health issue can be problematic. I wish you didn’t assume I thought otherwise from our small exchange. My point of responding was that I find it really annoying when people say “well everyone does or feels X so there’s nothing wrong with you”. I think that also does a lot of damage to people.
I’d say that the person on display in the comic doesn’t seem to be showing “normal” or “healthy” procrastination to me, but there is room for disagreement I guess.
Wow, people are so extreme on the Internet. One comment saying maybe take a step back and we’re already at “fucking stupid”.
This comic is relevant to general human experience and ADHD, both are true and valid. The comic didn’t tell people to self diagnose and no one here has told anyone to self diagnose.


Just fyi containers use `pivot_root` not `chroot`