• 0 Posts
  • 15 Comments
Joined 1 year ago
cake
Cake day: June 26th, 2023

help-circle
  • IANAL nor intelligent, but after skimming the text of the directive I felt like the definition of damage is very limited. In particular, if I understand correctly:

    our business to lose this giant contract

    would not be covered by this directive, this directive is only about a human being hurt in some way,

    thousands of consumers left with bricked devices

    would be covered in case of “your game installs a kernel-level anticheat and the anticheat breaks PCs”, but not in the case of “you uploaded an upgrade to a firmware of the washing machine you produced and it bricked the machines”; the directive is not about a product breaking, but about the product breaking your health, other property or data,

    my washing machine to eat my dog

    is basically the exact case this directive covers.



  • It seems OP wanted to pass the file name to -k, but this parameter takes the password itself and not a filename:

           -k password
               The password to derive the key from. This is for compatibility with previous versions of OpenSSL. Superseded by the -pass argument.
    

    So, as I understand, the password would be not the first line of /etc/ssl/private/etcBackup.key, but the string /etc/ssl/private/etcBackup.key itself. It seems that -kfile /etc/ssl/private/etcBackup.key or -pass file:/etc/ssl/private/etcBackup.key is what OP wanted to use.


  • Oracle trilateration refers to an attack on apps that have filters like “only show users closer than 5 km”. In case of the vulnerable apps, this was very accurate, so the attacker could change their position from the victim (which does not require physical movement, the application has to trust your device on this, so the position can be spoofed) until the victim disappeared from the list, and end up a point that is almost exactly 5 km from the victim.

    Like if it said the user is 5km away, that is still going to give a pretty big area if someone were to trilateral it because the line of the circle would have to include 4.5-5.5km away.

    This does not help, since the attacker can find a point where it switches between 4 km and 5 km, and then this point (in the simplest case) is exactly 4.5 km from the victim. The paper refers to this as rounded distance trilateration.




  • metiulekm@sh.itjust.workstoProgramming@programming.dev...
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    7 months ago

    I really need to try out Mercury one day. When we did a project in Prolog at uni, it felt cool, but also incredibly dynamic in a bad way. There were a few times when we misspelled some clause, which normally would be an error, but in our case it just meant falsehood. We then spent waaay to much time searching for these. I can’t help but think that Mercury would be as fun as Prolog, but less annoying.

    I actually use from time to time the Bower email client, which is written in Mercury.


  • My understanding is that all issues are patched in the mentioned releases, the config flag is not needed for that.

    The config flag has been added because supporting clients with different endianness is undertested and most people will never use it. So if it is going to generate vulnerabilities, it makes sense to be able to disable it easily, and to disable it by default on next major release. Indeed XWayland had it disabled by default already, so only the fourth issue (ProcRenderAddGlyphs) is relevant there if that default is not changed.



  • I’m betting there’s probably something that generates the key from a vastly smaller player input, i.e what gameobjects you interacted with, in what order, or what did you press/place somwhere. But that also means that the entropy is probably in the bruteforcable range, and once you find the function that decrypts the secrets, it should be pretty easy to find the function that generates the key, and the inputs it takes.

    When handling passwords, it is standard practice to use an intentionally costly (in CPU, memory, or both) algorithm to derive the encryption key from the password. Maybe the dev can reuse this? The resulting delay could easily be masked with some animation.





  • Edit: Actually, I thought about it, and I don’t think clang’s behavior is wrong in the examples he cites. Basically, you’re using an uninitialized variable, and choosing to use compiler settings which make that legal, and the compiler is saying “Okay, you didn’t give me a value for this variable, so I’m just going to pick one that’s convenient for me and do my optimizations according to the value I picked.” Is that the best thing for it to do? Maybe not; it certainly violates the principle of least surprise. But, it’s hard for me to say it’s the compiler’s fault that you constructed a program that does something surprising when uninitialized variables you’re using happen to have certain values.

    You got it correct in this edit. But the important part is that gcc will also do this, and they both are kinda expected to do so. The article cites some standard committee discussions: somebody suggested ensuring that signed integer overflow in C++20 will not UB, and the committee decided against it. Also, somebody suggested not allowing to optimize out the infinite loops like 13 years ago, and then the committee decided that it should be allowed. Therefore, these optimisations are clearly seen as features.

    And these are not theoretical issues by any means, there has been this vulnerability in the kernel for instance: https://lwn.net/Articles/342330/ which happened because the compiler just removed a null pointer check.


  • You could make an argument that not using banking apps decreases your security, since most banks use either SMS or those apps as the second factor while confirming the operations. It is true that the apps are of varying quality, but SMS is not really a serious alternative. Some banks do have apps that are limited to confirming operations, and one bank where I live did recently start accepting U2F, which is amazing news.