infosex.exchange <3

You are probably looking for the infosec.exchange Mastodon instance

This host is mostly for my random stuff, and in small part acts as a well-intentioned placeholder for the typosquatted domain.

Discoverability and Archiving

Currently I'm using this host for saving the items from my own feeds to the Wayback Machine and providing in-links for search engines. I hate that I have to do this, but the nonsense ideology of Mastodon pretty much ruined the search feature for the Fediverse as a whole, and this wasn't changed by the fact that they owned their mistake and implemented search eventually.

Yes, I (or anyone else) could do similar things with other people's published feeds, regardless of the tantrum. No, you can't defederate this, because the process doesn't rely on an instance.

Gluttony Section for Search Engines

@jeffvanderstoep Just realized I can write directly to an author :)

I have some doubts about this "half-life" metric, but maybe I don't get the full picture:

https://infosec.place/notice/AmO2BAowHxngnThcjg
About vulnerability "half-life":

I still have to dig into the works referenced by the recent Google post[1], but the data is obviously based on known vulns.

https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html

Because of this I think the conclusion shouldn't be that bugs naturally die out ("half-life"). Rather, if we have a fixed set of methods to discover vulns, we will eventually find everything _we currently can_ in a fixed code base, and we will again find some in new code.

I think Orange Tsai's latest work on Apache modules is a great demonstration of how a new approach can result in a bunch of CVEs. But the "realization" about format strings also comes to mind. How much "old" code had to be fixed because of that?

What I'd like to see is some data on memory-safe languages blocking otherwise vulnerable code paths, or vulns getting discovered during integration with safe languages.
@cR0w @krypt3ia
[RSS] CVE-2024-28987: SolarWinds Web Help Desk Hardcoded Credential Vulnerability Deep-Dive

https://www.horizon3.ai/attack-research/cve-2024-28987-solarwinds-web-help-desk-hardcoded-credential-vulnerability-deep-dive/
@dcoderlt There are probably less suspicious alternatives, but this is the one I know that certainly can do this.
@dcoderlt Hardcode the address on a local low-priv proxy (e.g. burp free)?
@cR0w This is very likely the reason, and IMHO it is good that general awareness is now raised. @Saren42 is technically right of course.
@joxean I generally have a couple Gs free on my standard plans, so I'd count that as no cost. Hetzner has traffic limits, but that adds no additional cost until you try to serve many users (at which point torrents can help).
@joxean BitTorrent also comes to mind!
@joxean I can easily host 1.2G for you on one of my VPSs