
void *me; 💬 @voidstar@octodon.social

You can't make this up. Nomx is now claiming that their unauthenticated CSRF leading to admin privileges on a public URL poses a "non-existing threat" because "the user must visit a hacked website".
infosecurity-magazine.com/news
That's it. CSRF is solved folks! You wanted to rework the OWASP Top 10 anyway, no?

AHA

((xn--)+[a-z0-9]+)[^-]+\.[a-z]{2,}

That regex matches punycode DNS lookups that do NOT contain ASCII characters, and does NOT match DNS lookups containing ASCII characters.
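Added example, not from the post: the same idea applied per label and run as detection logic over a few constructed DNS log lines. A Punycode (IDN) label always carries the ACE prefix "xn--" and is otherwise plain letters, digits and hyphens, so a lookup can be sorted into names whose labels below the TLD are all Punycode, names that mix Punycode and plain ASCII labels, and plain ASCII names. The dnsmasq-style log format and the client addresses are constructed for the example.

```javascript
// Added example: per-label Punycode classification of DNS lookups.
// Not the regex from the post; an anchored, label-by-label restatement of
// the same intent. Log lines below are constructed, not real traffic.

const PUNYCODE_LABEL = /^xn--[a-z0-9-]+$/i;                    // ACE prefix + LDH
const ASCII_LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i;       // plain LDH label

function labels(host) {
  return host.toLowerCase().replace(/\.$/, '').split('.');
}

// Classify a looked-up name:
//   'all-punycode'  every label below the TLD is xn-- (the shape to catch)
//   'mixed'         xn-- labels alongside plain ASCII ones
//   'ascii'         no xn-- labels at all
//   'invalid'       single label, empty label, or non-LDH characters
function classify(host) {
  const ls = labels(host);
  if (ls.length < 2 || ls.some(l => l === '')) return 'invalid';
  const below = ls.slice(0, -1);            // the TLD may be ASCII or xn-- itself
  if (!below.every(l => PUNYCODE_LABEL.test(l) || ASCII_LABEL.test(l))) return 'invalid';
  const puny = below.filter(l => PUNYCODE_LABEL.test(l)).length;
  if (puny === 0) return 'ascii';
  return puny === below.length ? 'all-punycode' : 'mixed';
}

// Pull the queried name and client out of a dnsmasq-style query line
// and keep the lookups whose class is in `want`.
const QUERY_RE = /query\[[A-Z]+\] (\S+) from (\S+)/;

function flagLookups(lines, want = ['all-punycode']) {
  const out = [];
  for (const line of lines) {
    const m = QUERY_RE.exec(line);
    if (!m) continue;                          // replies, cache lines, etc.
    const kind = classify(m[1]);
    if (want.includes(kind)) out.push({ name: m[1], client: m[2], kind });
  }
  return out;
}

// Constructed sample log (not captured traffic).
const LOG_LINES = [
  'query[A] xn--80ak6aa92e.com from 10.0.0.5',
  'query[AAAA] www.xn--80ak6aa92e.com from 10.0.0.5',
  'query[A] mastodon.social from 10.0.0.9',
  'reply mastodon.social is 192.0.2.10',
  'query[A] xn--mgbh0fb.xn--kgbechtv from 10.0.0.7',
];
```

Running flagLookups(LOG_LINES) keeps the first and last query lines; passing ['all-punycode', 'mixed'] as the second argument also catches the www-prefixed one, which is the choice to make if the goal is "anything with an xn-- label" rather than "names with no plain ASCII labels".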

Google is serving ads over QUIC. Content blockers can't touch QUIC. QUIC communicates over UDP/443. Anyone want to guess what's about to be blocked on my network?

They say that corporations don't want to sign up on Mastodon because they are afraid of being supplanted on other instances... I don't quite understand that... They should be deploying right away an official .com instance where themselves check the authenticity of every account...

YOU DON'T NEED TO FORCE YOUR CITIZENS INTO BEING PROUD OF LIVING IN YOUR COUNTRY IF YOU GIVE THEM VALID REASONS TO LIKE IT IN THE FIRST PLACE

@thor And if you want to allow Node without native code, make it optional and have the functions spew warnings about possible integer truncation if they aren't backed by native code.

@thor Node.js has the capability of using native code, they could write portable C to handle it internally. As an exposed interface, yea probably UInt32[2] but ideally everything needing >53-bit integers (or numbers) could use native code. Like some kind of native generic "bignum" library this uses. 64-bit integers in native code have been around longer than UInt32.

@wallace On one hand, it's unlikely someone using Mastodon will be thus targeted. However, I would posit most people have not considered, or even comprehend, the difficulty and cost of securing infrastructure. Particularly when it's based on code you don't control. Yes it's all open source, but relying on that is beyond even advanced devs with day jobs. Though OpenBSD does an admirable job of it!

So you are up against a non-Five Eyes state actor, with a non-NSA-size budget but a decent army of hackers. What protects you better? One or two people running your instance as a hobby, or Zuck?

Oh, and please, -please-, even if you're going to route guest wifi traffic through the rest of your network [ but please don't do that! ] put the guest wifi network on a separate subnet.

Same with any BYOD nets. Keep them segregated. Do not mix them up with the rest of your wholly owned asset allocations.

Ok, folks?

If you only have a dozen assets on your network, do yourself a favor and give them either static IPs or permanent DHCP leases.

It'll make the whole task of asset management -ever- so much easier for you.

Random IP allocations - especially at short intervals - are foolish in the extreme for any permanent assets - that only belongs on guest wifi; nowhere else.

@thor Quite likely it is, but with Node being increasingly used for regular apps (see Atom, with a wide install base, where this could be highly relevant) I think this is actually something they should fix. And since they expose it, it's not something bolted on, they should have dealt with it when they first created that ability.


Did you know Node.js uses IEEE double (53-bit) to store an inode number (64-bit)? Well now you do. And if you ever wondered why I think Node.js is unsuitable for even basic usage and must be avoided for anything you intend to run in any capacity n>=0 times, here's another reason.

github.com/nodejs/node/issues/
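Added example, not from the post and not Node's own code, covering both the inode toot above and the earlier replies to @thor about UInt32[2] versus 53-bit numbers: what happens to a 64-bit inode number once it is stored in an IEEE-754 double. Number.MAX_SAFE_INTEGER is 2^53 - 1; above that, neighbouring integers round to the same double, so two distinct files can get the same (dev, ino) identity. The example uses BigInt to hold the exact 64-bit values, which postdates the post; the inode values are constructed, not taken from a real filesystem.

```javascript
// Added example: precision loss when a 64-bit inode number is stored as a
// JavaScript Number (IEEE-754 double, 53 bits of integer precision).
// The inode values below are constructed for the example.

// The lossy path: an exact 64-bit value (BigInt) stored as a Number.
// Number(bigint) rounds to the nearest representable double.
function inoAsDouble(ino64) {
  return Number(ino64);
}

// True when the round trip through a double does not return the same value.
function isLossy(ino64) {
  return BigInt(inoAsDouble(ino64)) !== ino64;
}

// Two adjacent inode numbers above 2^53. Doubles in this range are
// spaced 16 apart, so both round to the same value.
const INO_A = 0x0123456789abcdefn;
const INO_B = INO_A + 1n;

function collide(a, b) {
  return a !== b && inoAsDouble(a) === inoAsDouble(b);
}

// The identity key a program might build for "have I seen this file?"
// (hard-link detection, dedup, symlink-loop checks, inode-keyed watchers).
// Works for Number and BigInt fields alike; only the precision differs.
function fileKey(stat) {
  return `${stat.dev}:${stat.ino}`;
}

// Two distinct files, keyed once with Number fields and once with BigInt.
function demo() {
  const lossyStats = [
    { dev: 2049, ino: inoAsDouble(INO_A) },
    { dev: 2049, ino: inoAsDouble(INO_B) },
  ];
  const exactStats = [
    { dev: 2049n, ino: INO_A },
    { dev: 2049n, ino: INO_B },
  ];
  return {
    lossyDistinct: new Set(lossyStats.map(fileKey)).size, // 1: files merged
    exactDistinct: new Set(exactStats.map(fileKey)).size, // 2: files kept apart
  };
}
```

Only one of the two values is actually altered by the rounding (INO_B is exactly representable, INO_A is not), which is what makes the bug easy to miss in testing: most inode numbers survive the conversion, and the collision only shows up for the pair that happens to land on the same double. In Node 10.5 and later, fs.stat and fs.statSync accept { bigint: true } and return BigInt dev and ino fields, which is the exact path modelled by exactStats.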

@munin Most excellent, I'm happy this kitty story turned out well!

@CobaltVelvet Any chance of adding filters for IPv6 availability and TLS score? Just something like "IPv6 available? Yes/Don't care" and "TLS score >= X" (though that might get tricky with college-style scores)



not having corporate accounts on mastodon is a feature not a bug

just in case someone read it later: the real question is not really technical but: How do you convince Katy Perry to join Mastodon and pay for a high-end instance and a full-time sysadmin and more CM when burdsite is free?