What is the attack scenario here? Where are the security boundaries? How does the attacker gets their repository with a symlink in it to the victim? Is Helm typically run as a privileged user? How would this work? And why doesn't the vulnerability description give answers to these questions?
Readit NewsSjoerd commented on Helm local code execution via a malicious chart github.com/helm/helm/secu... · Posted by u/irke882
What do you mean exactly? We could plant lots of trees and make charcoal from them and bury it. That scales with the amount of money spent. The problem is that nobody wants to invest a big chunk of gdp into burying coal.
To compensate for the US emissions of CO2 equivalent, you would need to create in the order of 4 cubic kilometers of charcoal every year. You could cover the whole of California with a layer of 1 centimeter (about half an inch) of charcoal every year.
So turning trees into charcoal scales up to a certain point, but not to the point that it "would even remotely make a difference for climate change", as OP said.
Sjoerd commented on Frequent reauth doesn't make you more secure tailscale.com/blog/freque... · Posted by u/ingve
Yahoo published these findings over 20 years ago , that frequent re-auth made customers less secure because it encouraged poor password hygiene like short passwords, writing them down, etc.
It's also risky to have the primary password credential transmitted instead of temporary tokens.
Do you have a link to that Yahoo publication? Or any more information on it?
Sjoerd commented on Listen to the whispers: web timing attacks that work portswigger.net/research/... · Posted by u/saikatsg
I did some research few weeks ago on the topic of database lookup timing side-channels, conclusion is: They don't really exist (for SELECT FROM WHERE commands atleast).
https://altayakkus.substack.com/p/timing-side-channel-on-sql...
I came to the same conclusion. Many string comparison implementations don't actually compare one character at a time. In one case strcmp seemed to compare eight characters at a time, so you would need to guess eight characters correctly to get a time difference. Glibc memcmp can compare 32 bytes at a time. In C# the timing of string compare depends on whether it does Unicode normalization or not. Even then, the difference is less than a nanosecond per compared character. It is not as straightforward that every string comparison between sensitive data and user input is at risk of timing attacks.
https://www.sjoerdlangkemper.nl/2024/05/29/string-comparison...
Sjoerd commented on Htmx does not play well with content security policy sjoerdlangkemper.nl/2024/... · Posted by u/Tangiest
This one surprised me:
https://www.sjoerdlangkemper.nl/2024/06/26/htmx-content-secu...
<div hx-disable>
<%= raw(user_content) %>
</div>
But I find it scary that if `user_content` is `</div><div>...` that is actually injected, as raw HTML. I would expect that the `<%= raw(user_content) %> only has access to contents of the div it is in itself, and nothing more. But instead I understand that the HTML is injected as text (?) and then re-parsed (?).
This differs for different template engines.
In Angular, for example, the template is parsed into a DOM tree, and then template variables are placed in the correct place. This makes injection really hard. In the above example, it would be impossible to break out of the div.
Other template engines just do a string search/replace, and this makes injection easy. Then it's indeed possible to break out of the div just by injecting </div>.
The example you quoted comes directly from the HTMX docs. They don't specify which template system is used, and I don't immediately recognize the syntax to limit it to a specific template system.
Sjoerd commented on Libsodium: A modern, portable, easy to use crypto library github.com/jedisct1/libso... · Posted by u/randomint64
When doing symmetric encryption you usually need a nonce or IV, which is also sent to the other party along with the ciphertext and authentication tag. Why does the API for libsodium allow you to specify your own nonce and keeps it separate from the ciphertext? The function crypto_secretbox_easy includes the authentication tag in the ciphertext, but you still have to provide the nonce yourself and it is not included in the ciphertext. Wouldn't it be easier still if the nonce was generated within this function and also added to the ciphertext?
Sjoerd commented on Understanding UUIDs, ULIDs and string representations sudhir.io/uuids-ulids... · Posted by u/sudhirj
The OP proposes using `ULID`s, which are the same number of bytes as UUIDs, but have an initial timestamp component (ms since epoch), plus a subsequent random component. While these are sequential (not exactly "incremental"), so give two of them you can know which came first -- they aren't really "guessable", as you'd need to guess not only an exact timestamp (not infeasible if more of a challenge than with incremental integers), but a large subsequent random component (infeasible).
Apparently there are some proposals to make official UUID variants with this sort of composition too, which some threads in this discussion go into more detail on.
They aren't guessable, except for ULIDs generated by the same process in the same millisecond. To keep chronological order even within the same timestamp, ULIDs within generated within the same millsecond become incremental. This can become relevant for example when an attacker requests a password reset for himself and the victim simultaneously.
Here's further support for planting trees. Published by the Yale School of Forestry & Environmental Studies:
"Planting 1.2 Trillion Trees Could Cancel Out a Decade of CO2 Emissions, Scientists Find"
I'll expand on what I said before: Make front lawns illegal throughout the US. Require two or more trees to be planted (use some kind of a formula for the exact amount). We can probably get to half a billion trees just with this approach. However, this has the added effect of eliminating emissions from gas powered mowers, blowers, trimmers, etc. We would consumer less water to grow lawns, capture CO2 effectively to grow trees and reduce emissions from the aforementioned demonic devices in the process. I call that a good start until we figure out other methods that might operate at scale without destroying the planet in the process. Actually, there are at least a couple more things at scale we could do that would be net positive on many fronts. More on that later.
https://e360.yale.edu/digest/planting-1-2-trillion-trees-cou...
I agree that landscaping choices could be more environmentally friendly. However, planting trees in yards will have a limited impact; if 1.2 trillion trees cancel a decade of CO2 emissions, half a billion trees will cancel about 36 hours of CO2 emissions.
Sjoerd commented on Show HN: Alzheimer password generator github.com/viralpoetry/al... · Posted by u/viralpoetry
Such a thing is typically called a deterministic password manager. One problem with it is that you can't change the algorithm. If you want to change your PBKDF2 from 1000 to 5000 iterations, then you can't login anymore on any of the services where you used this tool to set the password.
See also this https://news.ycombinator.com/item?id=13016132
You seem to seed the SecureRandom object with the current time. I think this reduces security and it would be better to omit the seed and let SecureRandom seed itself.
It also looks like you do normal String equals to compare secrets, which could be vulnerable to a timing attack.
Are you sure you are qualified to implement crypto?