alaxapta7 (u/alaxapta7)

alaxapta7 commented on Firefox tooltip bug fixed after 22 years bugzilla.mozilla.org/show... · Posted by u/MallocVoidstar

kgeist · 2 years ago

There was a similar Windows bug when a tooltip in the notification area (systray) wouldn't disappear no matter what. I first found the bug in Windows XP, and then witnessed it in Vista, in Windows 7, Windows 10. It was my ritual to check if it's fixed yet when upgrading to a new version of Windows. It never was. Since then I moved to Linux and now I don't know if it's fixed or not.

alaxapta7 · 2 years ago

Same, although I haven't seen this one for a while now. One way to fix the misbehaving explorer (which start menu, tray and others are part of) is to simply kill it and start it over from the task manager. Some applications failed to re-create their tray icons after this, but either all of them fixed it, or it got somehow fixed in Windows.

alaxapta7 commented on Data accidentally exposed by Microsoft AI researchers wiz.io/blog/38-terabytes-... · Posted by u/deepersprout

pixl97 · 2 years ago

This is why I always attempt to turn off as much version information output as possible from any service. Make the pentester do their homework and not just look at "Apache 2.XX"

Hopefully you also have an internal control that looks at actual package versions installed on the server.

alaxapta7 · 2 years ago

Normally I do that too, but this was fairly new and internal application that was still in development, so that's why it was there. And if it wasn't for this incident, they might actually trick our management into thinking they're somehow qualified to carry out such an audit.

alaxapta7 commented on Data accidentally exposed by Microsoft AI researchers wiz.io/blog/38-terabytes-... · Posted by u/deepersprout

dylan604 · 2 years ago

I recently ran into something along the lines of your devolved pentest concept. I have a public facing webapp, and the report came back with a list of "critical" issues that are solved by yum update. Nothing about vulnerability to session jacking or anything along the lines of requiring actual work. I was a few steps removed from the actual testing, so who knows what was lost in translation and it being the first time I've ever had something I worked on pen tested. However, I feel this was more of a script kiddie port scan level of effort vs actually trying to provide useful security advice. The whole process was very disappointing.

alaxapta7 · 2 years ago

I've seen worse. Couple years back, there was an audit that included an internal system I've been working on. It was running on Debian oldstable because of a vital proprietary library I wasn't able to get working on stable at the time, but it had unattended upgrades set up and all that.

The company made some basic port scan and established that we're running outdated and vulnerable version of Apache. I found the act of explaining the concept of backports to a "pentester" to be physically painful.

They didn't get paid and another company was entrusted with the audit.

alaxapta7 commented on Any sufficiently advanced uninstaller is indistinguishable from malware devblogs.microsoft.com/ol... · Posted by u/mycall

IshKebab · 2 years ago

Interesting. Has anyone done the same thing on Linux?

alaxapta7 · 2 years ago

I use and recommend subhook[0].

[0] https://github.com/Zeex/subhook

alaxapta7 commented on An Internet of PHP timotijhof.net/posts/2023... · Posted by u/edent

charrondev · 2 years ago

The built in web server is awful on its own. Forget production usage, it’s hard to even use for a quick bit of E2E testing.

Unfortunately it has some really opinionated routing rules with certain file extensions, preventing you from having a dynamic URL with something like a .json or a .xml extension. Instead it will always try to look up a static file of that and serve it instead.

I can’t find the bug tracker issue for it but it was closed out with a message along the lines of “don’t use the built in web server for anything besides a toy”.

Luckily there are plenty of PHP Cli based web servers now that some other commenters have mentioned.

alaxapta7 · 2 years ago

You can take full control over the routing using router script, then none of the default rules will apply. To be honest, I really dislike how many applications are wired around some Apache configuration or at least assume some specific hostname or path to be used for no reason. If it works with the built-in webserver, then it will work just as well with pretty much any SAPI.

alaxapta7 commented on An Internet of PHP timotijhof.net/posts/2023... · Posted by u/edent

xorcist · 2 years ago

PHP has had a built-in web server since version 5.

People use Apache or nginx because they want to, but because they need to.

alaxapta7 · 2 years ago

The built-in web server can only process one request at a time.

alaxapta7 commented on Using LD_PRELOAD to cheat, inject features and investigate programs rafalcieslak.wordpress.co... · Posted by u/icyfox

alaxapta7 · 2 years ago

I used LD_PRELOAD for patching RCE vulnerability in PunkBuster[0]. They did patch the exploit, but that didn't involve many of the older games they dropped support for. The AC itself isn't effective or even operational for the most part in those, but it still serves as a reliable method of identifying players.

Even their server libraries are obfuscated, and hooking open() turned out to be just easier than trying to patch the binaries themselves.

[0] https://medium.com/@prizmant/hacking-punkbuster-e22e6cf2f36e

alaxapta7 commented on Someone keeps trying to reset my Facebook password reddit.com/r/facebook/com... · Posted by u/babuskov

johngladtj · 2 years ago

Funny I keep getting login codes for my Microsoft account. Also there is seemingly no way to figure out who is doing it or how to stop it.

I wish I could just disable that form of login, I have a very safe password so the login via email isn't necessary.

alaxapta7 · 2 years ago

I thought this was the Passwordless account they implemented (EDIT: didn't realize you weren't talking about the Authenticator app), but I had it turned off. I somehow managed to make it stop by re-enabling/re-disabling both Passwordless and 2FA. So now they always ask me for a password and then I get the challenge.

To this day, I can't comprehend how this is supposed to be safe. So someone can just type in my username and wait until i eventually misclick in the Authenticator app? If it was from a browser I have used before at least, but I was getting these challenges from around the globe.

alaxapta7 commented on Google preemptively banned hundreds of millions of 'pirate' URLs last year torrentfreak.com/google-p... · Posted by u/CoBE10

carlosjobim · 2 years ago

On Kagi (International) I got these results on the first page:

First result: Joe Biden

Further down: Bernie Sanders, Marianne Williamsson, Hillary Clinton

Further down: Article: "Google hides campaign sites of Trump, RFK Jr. and other Republican candidates"

Further down: Ron DeSantis

Between these results there are several links with lists of all candidates.

alaxapta7 · 2 years ago

Did it give you a result leading directly to their canonical campaign website? I can see Sanders and Clinton with international, but can't see DeSantis nor any other Republican candidate (not even Pence).

I can definitelly see pages with lists of candidates, but I couldn't find a single one that would also link their websites and thus satisfy the query, at least indirectly.

alaxapta7 commented on Google preemptively banned hundreds of millions of 'pirate' URLs last year torrentfreak.com/google-p... · Posted by u/CoBE10

LegionMammal978 · 2 years ago

No search engine seems to respond very well to the query "presidential candidate websites" (without the quotes), by your criterion. As an experiment, I tried it with a few of them from a private tab on my phone, looking at the first 5 pages of results.

Yandex.com (page length 10) doesn't link to any candidate websites.

DDG (page lengths 10, 20, 50, 50, 50) links to Joe Biden (page 1), Nikki Haley (page 2), RFK Jr. (page 2), Chris Christie (page 3), Marianne Williamson (page 3), Ron DeSantis (page 3), and Perry Johnson (page 4). It's missing Donald Trump, Vivek Ramaswamy, and Mike Pence.

Bing (page lengths 10, 14, 14, 14, 14) links to Joe Biden (page 1), Nikki Haley (page 2), Chris Christie (page 2), Marianne Williamson (page 3), RFK Jr. (page 3), and Ron DeSantis (page 3). It's missing Donald Trump, Vivek Ramaswamy, and Mike Pence.

Brave Search (page length 19) links to Joe Biden (page 1), Marianne Williamson (page 1), and Cornel West (page 3). It's missing RFK Jr., as well as all Republican candidates.

Yahoo (page length 10) links to Nikki Haley (page 2), Chris Christie (page 2), RFK Jr. (page 4), and Ron DeSantis (page 4). It's missing Joe Biden, Marianne Williamson, Donald Trump, Vivek Ramaswamy, and Mike Pence.

Google (page length 10) links to Joe Biden (page 1), Marianne Williamson (page 1), Ron DeSantis (page 4), and Mike Pence (page 5). It's missing RFK Jr., Donald Trump, Vivek Ramaswamy, Nikki Haley, and Chris Christie.

None of these search engines link to more than two candidate websites within the first 20 results, nor do they link to Trump's or Ramaswamy's websites, so Google is far from alone in that regard. (I haven't been able to test with Kagi Search to see if it is any different.)

Perhaps search engines are simply bound to see such a query as asking more for the concept of candidate websites in general, than for topical examples in particular.

alaxapta7 · 2 years ago

Kagi, location set to United States:

Page 1: Biden, Williamson and link to an article Google hides campaign sites of Trump, RFK Jr. and other Republican candidates

Page 2: Biden again, Pence

No further pages. 5th result contains an article that claims to be linking all presidental candidate websites, but it's a Medium, hidden behind sign-up. I haven't find any result with a comprehensive list of the websites of interest. Kagi does aggregate results from Google and Yandex, so this is probably not too surprising.