jerrythegerbil commented on Six-Day and IP Address Certificates Available in Certbot   letsencrypt.org/2026/03/1... · Posted by u/hn_acker
jerrythegerbil · 3 days ago
More frequent renewals pose various architectural problems, but it makes “lawful” TLS intercepts harder to execute without going unnoticed.

TLS intercepts with CA-signed certificates can be and have been carried out. The undertone in previous reporting indicates that the execution depends on a mechanism that doesn’t have 100% reliability across renewal cycles, and shorter lifespans will make that more difficult to carry out without ostensibly visible warnings to the user.

It’s a headache, but you are supposed to be monitoring Certificate Transparency logs for rogue certificates. Barring that, shorter validity is a way to address it.

https://notes.valdikss.org.ru/jabber.ru-mitm/
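The CT-monitoring check the comment mentions, as an added example that is not part of the thread: given a batch of Certificate Transparency entries, flag every certificate that covers one of your domains (including via a wildcard) but was issued by a CA you do not expect. The entries, issuer names and allowlist below are constructed sample data; real monitoring would pull entries from a CT log or a CT search service.

```python
"""Added example: flag unexpected certificates for monitored domains in a batch
of Certificate Transparency entries. All data here is constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CtEntry:
    log_index: int
    issuer: str          # issuer name as it appears in the certificate
    names: tuple         # subject alternative names
    not_before: datetime


def name_matches(monitored: str, san: str) -> bool:
    """True if the SAN covers the monitored domain or one of its subdomains.
    A wildcard SAN covers the base name and everything below it."""
    san = san.lower().rstrip(".")
    monitored = monitored.lower().rstrip(".")
    if san.startswith("*."):
        base = san[2:]
        return monitored == base or monitored.endswith("." + base)
    return san == monitored or san.endswith("." + monitored)


def find_rogue_certs(entries, monitored_domains, expected_issuers):
    """Return entries that name a monitored domain but come from an issuer
    outside the allowlist. Certificates for other people's names are ignored."""
    rogue = []
    for entry in entries:
        covers_ours = any(
            name_matches(domain, san)
            for domain in monitored_domains
            for san in entry.names
        )
        if covers_ours and entry.issuer not in expected_issuers:
            rogue.append(entry)
    return rogue


# Constructed sample entries: two from the CA we use, two from an unknown CA.
SAMPLE_ENTRIES = (
    CtEntry(1001, "Our Expected CA", ("example.com", "www.example.com"), datetime(2026, 3, 1)),
    CtEntry(1002, "Unknown Issuing CA", ("mail.example.com",), datetime(2026, 3, 2)),
    CtEntry(1003, "Our Expected CA", ("other.test",), datetime(2026, 3, 2)),
    CtEntry(1004, "Unknown Issuing CA", ("*.example.com",), datetime(2026, 3, 3)),
)
MONITORED_DOMAINS = ("example.com",)
EXPECTED_ISSUERS = frozenset({"Our Expected CA"})  # constructed allowlist


def rogue_indices():
    """Log indexes of the flagged entries from the sample batch."""
    return [e.log_index for e in find_rogue_certs(SAMPLE_ENTRIES, MONITORED_DOMAINS, EXPECTED_ISSUERS)]


if __name__ == "__main__":
    for e in find_rogue_certs(SAMPLE_ENTRIES, MONITORED_DOMAINS, EXPECTED_ISSUERS):
        print(f"ALERT log_index={e.log_index} issuer={e.issuer!r} names={e.names}")
```

With shorter certificate lifetimes the batch you scan per run grows, but the decision per entry stays the same: a name of yours plus an issuer you did not authorize is the signal.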

jerrythegerbil commented on ICE tells legal observer, 'We have a database, now you're a domestic terrorist'   reason.com/2026/01/23/ice... · Posted by u/heavyset_go
afavour · 2 months ago
We’ve seen it documented before that they do indeed have a facial recognition database. Good news is it doesn’t seem all that reliable so who knows who is being labelled.
jerrythegerbil commented on Cloudflare zero-day: Accessing any host globally   fearsoff.org/research/clo... · Posted by u/2bluesc
jerrythegerbil · 2 months ago
There’s a lot going on in this blog. Interestingly, the core mechanism at play here is the http-01 challenge validation, which they state is fetched by the CA over HTTPS. This is particularly amusing when you consider that http-01 is explicitly NOT HTTPS (it’s HTTP), and this is actually the entire reason there’s a different code path to take.

The modern web requires a secure (HTTPS) context for many things to work, so it’s commonplace to do “HTTPS enforcement”: all requests are forcibly upgraded to HTTPS. However, you can’t do that to the CA when it’s performing an http-01 challenge validation. This necessitates that a “well-known” URL route be used for challenges so that they can very deliberately take a different code path that doesn’t enforce HTTPS (and be routed differently).

This is true of basically every ACME client used for http-01 challenges, not just cloudflare. So while they’ve unfortunately missed the mark on correctly explaining the mechanism at play here, I hope that I succeeded in making it a bit more clear. Other implementations are, of course, similarly exploitable.
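The routing split the comment describes, as an added example that is not part of the thread or of any ACME client: a request-routing decision that upgrades everything to HTTPS except the `/.well-known/acme-challenge/` prefix (the path http-01 uses per RFC 8555 section 8.3), shown next to the naive blanket redirect that would also catch the CA's validation request. The function names, hostnames and the `("action", detail)` return shape are assumptions made for this example.

```python
"""Added example: HTTPS enforcement that exempts the ACME http-01 path."""
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 8.3: the challenge token is base64url without padding. Anything
# else (empty, "..", slashes) is rejected before it could be looked up on disk.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def naive_route(scheme: str, host: str, path: str):
    """Blanket HTTPS enforcement: every plain-HTTP request is redirected,
    including the CA's http-01 fetch. This is the mistake the comment warns about."""
    if scheme != "https":
        return ("redirect", f"https://{host}{path}")
    return ("serve", path)


def route_request(scheme: str, host: str, path: str):
    """HTTPS enforcement with a deliberate exemption for the challenge route.
    Returns (action, detail):
      ('acme', token)      answer the http-01 challenge over plain HTTP
      ('reject', reason)   malformed challenge path
      ('redirect', url)    upgrade any other plain-HTTP request
      ('serve', path)      already HTTPS; normal handling
    """
    if path.startswith(ACME_PREFIX):
        token = path[len(ACME_PREFIX):]
        if not TOKEN_RE.fullmatch(token):
            return ("reject", "invalid acme token")
        # No HTTPS upgrade here: this is the separate code path for the CA.
        return ("acme", token)
    if scheme != "https":
        return ("redirect", f"https://{host}{path}")
    return ("serve", path)


if __name__ == "__main__":
    challenge = ACME_PREFIX + "abc_DEF-123"  # constructed token
    print("naive :", naive_route("http", "example.com", challenge))
    print("fixed :", route_request("http", "example.com", challenge))
    print("other :", route_request("http", "example.com", "/login"))
```

The exemption is a prefix match plus a strict token check; the same two lines are what an nginx `location` block or a framework middleware ends up encoding, whichever ACME client is in use.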

jerrythegerbil commented on Universal SSL exposes domains to BGP leaks   community.cloudflare.com/... · Posted by u/8organicbits
jerrythegerbil · 2 months ago
The unfortunate truth is: it doesn’t matter.

These BGP leaks do happen all the time. Cloudflare is right. This is a gap in the http-01 challenge on Cloudflare’s end. It should be changed to match the RFC, but not because it’ll change anything meaningful for security.

It doesn’t matter because this (and similar http-01/dns-01 challenge exploits that allow the issuance or interception of CA-signed certificates) is not a rare occurrence, and is surprisingly easy to perform as an individual. Even more so for governments.

Addendum: certificate transparency logs are free and are scraped and sold. Don’t believe for a second anyone out there is doing any free analysis at scale to watch your back. The orgs doing analysis are ultimately paid by orgs using it to hide their operations better. Your small business use-case for the data is pocket change compared to those contracts.

jerrythegerbil commented on Unauthenticated remote code execution in OpenCode   cy.md/opencode-rce/... · Posted by u/CyberShadow
jerrythegerbil · 2 months ago
I run mine on the public internet and it’s fine, because I put it behind auth, because it’s a tool to remotely execute code with no auth and also has a fully featured webshell.

To be clear, this is a vulnerability. Just the same as exposing unauthenticated telnet is a vulnerability. User education is always good, but at some point in the process of continuing to build user-friendly footguns we need to start blaming the users. “It is what it is”, Duh.

This “vulnerability” has been known by devs in my circle for a while, it’s literally the very first intuitive question most devs ask themselves when using opencode, and then put authentication on top.

Particularly in the AI space it’s going to be more and more common to see users punching above their weight with deployments. Let em learn. Let em grow. We’ll see this pain multiply in the future if these lessons aren’t learned early.

jerrythegerbil commented on Tiny Core Linux: a 23 MB Linux distro with graphical desktop   tinycorelinux.net/... · Posted by u/LorenDB
echoangle · 3 months ago
Do you really need the framebuffer in RAM? Wouldn't that be entirely in the GPU RAM?
jerrythegerbil · 3 months ago
To put it in GPU RAM, you need GPU drivers.

For example, NVIDIA GPU drivers are typically around 800M-1.5G.

That math actually goes wildly in the opposite direction for an optimization argument.

jerrythegerbil commented on Supreme Court hears case that could trigger big crackdown on Internet piracy   arstechnica.com/tech-poli... · Posted by u/fizl
jerrythegerbil · 3 months ago
The copyright holder can sue. Let them sue. They could always sue.

Why are we letting them send frivolous notices and make the ISP a letter carrier in the first place?

jerrythegerbil commented on Mount Proton Drive on Linux using rclone and systemd   github.com/dadtronics/pro... · Posted by u/cf100clunk
SilverElfin · 4 months ago
How can someone not familiar with the technical details use the alternative you suggest? Is there software (even if paid) that can sync to it?
jerrythegerbil · 4 months ago
A non technical person would probably Google “Hetzner Storage Box”, click the first link, and read the page that answers all of those questions.

There are many free software suites that Hetzner Storage Box supports, up to and including official support for rclone (the free tool used in the post we’re replying to).

https://docs.hetzner.com/storage/storage-box

jerrythegerbil commented on Mount Proton Drive on Linux using rclone and systemd   github.com/dadtronics/pro... · Posted by u/cf100clunk
jerrythegerbil · 4 months ago
As a (previous) customer of Proton of many years and a user of their Drive product, you should be aware that earlier this year the Drive API endpoints began to block their own VPN egress quite often for rate limiting. They also block many cloud providers’ egress. They also don’t officially support rclone, and their changing API spec often breaks compatibility.

I saw the writing on the wall and migrated rapidly earlier this year ahead of crypto product launches ahead of the email fiasco. It was hard to get data back out, even then.

Proton still stands for privacy. But the dark patterns for lock-in I can do without.

Hetzner Storage boxes with rclone and the “crypt” option are a drop-in replacement, at ~$40 for 20TB. That’s where I went instead.

u/jerrythegerbil · Karma: 262 · Cake day: November 8, 2024