kva-gad-fly commented on California sent residents' personal health data to LinkedIn   themarkup.org/pixel-hunt/... · Posted by u/anticorporate
timfsu · 4 months ago
I understood it to be the reverse - they advertise on LinkedIn, and the trackers determine whether the users convert once they click through. Not great, but at least not as ill-intentioned.
kva-gad-fly · 4 months ago
Not sure I understand this, but "I" (coveredca) pay LinkedIn to place my ads, for which "I" have to use their libraries? That then scrapes "my" clients'/customers' data to LinkedIn? For them to make more money selling that data?

Does this also mean that those pious popups about "Do not sell my information" are essentially vacuous?

kva-gad-fly commented on Do you need ID to read the REAL-ID rules?   papersplease.org/wp/2024/... · Posted by u/greyface-
kva-gad-fly · 10 months ago
This was intriguing to me:

> One of your staff asked me yesterday how I had traveled to the DC area, whether I had traveled by air, and whether I had shown any ID to do so. As a matter of principle and personal security, I do not wish to discuss my travel history, modes, or plans with you, and I am not required to do so. But the consistent position of your agency in litigation has been that no Federal law or regulation requires airline passengers to have, to carry, or to show ID. The responses by your agency to some of our FOIA requests confirm that, as you know, people fly without ID every day.

How does one go about this process?

kva-gad-fly commented on Bypassing airport security via SQL injection   ian.sh/tsa... · Posted by u/iancarroll
woodruffw · a year ago
They often do. The value of those kinds of blanket security audits is questionable, however.

(This is one of the reasons I'm generally pro-OSS for digital infrastructure: security quickly becomes a compliance game at the scale of government, meaning that it's more about diligently completing checklists and demonstrating that diligence than about critically evaluating a component's security. OSS doesn't make software secure, but it does make it easier for the interested public to catch things before they become crises.)

kva-gad-fly · a year ago
Even if these govt. security audits are checkboxes, don't they require some nominal pentesting and black box testing, which test for things like SQL injection?

That should have caught these types of exposures?
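
The bug class this thread is about, as an added example that is not from the thread or from the linked article: a credential lookup written with string formatting beside the parameterised form that a code review or an audit's injection check is meant to enforce. The table, the usernames and the `lookup_*` function names are all constructed for the illustration and do not describe the CASS/KCM systems or any real API.

```python
"""Added example (not from the thread or the linked article): the SQL injection
bug class under discussion, shown as a vulnerable lookup beside its hardened form.
Both run against a constructed in-memory SQLite table, not any real system."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny table of crew members cleared to fly.
    # A real system would store a password hash, never the plaintext.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE crew (username TEXT, password TEXT, airline TEXT)")
    conn.execute("INSERT INTO crew VALUES ('alice', 'correct-horse', 'ExampleAir')")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Builds the query by string formatting, so user input becomes SQL syntax.
    # This is the defect; it is kept here only to contrast with the fix below.
    sql = (f"SELECT COUNT(*) FROM crew WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def lookup_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver passes the values separately from the SQL
    # text, so quotes inside the input can never change the statement's structure.
    sql = "SELECT COUNT(*) FROM crew WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    # Runs both lookups with valid credentials and with the textbook tautology
    # input that an injection test feeds to every string field.
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        "vuln_good_creds": lookup_vulnerable(conn, "alice", "correct-horse"),
        "vuln_injected": lookup_vulnerable(conn, injected, injected),
        "hard_good_creds": lookup_hardened(conn, "alice", "correct-horse"),
        "hard_injected": lookup_hardened(conn, injected, injected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'access granted' if result else 'denied'}")
```

The vulnerable function grants access on the injected input because the quotes close the string literal and turn the rest into SQL; the parameterised one treats the same bytes as a username that simply does not exist. This is the property a black-box injection test probes for from the outside, and the property a code review can verify from the inside by checking that no query text is assembled from user input.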

kva-gad-fly commented on Bypassing airport security via SQL injection   ian.sh/tsa... · Posted by u/iancarroll
timdorr · a year ago
Based on the language on their site about requiring an existing CASS subscription, my guess is there was no approval at all. It appears this person has knowledge of the CASS/KCM systems and APIs, and built a web interface for them that uses the airline's credentials to access the central system. My speculation is that ARINC doesn't restrict access by network/IP, so they wouldn't directly know this tool even exists.

Some quick googling shows the FlyCASS author used to work for a small airline, so this may piggyback off of his prior experience working with these systems for that job. He just turned it into a separate product and started selling it.

The biggest failure here is with ARINC for not properly securing such a critical system for flight safety.

kva-gad-fly · a year ago
If this were the case, then it seems quite plausible that the website itself was just a passthrough, and the APIs provided by ARINC would be exposed.

This then begs the question of how ARINC passed security audit.

kva-gad-fly commented on OpenSSH Backdoors   blog.isosceles.com/openss... · Posted by u/benhawkes
Vecr · a year ago
Was there ever a writeup of exactly how the XZ exploit worked? I mean exactly, I get the general overview and even quite a few of the specifics, but last time I checked no one had credibly figured out exactly how all the obfuscated components went together.

u/kva-gad-fly · Karma: 16 · Cake day: June 26, 2024