tmsbrg commented on The End of Sierra as We Knew It, Part 1: The Acquisition   filfre.net/2025/04/the-en... · Posted by u/cybersoyuz
tmsbrg · 5 months ago
Jimmy Maher is really a great history writer. The way he writes is very compelling. He made a whole history of windows which I somehow read through completely[0].

I can also recommend his other site, Analog Antiquarian[1] where he writes more about the larger history. His Magellan series that's going on now is really amazing, makes you feel like you're really experiencing the epic voyage through South America and South East Asia.

[0] https://www.filfre.net/2018/06/doing-windows-part-1-ms-dos-a...

[1] https://analog-antiquarian.net/

tmsbrg commented on Boring tech is mature, not old   rubenerd.com/boring-tech-... · Posted by u/mikece
jasonthorsness · 7 months ago
I think it’s hard to tell with the signals we have on GitHub for example the difference between mature and dead as a project. Regardless of what a commit is for, it’s a sign that someone is watching and maintaining and any novel issue will likely be quickly addressed. I think this means new stuff always will have an advantage there.
tmsbrg · 7 months ago
I wish we could just let software "die" aka be stable without constant updates. For software that doesn't have a significant attack surface (security) it'd be amazing. But because of the bitrot of constantly changing underlying APIs and platforms, oftentimes if you find some Python script that hasn't been updated for a few years it'll already be broken in some horrible ways due to dependencies changing and no longer being compatible with current versions of certain libraries.

Think of how much time is wasted because so much software that's been written but not maintained can't be used because of how libraries have "evolved" since then.

tmsbrg commented on Boring tech is mature, not old   rubenerd.com/boring-tech-... · Posted by u/mikece
blenderob · 7 months ago
I was meaning to do an Ask HN about this but this looks like an excellent post to ask my question.

What are some boring techs you use that you cannot live without? How long have you been using them?

For me, it'd be stuff like Vim, C, Python, Fedora, mutt and I've been using them for 25-30 years! How about you?

tmsbrg · 7 months ago
The Python 2-3 transition and some developments after made it definitely not so boring for me, but hopefully it'll be more stable in the coming decades ;).

"Cannot live without" is a strong wording, but software that I use a lot and that's mature/stable in my experience: shell (zsh, bash, sh), GNU utils, vim, nmap, xfce, git, ssh, mpv, Xorg, curl, and lots of little old CLI tools.

tmsbrg commented on Care Doesn't Scale   stevenscrawls.com/care-do... · Posted by u/surprisetalk
tmsbrg · 10 months ago
Q: How many Silicon Valley software engineers does it take to change a lightbulb?

A: They will refuse to change the lightbulb, claiming it "doesn't scale" unless the "lightbulb problem" is fixed globally ;)

In seriousness, enjoyed this article and it's a wise realization. I think the world would be a better place if more people take the time to be a good person to the people around them, rather than focusing so much on big picture issues.

tmsbrg commented on CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js   codeanlabs.com/blog/resea... · Posted by u/todsacerdoti
ThomasRinsma · a year ago
Original author here. This is indeed a bit confusing.

You are right for the case where Firefox's PDF.js is used (local or remote file in a tab or iframe). The XSS problem however is with web-applications that themselves use PDF.js. In that case, it does not run in a separate or special origin; that is a Firefox thing.

You are also right that the PDF format supports JavaScript, but that is something unrelated to this, and indeed highly sandboxed in all cases.

tmsbrg · a year ago
Thanks for the explanation! That makes it more clear. Nice research and thanks for the reply.
tmsbrg commented on CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js   codeanlabs.com/blog/resea... · Posted by u/todsacerdoti
tmsbrg · a year ago
I guessed this is a type of XSS but it seems not. The TL;DR is a bit vague on the impact. It says "This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened" but PDFs can already execute arbitrary JavaScript as a feature (as noted in the article).

Hidden in some paragraph it does say

> Instead, PDF.js runs under the origin resource://pdf.js. This prevents access to local files, but it is slightly more privileged in other aspects.

Seems like it's not an XSS letting you take over the website origin, but it lets you run JS under this resource://pdf.js origin. Could be an interesting vector when combined with other weaknesses, but not an instant knock out as I expected when I read the title and saw the points :)

tmsbrg commented on Pixel owners report problems after installing January 2024 Google Play update   bleepingcomputer.com/news... · Posted by u/buildbot
jacquesm · 2 years ago
I don't know what you're getting at, that's clearly spelled out already. But in case you didn't get it: that's without liability for the manufacturer because you have the choice to bypass them. Presumably such a situation wouldn't occur very often because 'proprietary hardware' with 'open source software' wouldn't be proprietary for very long. The software would tell you all you need to know about how it works.
tmsbrg · 2 years ago
Have you heard about Android?
tmsbrg commented on Booking.com hackers increase attacks on customers   bbc.co.uk/news/technology... · Posted by u/edward
OtherShrezzing · 2 years ago
Seems like a problem booking.com could instantly eliminate by enforcing 2FA for hoteliers.
tmsbrg · 2 years ago
Not really. In the article it says hackers are getting malware onto the hotel's computers using social engineering. That's really hard to counteract. They could steal cookies, or also just control the existing session using the malware. 2FA won't help if you're already logged in and the hacker hacks your computer.
tmsbrg commented on A simple web server written in Awk   github.com/crossbowerbt/a... · Posted by u/keepamovin
hackideiomat · 2 years ago
> gsub(/\/\.\./, "/", request_filename) # avoid directory trasversal

Hmmmm

http://localhost:8888/..../..../..../..../..../..../.../.......

tmsbrg · 2 years ago
damn, you beat me to it.

Was gonna write:

http://localhost:8888/..../..../..../..../..../..../etc/host...

mypc

These regex substitutions are so easy to bypass :)
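As an added illustration of the two comments above (not code from the Awk server project): the first function reproduces the server's single-pass `gsub` and shows how a `....` segment survives it as `..`; the second resolves the request path component by component, the way the filesystem will, and refuses anything that climbs above the document root. Both functions and the `DENIED` marker are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: why a substring substitution is not a path check.

# The server's sanitiser, reproduced: one pass of gsub(/\/\.\./, "/", ...).
# Every "/.." is replaced once, so "/..../" collapses to "/../" and the
# traversal survives the "fix".
naive_sanitize() {
  printf '%s' "$1" | awk '{ gsub(/\/\.\./, "/"); print }'
}

# Hardened resolver: split on "/", drop "" and ".", pop one directory per
# "..", and deny the request the moment a ".." would leave the root.
# A literal segment such as "...." is kept as an ordinary (non-existent)
# directory name, which is exactly how the OS would treat it.
safe_resolve() {
  printf '%s' "$1" | awk -F/ '
    {
      n = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "" || $i == ".") continue
        if ($i == "..") {
          if (n == 0) { print "DENIED"; exit }
          n--
          continue
        }
        parts[++n] = $i
      }
      out = ""
      for (i = 1; i <= n; i++) out = out "/" parts[i]
      print (out == "" ? "/" : out)
    }'
}

# Demonstration on a constructed request path (run stand-alone).
naive_sanitize '/..../..../etc/hostname'; echo   # survives as /../../etc/hostname
safe_resolve   '/..../..../etc/hostname'         # literal dirs, never leaves root
safe_resolve   '/../../etc/hostname'             # DENIED
```

The lesson is that a sanitiser which deletes a dangerous substring must be reapplied until nothing changes, whereas a resolver that interprets each component never has that problem.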

u/tmsbrg · Karma 281 · Cake day June 24, 2016