TheKMAP @ TheKMAP @lemmynsfw.com

Posts

0

Comments

277

Joined

2 yr. ago

SolarWinds had garbage infosec but you gotta admit the attack chain is much longer and more complex than "kidnap one guy".

How do you propose we meaningfully fix this issue? Hoping random people catch stuff doesn't count.

Interesting! When? Maybe that can be a metric or requirement before companies or seriously popular projects consider importing upstream code.

Your data is about remediation speed not thoroughness of discovery.

Not really. The most important admin interfaces are the ones you can't lock behind an IP whitelists.

"whitelists good IPs" - OK but what if I need to manage the "good ip" infra, etc

Bet you anything there were more pairs of eyes on SolarWinds code than this. Sick of this open source bystander effect.

Code scanners check for vulnerabilities not malicious code. Ain't no one running full coverage dynamic scanners to trigger all branches of code on this thing, otherwise this would've been caught immediately

Single point of failure on the lone maintainer of a popular package, vs having to hack an entire company like SolarWinds and make a backdoor that bypasses their entire SDLC. Which is harder?

Bystander effect, yes.

Have those audits you allude to ever caught anything before it went live? Cuz this backdoor has been around for a month and RedHat is affected, too. Plus this was the single owner of a package who is implicitly trusted, it's not like it was a random contributor whose PRs would get reviewed.

The code being open source helps people track it down once they try to debug an issue (performance issue and crashes because in their setup the memory layout was not what the backdoor was expecting), that's true. But what actually triggered the investigation was the bug. After that it's just a matter of time to trace it back to the backdoor. You understimate reverse engineers. Or maybe I'm just spoiled.

How long until US bans code from developers with ties to CN/RU?

EasyCanvas supports a one time payment model but seems to be focused on drawing instead of note taking, and it's not clear if the files would be stored on the iPad.

With a sprinkle of old school Deus Ex

https://deusex.fandom.com/wiki/Multitool_(DX)

Can someone explain to me why the mistake made about shrimp is different than the assumptions that went into speculating how other creatures perceive the world? Dogs, bees etc.

Companies don't serve staff. Staff is a necessary evil to them.

Exactly. Reddit mods and Wikipedia admins both get to be kings of their little fiefdoms. The power/pride/whatever is payment enough, otherwise they wouldn't be doing it. They are intrinsically motivated.

Being a mod for something you are passionate about is intoxicating. It is an awesome feeling to know you've contributed to the growth of something you care about.

Ehhhhh

Stock price is absolutely tied to the perceived performance and anticipated future performance of the company.

The problem is that most departments of a company are profit centers and therefore there is a huge incentive to squeeze the most return (product features, sales, etc) from that investment (your salary). They will abuse you just hard enough so you don't quit. Or they will abuse you endlessly because the churn is factored into it.

The company doing well is only loosely tied to morale. Yes happier employees probably perform better but it's not the best return on the investment.

Making a loan count as income will mess up legit home purchases. If you went that route it couldn't be that simple.

A big benefit to the buy borrow die strategy is the step up basis for your children. Realizing the gain will move the basis up and cause a taxable event.

I don't know all the details, much less if this plan is perfect, but I think that's the idea.

Maybe removing step up basis is enough, to help reduce generational wealth. IDK

"Collateral for loan is realized gain" targets the "Buy Borrow Die" strategy.

It's literally in the name. They are influencing.

As for why/how there's a ton of biases/fallacies that cause that to happen. Pick any and it's not difficult to create a scenario where a malleable person applies it.

No.

I know right? Some people haven't played XCOM, and it shows.