biscuitswalrus

joined 1 year ago
[–] biscuitswalrus@aussie.zone 19 points 8 months ago* (last edited 8 months ago) (20 children)

The messaging around this so far doesn't lead me to want to follow the fork on production. As a sysadmin I'm not rushing out to swap my reverse proxy.

The problem is I'm speculating but it seems like the developer was only continuing to develop under condition that they continued control over the nginx decision making.

So currently it looks like from a user of nginx, the CVE registration is protecting me with open communication. From a security aspect, a security researcher probably needs that CVE to count as a bug bounty.

From the developer's perspective, F5 broke the pact of decision control being with the developer. But for me, I would rather it be registered and I'm informed even if I know my configuration doesn't use it.

Again, assuming a lot here. But I agree with F5. That feature, even in beta, could be in a dev or test environment. That's enough reason to know.

Edit: Long term, I don't know where I'll land. Personally I'd rather be with the developer, except I need to trust that the solution is open not in source, but in communication. It's a weird situation.

[–] biscuitswalrus@aussie.zone 1 points 8 months ago* (last edited 8 months ago)

Now I'm not part of this, but an international student just got scammed $170 000 dollars over 3 months. They believed that the police had seized their Australian bank account and were contacting them related to their identity being stolen. It wasn't at the time of call, but the international student, maybe 25, was fully profiled. They knew where he studied, who they had been talking to. At the time of call, the poor kid thought he was talking to the police, gave every bit of information including bank account which had MFA, but undid it and followed the scammers' requests believing he would be deported. He called home to his parents and asked them for more money even in order to build a new account because he believed his other one was frozen; the new account was under order and control of the scammer who this kid trusted. The scammer even made this kid move into a hotel for a week as their "premises needed to be searched". It wasn't for a month after this that it was found, because the kid believed he couldn't tell anyone, before the school (where he was attending but kept leaving to take calls, which is a no no) had to tell the kid that absenteeism will result in the student visa being cancelled. At that point it all came out, a month and more of being scammed.

My point is, no it's not business. Just look at the YouTubers, just watch Jim Browning. Just ask people, it's a multi billion dollar industry. And it's not limited to rules like 'business'.

[–] biscuitswalrus@aussie.zone 1 points 8 months ago

Although that might be true, the moment the 'friend' gave away his account recovery answers to the phisher I think he would have been compromised either way. It was likely that the phisher was in real time actioning an account recovery, and using the friend as the proxy to give answers to the prompts. Plus since it's already second hand info we can't tell, but if the phisher simply asked 'can you read me the code on your authenticator' or 'press approve and you'll complete the recovery process' it would have been successful.

In investigating account breaches I've found most people shamefully don't retell the whole story; they're embarrassed and upset and fearing loss of employment. They kind of shut down. In this case, social status or opinion could be harmed so it would be hard to trust the story is complete. Generally my logs come from Entra ID and you can see the authentication came from the mobile device even though it was a prompt generated by the phisher.

Anyway I'm a big advocate for layers of security and you're completely right in your stance. Technology is fragile to exactly what you said. We live in a world of incomplete information using trust and judgement under time pressure and poor sleep. Phishing attacks are ruthlessly designed to target that weakness in people. I'm empathetic when it is successful.

[–] biscuitswalrus@aussie.zone 1 points 8 months ago* (last edited 8 months ago) (8 children)

There are massive collections of databases online that find where breaches have occurred allowing attackers to dump the database of that service, then collect all those database dumps together to identify all known accounts under an email address. Then once that email account ever has a password breach attackers can look up and see 'was this password used also on other accounts' and attempt to use the same email and password on them. Moreover they will just try that email regardless of known affiliation, if they already have a user name and password across many online services, it's safe to assume this will work sometimes. This is the essence of a credential stuffing attack.

https://www.abc.net.au/news/2024-01-19/what-is-credential-stuffing-scams-how-to-prevent-and-protect/103367570

https://www.abc.net.au/news/2023-05-18/data-breaches-your-identity-interactive/102175688

I've used abc here since I believe they write better for a lay person.

Edit: I meant to say, they can also create a profile of you and your many email addresses as demonstrated.
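The credential stuffing pattern described in the comment above has a recognisable shape in authentication logs: one source tries many different usernames, roughly one password each, with a low success rate. The detector below is an added example, not code from the commenter or from the linked articles; the log format and IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth log (not real traffic): timestamp, source IP, username, result.
# 203.0.113.7 cycles through leaked email/password pairs; 198.51.100.4 is one user retrying.
SAMPLE_LOG = """\
2024-01-19T10:00:01Z 203.0.113.7 alice FAIL
2024-01-19T10:00:02Z 203.0.113.7 bob FAIL
2024-01-19T10:00:02Z 203.0.113.7 carol FAIL
2024-01-19T10:00:03Z 203.0.113.7 dave OK
2024-01-19T10:00:03Z 203.0.113.7 erin FAIL
2024-01-19T10:00:04Z 203.0.113.7 frank FAIL
2024-01-19T10:00:09Z 198.51.100.4 alice FAIL
2024-01-19T10:00:15Z 198.51.100.4 alice FAIL
2024-01-19T10:00:30Z 198.51.100.4 alice OK
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"

def detect_stuffing(log_text, min_users=5, max_success_rate=0.5, max_attempts_per_user=2.0):
    """Return {ip: stats} for sources whose behaviour matches credential stuffing:
    many distinct usernames, about one try each (reused leaked pairs, not brute force),
    and mostly failures. 'compromised' lists accounts where a stuffed pair worked."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0, "hits": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, ok = parse_line(line)
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["successes"] += 1
            s["hits"].append(user)
    flagged = {}
    for ip, s in per_ip.items():
        distinct = len(s["users"])
        rate = s["successes"] / s["attempts"]
        per_user = s["attempts"] / distinct
        if distinct >= min_users and rate <= max_success_rate and per_user <= max_attempts_per_user:
            flagged[ip] = {"distinct_users": distinct, "attempts": s["attempts"],
                           "success_rate": rate, "compromised": s["hits"]}
    return flagged
```

Accounts listed under `compromised` are the ones to force a password reset on, since the stuffed credential pair is already known to work.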

[–] biscuitswalrus@aussie.zone 3 points 8 months ago (2 children)

On many systems, the weakest link is that it needs to accommodate a 'lost my x' eg mfa, password etc.

Systems often have a way to get in by resetting them by validating through more factors but often weaker ones, "not phishing resistant" factors like security questions. That way the account can get it removed or a new one put on.

Mfa isn't a silver bullet, it is another layer of Swiss cheese, most people will think twice about giving it away on a chat app. But there's a reason IT departments sign you up for those phishing simulation and training videos.

But you could still be right in this case, I just wanted to note broadly speaking you can't assume perfect security is achieved with MFA. You still need to be constantly vigilant.

[–] biscuitswalrus@aussie.zone 4 points 9 months ago

Digging tunnels.

[–] biscuitswalrus@aussie.zone 2 points 9 months ago

You realise if it's saved you can now use features that are built into the software, that get saved, like using 'track changes' to accept or discard edits granularly. You have file system level version control to choose previous versions, you have an undo feature built in. Three different tools to use.

[–] biscuitswalrus@aussie.zone 2 points 9 months ago

Not really, you can leave auto save on, and use the inbuilt track changes function. Best of both worlds.

[–] biscuitswalrus@aussie.zone 7 points 9 months ago (1 children)

Have you tried using file versioning, or using review (track changes) functions to propose changes so you can choose to accept edits or decide against them? It's like there are specific features for this scenario that allow you to save, have backups and have that control.

[–] biscuitswalrus@aussie.zone 3 points 9 months ago (3 children)

This is an insane scenario: my software design decision is, despite recovery mechanisms like previous versions, file history, and undo mechanisms, I'm afraid if a cat uses a keyboard I'll accidentally save changes I don't want to a word document.

Lol. The only user error was choosing LibreOffice instead of a user friendly software stack that has reasonable defaults and recovery mechanisms.

[–] biscuitswalrus@aussie.zone 2 points 9 months ago* (last edited 9 months ago)

There's a few random projects that aim to store bulk data and human information in durable materials.

https://www.popsci.com/technology/5d-disc-stores-500-tb-of-data/

Professor Peter Kazansky, from the ORC, says: "It is thrilling to think that we have created the technology to preserve documents and information and store it in space for future generations. This technology can secure the last evidence of our civilisation: all we've learnt will not be forgotten."

I'm learning most of the articles are all based on this guy from 2013 until now it's still been in mostly research phase though proof of concepts have been done.

I'm trying to find evidence of another thing I swear I heard about where someone had some instructions from first principles how to read the data, but all the way from something like understanding the language to data format. I listened to something in a tech podcast but can't find it.

[–] biscuitswalrus@aussie.zone 7 points 10 months ago (4 children)

But if I request it there, after it's federated everywhere, what happens?
