Posts by msw@mstdn.social
 (DIR) Post #AYfOcWc2Zn216Mqawa by msw@mstdn.social
       2023-08-12T20:34:33Z
       
       0 likes, 0 repeats
       
       @immibis @TheSteve0 @kfogel it is so rare, it is still *very* misunderstood.
       
 (DIR) Post #AYfOcXM7oRtXPIPOm8 by msw@mstdn.social
       2023-08-12T20:36:09Z
       
       0 likes, 0 repeats
       
@immibis @TheSteve0 @kfogel the cloud services model is far easier to grok. That's why I think some software producers want to be the only game in town that can use it. But that is not necessarily the best scenario for consumers...
       
 (DIR) Post #AYgQOuXtBucgLCV9sW by msw@mstdn.social
       2023-08-13T00:04:16Z
       
       1 likes, 0 repeats
       
       #OpenSource #FreeSoftware #FOSS #OSS #RemixCulture #DerivativeWorks #Copyright
       
 (DIR) Post #AYt1XGy6RNdJXfFTkm by msw@mstdn.social
       2023-08-19T00:12:29Z
       
       0 likes, 0 repeats
       
Personally it's still surprising to me that, as a case study, MongoDB is not primarily highlighted as an example of a firm that used the brand goodwill of "Open Source" as a way to implement a "Freemium" GTM strategy by choosing the most misunderstood and feared #FOSS license (#AGPLv3), then invented a new license that had a cloaked field-of-use restriction (or "constructive restriction" as @webmink calls it), attempting to warp the definition of #OpenSource #FreeSoftware #SoftwareFreedom #OSS
       
 (DIR) Post #AYt1XIjHtQyF0IKfwG by msw@mstdn.social
       2023-08-19T00:14:30Z
       
       0 likes, 0 repeats
       
On "Constructive Restriction" https://meshedinsights.com/2021/01/27/all-open-source-licenses-are-permissive/
       
 (DIR) Post #AYt1XKUTLUJASvPs7k by msw@mstdn.social
       2023-08-19T00:16:33Z
       
       0 likes, 0 repeats
       
Instead, somehow this myth is told as if it is fact. https://mamot.fr/@pluralistic/110911473508008668
       
 (DIR) Post #AafIUyuNJEFeW2i3ua by msw@mstdn.social
       2023-10-10T17:47:01Z
       
       0 likes, 1 repeats
       
This is your regular reminder that CVSSv3 base scores are information-poor, and taken alone are not fit for the purpose of evaluating appropriate actions to take for a given security vulnerability. I am hoping that CVSSv4 helps improve industry practices. It's badly needed. #InfoSec #CVSS #CVE https://csrc.nist.gov/csrc/media/Presentations/2023/update-on-cvss-4-0/jan-25-2023-ssca-dugal-rich.pdf
       
 (DIR) Post #AafIV0vVnyLim9Fzxg by msw@mstdn.social
       2023-10-10T17:53:07Z
       
       0 likes, 0 repeats
       
If you use #curl or #libcurl and are worried about the pending "High" CVE that's coming out, @bagder said... "Every security flaw requires a set of conditions to apply for the problem to trigger. The pending security vulnerabilities are no different. I cannot comment on what that set is ahead of time. The severity level is a blunt tool. This is a HIGH severity problem but there is still going to be a large chunk of users who will not be affected by these problems." https://github.com/curl/curl/discussions/12026#discussioncomment-7195449
       
 (DIR) Post #AafIV2fdJypuBTqLUO by msw@mstdn.social
       2023-10-10T17:56:09Z
       
       0 likes, 0 repeats
       
The "High" rating for this bulletin, like "CVSSv3 base score >= 7.0", is information-poor. For open source libraries in particular, there are many potential mitigating circumstances. I really want for the #InfoSec community and industry practice to improve so that we don't blindly look at base scores or vendor ratings for #FOSS libraries in particular, and then panic.
       
 (DIR) Post #AafIV4RWjOjzgJG6mO by msw@mstdn.social
       2023-10-11T02:46:01Z
       
       0 likes, 0 repeats
       
Over on the bad place, it looks like an embargoed patch leaked? #curl #libcurl #cve202338545 #InfoSec https://twitter.com/_JohnHammond/status/1711913166165463220
       
 (DIR) Post #AwhyTNAu9kXw4rzbhQ by msw@mstdn.social
       2025-07-31T22:18:25Z
       
       0 likes, 0 repeats
       
       @adamshostack There's this CryptoVerif model of the transport protocol, but it sounds like you want a model of the daemon process? https://bblanche.gitlabpages.inria.fr/publications/CadeBlanchetJoWUA13.pdf
       
 (DIR) Post #AwhyTO72fb3CzBC2Jk by msw@mstdn.social
       2025-07-31T22:20:07Z
       
       0 likes, 0 repeats
       
@adamshostack Maybe something more like this historic relic from the pre-privsep days? http://niels.xtdnet.nl/ssh/privsep.html
       
 (DIR) Post #AwhyTRC7DBtKXmad8q by msw@mstdn.social
       2025-07-31T22:34:48Z
       
       0 likes, 0 repeats
       
@adamshostack @mwl @bsdphk @jawnsy @ricci A reminder yet again to be thankful for all the pioneering work of Solar Designer... one of the first examples of privsep. https://www.openwall.com/popa3d/DESIGN.shtml
       
 (DIR) Post #AwhyTT6A8IJmRtou8m by msw@mstdn.social
       2025-07-31T23:00:19Z
       
       0 likes, 0 repeats
       
       @adamshostack @mwl @bsdphk @jawnsy @ricci For SSH in particular? Or for other UNIX-y daemons and how they progress through privilege transitions?
       
 (DIR) Post #AwhyTUZceFTf1YbwhM by msw@mstdn.social
       2025-07-31T23:03:57Z
       
       0 likes, 0 repeats
       
       @adamshostack @mwl @bsdphk @jawnsy @ricci cool, then definitely look at s2n (in a spur of the thread) as a modern case study, IMHO.
       
 (DIR) Post #AwhyTVAURAy4rtrOAC by msw@mstdn.social
       2025-07-31T23:25:11Z
       
       0 likes, 0 repeats
       
@adamshostack @mwl @bsdphk @jawnsy @ricci A depiction is nice to have. Formal proof that code implements a specification is better... (context is a sister project to s2n: the libcrypto parts) https://sos-vo.org/system/files/2024-05/Formal%20Verification%20of%20AWS-LibCrypto_1.pdf
       
 (DIR) Post #AwhyTaPYwYzn85wzqq by msw@mstdn.social
       2025-07-31T23:02:18Z
       
       0 likes, 0 repeats
       
@adamshostack @mwl @bsdphk @jawnsy @ricci When it comes to using simple state machines to build robust implementations of protocols, the TLS state machines in the s2n library come to mind. https://github.com/aws/s2n-tls/blob/main/docs/STATE-MACHINE.md
       
 (DIR) Post #AwhyTiJTZ4sddXAFTU by msw@mstdn.social
       2025-07-31T23:03:13Z
       
       0 likes, 0 repeats
       
       @adamshostack @mwl @bsdphk @jawnsy @ricci this guide goes into the design philosophy https://github.com/aws/s2n-tls/blob/main/docs/DEVELOPMENT-GUIDE.md#control-flow-and-the-state-machine
       
 (DIR) Post #Ay5P4H0HB2JCtcs4Aq by msw@mstdn.social
       2025-09-09T17:37:31Z
       
       0 likes, 0 repeats
       
       @jacques @bagder @gregkh btw… how is it going, making the Universal Asset Graph on purpose?
       
 (DIR) Post #Ay5P4IHKR7XkqnrCOO by msw@mstdn.social
       2025-09-10T17:49:19Z
       
       0 likes, 0 repeats
       
@jacques @bagder @gregkh I'd really love to have some public database that would help us all collectively make more efficient resource allocation decisions. Let's take CVE-2025-38352 for example. CISA added it to the KEV because Google said that there is evidence of exploitation in the context of Android. If you use CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y the fix is not needed. Linux distros aren't affected but release "fixes" anyway. https://forums.rockylinux.org/t/rocky-8-10-cve-2025-38352/19590/3 #PatchAllTheThings! #InfoSec
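A triage check in the spirit of the post above, written here as an added example (not part of the original post, and not any distro's or the kernel's own tooling): it reads a kernel config in text form (the format of /boot/config-$(uname -r) or `zcat /proc/config.gz`) and reports whether CONFIG_POSIX_CPU_TIMERS_TASK_WORK is enabled, which the post says makes the CVE-2025-38352 fix unnecessary. The two sample configs are constructed inline to show both outcomes; the function names are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a kernel's config makes the CVE-2025-38352
# fix moot, per the post above (CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y).
# Function names are assumptions, not tooling from the kernel or a distro.

# kconfig_enabled CONFIG_FILE OPTION
# Returns 0 when OPTION is built in (=y) in the text-form kernel config,
# 1 otherwise ("# OPTION is not set", =m, or absent all count as not enabled).
kconfig_enabled() {
    grep -q "^$2=y$" "$1"
}

# triage_posix_timers CONFIG_FILE
# Prints a one-line verdict and returns 0 when no action is needed,
# 1 when the fix still has to be reviewed for that kernel.
triage_posix_timers() {
    cfg="$1"
    if kconfig_enabled "$cfg" CONFIG_POSIX_CPU_TIMERS_TASK_WORK; then
        echo "$cfg: CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, CVE-2025-38352 fix not needed per the post"
        return 0
    fi
    echo "$cfg: CONFIG_POSIX_CPU_TIMERS_TASK_WORK not enabled, review whether the fix applies"
    return 1
}

# Constructed sample configs (not real kernel configs), one per outcome.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' 'CONFIG_POSIX_TIMERS=y' \
              'CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y' > "$SAMPLE_DIR/config-taskwork"
printf '%s\n' 'CONFIG_POSIX_TIMERS=y' \
              '# CONFIG_POSIX_CPU_TIMERS_TASK_WORK is not set' > "$SAMPLE_DIR/config-irq"

triage_posix_timers "$SAMPLE_DIR/config-taskwork"
# A non-zero return here only means "review", so do not let it abort the script.
triage_posix_timers "$SAMPLE_DIR/config-irq" || true
```

To run it against a real machine, pass `/boot/config-$(uname -r)` (or a decompressed copy of /proc/config.gz) to `triage_posix_timers` instead of the constructed samples; the verdict is only as good as the post's claim about that option, so treat it as one input to the decision rather than the decision itself.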