Tweetovi

Blokirali ste korisnika/cu @esizkur

Jeste li sigurni da želite vidjeti te tweetove? Time nećete deblokirati korisnika/cu @esizkur

  1. proslijedio/la je Tweet
    29. sij

    I... Look, I enjoy spending money for goods and services. When you pull crap like this I want to go back to physical books. This is disgusting, Amazon. You don't need this level of data to delight customers.

    Poništi
  2. proslijedio/la je Tweet
    29. sij

    Remote shell metacharacter injection and command-execution as root in an SMTP server... what year is it again?

    Poništi
  3. proslijedio/la je Tweet
    25. sij

    I just fixed another Holy Grail bug!! This one caused several games to hang, such as Sonic Pinball Arcade () and Hello Kitty Collection - Miracle Fashion Maker (). This bug has been vexing me for 3 and a half years!

    Prikaži ovu nit
    Poništi
  4. proslijedio/la je Tweet
    15. sij

    💕❤️💕 for all who have worked for a better web and a better world at Mozilla.

    Poništi
  5. proslijedio/la je Tweet

    There’s two new pre-auth RCE with CVSS score 9.8 in RD Gateway, commonly used to protect RDP servers (adds MFA etc). RD Gateway is a (great, btw) Enterprise solution for protecting those RDP boxes. You probably want to patch these.

    Prikaži ovu nit
    Poništi
  6. 15. sij

    Less than 7 hours after the patch for CVE-2020-0601 was dropped, seems to have reproduced it. Hopefully y'all have patched already...

    Poništi
  7. proslijedio/la je Tweet

    I think that vulnerability scoring should have these two added in access vector terms.... Or is this mental?

    Poništi
  8. proslijedio/la je Tweet
    14. sij

    Some speculation on CVE-2020-0601. Earlier version of Windows cryptography API only supported a handful of elliptic curves from NIST suite-B. It could not handle say an arbitrary prime-curve in Weierstrass form with user defined parameters 1/N

    Prikaži ovu nit
    Poništi
  9. proslijedio/la je Tweet
    14. sij

    NEW: along with several other cryptographers speculate on how CVE-2020-0601 works at a technical level:

    Prikaži ovu nit
    Poništi
  10. 14. sij

    Thinking about this for another minute, it seems unlikely however: I would expect MSFT to rate exploitation likeliness lower in that case. Hmm...

    Prikaži ovu nit
    Poništi
  11. 14. sij

    Given that ChainLogMSRC54294Error()'s output is formatted like "CA: <%s> sha1: %s para: %s otherPara: %s" I begin to wonder whether CVE-2020-0601 might be related to the recent advances on SHA-1 chosen prefix collisions []...

    Prikaži ovu nit
    Poništi
  12. 14. sij

    Also, note that MSFT logs exploitation attempt [ChainLogMSRC54294Error()].

    Prikaži ovu nit
    Poništi
  13. 14. sij

    OK, this explains the call to ChainComparePublicKeyParametersAndBytes() in ChainGetSubjectStatus():

    Poništi
  14. proslijedio/la je Tweet
    14. sij

    The NSA advisory is much more helpful than Microsoft's.

    Poništi
  15. 14. sij

    "Certificates containing explicitly-defined elliptic curve parameters which only partially match a standard curve are suspicious, especially if they include the public key for a trusted certificate, and may represent bona fide exploitation attempts." []

    Poništi
  16. proslijedio/la je Tweet
    14. sij

    Now that it's all public: 1) CVE-2020-0601 - Windows doesn't properly validate X.509 certificate chains. 2) CVE-2020-0609, CVE-2020-0610 - Windows Remote Desktop Gateway (not to be confused with RDP proper) unauthenticated RCE.

    Prikaži ovu nit
    Poništi
  17. 14. sij

    So CVE-2020-0601 is an ECC signature verification bypass:

    Poništi
  18. proslijedio/la je Tweet
    26. stu 2019.

    Debuggers suck, not using a debugger sucks, and you suck.

    Poništi
  19. proslijedio/la je Tweet
    26. stu 2019.

    Unlink heap exploitation was introduced in the year 2000 by Solar Designer as the first generic heap exploitation technique. It's been mitigated in glibc and most allocators for 15+ years. Think it's dead? Not in modern day uClibc by

    Poništi
  20. proslijedio/la je Tweet
    23. stu 2019.

    Amazing compendium of failures of "provable security": . I saw a preprint months ago and the shock value of the huge lists still hasn't worn off. I think (and hope) this will put an end to the delusion that provable-security failures are isolated mistakes.

    Poništi

Čini se da učitavanje traje već neko vrijeme.

Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.

    Možda bi vam se svidjelo i ovo:

    ·