And by the way, the fact that I had to come out and make this explanation is *yet again* another example of the sorry state of tech security reporting, by both media and infosec folks themselves. Like every single article about this bug is wrong and makes no sense. https://twitter.com/marcan42/status/1217803207084134401
To me this is partially due to an interesting property of this bug: you don't need to know *exactly* what goes wrong in order to produce a (kind of) working exploit. Oh, and people love talking about seemingly cool textbook crypto instead of software engineering (bad) practices.
Yeah, it's a lot more impressive to talk about how you can use a quirk of ECC math (even though it literally involves no math, just copying a value from A to B) than to talk about how MS messed up the moral equivalent of an .equals method.
I'm still annoyed at how one of the early Spectre reports said "vm" (virtual memory) and everyone assumed it meant virtual machine
File a CVE against HumanOS: In the absence of trusted roots, incoming information is incorrectly validated against *any* matching source. The failure is easily exploitable, and self-perpetuating.
Sounds like you're describing every binary analysis and DRM discussion ever