

I watched Jurassic Park with a live orchestra playing all the music and it was rad


I’ve had someone screenshot my code, circle a buggy line in red, and blog about it instead of submitting a PR.
I can’t say I’ve ever sent a security-related bug report without at least some work done trying to understand how to fix it. Surely the caliber of people working for Project Zero can do that too, otherwise hi Google I’ll take one job please.


Wonder if they can build on top of eBPF? I think Windows is trying to implement it too


Look at this person over here using branches, show off
Not exactly “memory address 0”; there be dragons there. https://c-faq.com/null/index.html
I love nix and NixOS, but yes the documentation is incredibly insufficient. I’d recommend a normal distro + the nix package manager first for a personal laptop. You have to be ok occasionally taking a detour to learn how to build some random program from source in a sandbox with no networking every once in a while, so it’s kinda clunky as a daily use OS imo. It shines on servers though.
NixOS is fun but requires tinkering for a desktop/laptop. You can use the nix package manager on any other distro though. At work I use Fedora and still use the nix package manager a ton when I want to, but I’m not locked into it when something needs to just work quickly. I have NixOS on my personal laptop and I kinda wish I didn’t. I have it on my home server and I’m very happy I did that.
What’s funny is those always make me immediately think the site is a scam of some sort even though they’re everywhere. I get this feeling like I should leave the site as soon as I can


matches
They’re likely using NixOS. It makes /usr/bin/env and /bin/sh for compatibility but nothing else goes in those dirs


Yes social engineering can be incredibly effective. I completely agree, but there is a bit of an obsession with it these days and imo it’s over indexed, because at the end of the day the type of social engineering detailed in that report typically just provides access.
In some cases, the target is important enough and has enough organizational power that accessing the network as them is sufficient, but that’s not often the case. What that means is that in those other cases social engineering (which in that report you cited is often just phishing) is providing, typically, internal network access. An attacker will have to move through the network and exploit software typically to continue their attack. There are many points in this chain that the weakness lies in software or configuration. If effort was placed on making those systems better it would likely see better results than hyper focusing on the social engineering, which is significantly more difficult to stop, especially with all of the things you mentioned on the horizon.
My point is then that even if it is a part of 74% of breaches, according to Verizon, it’s not necessarily sufficient and is often paired with software level exploits.
And I know this because my company does plenty of red teaming, and we use social engineering but at the end of the day the more interesting result comes from a software exploit or just abusing a weak configuration.


I have found the exact same type of bug shown here probably over a dozen times, most of those long before AI was writing code.


Not a big fan of the wording here. Plenty of skilled programmers make dumb mistakes. There should always be systems in place to ensure these dumb mistakes don’t make it to production. Especially when related to sensitive information. Where was the threat model and the system in place to enforce it? The idea that these problems are caused by “shit programmers” misses the real issue: there was either no system or an insufficient system to test features and define security requirements.


I work in security and I kinda doubt this. There are plenty of issues just like what is outlined here that would be much easier to exploit than social engineering. Social engineering costs a lot more than GET /secrets.json.
There is good reason to be concerned about both, but 95% sounds way off and makes it sound like companies should allocate significantly more time to defend against social engineering, when they should first try to ensure social engineering is the easiest way to exploit their system. I can tell you from about a decade of experience that it typically isn’t.


Add SepiaSearch URL as default search index
I updated my weird wording but… you and they said something about the default [index] URL


If OP asked when global search was implemented the answer is 5 years ago. If they asked when SepiaSearch became the default index then sure, ChatGPT was wrong, but I’d bet they asked the first question


https://github.com/Chocobozzz/PeerTube/releases/tag/v2.3.0
ChatGPT is correct? The irony of people confidently asserting that ChatGPT is wrong, while being wrong, seems to be lost on the crowd here. Kinda makes you understand why ChatGPT is often so confident even when wrong.
Thought it was 0 0/2 * * * at first lol