my bet is there's a scam callcenter on the other end. I mean, bigtech having a b2c callcenter or phone#, that'd be a new (old) one.
| birdsite | @barredijkstra |
| bsky | @salp |
| pronouns | he/him |
@kloenk @navi Back when 128 kB was the limit for argv+envp, Google was hitting it too because they passed all the configuration for their whole software stack on the command line as --long-option=value switches.
Their solution? Compress the command line. So every binary started by ungzipping argv[1] and parsing it to get the configuration.
The person explaining this to me saw my horrified face, and said with the perfect Hide The Pain Harold smile: "a series of individually completely rational and reasonable decisions led to this." and I have been thinking a lot about it since.
We @DianaInitiative are 50k (~a bit more) short of breaking even for the year. Would LOVE 3 recording sponsors - your logo on our videos posted to youtube!
Scroll to the bottom of the page; we made example email templates to ask your employer - www.dianainitiative.org/sponsor
And we of course always welcome donations www.dianainitiative.org/donate
dear #appsec people, I'm curious how you deal with 3rd party dependencies. do you use a scanner that reports cves? manual audits? have external audits done?
and any difference in dealing with opensource and closed source libs?
and if you audit, how do you determine scope of which part to audit? you can determine the library code used, but that might change 1 commit later.
This petition is incredibly important.
Not only for EU citizens, but for everyone worldwide. If this proposal passes, it could have *devastating* consequences for all of us.
For your future self,
For your children,
For the next generations,
Sign it please 💚
https://www.eff.org/deeplinks/2023/03/sign-petition-and-tell-eu-legislators-dont-scan-us
The European Parliament is debating a proposal that, if it passes, could be disastrous for privacy worldwide. Every message, photo, or hosted file could be scanned, with the results sent to government agencies. We don’t need “bugs in our pockets.” A private and secure internet should be built with...
@SheHacksPurple I'll stop after this one, unless I can remember a really fun one later
Some APIs missed the memo and just provide static resources like any other web server, via screwed-up routes.
and I might have seen a variety of config files, .git directories and what not over time. once I even got a path traversal, that took me by surprise 🫢
@SheHacksPurple let's go for the golden oldie: injection
prototype pollution on a custom node service that acted as api gateway/proxy. that was fun and gave a rce
full-blown simple sqli, because of course. ' or 1=1 -- shouldn't work anymore, ever, but I also saw that one in a recently built api
nosqli, because you can't do sql injection with mongodb, right?