solid-snail

Security Research & Blog
Blog: https://blog.solidsnail.com

@Viss @jerry Pretty sure I'm missing context here, but there is a barrier to entry to security. Proving your skill. You either find a vulnerability or you don't. You either catch an APT or you don't.

If you want a barrier of entry to voicing opinion that's a different story. I'd argue that it's problematic though.

I'd argue the underlying issue is the difficulty of evaluating credibility, and that it isn't specific to the world of security at all.

@wikiresearch How do they define toxic? I think most people would call Torvalds' comments "toxic", but also warranted and merit-based.

Would harsh criticisms be considered toxic?
And if so, is it always negative that contributors leave after "toxic" comments?

A threshold of 0.8 on a score from an API just doesn't really clarify what toxic is.

Did I miss anything in the paper that clarifies that?

@jerry can you refer to a good source on the implications of this, in terms of the data privacy/ownership?
Just want to better understand the issue :)

New post talking about RCE in npm search, and other vulnerabilities in terminal applications.
https://blog.solidsnail.com/posts/npm-esc-seq
npm search RCE? - Escape Sequence Injection

How many programmers does it take to filter out 36 characters? You may think this is an opening to a joke, but it’s not.

solid-snail blog

Beeper Mini on Android claims to have reverse-engineered iMessage compatibility

Co-founder says it's a security improvement for everyone and should be legal.

https://arstechnica.com/gadgets/2023/12/beeper-mini-on-android-claims-to-have-reverse-engineered-imessage-compatibility/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

Beeper Mini for Android sends and receives iMessages, no Mac server required

Ars Technica

This one is a bit different from my previous post.
I basically reported a feature as a vulnerability, not a bug.
https://blog.solidsnail.com/posts/vscode-shell-integ-rce
It’s not a Feature, It’s a Vulnerability

It takes a special kind of person to name a company after their own body part. Fortunately the Microsoft Security Response Center doesn’t seem to have inherited that kind of mentality, because when I have reported not a bug but a feature as a vulnerability - they accepted it.

solid-snail blog

@dgl interesting talk. Never thought of looking into `less` for this.

I also didn't consider mitigating this on the shell's level. Although the task of avoiding a parser differential with most terminals might be... uhm... interesting.

My first write-up.
Vulnerability I discovered.
Getting RCE from terminal output.
https://blog.solidsnail.com/posts/2023-08-28-iterm2-rce
From Terminal Output to Arbitrary Remote Code Execution

It was the year of the Linux desktop 1978. Old yellowed computers were not yet old, nor yellowed. Digital Equipment Corporation released the first popular terminal to support a standardized in-band encoding for control functions, the VT100.

solid-snail blog