Tux Machines
Posted by Roy Schestowitz on Mar 12, 2023
=> Android Leftovers | today's howtos
=> ↺ The oldest privesc: injecting careless administrators' terminals using TTY pushback
This trick is possibly the oldest security bug that still exists today; it’s been traced as far back as 1985.
It’s been discovered and rediscovered and re-rediscovered by sysadmins, developers and pentesters every few years for close to 4 decades now. It’s been subject to multiple developer battles, countless posts, but still remains largely forgotten.
This is just another attempt at shedding light on it, for both attackers and defenders.
Most people in tech are familiar with shell scripts. But shell is a language!
=> ↺ Exploiting input sanitization for regex denial of service
Web services use server-side input sanitization to guard against harmful input. Some web services publish their sanitization logic to make their client interface more usable, e.g., allowing clients to debug invalid requests locally. However, this usability practice poses a security risk. Specifically, services may share the regexes they use to sanitize input strings --- and regex-based denial of service (ReDoS) is an emerging threat. Although prominent service outages caused by ReDoS have spurred interest in this topic, we know little about the degree to which live web services are vulnerable to ReDoS.
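The excerpt above describes the risk of publishing sanitization regexes: a backtracking engine can be driven into superlinear work by a short, carefully shaped input. The probe below is an added example (not code from the paper, nor from any service it studied) of the check a defender can run over a regex before exposing it: it grows a rejecting input until one `search` call blows a time budget. Both regexes and the input shape are constructed for this illustration.

```python
import re
import time
from typing import Callable

# Constructed sanitization regexes for illustration (not taken from the paper).
# The first is a textbook superlinear pattern: "\w+" and "\s?" can carve the
# same run of word characters in exponentially many ways before "$" fails.
VULNERABLE_SENTENCE_RE = r"^(\w+\s?)*$"
# A rewrite with unambiguous token boundaries: every repeat must begin with
# whitespace, so there is only one way to consume a run of word characters.
HARDENED_SENTENCE_RE = r"^\w+(\s\w+)*\s?$"


def rejecting_input(n: int) -> str:
    """Build the classic ReDoS input shape: n characters the pattern accepts,
    followed by one character that forces the match to fail and backtrack."""
    return "a" * n + "!"


def probe_regex(pattern: str,
                build_input: Callable[[int], str] = rejecting_input,
                max_len: int = 4096,
                budget_s: float = 0.1) -> tuple[bool, int, float]:
    """Grow the input until either max_len is reached or a single search
    exceeds budget_s. Returns (superlinear, length, seconds_at_that_length).

    A pattern that burns the whole budget on an input of a few dozen
    characters is backtracking superlinearly and must not be published
    or used on untrusted input.
    """
    compiled = re.compile(pattern)
    n = 8
    last_n, elapsed = n, 0.0
    while n <= max_len:
        text = build_input(n)
        start = time.perf_counter()
        compiled.search(text)          # match result is irrelevant; cost is
        elapsed = time.perf_counter() - start
        last_n = n
        if elapsed > budget_s:
            return True, n, elapsed
        n += max(2, n // 8)            # grow slowly while inputs are short
    return False, last_n, elapsed


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE_SENTENCE_RE),
                      ("hardened", HARDENED_SENTENCE_RE)):
        flagged, n, secs = probe_regex(pat)
        verdict = "SUPERLINEAR" if flagged else "ok"
        print(f"{name:10s} {pat!r}: {verdict} at len={n} ({secs * 1000:.1f} ms)")
```

Run stand-alone, the vulnerable pattern is flagged on an input of roughly twenty characters, while the hardened one reaches the 4096-character ceiling well inside the budget. The budget is deliberately generous so that a linear pattern is never misreported on a slow machine; a superlinear one will always exhaust any budget as the input grows.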
=> ↺ Girl with AI earrings sparks Dutch art controversy
That's because the work -- one of several fan recreations replacing the 1665 original while it's on loan for a huge Vermeer show at Amsterdam's Rijksmuseum -- was made using artificial intelligence (AI).
Its presence has sparked a fierce debate, with questions over whether it belongs in the hallowed halls of the Mauritshuis -- and whether it should be classed as art at all.
Keep only their version canonical
Do not rename the package paths and jump through serious hoops in order to compile your local version from the source tree.
My experience with the current generation (ChatGPT), for programming specifically, is that:
it suggests impossible things that cannot ever be made to work even with tweaks
sends you down a rabbit hole of wrongness when what you would’ve needed instead was a blank slate and a clear perspective
it lies and says that it has tested things (even giving the specific version of the compiler it’s supposed to “work” on) without having done so