Embedded Files
- Today proved again some absolutely ridiculously laughable security. Can't go into details, but I guess this is enough said. OWASP unrestricted file upload. Yet they should figure it out, that the situation could have been a lot worse. Instead of slightly ridiculing website defacement, all the information and whole server could have been taken easily over using the exactly same attack surface. - So don't bother whining about slight defacement for fun. Anyway, they allowed uploading both, web.config which pretty much means you're already very screwed. Both your site, and your users / clients are both totally owned, if you just bother to combine a few technologies.
- Yes we CAN. Hacking cars, and exploiting protocol design vulnerabilities.
- Updated all Windows development tools to Python 3.6.2 64 bits. Yet there are still some applications which use legacy 32 bit ODBC and for some strange reason that interface is such, you can't mix 64 bit and 32 bit stuff. Which is bit annoying, but practically doesn't make any meaningful difference after all. I'm not hitting 32 bit memory limits any time soon with my ETL jobs. Usually the amount of data stored in RAM per process is very small. Installing latest pyodbc and cx_freeze where just a breeze using pip.
- Google+ - got a new layout with more columns.
- Now all of my administered web servers are also using HTTP/2 with SSL naturally. Nice.
- Long discussion about Human-in-the-loop (HITL) versus human-on-the-loop (HOTL). I personally prefer HOTL. Yes, we can stop something, but buy default everything should be automated and take the default process route, unless someone is intervening with that process.
- Relocated lots of content and updated related Bluetooth Physical Web Beacons to new servers, with H2 and TLSv1.3 and so on.
- Once again had fun with Microsoft extremely bad documentation and error messages. Such a pain. Getting simple things working might take several days. No wonder some MS stuff is expensive, because its such a mess, it's almost impossible to get it to work.
- About these new mass Internet monitoring and surveillance laws in Finland. I've got only one quote: “Those who surrender freedom for security will not have, nor do they deserve, either one.”
- Quote: "We published instructions on how to repair a Tails 3.0.1 broken by the automatic upgrade . " - How to repair system, broken by the automatic upgrade... Hmm, pure love, again. I've been warning about automated updates all the time. Untrusted code, from untrusted sources, replacing running systems and ... Yes, there are just so many ways to exploit that unfortunately. Sorry if this is a dupe. But somehow their statement just hit my sweet spot.
- Migrating 1200 db from MySQLL to PostgreSQL (Postgres) - Quite a nice post. Yet there's nothing special. That's the stuff that's gets done all the time. Migration, integration, conversion, tech stack changes, etc. You'll just deal with it. Junk in tables, missing relations, broken references, total worthless junk data, which shouldn't have been in the database to begin with and so on.
- I hate studies, those are so misleading. This one study widely published in Finland says that small and medium enterprises got inadequate IT security. Well that depends. Especially because the results re based on the fact that the customer feels that they got inadequate security. That's stupid question. It's where you set the bar. Every business got inadequate security, and we all know it. There's always things which you could do better. The real question is, what is adequate security. Because this hasn't been exactly defined, the original question is also totally pointless. Unless your point it to sell some BS security consulting, which is expensive, produces lots of 'documents for the management' and practically does almost nothing. - Yep, maybe that was the whole point of this study. They also asked if it's possible that you might not notice hacking. Well, I think that should be obvious answer. The only viable answer is yes. If you answer no, it's already totally clear, that the person giving the answers is absolutely incompetent.
2018-12-02
Google Sites
Report abuse