Posts by Ayemooth 36 publicly visible posts • joined 5 Jan 2016
"why not just stop access to port 123 UDP on the machines until fixed"
Or disable the software that listens on that port. But perhaps (one might say "hopefully") there are watchdogs in place to start it again? So stop the watchdogs? Unless it's watchdogs all the way down, I suppose.
Also, under the current administration, I would be keeping quiet about being a "federal employee actually paid to watch the clocks all day", lest the idiots at the top deem the role unnecessary.
Jon
Any word on whether a similar exploit is possible with other similar services (Gitlab, Bitbucket, etc)? Or they did they consider this possibility when designing their own fork features?
It seems reasonable to me that a fork should only include non-dangling commits. I wonder what a git clone does... I'll give it a try when I'm at my desk.
J
"stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user's devices page."
And how do I find out which of my browsers or devices (laptop? Phone? Tablet? Which browser, if I use more than one?) I need to log out from or otherwise revoke?
Or, you limit to the standards that all fairly-modern browsers support. There are always a few new CSS things that would make authoring web dev easier (and not to the detriment of users) but are not supported by enough browsers. So my staff are told not to use the them, simple as that. Sure, it makes life a little harder for us, but that's the world we live in.
To put it another way, if it doesn't work for all your users, then we don't consider that to have been built properly.
At the risk of sounding old, maybe it's because I've lived through the times when IE, Firefox and Chrome all had meaningful market share, so it's ingrained into my professional psyche.
I've found acme.sh to be a great alternative to Certbot. I tried it out when Certbot updated itself to a version that didn't work on CentOS 6 (because that was out of support, but we needed to keep it running a bit longer while we got stragglers moved off it), and promptly switched our other servers that Certbot still worked fine on.
"Our internal analysis shows abandoned accounts are at least 10x less likely than active accounts to have 2-step-verification set p. Meaning, these accounts are often vulnerable"
So just mandate 2FA then, Shirley.
However, please make the option to simply use TOTP codes easy to find, like it used to be.
And don't bollocks up the process like Facebook seems to have done for a couple of my colleagues (of course, we can all think of a different solution to that particular problem...).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
