At least, in this case, the WAF in question had the decency to return 403.
I've worked with a WAF installation (totally different product), where the "WAF fail" tell was HTTP status 200 (!) and "location: /" (and some garbage cookies), possibly to get browsers to redirect using said cookies. This was part of the CSRF protection.
Other problems were with "command injection"-patterns (like in the article, except with specific Windows commands, too - they clash with everyday words which the users submit), and obviously SQL injections which cover some relevant words, too.
The bottom line is that WAFs in their "hardened/insurance friendly" standard configs are set up to protect the company from amateurs exposing buggy, unsupported software or architectures. WAFs are useful for that, but you still have all the other issues with buggy, unsupported software.
As others have written, WAFs can be useful to protect against emerging threats, like we saw with the log4j exploit which CloudFlare rolled out protection for quite fast.
Unless you want compliance more than customers, you MUST at least have a process to add exceptions to "all the rules"-circus they put in front of the buggy apps.
Whack-a-mole security filtering is bad, but whack-a-mole relaxation rule creation against an unknown filter is really tiring.
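To make the false-positive problem and the "exception process" concrete, here is an added example (not code from any commenter or any real WAF product). It models a generic command-name signature rule, a constructed set of benign support-ticket texts, and a relaxation rule keyed on (path, rule) rather than a global rule disable. The rule word list, the paths and the ticket texts are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Request is a minimal stand-in for an HTTP request: the path the rule
// engine keys exceptions on, and one user-supplied text field.
type Request struct {
	Path string
	Body string
}

// commandInjectionRule imitates a generic "command injection" signature:
// a bare list of shell/Windows command names. Constructed for this
// example; it is not a rule taken from any real product.
var commandInjectionRule = regexp.MustCompile(`(?i)\b(del|dir|format|echo|net|cat|ls|rm)\b`)

const ruleName = "cmd-injection"

// Exception is one relaxation rule: on this path, this rule is skipped.
// Keeping exceptions explicit and narrow is the "process" the comment
// above argues every WAF deployment needs.
type Exception struct {
	Path string
	Rule string
}

// WAF holds the active exceptions; everything else is the default rule set.
type WAF struct {
	exceptions map[Exception]bool
}

func NewWAF() *WAF { return &WAF{exceptions: map[Exception]bool{}} }

// AddException relaxes one rule on one path only; other paths keep it.
func (w *WAF) AddException(path, rule string) {
	w.exceptions[Exception{Path: path, Rule: rule}] = true
}

// Inspect returns the status the WAF would send (403 on an un-excepted
// match, 200 otherwise) and the matched rule name for the audit log.
func (w *WAF) Inspect(r Request) (int, string) {
	if w.exceptions[Exception{Path: r.Path, Rule: ruleName}] {
		return 200, ""
	}
	if commandInjectionRule.MatchString(r.Body) {
		return 403, ruleName
	}
	return 200, ""
}

// BenignTraffic is constructed sample input: ordinary free-text tickets
// that happen to contain words from the signature list.
var BenignTraffic = []Request{
	{Path: "/support/ticket", Body: "Please format the report as PDF"},
	{Path: "/support/ticket", Body: "My cat knocked the router over, WiFi is down"},
	{Path: "/support/ticket", Body: "I can't open the shared dir on the new laptop"},
	{Path: "/support/ticket", Body: "Password reset link expired"},
}

// CountBlocked returns how many of the given requests the WAF would 403.
func CountBlocked(w *WAF, reqs []Request) int {
	blocked := 0
	for _, r := range reqs {
		if status, _ := w.Inspect(r); status == 403 {
			blocked++
		}
	}
	return blocked
}

func main() {
	w := NewWAF()
	fmt.Printf("default rules: %d of %d benign tickets blocked\n",
		CountBlocked(w, BenignTraffic), len(BenignTraffic))
	w.AddException("/support/ticket", ruleName)
	fmt.Printf("with exception: %d of %d benign tickets blocked\n",
		CountBlocked(w, BenignTraffic), len(BenignTraffic))
	// The exception is scoped: the same text on another path is still blocked.
	status, rule := w.Inspect(Request{Path: "/other", Body: "format the report"})
	fmt.Println("other path:", status, rule)
}
```

The point of keying exceptions on (path, rule) is that the relaxation stays auditable and narrow: three of four ordinary tickets are blocked by the default rule, zero after the exception, and the rule still applies everywhere else.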
So, no you don't need a "Microsoft-esque" company, you need independent service providers who just know their stuff. Today, a company (any company!) with the proper skills CAN offer setting up and maintaining government infrastructure, independent and sovereign from Microsoft, by using commoditized hardware and open source software, with no long term vendor lock-in.
The offerings do exist, and get some traction. If done right, they should be cheaper in both short and long run, compared to Microsoft licensing.
So, what's holding us back?
1) One element is aggressive pricing for key customers and partners, on the part of the smarter incumbents (in this case Microsoft).
2) Another is a "reverse network effect": Scarcity of talent to create companies like the ones I suggest. And with too little supply, the demand side will be afraid to "not choose IBM" (figuratively).
3) A third is Microsoft 365's real-time collaborative editing. Yeah, really. The needs of some specific users get to dominate decision-making, since the key decisions are pitched in PowerPoint, analysed in Word, budgeted in Excel and distributed using Outlook. A lot of old dogs would have to learn new tricks.
The Eclipse Compiler for Java [1] is a notable exception, architected around incremental compilation, an API for “live” AST manipulation, and a layered non-batch approach to when to invoke various analysis steps.
The LSP for Java [2] used in e.g. VSCode’s Java plugins, builds on this API.
But, no, I haven’t seen a generalized approach to this architecture discussed in literature.
By that logic, the worst possible recidivism rate (surely 100%) would make someone 1500x more likely to commit crime than a non-offender.
That’s still a pretty good case for having effective rehabilitation (unless you insist on the death sentence for all prisonable offences).
You don’t have to execute them, just lock them up until they’re too old to be a threat.
I’ve been a victim of violent crime at least a dozen times in my life. I wasn’t the first victim for any of my attackers. Far from it. And I wasn’t the last. Every single one of them escaped. They probably got caught on some other occasion, and maybe they spent some time in prison for that crime. And then they got out and continued robbing and assaulting innocent people. They’ll keep doing this as long as they are physically able.
I don’t really care what happens to them, because they’re basically constantly-exploding bombs that force the rest of us to pay more in taxes for police, invest in more security systems, avoid certain areas at certain times, and generally worry about safety much more than we otherwise would. Most criminals have been given countless chances to not commit crime, and they keep doing it. The sooner they’re separated from society, the better off we’ll all be.
I've moved lots of times. In terms of crime, the SF bay area was by far the worst. The Bronx was second-worst, but I hear it's gotten a lot better since I lived there. Portland has gotten pretty bad over the past few years but at least I can legally carry a gun there.
When you're 5'6" and 120lbs, criminals will target you.
You should try Europe or Australia. The worst I've ever experienced is having someone break and enter while I wasn't there. I have lived in what could be considered less than savoury areas in Sydney and have stayed all over Europe and the world (as a digital nomad, currently at 45 countries).
I wasn't born in the US. I've lived in other countries. There are other disadvantages to places like Europe or Australia (or Japan or China, where I've also spent time) that make the tradeoff not worth it to me. The biggest issue is that you'll always be a foreigner. Even if you jump through the hoops to become a citizen, you won't be accepted the same way that Americans accept immigrants. US conservatives are painted as disliking immigrants, but that's only true for immigrants who don't culturally assimilate. Conservatives have no problem electing immigrants like Winsome Sears, Arnold Schwarzenegger, and Young Kim. The mayor of Helena, Montana is a refugee from Liberia. The state with the most foreign-born governors is Georgia. Anyone who claimed that these people aren't "real Americans" would be shunned and shamed across the political spectrum.
There's also the issue of employment and compensation. My skills are worth far less in other countries. I make over $250k/year in compensation, and my taxes are low enough that I've managed to accumulate "fuck you" money before the age of 40. I could retire, but I want to maximize my family's quality of life. It'd also be nice to have an aircraft and a cabin on some land in the middle of nowhere. My chances of accomplishing those goals in another country are much lower. (I'll probably have the cabin in a few years. The aircraft... well, we'll see.)
If I wanted to move to an area with low crime, I could choose from plenty of places in the US. I don't live in those places because, similar to other countries, I'd have to take a massive pay cut. As remote work becomes more commonplace, that could change.
Interesting points. Yeah, it is pretty funny hearing conservatives being called Nazis and fascists all the time. In many ways America is already living the Star Trek future. Well, except for the UBI. (You'll probably get that soon though, the robots are just about done cooking.)
I heard you can get a used Cessna for $15k. But maybe you want something fancy ;)
The buffer overflow is in the C version of the algorithm (and likely related to loop condition checks idiomatic to C's for-loops).
The Go version is a fresh implementation, not a wrapping of the C version. I'm no Go programmer, but if I'm not mistaken, the Go implementation just eats little slices of the input buffer until no more buffer is left, leaving all the overflow-danger to the Go array implementation:
Just for what it's worth, we're talking about the amd64 assembly version of the SHA3 code in the x/crypto/sha3 library; I didn't look carefully at how it's called, so if it's used incrementally the way this Go code shows, then yeah, it's fine regardless.
A second later
Oh, wait, yeah, this is just the Keccak permutation in assembly, not the entire hash. That was dumb of me. Yeah, this code looks ok?
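The property the thread is circling is that an incremental hash must give the same digest no matter how the caller slices the input, and that chunk-boundary bugs (the class of bug in the C code) show up exactly when that property fails. Here is an added example, not code from the thread or from x/crypto: a differential check that hashes a constructed 300-byte buffer with every chunk size and reports the first size whose digest disagrees with a single-shot hash. It uses crypto/sha512 from the standard library as the stand-in hash (an assumption made so it runs offline; the check works for any hash.Hash, including sha3.New256 from x/crypto), plus a constructed wrapper with a deliberate short-write bug to show what a failure looks like.

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"fmt"
	"hash"
)

// sampleInput is constructed: 300 bytes, so it spans several 128-byte
// SHA-512 blocks, which is where boundary-handling bugs would surface.
func sampleInput() []byte {
	buf := make([]byte, 300)
	for i := range buf {
		buf[i] = byte(i * 7)
	}
	return buf
}

// hashInChunks feeds msg to a fresh hash in slices of at most chunk bytes,
// the way the Go caller described above walks the buffer, and returns the
// digest. A chunk larger than msg means a single Write call.
func hashInChunks(newHash func() hash.Hash, msg []byte, chunk int) []byte {
	h := newHash()
	for len(msg) > 0 {
		n := chunk
		if n > len(msg) {
			n = len(msg)
		}
		h.Write(msg[:n])
		msg = msg[n:]
	}
	return h.Sum(nil)
}

// FirstInconsistentChunkSize returns the smallest chunk size in
// 1..len(msg)+1 whose digest differs from the one-shot digest, or 0 if
// every slicing agrees. A non-zero result points at a buffering bug.
func FirstInconsistentChunkSize(newHash func() hash.Hash, msg []byte) int {
	want := hashInChunks(newHash, msg, len(msg)+1)
	for chunk := 1; chunk <= len(msg)+1; chunk++ {
		if !bytes.Equal(hashInChunks(newHash, msg, chunk), want) {
			return chunk
		}
	}
	return 0
}

// brokenHash is a constructed wrapper with a deliberate off-by-one: any
// Write shorter than the block size silently loses its final byte. It
// stands in for the kind of chunk-boundary defect the thread discusses.
type brokenHash struct{ hash.Hash }

func (b brokenHash) Write(p []byte) (int, error) {
	if len(p) > 0 && len(p) < b.BlockSize() {
		b.Hash.Write(p[:len(p)-1])
		return len(p), nil
	}
	return b.Hash.Write(p)
}

func newBroken() hash.Hash { return brokenHash{sha512.New()} }

func main() {
	msg := sampleInput()
	fmt.Println("sha512 first inconsistent chunk size:",
		FirstInconsistentChunkSize(sha512.New, msg)) // 0: all slicings agree
	fmt.Println("broken wrapper first inconsistent chunk size:",
		FirstInconsistentChunkSize(newBroken, msg)) // 1: caught immediately
}
```

Run against a correct hash the check returns 0; against the broken wrapper it fails at chunk size 1, because a one-byte Write drops its only byte. This is a cheap test to keep beside any incremental hash or cipher wrapper, since a one-shot test alone cannot see boundary bugs.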
PreVue Channel also had an ad-delivery platform which served ads for the upper half of the prevue channel. The system was completely “headless”, using an A4000 that you could dial into, and upload new ads etc.
I developed that in 1993 — I think it was called “AdVue” commercially.
It was able to slideshow/carousel the uploaded IFF/ILBM files or JPEGs, as I recall. I somehow managed to write a dithering algorithm for rendering as HAM8. I don’t recall how I chose the palette seed colors, as I didn’t know proper clustering algorithms back then.
I also somehow pieced together the “BBS” like Zmodem/Xmodem/etc. functionality for uploads. Long live Public Domain sources. This was pre GitHub ;-)
I’ve heard that the system was used for several years in both USA and perhaps Central and South America.
I lost contact with the company after going back home to Denmark.
The first time I ever saw JPEG images was from an Amiga magazine (Amiga Format maybe?) coverdisk. If I recall correctly my A2000 would actually take time to display the whole image - it wasn't instant.
I actually went and found the code. It wasn’t JPEG after all, it was Targa, but it still had to be turned into HAM8.
At that time, I had already worked with JPEG on the Amiga, for loading and saving images to/from the GVP TBCplus product. As I recall, it took about a second to load a JPEG image at SD video resolutions, but that was likely with a 68030 or 68040.
There is actually a small community still interested in poking around what little software related to Prevue we’ve found. Did you have any other involvement with the Prevue software?
That's correct. With many concurrent connections, you save memory (from thread stacks) and context switches (since you don't need to switch thread to process each socket).
If all you want is a single request (and you have to wait for results to continue work), you don't gain anything by going async.
> If all you want is a single request (and you have to wait for results to continue work), you don't gain anything by going async
This is true for HTTP version < 2 because of the head-of-line blocking. With HTTP 2 I think a single connection will see a better throughput if not massive increase.