Forwarded from HN Best Comments
Re: Potential session/cache leakage between workspace instances or consumer accounts
This attack is called "HTTP desync" or "request smuggling". It's often done intentionally by a client to try and spy on other clients' responses.
Every time you multiplex requests from multiple clients onto one upstream connection, you are probably vulnerable to this, because (despite its superficial simplicity) HTTP is just too complex to reliably match the requests and responses to upstream.
For example a desync can be triggered in some systems by having more than one Content-Length header, by mixing Content-Length with chunked encoding, or by passing an HTTP/2 header called Content-Length that doesn't match the actual content length.
Here's a DEF CON talk (6 years ago) on this topic: https://www.youtube.com/watch?v=w-eJM2Pc0KI
The same attack has been applied to SMTP by messing up the line endings surrounding the end-of-message delimiter, where it's called SMTP smuggling. It may also apply to other protocols.
pocksuppet, 1 day ago
This attack is called "HTTP desync" or "request smuggling". It's often done intentionally by a client to try and spy on other clients' responses.
Every time you multiplex requests from multiple clients onto one upstream connection, you are probably vulnerable to this, because (despite its superficial simplicity) HTTP is just too complex to reliably match the requests and responses to upstream.
For example a desync can be triggered in some systems by having more than one Content-Length header, by mixing Content-Length with chunked encoding, or by passing an HTTP/2 header called Content-Length that doesn't match the actual content length.
Here's a DEF CON talk (6 years ago) on this topic: https://www.youtube.com/watch?v=w-eJM2Pc0KI
The same attack has been applied to SMTP by messing up the line endings surrounding the end-of-message delimiter, where it's called SMTP smuggling. It may also apply to other protocols.
pocksuppet, 1 day ago
YouTube
albinowax - HTTP Desync Attacks: Smashing into the Cell Next Door - DEF CON 27 Conference
HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play…
Forwarded from Tech Crimes (Architector #4 (3D comms open))
theregister
Microsoft flips Windows Backup to on by default unless you're in the EU
Everyone else must opt out manually if they don't fancy settings data shipped off-device
>Я тут подумав: міністр оборони в Україні це як викладач захисту від темних мистецтв в Хогварсті
😁10🥴1
>“You type in the question or use your voice and it [AI] gives you a detailed answer,
like ‘How can I build a bomb?’ and then it tells you how. It is like a human robot! We
used it a lot.”
>“Before, the bomb explosion was not that big, but then they studied it. AI told us
what chemicals to put in that made the explosion heavier.”
>“We used to rely on our traditional methods. We sent 200 fighters because we had a
lot of strength, but then 60 got killed. With the help of AI, we learned that it
sometimes makes sense to only send 20. We learned more about well-coordinated
attacks and deployment of smaller units.”
>“The white guys assembled the top people in a room. They used a projector to show
how it [AI] works on a big screen.”
>“We have people in different places who set up accounts that can’t be linked to us.
They also pay for the subscriptions.”
“[B]oys that have received extensive training [...] bypass the restrictions. They say
they need it for a movie or something like that.”
>“God has helped us, and so will AI.”
like ‘How can I build a bomb?’ and then it tells you how. It is like a human robot! We
used it a lot.”
>“Before, the bomb explosion was not that big, but then they studied it. AI told us
what chemicals to put in that made the explosion heavier.”
>“We used to rely on our traditional methods. We sent 200 fighters because we had a
lot of strength, but then 60 got killed. With the help of AI, we learned that it
sometimes makes sense to only send 20. We learned more about well-coordinated
attacks and deployment of smaller units.”
>“The white guys assembled the top people in a room. They used a projector to show
how it [AI] works on a big screen.”
>“We have people in different places who set up accounts that can’t be linked to us.
They also pay for the subscriptions.”
“[B]oys that have received extensive training [...] bypass the restrictions. They say
they need it for a movie or something like that.”
>“God has helped us, and so will AI.”
👍4🌚3
Forwarded from mapgleos ✙ #УкрТґ
daily reminder that you can use LLMs to scan this kilometer-long Terms of Service agreements and find some nasty shit that they do with your data
👍14
Forwarded from vx-underground
> malware
> tries to run as admin
> fails
> already running as admin
> didn't check privileges before
> self terminates because thinks isn't admin
This is why you should run every application as Admin, for the 1/1,000,000 chance a malware payload forgets to check it's privilege
> tries to run as admin
> fails
> already running as admin
> didn't check privileges before
> self terminates because thinks isn't admin
This is why you should run every application as Admin, for the 1/1,000,000 chance a malware payload forgets to check it's privilege
😁23
Forwarded from Exilenova+
This media is not supported in your browser
VIEW IN TELEGRAM
Тим часом російські МВГ учаться літати. Як то кажуть аналогов нет 🤭
Please open Telegram to view this post
VIEW IN TELEGRAM
😁15
Exilenova+
Тим часом російські МВГ учаться літати. Як то кажуть аналогов нет 🤭
Як перестати передивлятися на репіті цей відос)
Forwarded from Half-Life Memes (🇱 🇴 🇺)
This media is not supported in your browser
VIEW IN TELEGRAM
😁2