- kryogen1c: Oh goodness, where's my head at, thank you. Too late to edit, but you are correct. Memory exfiltration, potentially containing passwords and secrets, leading to privilege escalation. Not an RCE.
- >I think you mistook "MongoDB"
I must have; the sentence does not make sense to me. Here it is, shortened: "this vuln in mongodb server does not impact mongodb, managed mongodb server, or our systems". If the first clause is referring to their systems, why do they say the same thing in the third clause?
Also, I just noticed: how come they say Atlas wasn't affected but say they patched it in their timeline?
>give them the benefit of doubt that they'd have said so
Statements like this are basically legal admissions of guilt; I expect there to be as little truth as possible.
>You are familiar with things like SOC and SIEM, and you're confused by this?
I work in IT, I'm not a coder... so yes :) Hundreds of hours seems excessive. Remember, this isn't a safe deployment or rollout plan; that's the next block of time. Hundreds of man hours is more than one person's full month of work. Do you expect it to take you a whole, dedicated month to fix 1 bug at a time?
>That's what SIEMs do if they're adequately configured.
This is a bit of a no true Scotsman. The intended error log is "error: {cstring payload nullterm} broke" and the mongobleed log is "error: {cstring payload MISSINGNULLTERM cstring payload nullterm} broke". Those two things look identical; how is any amount of configuration supposed to catch that?
- >proactive [...] security program
Idk how proactive patching an exploited-in-the-wild unauth RCE is, but PR statements gonna PR, I guess.
>This [...] vuln is not a breach or compromise of MongoDB
IANAL, but this seems like a pretty strong stance to take? Who exactly are you blaming here?
>vulnerability was discovered internally
>detected the issue
Interesting choice of words. I wonder if their SIEM/SOC discovered a compromise, or if someone detected a tweet.
>December 12–14 – We worked continuously
It took 72 clock hours, assumably hundreds of man hours, to fix a malloc use after free and cstring null term bug? Maybe the user input field length part was a major design point??
>dec 12 "detect" the issue, dec 19 cve, dec 23 first post
Boy, this sure seems like a long time for a first communication about a guaranteed-compromise-if-internet-facing bug.
Not sure there's a security tool in the world that would stop data exfiltration via protocol error logs.
- I think the greatest crime social media has committed is convincing everyone their opinion matters, the idea that research/journalism is hot-swappable with fact-checking.
Sometimes in conversation Israel or tariffs or whatever comes up and I'm always like... idk? What do I, have a PhD? I know enough to know they're complex issues and the worst thing I could do is have a strong opinion.
- And how do you think vehicle ownership compares between those two groups?
- This is pretty much dead on. I live in a rural part of the US and there are tons of old, worked-on trucks. The idea that there might be an all-electric f150 hanging out in 40 years is, frankly, laughable.
I know a lot of city kids think trucks are some obnoxious luxury good, but they're basically a functional requirement in most of the (very large) country.
- >But don't tell me that Katie Ledecky didn't put in a huge amount of effort
Perhaps you should try reading the article, because it doesn't say that. It's a 5-minute read, although perhaps you shouldn't bother because most others don't appear to have either.
Edit: actually, I daresay the contention of the article is the exact opposite: it's likely that Ledecky put in the least effort out of anyone.
- >Jazz people can be such losers sometimes
This has never occurred to me before, but I don't think I've ever met a jazz lover I liked.
This surprises me. I'll think about this a bit; perhaps a cognitive psychological rabbit hole is in order.
- > 2013, the last pre-subscription version
https://www.microsoft.com/en-us/microsoft-365/p/office-home-...
I found this using my secret inside IT knowledge: searched "buy office perpetual" on the internet.
I know Microsoft is the evil soulless megacorp on HN, but the least you could do is attack them for true things instead of totally made up, has-never-ever-been-true things.
- I went to Ignite a few weeks ago, and the theme of the event and most talks was "look at how we're leveraging AI in this product to add value".
Separately, the theme from talking to Every. Single. Person on the buy-side was gigantic eye roll, yes I can't wait for AI to solve all my problems.
Companies I support are being directed from their presidents to use AI, literally a solution in search of a problem.
- > gambling/loot box [...] legit ethical concerns
I've never understood this argument. Dopaminergic and attention pathways/systems are under full assault from every angle, and parents give their 6 year olds phones, and people take a moral stance against... loot boxes?
That's like taking a moral stance against flavors in alcohol. I kinda think you're missing the point.
- > “It’s shocking to see people blocking traffic, taking possession of the public space without a permit, without warning, and then turning our streets, our parks, our public squares into places of worship,” said Roberge.
It is fucking insane that the response to people blocking traffic in prayer is to outlaw prayer.
Secularism is giving equal treatment to all religions; this isn't secularism, this is a thinly veiled, fanatical crusade against religion.
- Wouldn't this model price out poor people? Doesn't that mean the most vulnerable people can't afford the services when they need them most, i.e. max hot/cold?
Changing the utility to a market sort of defeats the point of trying to optimize the utility.
- The comparison was not accidental. I expect a similar, meaningless outcome for poisoning children.
- > a Meta spokesperson said in a statement to TIME. "The full record will show that for over a decade, we have listened to parents, researched issues that matter most, and made real changes to protect teens
Omegalol. Cigarette maker introduces filter, cares about your health.
- > But what is the solution?
Don't allow the commoditization of public imagery, i.e. being a tourist is legal and being a business is not.
- > They've poisoned the internet
And what of the people that ravenously support ads and ad-supported content, instead of paying?
What of the consumptive public? Are they not responsible for their choices?
I do not consume algorithmic content, I do not have any social media (unless you count HN for either).
You can't have it both ways. Lead by example, stop using the poison and find friends that aren't addicted. Build an offline community.
- Yes, to rephrase: you don't need DDoS protection if you don't get DDoS'd (just don't get attacked lol). Well, no shit, thanks for the advice.
As you say, the risk is not a temp outage for small users; the risk is your ISP or host or whatever disowning you.