• 1 Post
  • 137 Comments
Joined 1 year ago
cake
Cake day: July 2nd, 2023

help-circle








  • Using Kali? Easy if you have training. The capstone for our security course a decade ago was too find and exploit 5 remote machines (4 on the same network, 1 was on a second network only one of the machines had access to) in an hour with Kali. I found all 5 but could only exploit 3 of them. If I didn’t have to exploit any of them 7 would be reasonably easy to find.

    Kali basically has a library of known exploits and you just run the scanner on a target.

    This isn’t novel exploit discovery. This is “which of these 10 windows machines hasn’t been updated in 3 years?”


  • A question to consider seriously: name a company that has a full OS that supports modern tooling/development environments with consistent graphical fidelity across a wide range of hardware that a manufacturer can pay to maintain the host OS, provides guarantees to OS LTS/security patching and has a proven track record in deploying, supporting and delivering kiosk support.

    The only serious answer is Microsoft, and maybe Canonical… But Canonical hasn’t been around for as long as most of these kiosks have.

    There are a couple of huge blockers for manufacturers looking at companies that provide Linux support:

    1. Industry track record. Red Hat, Canonical, Google and Oracle are basically the only large scale players in the enterprise Linux support. Red Hat basically only provides support for server/backend infrastructure. Has Google had anything other than Gmail and maps last for more than five years? So that leaves us with Canonical. What’s the longest release Canonical has? 4 years now? Microsoft has 15 year support contracts. The only other player in the market that even comes close is Oracle (Oracle still supports Java 1.4 for example: 22years)

    2. Consistent graphical performance: until the last 5 years graphical fidelity on Linux has been a shit show. A decade ago, getting even the largest players to support Linux was a huge undertaking. Basically the only consistent graphics support was the result of android and that is basically only mediatek.

    3. Development environments. Windows wins this hands down without even a question. Go back 15-20 years and it’s even more obviously in Microsoft’s favor. NET gui apps are brain dead easy to make, super consistent and stupid easy to maintain. This drastically decreases development time and cost allowing companies to pay for the crazy expensive support contracts.

    The numbers these companies deal with isn’t thousands or even hundreds of thousands of dollars. It’s tens or hundreds of millions. There is no way in hell a manufacturer is going to give an untested bespoke Linux distro maintainer 25 million to keep that Linux distro running for the next 10-20 years. There isn’t a feasible way for a small company to even support at that price for that length of time.

    Oracle and RedHat are the only truly feasible options, and it costs more to develop GUI apps on either platform when there isn’t a 20 year track record of known success. It’s obvious why companies pick Microsoft.






  • I don’t think either is actually true. I know many programmers who can fix a problem once the bug is identified but wouldn’t be able to find it themselves nor would they be able to determine if a bug is exploitable without significant coaching.

    Exploit finding is a specific skill set that requires thinking about multiple levels of abstraction simultaneously (or intentionally methodically). I have found that most programmers simply don’t do this.

    I think the definition of “good” comes into play here, because the vast majority of programmers need to dependably discover solutions to problems that other people find. Ingenuity and multilevel abstract thinking are not critically important and many of these engineers who reliably fix problems without hand holding are good engineers in my book.

    I suppose that it could be argued that finding the source of a bug from a bug report requires detective skills, but even this is mostly guided inspection with modern tooling.





  • The whoosh is part of the joke… Which apparently you didn’t know. Also, it isn’t insular. It’s literally the opposite of that. I thought they were participating in the joke until they replied in such a negative way.

    I don’t understand why you are so upset about this and why you are so derogatory towards what is potentially the largest generation of chess players proportionally to their generation size to have ever existed.