> the legitimate ones I’d initially generated still worked
This spooks me. I take this to mean either:
- They are still using the compromised key for validation, meaning if you have access to any old token, you can still mutate that, maybe needing to play around with the issuing times
- They built an allowlist of all permitted tokens, and check that list first. In which case, might as well use random session ids instead of JWTs, and at the same point where the allowlist is being checked, mutate the request to inject a JWT that the backend can use.
Also, kind of curious why the switch to RSA4096 instead of elliptic curves, since they are generally faster / smaller.
Ah that makes sense. For sufficiently small values of N, a hardcoded allowlist isn't a problem.
You're probably right that RSA 4096 "just worked", and some library in their stack doesn't have elliptic curve support. And again, if N is small, the verification performance doesn't matter that much.
+1 to this. I run Ubuntu 22.04 with microk8s. Keep all my yaml files in a local git repo, figured out how to hook up my NAS to provide storage via nfs.
It's definitely gone down a few times, but I've learned a TON tinkering with it. super easy to spin up a new hobby project, a nice web UI for seeing what the heck is going on.
I've completely borked it a couple times and survived one micro pc migration. Can't recommend it more
I was on the jury of a federal fraud trial with 2 defendants with 15 charges, ~30 million in losses.
We were thorough and went through each count separately, including reviewing some of the evidence, and were done in maybe 8 hours spread across 2 days.
We ended up with a mixed verdict: one count not guilty for both, another not guilty for one. I fully believe they were aware and committed fraud for the not guilty counts, but the prosecutor wasn’t able to cross the “reasonable doubt” threshold in our minds for those specific instances.
Only thing we weren’t super careful about was the first requirement for Mail/Wire fraud, which is “Mail and wires” were used.
It was amusing that the prosecutors brought in a bank IT guy to explain that “the internet uses wires”, but not really something we questioned.
And are modern fiber optic cables wires in any sense of the word? Does the relevant statute in USC18 actually define "wire" for the purpose of the crime?
Part of me thinks that wireless communications must be included, but one might make the case that even then, information/communication is transmitted over wire at some point.
"having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice"
UPDATE: Various court decisions have expanded the interpretation so that "wire fraud" also involves the use of the internet, phone calls, emails, social media messages, faxes, telegrams, fiber optic, cable or SMS messaging and data systems.
I am not a lawyer, though. I could be mistaken on this.
“So, contrary to popular belief, the internet is not some big truck that you can just dump something on a la Ted Stevens; it’s more of a … series of tubes?”
Is there any way to tie an expectation of long term security support with legal protection of the product against competitors/reverse engineers/other parties that manufacturers may not want looking too closely?
I’m not suggesting granting additional protections to manufacturers, but codify an expectation of “if you abandon it, other people can come in and potentially salvage it”
At home I have a little Intel NUC running ubuntu hooked up to a 4 bay synology NAS.
I’m running several web apps, a git server, Plex, pihole, private CA, and keykloak, all on top of microk8s. It’s overkill, but I appreciated the opportunity to fiddle around and learn K8S without stress of external obligations.
I have two ingresses, one internal and one external facing. The external one is exposed via cloudflare and a micro vm (for multi level subdomains that cloudflare doesn’t support for free).
dyndns is handled by the router. It writes to a pseudorandom hostname, and cloudflare references it by CNAME.
It doesn’t get any significant amount of external traffic, but is good enough for family to use for the web apps + a yearly march madness pool (that can’t be hosted on yahoo/ESPN/etc due to a custom family rule set).
When kids first enter foster care, the state assumes care and tries to work with the parents to resolve whatever issues caused the kids to be removed. During this time, the kid ideally stays with another family member or friend, but with a random foster family if not. The parents remain the legal guardians and have opportunities to see their kids, coordinated by the state.
If reunification is determined to be impossible, the state goes to court to sever parental rights. This determination normally takes a year plus, and usually means the parents have checked out or are no longer trying to resolve the issues. Only once parental rights are severed is the child considered "legally free", and is eligible to be adopted into another family. In the ideal case, this is the family they were staying with before parental rights were severed, but not necessarily.
I haven't looked into the details of this article, but I assume these funds will be used for kids that have had parental rights severed, and were either adopted or "age out" of the foster care system.
Once in foster care, most kids are traumatized. Once parental rights are severed, it is incredibly difficult for parents to "re-adopt" their kid. I sure hope no parents are so short sighted to put their child through hell to reduce the cost of college.
This spooks me. I take this to mean either:
- They are still using the compromised key for validation, meaning if you have access to any old token, you can still mutate that, maybe needing to play around with the issuing times
- They built an allowlist of all permitted tokens, and check that list first. In which case, might as well use random session ids instead of JWTs, and at the same point where the allowlist is being checked, mutate the request to inject a JWT that the backend can use.
Also, kind of curious why the switch to RSA4096 instead of elliptic curves, since they are generally faster / smaller.