Best practice guide: https://github.com/killerk3emstar/rot52
"Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events."
I will say though, this kind of thing does wonders for my imposter syndrome.
There's a lot less freedom in reinventing the wheel in Formula 1 nowadays.
https://www.formula1-dictionary.net/wheels.html
The steering wheel of course isn't even a wheel anymore, for a long time. It's some video game console / airplane cockpit looking monstrosity.
How do you arrive at that conclusion after reading an article on how an API had a broken access control vulnerability?
[1] https://en.wikipedia.org/wiki/Password_Hashing_Competition
[2] https://cheatsheetseries.owasp.org/cheatsheets/Password_Stor...
https://trust.okta.com/security-advisories/okta-ad-ldap-dele...
James Vowles, current Williams TP ordered his team to "break everything" in order to improve and change: https://youtu.be/nYzwvTSffiY?t=3129
What is often forgotten is that all F1 cars are prototypes; they NEED to constantly change and innovate, and every year it starts from the beginning (almost).
There is a fantastic book called Total Competition, which is a conversation between two ex-team principals, one of them Ross Brawn, probably the most successful F1 engineer. In it, Brawn says: "But where I think Formula One is very strong is in the culture. If you wanted to develop a concept and to drive things forward at maximum pace, utilize it in Formula One. The composite companies love Formula One because we are willing to try things. If they’ve got a new resin system or a new type of fibre, they give it to the Formula One teams to explore for them, to look at the applications and come back with the feedback. If they put it in the aerospace industry, five years later they would have an answer. Put it into Formula One and five months later they have got an answer."
[1] https://en.wikipedia.org/wiki/F%C3%A9d%C3%A9ration_Internati... https://en.wikipedia.org/wiki/Formula_One_Group
I hope you got at least free tickets for life out of this.
I hate this kind of post-hoc finger pointing people do after security breaches. There are other concerns in life beyond security - you're naive to think differently. Is your house secure, or could somebody break past your protections? Have you harmed your defensive posture with negligence of security? Do you even care?
How do you feel if that's also what your bank chooses for you?
If you aren’t prepared to face criticism after a failure, you shouldn’t participate in a professional environment. Without people pointing out where it went wrong you’ll never know what to improve upon. Because if you knew, and chose not to act... now that would be a whole new level of incompetence.
NEVER trust user supplied data.
Once that rule was broken, any other rules broken became clear to everyone
Here's a better article: https://techcrunch.com/2017/07/25/hungarian-hacker-arrested-... - it seems like this was good faith security research (he disclosed the issue after testing it) and he couldn't use the transport pass he "stole" because he didn't even live in their service area anyway.
This arrest had nothing to do with stealing and all to do with putting well-connected, incompetent people in a very uncomfortable position.
A kid showed up a bunch of big names. That's the equivalent of a kid walking into a bank and somehow making it into the vault, alerting security to the fact that it's possible without actually making off with all of the gold. That's on the bank, not on the kid. Nobody came into your house or stole your property. If they had the police likely wouldn't show up, nor would the case make the newspaper even if - hah, as if that happens - they made an arrest.
The only reason you are hearing about this is because someone at 'bigcorp' didn't want to accept responsibility for their fuckups, and so they used the law to come down on some kid which effectively did them a service, which costs society a large pile of money, further externalizing the cost of their fuckup.
The kid purposely changed the price of a service to lower it to an insignificant fraction (reportedly from ~27£ to ~0.15£).
If that same kid went around a supermarket replacing price tags to lower the selling price, would you call it "showing up a bunch of big names"?
Say what you may about how broken and buggy the system was. Purposely misusing it for financial advantage is still a no-no.
I could comment extensively on the issue, as it is not as cut and dried as you imply. Instead, I'm going to link to the HN discussion from 2017, as I think it is insightful and covers the nuances.
> Did you try adjusting price?
And he was punished for "hacking", not for stealing, and for indirectly putting to shame who was responsible for the epic fail.
You're failing to address the point. It is also trivial to switch price tags in supermarkets. If a kid rips off the tag of an expensive product, tacks on another price tag for pennies, and proceeds to pay the reported price at the checkout counter, is this something deemed acceptable or even classified as vulnerability research?
Make no mistake: the system was a shit show and all companies involved pulled some "sociopath mid-level manager saving his ass" moves. But the issue is nuanced.
Sounds more like vulnerability research than crime to me.
This is the key difference. The comment I was replying to implied that the transaction was actually completed, or at least I thought it did.
If the guy[0] didn't indeed actually benefit from the vulnerability then that is a very different story, and I don't think he should be arrested in that case.
0: not "kid" -- he is 18 which I assume is above the age of criminal responsibility in Hungary.
Then you took their money and gave them the item without saying anything.
Would seem like a weird situation, but I don’t see how it's theft.
somefile-small.jpg -> somefile.jpg
There is zero excuse for that though. 16 chars is just way too short for a proper secure pass phrase, but at least make it consistent with password creation!
If your software doesn't accept this password, please change career immediately:
ú¨<¹7®fÍå0Á1n:1}Àº»ê:t]íw´¾ã\B²¸Æþ®M3_ø>$¼ÿa÷mH¦ñ%?6ñE$l#DhqI£«{'Ø"V^c4u
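As an added illustration of the point above (example code written for this thread, not from the original site or any project discussed here): a sign-up/login path that accepts any printable Unicode, applies the same length rule in both places, normalizes before hashing so the same password typed on different platforms matches, and stores it with a memory-hard KDF (scrypt from the standard library; the bounds `MIN_LEN`/`MAX_LEN` and the scrypt parameters are assumptions for the example). The quoted password is embedded as a constructed test input.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Policy bounds are assumptions for this example; the point is that the upper
# bound is generous and identical at sign-up and at login.
MIN_LEN = 12
MAX_LEN = 256

# The password quoted in the comment above, as a constructed test input.
SAMPLE_PASSWORD = r"""ú¨<¹7®fÍå0Á1n:1}Àº»ê:t]íw´¾ã\B²¸Æþ®M3_ø>$¼ÿa÷mH¦ñ%?6ñE$l#DhqI£«{'Ø"V^c4u"""

# scrypt work factors (assumed for the example): 128 * N * r bytes = 16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalize(password: str) -> str:
    # NFKC so that precomposed and decomposed forms of the same accented
    # characters hash to the same bytes (NIST SP 800-63B recommends this).
    return unicodedata.normalize("NFKC", password)


def check_policy(password: str) -> Tuple[bool, str]:
    """Length and character rules; identical for creation and for login."""
    pw = normalize(password)
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    # Reject only control characters; every printable code point is allowed,
    # so the quoted password (and passphrases with spaces) pass.
    if any(unicodedata.category(c) == "Cc" for c in pw):
        return False, "control characters not allowed"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'scrypt$N$r$p$salt$digest' record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(normalize(password).encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(check_policy(SAMPLE_PASSWORD))
    record = hash_password(SAMPLE_PASSWORD)
    print(record)
    print(verify_password(SAMPLE_PASSWORD, record))
```

The record format carries its own work factors so they can be raised later without invalidating existing hashes; the 16-character cap the comment complains about would be a `MAX_LEN = 16` here, and it would have to be the same constant on both paths to avoid the sign-up/login mismatch.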
Yeah, this is incredibly annoying, though to be fair, this can be a hard problem to solve. 3rd-party systems often don't tell you what their exact phone number validation rules are or silently update them, and then, to top it off, don't throw errors when validation fails. And more often than not, the 3rd-party system's developers also must have never heard of the Falsehoods programmers believe about phone numbers[0].
Source: I was responsible for adjusting phone number validation for a major ecommerce site in the past.
[0]: https://chromium.googlesource.com/external/libphonenumber/+/...
This is why you normalize your tables and use FK Constraints - you aren’t going to catch all the edge cases in code. Let the DB be the final arbiter of validity, because it’s been tested to hell and back.
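An added example of that point (written for this thread, not code from the article or any company mentioned): the same two-table schema opened twice, once with the database enforcing the foreign key and CHECK constraints and once without, with constructed inserts and a delete to show what each path lets through. SQLite is used because it is in the standard library; note that it only enforces foreign keys after `PRAGMA foreign_keys = ON`, which is the kind of "DB is the arbiter" assumption that has to actually be switched on.

```python
import sqlite3

# Constructed schema for the example: orders must point at a real customer
# and must have a positive total.
SCHEMA = """
CREATE TABLE customers (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id) ON DELETE RESTRICT,
    total_cents INTEGER NOT NULL CHECK (total_cents > 0)
);
"""


def open_db(enforce_fk: bool) -> sqlite3.Connection:
    """In-memory DB with one seeded customer; FK enforcement toggled per call."""
    conn = sqlite3.connect(":memory:")
    # Must be set outside a transaction; SQLite defaults it to OFF.
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers (id, email) VALUES (1, 'alice@example.com')")
    conn.commit()
    return conn


def try_insert_order(conn: sqlite3.Connection, customer_id: int, total_cents: int) -> str:
    """Application code passes whatever it was given; the DB decides."""
    try:
        conn.execute("INSERT INTO orders (customer_id, total_cents) VALUES (?, ?)",
                     (customer_id, total_cents))
        conn.commit()
        return "accepted"
    except sqlite3.IntegrityError as exc:
        conn.rollback()
        return "rejected: " + str(exc)


def try_delete_customer(conn: sqlite3.Connection, customer_id: int) -> str:
    """ON DELETE RESTRICT refuses to orphan existing orders (when enforced)."""
    try:
        conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        conn.commit()
        return "accepted"
    except sqlite3.IntegrityError as exc:
        conn.rollback()
        return "rejected: " + str(exc)


def orphan_count(conn: sqlite3.Connection) -> int:
    """Orders whose customer does not exist; should always be zero."""
    row = conn.execute(
        "SELECT COUNT(*) FROM orders o LEFT JOIN customers c ON c.id = o.customer_id "
        "WHERE c.id IS NULL").fetchone()
    return row[0]


if __name__ == "__main__":
    for enforce in (False, True):
        db = open_db(enforce)
        print("foreign_keys", "ON" if enforce else "OFF")
        print("  order for missing customer:", try_insert_order(db, 999, 100))
        print("  order with zero total:     ", try_insert_order(db, 1, 0))
        print("  valid order:               ", try_insert_order(db, 1, 100))
        print("  delete referenced customer:", try_delete_customer(db, 1))
        print("  orphans:", orphan_count(db))
```

With enforcement off, the insert for customer 999 and the later delete both succeed and `orphan_count` climbs; with it on, both come back as `IntegrityError` and the table stays consistent without any of that logic living in the application.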
Re: Huel, that’s pretty smart. My rate of consumption is fairly consistent (usually 1x/day on weekdays), but occasionally I’ll have one on the weekend, so the given cadences worked for me. I do 2x 12-pack / 4 weeks to hit the free shipping tier.
Well, we have passkeys. /s
I don't even call it data anymore. I call it datain't.
I agree, there definitely are many people who don't follow the rule! And so we get things like this, https://en.wikipedia.org/wiki/2014_celebrity_nude_photo_leak
I imagine the instructor "What could I teach Verstappen now..."
I once saw a custom service where you could connect your data, like Mixpanel or some analytics, and the whole motto was that this service did not want any of your PII data, and even the employees and companies that could access all the anonymous data had pseudonyms (e.g., a company named "Ocean's Eleven" with the employees Billy, Reuben, Rusty, Benedict, Linus, Basher, and so on).
Does someone know any architectures or designs of applications (books or references) that take anonymity as default?
Oh, here we go again. JavaScript brings mass assignment back. My efforts went in vain. Strong params, pls!
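To make the complaint concrete, an added example (written for this thread, not code from the article or from any framework): a profile-update handler that copies every key of the request body onto the user record, next to a strong-params style allowlist. The `User` model, the field names and the request body are all constructed for the example; the body is what an attacker would send, the legitimate fields plus two that only the server should ever set.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False      # server-controlled
    balance_cents: int = 0      # server-controlled


# Constructed request body: the two profile fields a user may edit, plus the
# two privileged ones the attacker hopes the server will copy across.
ATTACKER_BODY = {
    "display_name": "Lewis",
    "email": "lewis@example.com",
    "is_admin": True,
    "balance_cents": 10 ** 9,
}

# The fields this endpoint is allowed to write (strong params "permit" list).
PROFILE_FIELDS: FrozenSet[str] = frozenset({"display_name", "email"})


def update_profile_unsafe(user: User, body: Dict) -> User:
    """Mass assignment: whatever the client names, the server sets."""
    for key, value in body.items():
        if hasattr(user, key):          # "validation" that checks nothing useful
            setattr(user, key, value)
    return user


def permit(body: Dict, allowed: FrozenSet[str]) -> Tuple[Dict, FrozenSet[str]]:
    """Split a body into the permitted subset and the keys that were refused."""
    permitted = {k: v for k, v in body.items() if k in allowed}
    rejected = frozenset(body) - allowed
    return permitted, rejected


def update_profile_safe(user: User, body: Dict) -> User:
    """Allowlist-only update; unexpected keys are a bad request, not ignored."""
    permitted, rejected = permit(body, PROFILE_FIELDS)
    if rejected:
        # A client naming is_admin is either buggy or probing; return 400 and
        # log it rather than silently dropping the field.
        raise ValueError("unexpected fields: " + ", ".join(sorted(rejected)))
    for key, value in permitted.items():
        setattr(user, key, value)
    return user


if __name__ == "__main__":
    victim = User(id=7, email="old@example.com", display_name="old")
    print(update_profile_unsafe(victim, dict(ATTACKER_BODY)))
    victim = User(id=7, email="old@example.com", display_name="old")
    try:
        update_profile_safe(victim, dict(ATTACKER_BODY))
    except ValueError as exc:
        print("rejected:", exc)
    print(update_profile_safe(victim, {"display_name": "Lewis"}))
```

The same bug hides in `User(**body)`, `Object.assign(user, req.body)` and ORM `update(**params)` calls; the fix is always the same allowlist per endpoint, applied before the data touches the model, with the permitted set defined by what the endpoint is for rather than by what the model happens to have.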
Nextgrid•3mo ago
Remember that while for a lot of us this kind of security research & remediation is “fun”, “the right thing to do”, etc there are also people in our industry that are completely incompetent, don’t care about the quality of their work or whether it puts anyone at risk. They lucked their way into their position and are now moving up the ranks.
To such a person, your little “security research” adventure is the difference between a great day pretending to look busy and a terrible day actually being busy explaining themselves to higher-ups (and potentially regulators) and getting a bunch of unplanned work to rectify the issue (while they don’t care personally whether the site is vulnerable - otherwise they wouldn’t have let such a basic vulnerability slip through - now that there is a paper trail they have to act). They absolutely have a reason and incentive to blame you and attempt legal action to distract everyone from their incompetence.
The only way to be safe against such retaliation is to operate anonymously like an actual attacker. You can always reveal your identity later if you desire, but it gives you an effectively bulletproof shield for cases where you do get a hostile response.
aleph_minus_one•3mo ago
Even if they do care personally (which I would assume is often the case if the respective person is not an ignorant careerist), they often don't have the
- organizational power
- (office-)political backing
- necessary very qualified workforce
to be capable of deeply analyzing every line of code that gets deployed. :-(
Kaibu•3mo ago
https://www.heise.de/news/Bundesverfassungsgericht-lehnt-Bes... (German article)
aleph_minus_one•3mo ago
When the changes that toughened § 202 StGB were made in 2007, there were a lot of public rallies against it in which many programmers participated. These were ignored by the politicians in power. This (together with other worrying political events) even led to the temporary rise of a new party (Piratenpartei) in Germany.
The fact that these rallies were ignored by the politicians in power led to a situation in which, from then on, many programmers considered the German politicians to be about as trustworthy as child molesters who have relapsed several times.
abustamam•3mo ago
It costs next to nothing to try out a key in multiple places in the same proximity. Once you start going door to door using a random key you found, that's suspicious.
*It occurs to me now that I write this that this behavior is suspicious as well and probably illegal. He should have turned it in to the leasing office.