Could be distributing a modified copy of a copyrighted binary.
Note: If you want to backup a DBMS, you’re going to want to use some system that ensures that the backup is atomic.
11,000 meters
6,000 meters
5,000 meters
I’m not entirely sure of the application here.
https://en.wikipedia.org/wiki/Deep_diving
The deepest dive listed here is:
534 m (1,752 ft): COMEX Hydra 8 dives on hydreliox (February 1988 offshore Marseille, France).[2][4][10]
I guess you could build a submersible and put the watch on an arm outside the submersible or something.
I don’t think that we’re going to throw a little more hardware an one and it’s going to suddenly become an AGI, but that doesn’t mean that it doesn’t have considerable utility.
Also, there are a bunch of “composite” systems that have been built in AI research that use multiple mechanisms. Even if you’re off trying to do human-level AI, you may use components in that system that are not themselves fully-capable of acting in such a way.
Like, okay. Think of our own minds. We’ve got a bunch of hard-coded vision stuff, which is part of why we can get weird optical illusions. Our visual processing system isn’t an intelligence on its own, but it’s an important part of letting us function as humans in the world.
and absolutely can confirm it’s very complex to set up properly.
To expand on this, dealing with anti-spam stuff is a pain. It’s easy to think that things are working fine, but then have email getting blackholed because of some anti-spam system on some specific remote system. Like, this isn’t a “the config files are complicated, but once it’s running, it’s fine” situation.
Go back to 2000 and running an email server was no big deal.
Broadly-speaking, I think that mixing microphones or cameras with remotely-connected devices is also kind of asking for trouble.
Windows 95 will now run Solitaire to calm you.
If it wanted to calm me, it’d ship with Eight Off. Freecell frustrates me.
So, I think that there are at least two issues raised here.
First, that CVSS scores may not do a great job of capturing the severity of a bug, and that this may cause the end-user or their insurer to mis-assess the severity of the bug in terms of how they handle the issue on the system.
I am not too worried about this, because what matters here is how relatively good what they’re doing is. It doesn’t need to be perfect, just the best of the alternatives, and the alternative is probably having no information. The goal is not to perfectly harden all systems, but a best effort to help IT allocate resources. An end-user for whom this is insufficient could always do their own, per-user per-vulnerability assessment, but frankly, I’d guess that for almost all users, if they had to do that, they probably wouldn’t. An insurer can take into account an error rate on a security scoring tool – they are in the business of assessing and dealing with uncertainties. Insurers work with all kinds of data, some of which is only vaguely correlated with the actual risk.
In the curl security team we have discussed setting “fixed” (fake) scores on our CVE entries just in order to prevent CISA or anyone else to ruin them, but we have decided not to since that would be close to lying about them and we actually work fiercely to make sure we have everything correct and meticulously described.
Every user or distributor of the project should set scores for their different use cases. Maybe even different ones for different cases. Then it could perhaps work.
The thing is that for the vast bulk of users, that per-user assessment is not going to happen. So the alternative is that their scanner has no severity information. I doubt that there’s anything specific to curl that forces that one number to be less accurate than for other software packages. I don’t think that other projects that do use this expect it to be perfect, but surely it’s possible to beat no information. If an organization is worried enough about the accuracy of such a score, they can always do a full review of all identified vulnerabilities – if you’re the NSA or whoever, have the capability and need, then you probably also don’t need to worry about being misled by the score. Hence:
The reality is that users seem to want the scores so bad that CISA will add CVSS nonetheless, mandatory or not.
I mean, that’s because most of them are not reasonably going to be able to review and understand every vulnerability themselves and its implications for them. They want some kind of guidance as to how to prioritize their resources.
If the author is concerned philosophically about the limitations of the system to the point that they feel that it damages their credibility to provide such a score, I’d think maybe put up an advisory that the CVSS score is only an approximation, and could be misleading for some users’ specific use cases.
If someone wanted to come up with a more-sophisticated system – like, say, a multiple score system, something that has a “minimum impact” and “maximum impact” severity score per vulnerability, or something that has a score for several scenarios (local attacker able to invoke software, remote attacker, attacker on same system but different user), maybe something like that could work, but I don’t think that that’s what the author is arguing for – he’s arguing that each end-user do an impact assessment to get a score tailored to them.
Second, that an excessive CVSS score assigned by someone else may result in the curl team getting hassled by worried end users and spending time on it. I think that the best approach is just to mechanically assign something approximate off the curl severity assessment. But even if you don’t – I mean, if you’re hassling an open-source project in the first place about a known, open vulnerability, I think that the right response is to say “submit a patch or wait until it gets fixed”. Like, even if the bug actually were serious, it’s not like going to the dev team for support is going to accomplish anything. They will already know about the vulnerability and will have prioritized their resources.
Finally, looking at the bug bounty page referenced in the article, it seems like the bug bounty currently uses a CVSS score to award a bounty. If curl doesn’t assign CVSS scores, I’m a little puzzled as to how this works. Maybe they only go to vulnerabilities from the bug bounty program?
https://curl.se/docs/bugbounty.html
The grading of each reported vulnerability that makes a reward claim is performed by the curl security team. The grading is based on the CVSS (Common Vulnerability Scoring System) 3.0.
Social Security numbers should really not be considered secret data. Too many places have leaked them.
Maybe – maybe – they’re okay for uniquely-identifying someone, but they’re a really bad way to authenticate someone.
I mean, this breach alone – if these are Americans – is something like 20% of the US population.
You can’t rely on something as authentication data if 20% of the population has irrevocable credentials that are floating around.
Synology NAS (12TB RAID 1)
I have to say that I was really surprised that apparently there isn’t a general solution for gluing together different-sized drives in an array reasonably-efficiently other than Synology’s Hybrid RAID. I mean, you can build something that works similarly on a Linux machine, but there apparently isn’t an out-of-the-box software package that does that. It seems like the kind of thing that’d be useful, but…shrugs
If a publisher doesn’t want modders improving the value of their product, I don’t feel too inclined to argue with them. There are no shortage of other games from more-amenable-to-modding publishers that could benefit from mods.