720 to 4K is not the same as 480p to 720. The latter is far more noticeable. Most of the world hasn’t moved to 4K, I don’t see a huge amount of value in it personally.
You’re missing the point. Most people don’t want to download a video instead of streaming directly, which is a far lower barrier than procuring equipment, dealing with compatibility issues, doing system updates etc. I doubt competitive gamers will ever move across but it hugely reduces the barriers for casual or time poor gamers.
As a side note, and I’ll create a separate thread: say my host is comprised by super sophisticated malware, aside from a reformat what other sanitisation practices can I do? Can I ever trust the hardware again? I don’t think we’re at a point where a firmware compromised graphics card can’t reinfect the processor?
I never heard of malware soldering hardware implants onto the device ^^
For firmware you need to dump it and then compare afterwards.
>I don’t think we’re at a point where a firmware compromised graphics card can’t reinfect the processor?
Nation state based firmware attacks exists since at least a decade. Some professional hacking teams are also already making use of those. You can find POCs, publications, talks, blogposts for probably everything which has flashable firmware. These attacks are very real.
Only reasons you don't find that stuff in the wild is
because no one is looking for it, your average antivirus won't detect it and it's used mostly for targeted attacks where you need advanced persistence/stealth and early compromise of the OS.
Firmware security is a mess. USB, HDD, GPU in particular. Even for all the UEFI verified/secure/whatever boot where at least some more mitigations are in place, holes get found once in a while. Just a while ago had an attacker pwn through a standard qemu/kvm setup trying to flash the BIOS. Wasn't that successful with flashing though ... because muh mitigations.
You either need to check or keep the firmware read only.
If you wanna go a little bit more paranoid, use a dedicated host to virtualise those machines and connect to the host via RDP/whatever, that should create another layer of safety.
You may want to connect via a VM, there is a CVE for remote execution in FreeRDP from compromised server. In general anything doing video, image, or audio decompression should be an assumed vector.
Right but I’m the context of antivirus you’re executing unconstrained data in an unconstrained environment, in appsec you can handle data correctly rather than rely on a third party product that can’t contextualise or assess the impact of a payload on your application. I work in appsec and think WAF filtering is snake oil.
You clearly haven’t worked in appsec that long if you haven’t already come across dozens of third party code bases that are supported either by people who don’t code or by over stretched developers that have no love for those specific platforms. Think low margin Wordpress sites, a CEOs friends Magento shop that your business ends up hosting for free, or some other CMS that predates the majority of your dev team (all of these cases I’ve personally experienced). Basically anything that adds enough value to the business to justify the hosting fees but not enough to justify development resource and thus often gets forgotten about. I’ve seen these instances pop up time and time again and while there is always the best of intentions keeping up with patches, WAF does at least increase the margin for error.
Or maybe I’m just not scraping bottom of the barrel when it comes to security assessments. If the software is at that point the organisation is well and truly fucked, waf or not.
A company running on off-the-shelf CMS for a product that adds value but isn’t part of the core business so that they can focus of the hard problems that differentiates themselves from their competitors is absolutely the correct way to run infrastructure.
You do actually realise that a significant amount of national and international news sites are actually powered by offs-the-shelf components and often even Wordpress? Equally true is the number of independent shops that run off-the-shelf applications. Then you have SaaS solutions that run a hosted blog (not everyone has switched to Medium), shops that still run message boards, and so on and so forth.
It’s got absolutely nothing b to do with the organisation failing and everything to do with investing your expensive talent on the problems that differentiate your business.
It’s easy to say “I work in yadda yadda yadda” anonymously but you’re still massively misrepresenting how the industry actually works with your sweeping generalisations. And if you were half as experienced as you pretend, you’d already know that. For example there is another use case of WAFs that hasn’t yet been discussed: automatic blacklisting. If they detect suspicious activity hitting services under the WAFs control they can automatically blacklist that source across all customers using that WAF service. This is similar to how fail2ban works but at a cloud level and with the added bonus of saving your sysadmins/DevOps engineers the pain of adding and maintaining thousands of apache / nginx rules themselves.
Let’s also not forget that there is good money to be made off consulting for those companies that are “fucked” and guiding them through best practices and low maintenance security models. That can often be a rewarding job in its own right (depending on the business).
No it’s not recommending snake oil and telling them to do things properly instead I don’t. Care if that makes the security industry dry up, my only hope is that if it does the snake oil salespeople die with it.
You need to tweak your understanding of appsec to realize that most websites are run by non-technical people running old versions of off the shelf software attacked almost exclusively by automated drive-by attacks mass-scanning the internet.
If you don't see how WAFs could be useful, you may have been in the HN bubble too long thinking every website is some hand-coded Flask app.
You need to tweet your view of security requirements if you want to provide IT functions to users. Yes they are a nice to have, yes the cost of a data breach either to you or the user are highly damaging.
There’s nothing stopping most industries doing something stupid in the current state of things but I’m sure there will be in the future, you should be legally liable for your consumer data, irrespective of if you’re ‘nontechnical people running old versions of off the shelf software’ or not, mistakes happen, but failing the most obvious stuff in infosec is, IMO, criminally negligent. Waf or not.
I hate these kind of defenses. If your application is vulnerable to sqli, select is one of many tools an attacker can use and you’re pretty much screwed anyway.
Instead, use sane tooling, like modern ORMs and parameter izers, with some data sanitation if you’re really paranoid.
The point of Cloudflare WAF isn't to be a main line of defense for HN readers, it's to stop the low effort automated drive-by attacks for websites that were already hosed. Like WAFs that block /wp-admin/* and instead generate a new segment.
I'd be surprised if there was a single person in the world who is going to go "oh right I should replace Cloudflare WAF and my sqli with some parameterized queries!"
I think ‘stop wasting time on dumb stuff and focus on actual security’ is a good take home for the HN crowd. Time and money is finite, so spend it wisely.
It's also "Hey the superstar on the sales team just launched a new Wordpress blog that everyone likes, just wanted to let you know" and you have no time for a detailed security audit. Put it behind Cloudflare and at least you're more protected than you were!
Nah you pull it offline and tell them to follow correct procurement and development practices. If your development teams aren’t talking to your security teams you have bigger problems than Wordpress.
Consider: Your org is more likely to be run by people that are like the sales people than like you. Who do you think they side with, when sales goes up the chain to complain development broke their new initiative and is saying it'll take 4x longer to do the thing they already did themselves, and as a direct result means they won't hit revenue numbers this quarter?
What's even the risk here? Some minor marketing sub-site gets defaced, causing - at worst - an embarassing but instantly-forgotten incident?
No the risk is that somebody has decided to disregard security and general security process and create shadow IT, which if left unchecked will create massive problems within the organisation long term. If the culture is to disregard security, throw a waf infront and call it a day then they’ll pay for it financially (and possibly legally) in the long run and not something I’d want to associate with at all.
That is just when signed 32 bits rolls over. Unsigned takes us all the way to 2106.
Nervous nellies worried about rollover, and insisting we switch to 64-bit timestamps everywhere, are a nuisance. You can keep one 64-bit epoch, such as boot time or most recent foreign attack on NYC, and as many 32-bit offsets from that as you like, and always be able to get a 64-bit time whenever you need it. Most often you only need a difference, so one epoch is as good as any, and you can work purely in 32 bits.
Pcap format is good until 2106 assuming the 1970 epoch. A bit of one of the now-unused header fields could be repurposed to indicate another.
