Wladimir Palant @WPalant@infosec.exchange

@varx In their defense, they immediately admitted that they made a mistake here. They also want to investigate how it could have happened. Unfortunately, I doubt that they will share the results of this investigation with me - I just cannot imagine this being implemented without somebody making a conscious decision that this fix would be sufficient.

@leip4Ier @rain I'm pretty sure that "source code" implies "unprocessed." So if you run a minifier on your code, or if you strip out the comments, you'll probably have a hard time proving that you comply with the license terms. On the other hand, removing external documentation, such as build instructions or API documentation files should be unproblematic license-wise. Yes, there is no guarantee that you will get source code that you can use.

@rain Yes, "open source" means very little, doesn't it? It merely guarantees that you will get the source code, in some form. But it doesn't necessarily mean that you will see how and why certain decisions were made, it doesn't mean that the community is welcoming and free of toxic people, or that anybody but the inner circle is allowed to contribute at all.

@varx I notified them but I'm not changing the deadline. Frankly, I have no idea what they were thinking. With what I was going to publish, anybody taking a slightly closer look would notice that the issue isn't fixed. I can only assume that they don't consider this issue important enough, they'd rather mask it with minimal time investment?

Wait, I thought that they did it as an additional precaution after fixing the issue. They didn't, that *is* their fix! WTF??? 🤯

Wow, one of my proof-of-concept pages is now triggering antivirus response, supposedly it's infected with "HEUR:Exploit.Script.Generic" (trivial to circumvent of course). I'm honored! #Kaspersky

This is a lengthy article, building up the backstory before getting to the interesting part, but it's definitely worth reading. @ameschright@twitter.com has a point, FLOSS movement obsessing with source code is counterproductive, it's missing the bigger picture. https://lifeofaudrey.com/essays/history_and_future_floss.html

No, I'm not that naive. The real reason for Wikipedia not listing any criticism is its editors actively removing that information. Official reason: "we need better sources." As some people suspect, they mean sources putting Stallman in a better light. https://en.wikipedia.org/wiki/Wikipedia:Biographies_of_living_persons/Noticeboard#Richard_Stallman

There are topics where one wishes to have never heard anything about. I can only hope that it is the reason why the Wikipedia article on Richard Stallman contains no huge section titled "Criticism" or "Controversy." Most things in this thread aren't exactly new yet unmentioned.

https://twitter.com/_sagesharp_/status/1173637138413318144

@PresGas I've done it a bunch of times before, but usually only as a sentence or two (TL;DR). This one is more extensive.

@gcluley

The results on Mastodon are 5 for "keep as is" vs. 1 for "split up." On Twitter I got 6 for "keep as is" vs. 3 for "split up" vs. 1 for "remove details." I've added an executive summary at the top of the post as suggested by @gcluley which is hopefully sufficient as a compromise.

@nbering We do simple exercises for some roles - just to see how they would approach a problem that is new to them. As to real projects, that's what probation time is for.

Too many (most?) companies seem to focus a lot on the current skill level, including things that are irrelevant for the job. I think that's because evaluating soft skills is more complicated, while being far more important IMHO.

The important factors are motivation, willingness to learn and the ability to see own mistakes and shortcomings. The current skill level can often be judged from previous work, no need to waste everybody's time on that in the interview.

For reference, my take is:

• Education is not important, there are different ways to get there.
• Having done the exact same thing before is not important, they can learn on the job.
• Accent is not important, they will get better at English very soon.

Don't design your interviewing process like that. You don't need hiring consensus from everybody working at the company. There aren't all too many things that are really important to know about a candidate. Understand what those are and ask the right questions.

https://twitter.com/EmmaWedekind/status/1172390425073577990

@gcluley Good idea, I added a summary section at the top. As things are looking right now, I don't think that I will split up this post - two posts on Kaspersky in November are already enough.

Now that a have a mostly final version of the draft, I did a word count. It's pretty identical in size to https://palant.de/2019/08/12/recognizing-basic-security-flaws-in-local-password-managers/ and around 25% longer than https://palant.de/2019/08/19/kaspersky-in-the-middle-what-could-possibly-go-wrong/. So at least it isn't a lot longer than things I've written before.

@leip4Ier Ok, if we compare to that post - the draft I have right now is still shorter (9 vs. 12 screens here). On the other hand, some content is still missing, and I'll also be adding more images...

Will need to see whether it's going to stay two blog posts or whether I'll turn it into a three parts series. The first post that I'm writing right now is about five related issues, but it's possible to split it up logically nevertheless.

Of course, if you say that my blog posts are always very long, you will probably be right. No matter how hard I try, it always gets out of hand. But this one is even longer than usual!

The draft of my post on more #Kaspersky vulnerabilities (to be published end of November) is getting very long. What should I do with it?