After ruling out Postfix as the potential target here, I found that Exim configuration has a use_shell setting for the pipe transport. That seems to be the vulnerable configuration here, and there is an older advisory on it (2013). https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution
The “Escaping the Crushing Despair” section is a painful read; it describes how much of the C++ community space became toxic beyond repair. Unfortunately, this kind of development isn’t uncommon in our industry. We all need to learn how to prevent this from happening elsewhere.
For reference, my summary of the privacy issues with their browsers. To my knowledge, this is still the state of affairs here. https://palant.info/2020/05/08/what-data-does-xiaomi-collect-about-you/
Those who followed the development around #Xiaomi browsers will not be very surprised but their payment app doesn’t care about users’ privacy either. And it just transmits all data unencrypted (!) to servers in Hong Kong.
And then I spent some time making an app with Cordova that would display a weather forecast, upcoming appointments and missed phone calls. As to the hardware, I only had to shut down unused services just in case these decide to access the web.
My line of thinking some years ago was: “I have that Raspberry Pi, I should do something with it. It will need WiFi and a display module. Oh, there are tablets below 40 € with quite usable displays. Wait, why did I need Raspberry Pi again?”
Do I see this correctly: after an utter failure to deduce users’ interests from extremely rich data, #Twitter is now asking users to validate their interests by subscribing to topics? Yes, that’s certainly one way to deal with this…
It deeply satisfies me to see search requests like “is miui spyware” in my logs. So people actually want to know, and they find my article. I hope that quite a few choose not to buy #Xiaomi hardware then. #privacy
I mean, already sending a message to the top frame of your tab is awkward if you have to proxy it through the background page. But sending a message to your parent/child frame is a nightmare to do correctly. This needs better extension APIs to stop people from making mistakes…
It should be used by every anti-fingerprinting extension out there, but none of them do. I write advice for anti-fingerprinting extensions, yet I don’t realize that this functionality still exists. There is no Chromium issue asking to add this feature. Nobody knows…
The sad thing about #Mozilla: they have decades of experience allowing powerful extensions. So when they switch to the inferior Chrome extension system, they rescue some gems over. Like exportFunction(): https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Sharing_objects_with_page_scripts#exportFunction. And nobody notices.
Software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant
A Mastodon instance for info/cyber security-minded people.