
It is very trivial to serve different code to someone inspecting the code than when they pipe it to bash. In the very rare case someone inspected it they’d likely do so in a way that was vulnerable to this.


That’s an excellent point, and thank you for raising it. You are 100% correct—relying on users to inspect a URL that could be spoofed with User-Agent trickery is a flaw in the original recommendation. It's a classic threat model that I should have addressed from the start.

Thanks to your feedback, I've just merged a PR to change the recommended installation method in the documentation to the only truly safe one: a two-step "download, then execute the local file" process. This ensures the code a user inspects is the exact same code they run.

I sincerely appreciate you taking the time to share your expertise and hold the project to a higher standard. This is what makes a community great.
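The two-step "download, then execute the local file" method from the comment above, as an added example that is not the project's script: the installer is fetched to a file first (step 1, done with a normal `curl -o`), and a helper then checks the saved file's SHA-256 against a pinned digest before running it, so the bytes a user inspects are exactly the bytes that execute. The function name and the pinned digest are assumptions.

```shell
#!/bin/sh
# Step 1 (outside this helper): curl -fsSL -o install.sh "$URL"
# Step 2: verify_and_run install.sh <pinned sha256>   -- runs only on a match.

# Print the SHA-256 of a file; fall back to shasum on systems without sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_and_run FILE EXPECTED_SHA256
# Returns 0 after running FILE when its digest matches EXPECTED_SHA256;
# returns 1 without running anything on a missing file or a mismatch.
verify_and_run() {
  file=$1
  expected=$2
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  # The file on disk is what was hashed, so inspecting it before this point
  # (e.g. "less install.sh") shows exactly what is about to run.
  sh "$file"
}
```

The pinned digest should come from an out-of-band source (release notes, a signed checksum file), not from the same page that serves the script.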


AI generated comment... yikes



It wasn't when I tried it earlier.


This is very cool, and I _really_ want to love the ReMarkable 2, but its stance on being an insecure device [0] makes this difficult.

[0] https://support.remarkable.com/s/article/Does-reMarkable-off...


For anyone who didn’t click on that link: this is about the device having the same physical security as the thing it wants to replace (paper). That is, if someone has access to it, they can read it.

It is not about the device having some known software vulnerabilities in the usual sense we hear about when network-connected devices are called insecure.


Lack of full device encryption is also a no-go for me.

I can’t imagine losing such a device that contains confidential data.

The difference between this and a piece of paper is that this could contain your whole stack/library. Not just a single piece of paper note.


Also someone is way more likely to steal some iPad-looking thing than a paper notebook


Surely it replaces a briefcase, or a filing cabinet, that stores lots of documents/files/folders. Those things have locks.


Unofficial gocryptfs-based home directory encryption is available: https://github.com/RedTeamPentesting/remarkable-encryption


The software is also very limited as it is... too bad they don't make it possible for a marketplace or extensions to exist officially on the device...


Do any ebooks offer full disk encryption?


Remarkable is meant to hold all your notes, books, any such textual data. Ebooks are only one small part of its intended usage.


I know. The question stands.


I don't think so.

What does a book e-reader have to do with the ReMarkable though? Why does that question still matter?


No, but many ereaders at least provide a pin code lock which the rm2 does not.


What platform are you on? Doesn’t CTRL+SHIFT+V work for you?


Nope. Most Microsoft apps don't support this standard. I think for Teams you have to add Alt or something or other. I think this is Macs only. Cmd shift opt v https://businesstechplanet.com/how-to-paste-without-formatti...

Word has some ribbon bullshit: https://www.howtogeek.com/679956/how-to-paste-text-without-f...


Ctrl-shift-V definitely does something different from Ctrl-V, but it will still “helpfully” autoformat your input (mostly adjusting indentation, removing whitespace for example), which kinda defeats the purpose in almost all circumstances beyond pasting a single line of English.


Anecdotally, having worked on identity management systems, and merged a number of them, this hasn’t ever seemed like an edge case for me. It’s pretty high up on the list. I’d imagine the folks they’ve got working on these systems are paid an order of magnitude more than myself.


> I’d imagine the folks they’ve got working on these systems are paid an order of magnitude more than myself.

I wouldn't assume that. Game companies are notorious for pinching pennies. In fact, I wouldn't be surprised if these systems were outsourced completely.


You seem to be confusing when two systems don't mutually support certain names due to technical limitations, with what happened here.

It's not a bug that a filter caught names that the merged companies now collectively do not allow in their collectively owned games.

-

The only miss here is more of a UX issue: they handled username bans the same way they handled all bans, with a shadowban.

Shadowbans are great for most infractions since you burn some time of the offender before they start again and give them little information to find loopholes with... but for something rectifiable there should be a way to nudge and explain why they're banned.


I think it's really easy to say that without knowing anything about what they actually did.


I have no comment on the security of Hikvision devices.

However, a lot of cameras these days come with a good sized amount of processing power onboard. This can be used for object detection amongst other things. Even without network access the devices could communicate and act on the command of others in many ways. A couple of ideas. You could communicate with the IR LEDs. You could blank the video feed if a certain QR code or flashing light pattern is detected. I'm sure there are more, but you get the idea.


A lot of cameras are for sale with such additional compute, but the only people with them are developers. Corporations that want/need security tend to have large legacy camera networks where one is lucky if they support HD resolution above 720p. I worked for a leading enterprise FR video security company, and the majority of their clients are firms with anywhere from a few hundred to several tens of thousands of original-generation IP cameras, which they very slowly replace with something as close as possible to what they already have. They want to continue to use their older cameras too, often because their network and number of cameras fit; higher-resolution and greater-bandwidth cameras simply can't fit into their live and operating design.


You've misinterpreted the comment; this is exactly what they mean. The recent band has made the term ungoogleable.


Yep, I don't keep up with new music that much anymore but when I saw the title of this post, my mind immediately went to these lads. Perhaps they thought that naming themselves after the genre would prompt more people to discover it but it backfired?


It's more in their style if they just thought it sounded cool.


It's more that their heavy jazz-inspired frenetic playing style is somewhat aligned in spirit with the genre.


A link to the "Remote working" policy document publicly hosted on their main domain would be a solid choice, with key points summarised in the job posting.


That's a pretty narrow view of society. Many people work with people they don't want to, don't like, hate, despise even.


Human beings are capable of all kinds of petty emotions for all kinds of petty reasons, most of which are irrelevant to the discussion at hand. As a society, we recognize that prejudice, especially against the vulnerable, is particularly bad.

