Some codepaths do ns_capable() (must have capability in owning namespace, reachable via unprivileged user namespaces), some do capable() (must have capability in host user namespace, not reachable via user namespaces at all).
ZCRX can only be enabled by passing capable(CAP_NET_ADMIN), so you need to be privileged on the host.
Namespaces _may_ result in limits on what you can do with a capability, but a capability is global in scope.
If a kernel feature is gated on cap_sys_admin only, it doesn't matter at all what namespace it is in. Namespace support or additional constraints are not implicit and have to be added to each need.
People misunderstanding this is partially why we have this latest crop of vulnerabilities.
I was 17 at the time :) And FWIW, the whole joke there was that neither me nor the other guy being interviewed had anything at all to do with the attacks on PSN and XBL.
Yes, I'm sure my comments here are just full of terribly damaging stuff.
Not sure what the theory here is. Am I supposed to worry about the judges stalking me online and reading my HN comments professing innocence?
The prosecutors couldn't, and wouldn't even want to use anything I've written here, especially considering the trial is over and they can't just file new evidence.
See the AT&T/iPad data leak, where AT&T were leaking private information on the internet with no security checks at all. Someone found it, told the press, who in turn told AT&T, but the FBI still investigated it as a "crime", raided their home, charged them with "conspiracy to access a computer without authorization." AT&T go no punishment at all.
I think you are missing some nuance here. They found a vulnerability where they could just increment an "id" and get access to another user's information. They then went ahead and scraped as much as they could. Also this person (iProphet / weev / Andrew Auernheimer) is awful and certainly not a victim. AT&T did not leak the information, Andrew did!
Should they have had better security? Yes. Was the vulnerability extremely basic? Yes. Doesn't change much, a vulnerability was used to dump a bunch of private data.
Exactly. If you find an unlocked warehouse, even if you are supposed to pick up something of yours, and instead of directly complaining you also ransack everything, you’re going to catch some heat.
> I think you are missing some nuance here. They found a vulnerability where they could just increment an "id" and get access to another user's information.
That's not nuance; the information was publically available on the internet without any security. Even search engines had indexed it before it was patched.
> They then went ahead and scraped as much as they could.
They told the press instead of releasing it.
> AT&T did not leak the information, Andrew did!
So AT&T dumping it all onto the open internet without any security isn't culpable, but the person who let the press know that their information was available to everyone is. That's quite an interesting take.
I'm struggling to see the nuance... You just repeated back what I already said, but added that you dislike the person personally, which is absolutely fine, but we're talking about miscarriages of justice not running a popularity contest. If you feel like they committed other crimes (which they likely did per Wikipedia), that is unrelated to THIS supposed crime.
> Was the vulnerability extremely basic? Yes.
There was no vulnerability. You just needed to request a record from a public web-server, which the server happily provided with no extra steps.
Let me ask this: When you request e.g. google.com, and they return a HTTP response, why is that not a "vulnerability?" Because we'd both agree it objectively is not. So then, why, when AT&T provides a URL with information they're meant to keep private but available to the public, and you then request it, that is suddenly a "vulnerability?"
well which specific piece, your instagram username is very different than your phone number right? And depends on the event. Is it speed-dating or tech conference? You can chose what to broadcast. If you are at the event, you have some goal of who you want to meet. Long term in the app I want to let you give more info about that and then filter the list for you. Help you find your people.
Which is not obvious at all if you have JavaScript disabled by default, since it only shows up as a blank space, which could also be a blocked ad or an image which failed to load correctly.
The first few times I saw one of these transcripts with video at the top (IIRC, it was on Practical Engineering, not this site), I thought it sounded odd but didn't get that it was a transcript. Only later did I find out that there were videos (and they're great).
>The possibility to pay by card when the internet is not working – ‘so-called offline payments’ – is an area that ‘the Riksbank believes needs to be improved considerably, particularly in light of the geopolitical unease in the world,’ according to the announcement
