I don't know, I don't think it's really a huge waste of time considering I just read the entire comment thread in a handful of minutes. And beyond that, failing to comply with RFC requirements is the bug here -- a workaround existing for a specific language isn't a fix.
Again: the maintainer does not say there is no bug. He says: please open a new issue, with a proper title and description for the actual underlying problem. Is that seriously too much to ask? Instead, the guy writes a whole blog post shitting on the project. Does anyone still wonder why people burn out on maintaining FOSS projects?
For both of them! Since both of them are aware now, either one could open that ticket. If the maintainer has very specific ideas about how a ticket should look, maybe they can do that themselves quickly, now that they are aware of not complying with the RFC. Then the ticket will perfectly match their expectations.
The maintainer is usually also the one who has to trace the root cause, which in this case the issue reporter did, which is certainly more work than creating an issue according to the formatting and other requirements the maintainer may have. So in that light, the reporter of the issue already did a big chunk of work for the maintainer or the project. I wouldn't really call them acting "entitled" after that. Clearly they put in effort more than could be expected already.
Exactly, that's all his PR had to be. The history of finding the issue could be an interesting story (I bet it involves Elixir!), but in places it reads as almost malicious. If I received a PR anything like that on something I maintained, it would be received very poorly. The author comes off as overly aggressive toward the maintainers and far too sensitive to their response.
It's pretty standard to open a new issue and reference the previous issue for context, while keeping the new issue specific about what needs to be addressed - i.e. RFC compliance.
I don't see the problem here at all - it was a reasonable request and it would have taken `feld` all of 2 minutes to do. Certainly less time than writing that blog post.
It's not entirely WolfSSL's fault. TLS 1.3 is a mass of kludges and hacks to deal with the fact that they created a new protocol that's nothing like TLS 1.0-1.2 but dressed it up to make it look like TLS 1.2. It even lies about its protocol version in the handshake, hiding the real version in one of the many extensions they had to invent to kludge it into working. And in terms of RFC compliance, one of the most widely-used implementations isn't compliant, it doesn't send any of the mandatory-to-implement cipher suites in its client hello which means unless you want to trigger a rehandshake on every single connect you have to implement their non-compliant form of TLS 1.3.
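As an added illustration of the two claims in that comment (not code from any commenter or from WolfSSL), this Python snippet builds a constructed TLS 1.3 ClientHello and parses it back: the handshake's legacy_version field still reads 0x0303 (TLS 1.2) while the real version 0x0304 sits in the supported_versions extension (type 43), and a final check reports whether the hello offers TLS_AES_128_GCM_SHA256 (0x1301), the one cipher suite RFC 8446 makes mandatory to implement. The random bytes and suite lists are constructed sample values.

```python
import struct

MTI_SUITE = 0x1301        # TLS_AES_128_GCM_SHA256, mandatory-to-implement per RFC 8446 s9.1
SUPPORTED_VERSIONS = 43   # extension type carrying the real protocol version(s)
TLS12, TLS13 = 0x0303, 0x0304

def build_client_hello(suites, versions):
    """Constructed minimal ClientHello handshake message (no record layer)."""
    body = struct.pack(">H", TLS12)                  # legacy_version: always claims TLS 1.2
    body += b"\x11" * 32                             # random (constructed, not real entropy)
    body += b"\x00"                                  # legacy_session_id: empty
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body += struct.pack(">H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                              # legacy_compression_methods: null only
    ver_list = b"".join(struct.pack(">H", v) for v in versions)
    ext = struct.pack(">HH", SUPPORTED_VERSIONS, len(ver_list) + 1)
    ext += bytes([len(ver_list)]) + ver_list         # extension body: 1-byte length + versions
    body += struct.pack(">H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body   # type=client_hello, 3-byte length

def parse_client_hello(msg):
    """Return (legacy_version, offered cipher suites, versions from supported_versions)."""
    assert msg[0] == 1, "not a ClientHello"
    p = 4                                            # skip handshake type + 3-byte length
    legacy_version = struct.unpack_from(">H", msg, p)[0]
    p += 2 + 32                                      # past legacy_version and random
    p += 1 + msg[p]                                  # skip session id
    n = struct.unpack_from(">H", msg, p)[0]
    p += 2
    suites = [struct.unpack_from(">H", msg, p + i)[0] for i in range(0, n, 2)]
    p += n
    p += 1 + msg[p]                                  # skip compression methods
    versions = []
    if p < len(msg):                                 # extensions block is optional on the wire
        end = p + 2 + struct.unpack_from(">H", msg, p)[0]
        p += 2
        while p < end:
            etype, elen = struct.unpack_from(">HH", msg, p)
            p += 4
            if etype == SUPPORTED_VERSIONS:
                vlen = msg[p]
                versions = [struct.unpack_from(">H", msg, p + 1 + i)[0] for i in range(0, vlen, 2)]
            p += elen
    return legacy_version, suites, versions

def check_compliance(msg):
    """What the hello looks like on the wire vs. what it actually negotiates."""
    legacy, suites, versions = parse_client_hello(msg)
    return {"looks_like": "TLS 1.2" if legacy == TLS12 else hex(legacy),
            "really_offers_tls13": TLS13 in versions,
            "offers_mti_suite": MTI_SUITE in suites}
```

A middlebox that only reads legacy_version will see "TLS 1.2" on every TLS 1.3 connection; a hello with `offers_mti_suite` False is the non-compliance the comment describes.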
The real problem though is that they made a protocol that really, really wants to pretend it's TLS 1.2 when it really isn't anything like TLS 1.2. I wouldn't blame "middleboxes" for getting confused when they encounter that.
The problem is there are many middleboxes that monitor port 443 and will drop any traffic that they can't decode as TLS (which in this case means TLS 1.2 or below). The choice was between masking traffic as an earlier version of TLS or forcing the replacement of all of those middleboxes. It's a no-brainer.
Then don't put it on 443 and pretend (badly) that it's TLS 1.2. Given that QUIC also uses 443 (and 80) without too many problems and that doesn't look anything remotely like TLS, presumably non-TLS 1.2 traffic to 443 is OK.
The problem isn't really the port used, it's the uncanny-valley approach they took in creating something that looks like a creepy zombie version of TLS 1.2, which keep-suspicious-things-out appliances quite rightly get suspicious over.
But QUIC doesn’t use 443/TCP; it uses 443/UDP. So it’s unsurprising that middleboxes that care about 443/TCP would ignore it. That doesn’t support your claim that “non-TLS 1.2 traffic to 443 is OK.”
The point I was trying to make, probably badly, was that there was no need to make TLS 1.3 pretend to be TLS 1.2 going to TCP/443. They could have picked some new port, called it TLS 2.0 (which is what it actually is), and run with that. If QUIC can pick its own port and, by the looks of it, not run into massive problems, there's no reason why TLS 2.0 can't do so too.
> wants to pretend it's TLS 1.2 when it really isn't anything like TLS 1.2.
I've seen a ton of this recently as Amazon has the option for TLS 1.3 with post quantum encryption on cloudfront now. A whole ton of different middleware shits itself.
The ruling itself even says that every case has to be taken in context, and that particular one was a known felon who has been accused of a crime fleeing in a vehicle. As a matter of fact, if you look at the decision [1] you won't find the word "defense" once, only "fleeing".
Last I checked, no one is a felon until so adjudicated by a court of competent jurisdiction.
Parent comment appears to have in mind either reasonable suspicion or probable cause to believe a felony was committed. So not identical at all — nor clear.
Also questionable whether any commands were lawful.
No it's not. See the most recent NY Times article where they analyze the shooting from every available angle, and it's clear Agent Ross was not in danger, and was not hit by Good's vehicle. His phone he was recording with hit the front of the car as he was preparing to fire his weapon.
> Electric cars are supposed to be simple. Give me something in a shape of a Civic, with the engine replaced with a motor and a battery good for 150 miles, and sell it for $10-12k new. Don't even need an entertainment cluster, give me a place to put a tablet or a phone and just have a bluetooth speaker.
I think this is more or less the pitch behind Slate (https://www.slate.auto/en), though it's more of a truck/SUV form factor.
I'm still bitter that they never refunded me for my canceled pre-order, despite promising to at the time. It's been years and I never got any money back (or a phone, for that matter). I consider Purism to be an untrustworthy business as a result.
I've actually heard people argue against having lights on signage for this exact reason: people shouldn't be reliant on lights that may or may not work to modulate their behavior when driving. They had been referring mainly to pedestrian crossing signs, but I think it applies here too. I generally treat any school speed limit sign as in effect if it's before nightfall as a rule of thumb.
As a Schrödinger-like property, it may vary by observer and not be publicly documented. One could start with a commercial product that ships with coreboot, then try to find identical hardware from an upstream ODM. A search for "bootguard" or "coreboot" on servethehome forums, odroid/hardkernel forums, phoronix or even HN, may be helpful.
Headline is a little misleading imo -- the vulnerability isn't in Notepad++ itself as much as its installer. Current users, I imagine, don't have anything to worry about.
Unless the updater also runs the installer, then you just drop your malicious dll in the right place and wait for an update, or find a way to force-trigger an update.
Attackers can also use the notepad installer as a payload execution mechanism. To run your malware, just get older notepad++ installers and drop your dll after the installer is running to run it as SYSTEM.
For a non-admin user to get admin or system, that's a proper CVE. For an admin user behind uac though, uac bypasses aren't considered bypassing of a security boundary so no CVE there.
I did this recently and found out Comcast considers some security feature that runs only on their hardware to be part of the bundle they sold us.
So, bringing your own modem gets rid of the rental fee, but requires moving to a different plan without the security feature bundled. This is of course more expensive, almost entirely negating the savings of bringing your own network equipment (I think our net savings is $5/month, which means it's going to be a couple years to pay back the modem cost).
If you're on a cheaper lower speed subscription, you can often find compatible modems at thrift stores for a couple dollars. People upgrade to faster tiers and unload their old perfectly serviceable equipment good for a couple hundred megabits - fine for most needs.