[DiscordArchive] The definitions - yes, probably. A codebase review on the other hand... I won't even perform that ag
Archived author: p620 • Posted: 2021-06-27T04:41:53.893000+00:00
The definitions - yes, probably. A codebase review on the other hand... I won't even perform that against the software **I use**, not to mention the software **I connect to**. Perhaps Discord itself stores secrets in plain text (the attachments here are unconditionally public, for instance); did you perform an audit by any chance?
Archived author: tester • Posted: 2021-06-27T04:43:27.041000+00:00
I have done a bit of research into what data Discord collects and what is stored, yes, but I also know it's a commercial product, not a hobby project touched by thousands of devs, many of whom should not of
Archived author: p620 • Posted: 2021-06-27T04:46:39.101000+00:00
On the contrary, I would consider that fact as contributing to the distrust. I would (and do) rather use open-source software with an active and large community of involved peers instead of some shady corporate entity. The community would build a product for themselves, while the company would value profits above all else.
Archived author: tester • Posted: 2021-06-27T04:47:29.962000+00:00
I'm not against open source, I'm all for it. But many early commits were to core systems that were not fully tested, which left security holes for large periods of time.
Archived author: tester • Posted: 2021-06-27T04:48:17.567000+00:00
This is much, much less now. AC, I've heard, is slightly more relaxed than TC is about security things and all that, but I assume their testing is fairly thorough.
Archived author: p620 • Posted: 2021-06-27T04:54:38.236000+00:00
An indication of incompetence compromising many. Serving hosts the most though. I would like to emphasize (again) the fact that a user (overwhelmingly so) is unable to perform an audit of remotes they connect to. Therefore, a general notion of mistrust is to be assumed. Punishing the host for the user's failures (especially considering the fact that, as you've already stated, not everyone is even in control of what they run) wouldn't bring security to their interactions, only provide more potential for some malicious exploits to occur.
Archived author: tester • Posted: 2021-06-27T04:59:42.633000+00:00
I agree that many users cannot. Just like I have not read every single line of every open source project I've used. But I do attempt to at least glance over a good bit of it to understand what it is that it does. That's part of it being open; security isn't done through obscurity.
Archived author: tester • Posted: 2021-06-27T05:00:43.664000+00:00
Security is done through proper implementations and safeguards, not just hoping nobody notices I'm using an old Windows build or a bad core with an auth issue.
Archived author: tester • Posted: 2021-06-27T05:03:34.377000+00:00
Past that, it is 1am here, so I am off to find a bed. It was a fun conversation. Feel free to leave final thoughts that I'll read over in the morning.
Archived author: p620 • Posted: 2021-06-27T05:05:59.106000+00:00
Announcing the host meta is neither though. It won't introduce any security. On the contrary, it would almost literally attach a "kick me" badge to some servers. Users on the other hand would statistically gain nothing from the info seen. If anything, it would only hasten the undesirable event one hopes to avert.