What a shame that I no longer have access to my teenage-level conscience, I am salivating at the idea of going wild with this and the Copy Fail CVE.
The potential here to do all kinds of manipulation for search engines / AI tools is enormous. Perhaps the more scary thought is that someone could easily make an agent that would exploit both bugs to wipe out servers.
Good on these companies to publish their findings straight away as I'd imagine that both bugs would have fetched quite a lot on the black market.
> Good on these companies to publish their findings straight away as I'd imagine that both bugs would have fetched quite a lot on the black market.
You should read the other thread regarding copy fail and the gentoo maintainer. I haven't seen so many unhinged and outright rude comments on a security topic since the good old days of slashdot and x vs. y controversy of the day.
I wonder what the reason behind so much hostility is. Is it gentoo or the kernel folks or the fact that the company that found it used "AI"? No idea, but it was a weird read.
Especially weird when from their description they actually had an idea. ".splice()" and then just searched possibilities of that and then identified place and only then used AI to build something. Which they likely could have done manually too...
As of this comment, Debian Stable ("Trixie", though I hate codenames) doesn't have a fix in place and remains vulnerable, or at least their CVE tracker shows it as such:
I choose not to call it Debian 13 because that carries less context than Stable/Testing/sid. I'd rather not require the user to maintain that extra mental mapping.
Anyone who knows anything about this subject immediately understands what is connoted by "Debian Stable". I run Trixie on most of my personal boxes and I had no idea what version number it is, nor do I particularly care.
Probably to some extent it is marketing, but generally it has to do with significant bug finds to get the message out to the people who need to apply patches and/or be informed. Heartbleed, Log4Shell, etc.
Very few CVEs get names dedicated to them like this, because usually when they do, it is very serious, as in this case.
I did the Everest base camp trek in late 2015. At that time it was quite common (I saw it myself and heard about it) that people would do the trek up, but to get down they would fake a leg/back injury or blame altitude sickness, and the chopper from Kathmandu would come pick you up, as long as you had the right insurance.
Not an insurance underwriter - but wouldn't the obvious counter-move be to exclude coverage for medical assistance/transportation when you're climbing mountains overseas, spelunking, within X miles of the north or south pole, traveling in a submarine, or have otherwise ventured into "high-dollar extraction" territory?
I went to Nepal two years ago. The standard insurance of my Mastercard Gold specifically excluded medical assistance/transportation for acute altitude sickness from the coverage (and rescue operators are reluctant to intervene without proof of proper insurance coverage).
As a precaution (having read about it on forums) I had taken an additional insurance from a French shop specialized in hiking and mountaineering (le Vieux Campeur) to cover more events.
Good thing I did because I ended up having to be evacuated for something that was initially considered as acute altitude sickness and turned out to be a lot more life threatening once in the hospital.
The obvious counter move is just to charge higher premiums. It works whether the crises are real or fabricated. The real losers are not the insurance companies, but other tourists overpaying on their premiums.
In my experience, it's only the cheap insurance policies bundled with credit cards and various memberships that consider high-altitude hiking a high-risk activity. Any travel insurance you buy as individual should cover it. If there is an altitude limit, it's usually 6000 m, so Everest Base Camp and Kilimanjaro would be covered but Aconcagua wouldn't. And any actual mountaineering would also be high-risk, regardless of altitude.
The people doing that could probably afford the copter ride outright, so they can afford the "right" insurance that wouldn't ask any questions. The uber-wealthy live under a completely different system than the average schmuck like me.
I can tell you exactly what it cost for me. I took the helicopter from Gorakshep, the highest/last town on the EBC trek, to Lukla, the crazy airport people call the most dangerous one in the world. For me, a 255 lbs / 115 kg guy, 2 Nepalis that are each half my size, a pilot, and our not-that-heavy hiking gear, it was 2000 USD in October of 2024.
Having something scheduled is cheaper than on-demand, too. You may even end up using the same equipment, but at a lower priority (it costs $200 or so to have an ambulance sit at your event, for example).
I think Discord/IRC are the best two options for real-time talk. Social media sites are quite clunky for that purpose, but still useful to discuss the topic.