• @rhymepurple@lemmy.ml
    2
    2 years ago

    I wouldn’t lose any sleep over it. That user has a history of this type of behavior (e.g. https://lemmy.ml/post/163751 ), as pointed out by @X_CLI.

    Similar to other bans in that sub, I don’t agree with your ban. The reason provided (“Creating fake drama and attention that only exists in your head, you proved absolutely nothing. https://lemmy.ml/post/168793/comment/118643”) does not seem accurate. If anything, you could have been violating the rule “No doomsday, all is insecure and world will end drama.”, but that doesn’t seem to be accurate either.

    On the other hand, the other user seemed to be violating the rule “Do not defend product x or service x because you like it, post evidence for your claim otherwise you will get banned.”.

  • @X_Cli@lemmy.ml
    1
    2 years ago

    Yeah, you should ignore that person and their communities. That person is toxic and entirely clueless, based on their response in that thread (and some others). They are one of those trolls on Lemmy… and the admins seem to tolerate that person for some reason, even though everybody complains about them.

    I had a good laugh reading your write-up :D

  • CHEF-KOCH
    -2
    2 years ago

    You did not prove any RCE. You linked to coding best practice. That is all.

    • @nutomic@lemmy.ml
      0
      2 years ago

      You should read the big red warning in this link. The PHP developers clearly state that using the function on untrusted input allows for remote code execution. And ip-api.com (without TLS!) doesn’t seem very trustworthy.

      • CHEF-KOCH
        -1
        2 years ago

        You usually need to bypass multiple OS defense mechanisms + the IP database is public, so there is nothing you can leak that is not already known. As also explained, taking over and abusing the OS mechanism is not that easy; it often needs specific rights, and the OS and/or PHP needs to be exploited. If you want to say that e.g. GET is insecure, that is an internet issue and not the tool author's problem.

        If we now question each and every single coding practice and misinterpret doomsday theories in it, no tool that is audited and inspected by thousands of people is left to use, and even then they can still be attacked.

        As said in the original thread, you can also manually download a file and infect yourself. This is a common thing the OS must protect you from. IP-API.com does not have the highest standards, but there are standards.

        I see this as a troll attempt and therefore the ban remains. He did not have the guts to contact the original author, let me do his dirty work, but apparently has time to create this necessary drama here.

          • CHEF-KOCH
            -2
            2 years ago

            I think you do not understand that abusing it requires more than just executing a random script, which you sweep under the carpet because it benefits your wrong conclusion. If you knew, you would realize the script would just crash, misbehave, etc.; it depends on the platform, its protection mechanisms, etc.

            TLS also would not prevent someone from delivering a malicious payload if he already has access to the server; encrypted or not plays no role. But let it go, you guys are a bunch of amateurs. Your statement that they do not have TLS is wrong too, which I debunked.

            I also do not wrongfully imply that because Lemmy does not support 2FA it is automatically attackable and then smear your platform all over the place because I am not happy with best practices.

            It is not more or less secure than downloading an unknown database to your PC and then executing it. Creating doomsday scenarios is disrespectful and unproven. Especially on Linux, ransomware is more ineffective than on e.g. Windows, so your horror scenarios, what if …, are nonsense.