It's funny your warning about QR codes goes on to warn about PDF exploits. Yet you clicked the link to this article, by your own definition opening you up to "a whole different world of possible exploitations via whatever file is being returned". It's the nature of the internet to follow links, but our updated browsers keep us safe from exploits.
When was the last time you saw an un-targeted mass 0-day exploit campaign? There haven't been any for modern browsers. If we're talking about 0-days, you likely know there have been zero-click iMessage/WhatsApp vulnerabilities in the past. There's no protecting against those, but you're not here warning users to disable iMessage and WhatsApp. What's more realistic is making sure users keep their software updated, and trust that QR codes and links aren't going to waste a 0-day worth a million dollars on you.
First of all, the problem here is more a point of trust.
I'll try to explain based on your example with "any link".
If you type amazon.com you trust that amazon.com will be returned and not any malware. On a QR code, the target URL isn't as obvious, so the user should be aware that a QR code, even if for example below it says "hackernews - the best news in the IT world", could still link to "https://news.xn--combinator-xwi.com" (edit: because ycombinator is a nice website it auto-resolves the unicode char here; bad example, though, but I don't have the time to recraft it and I guess you know unicode link/URL tricks, therefore I can just let it be the way I pasted it). Did you spot the difference? It's not a regular "y" and could just get you on a phishing page. So yes, even just known "URLs" that you review on a QR code can still be dangerous if not typed by yourself. And then, for a lot of users it probably wouldn't even take that much of a measure to trick them. It's not like the average Jane/John Doe does very well on URL verification, else a lot of scammers would go bankrupt.
Therefore I hope you understand you don't need a 0-day. I also stated that in my answer, but you seem to be so keen on focusing on me listing some 0-days (to disprove the initial article) that you kind of lost my point.
Also, sure, everyone should keep his/her device updated; no one said anything else. Apart from that, no, I wouldn't recommend people use WhatsApp, but that wasn't the point and I'm not actually sure why you're mentioning it, but here I said it: I wouldn't recommend it, if that helps ¯\_(ツ)_/¯
Edit: not to forget, I for myself know that clicking on unknown links poses a certain risk and have several measures in place to reduce this risk.
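A defender-side check for the homograph trick described in the comment above, added here as an example and not part of the thread: it decodes punycode host labels with Python's standard idna codec and flags labels that are non-ASCII or mix scripts (Latin plus Cyrillic, as in the pasted domain), the same kind of heuristic browsers apply before deciding whether to display the Unicode form of a hostname. The URLs are constructed from the one quoted above; the function names are mine.

```python
import unicodedata
from urllib.parse import urlsplit


def script_of(ch: str) -> str:
    """Rough script classification taken from the Unicode character name
    (e.g. 'CYRILLIC SMALL LETTER U' -> 'CYRILLIC'); ASCII letters are Latin."""
    if ch.isascii():
        return "LATIN"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def decode_host(host: str) -> str:
    """Turn punycode labels (xn--...) back into their Unicode form so the
    lookalike characters become visible to the checker."""
    return host.encode("ascii").decode("idna")


def inspect_url(url: str) -> dict:
    """Inspect the hostname of a URL taken from a QR code or link.

    Returns the raw host, its Unicode form and a list of findings; a label
    that mixes scripts or contains non-ASCII characters is marked suspicious
    and should be shown to the user in its decoded form before following it.
    """
    host = urlsplit(url).hostname or ""
    unicode_host = decode_host(host)
    findings = []
    for label in unicode_host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed-script label {label!r}: {sorted(scripts)}")
        elif not label.isascii():
            findings.append(f"non-ASCII label {label!r}")
    return {
        "host": host,
        "unicode_host": unicode_host,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed sample: the legitimate host next to the lookalike from the thread.
    for u in ("https://news.ycombinator.com", "https://news.xn--combinator-xwi.com"):
        print(inspect_url(u))
```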
>It's funny your warning about QR codes goes on to warn about PDF exploits. Yet you clicked the link to this article, by your own definition opening you up to "a whole different world of possible exploitations via whatever file is being returned". It's the nature of the internet to follow links, but our updated browsers keep us safe from exploits.
you really don't know what they did.
In the time of containerized OSs and virtualized-everything it's silly to guess.
Updating software is good advice. Do you realize how many CVEs are reported on a daily basis? Once you've got a password manager you're largely protected against phishing, so the biggest target becomes your computer, and the most likely way to compromise that would be through outdated software with public vulnerabilities.
What do you expect setting your browser security levels to the max to do? Browsers are designed to be secure from default settings.
Almost all CVEs are basically irrelevant to everyone that doesn't have some obligation to keep on top of patching them. Meanwhile, auto-updates are RCE by default.
Indeed. I'm far more worried about picking up a supply-chain hack via updates than I am that some low-profile denial-of-service attack will actually affect me; the updates themselves historically have caused me far more actual denials of service than they fix.
Case in point: “[Print] To meet security goals and support new print capabilities, this update transitions Windows printing components from MSVCRT to a modern Universal C Runtime Library.
As a result of this change, print clients running versions of Windows prior to Windows 10, version 2004 and Windows Server, version 2004 (Build number 19041) will intentionally fail to print to remote print servers running Windows 11, versions 24H2 or 25H2, and Windows Server 2025, that have installed this update, or later updates. Attempting to print from an unsupported print client to an updated print server will fail with one of the following errors: […]”
CVEs are better viewed as "a uniform numbering system that ensures we are talking about the same bug" today. But updating software is good anyway.
> Browsers are designed to be secure from default settings.
Not quite. They are usually designed to be both fast and safe, but neither goal is considered "done" yet in modern ones. If you want max security, you'll likely have to disable all performance boosts like JS JIT.
It's completely the opposite of "use one password for everything". When you do that any single compromise of a website you have an account on means all your accounts are likely compromised. With a password manager you have a long random password for every single website, meaning a compromise is siloed to just that site.
Even if your password vault is stored on the cloud you're likely using a very secure passphrase for it that has 0 reuse anywhere else, so even if your password vault is stolen it's impossible to brute force.
For a hacker to compromise your password vault it would likely involve hacking your computer, which if you're keeping your software updated is a very difficult task these days without the target user's active help.
I checked my GitHub archive (https://www.gharchive.org/) indexed data and the only repo that I saw for johncoates was LanscapeVideos, which has a last event time of 2015-06-09 07:09:52+02
It is important to note that GitHub archive is not 100% accurate and there are over 319 missing hours.
I can't find any reason why I would have made it public. I made the repo in 2014 for internal use and don't like to share projects like that. I'm pretty careful when releasing any code publicly. It's some code that other private projects depend on. I searched for any references in public code and there are none, so there should have been no reason to make it public.
Interestingly my public code with thousands of stars isn't in "The Stack".
This shouldn't be something where we're relying on recollection.
Presumably github repo privacy state has an audit trail. This would allow GH to prove / disprove claims on any given repo easily. I hope a rep steps in to do so.
Yeah I agree. Tried https://news.ycombinator.com/item?id=39771541 but there's nothing related to this repo. Does GitHub send an email out when you make something public? I don't have any emails related to this repo.