My wife watched this and went "I understood everything, are you sure you're okay? Usually your explanations take 40 minutes and have vscode open", which I'm going to take as a compliment, I guess.
:p
I don't know what you say most of the time, but I dig it
@kirklandday that's the spirit!
What a disgrace. Our wives can never understand what we're doing man! Think better next time, I'm disappointed in you.
s/vscode/nvim/g
From rust to techy Tom Scott, I like it :)
One could argue that techy Tom Scott is... Tom Scott. I'll take the compliment but it's probably far from being deserved (yet!)
"Uhhh. Fiiiine." 😀💯
Came for the cool story, commented because of the ragtime outro! (that's YOU playing, right Amos? 😀)
That is in fact me! You can tell it’s recorded with a mic, rather than recording the output of the keyboard, because you can hear the keys 😌 it’s Lo-fi on purpose
@fasterthanlime I noticed that too! A great vibe
If someone ever asks “so what is hacking then?” I will send them this video.
The vulnerability presented in the video is a parser differential vulnerability. A parser differential vulnerability can occur whenever two parsers parse the same input in slightly different ways. URL parsers have been under a lot of scrutiny in the last few years because of that.
Yeah, regexes for e-mails are a pain! Especially since top-level domains have grown significantly in the last few years.
This is so interesting that I can't use it as my "noise cancellation" + mind-wandering stop device, since as soon as I actually listen I get something cool
i guess the lesson here is: never use the internet
short and sweet!
I just accepted many years ago that my French will never be perfect
I just learned that you're Swiss-French and I have to say I'm super jealous of your accent xD.
I love your videos, they inspire me enormously!!!
m'inspirent*
Is that by chance a reference to the "Mystery of the Yellow Room" ("Le mystère de la chambre jaune" by Gaston Leroux)? That book is a "locked-room" crime novel, depicting a seemingly impossible-to-execute crime.
I don't think "your system is as secure as your least secure component" is very accurate. You can design a security model where your security components are "in series" rather than "in parallel", meaning you need to defeat each step to get to the next one. It is just very hard to not have parallel components that can be used to bypass your secure scheme. So basically "security in depth".
It depends on how you define component. If you think of a chain of components as one logical component, then it still holds true.
Very cool! :)
Is there something you can use regex for that won’t become a big vulnerability? 😂
I forgot to mention it in the video, but hilariously, the Matrix docs say to... still use regexps, but they changed it to match only non-@ characters until the @ (which doesn't prevent someone from still messing up their config): matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allowed_local_3pids
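The parser differential mentioned a few comments up, and the regex shape from the Synapse docs, as an added example (not from the video, the Synapse project, or any commenter): it runs a permissive and a tightened allow-list regex against Python's stdlib RFC 5322 address parser and lists the inputs on which the two disagree. The domain, patterns and probe inputs are constructed placeholders.

```python
import re
from email.headerregistry import Address

# Constructed allow-list; the domain is a placeholder, not any real deployment's config.
ALLOWED_DOMAINS = {"gouv.example"}

# Shape of the pattern the Synapse docs used to suggest: anything, then "@", then the domain.
PERMISSIVE = re.compile(r".*@gouv\.example")
# Shape the docs suggest now: no "@" may appear before the separator.
TIGHTENED = re.compile(r"[^@]*@gouv\.example")


def regex_allows(pattern, candidate):
    """What a config-side regex check decides (fullmatch, as an allow-list should use)."""
    return pattern.fullmatch(candidate) is not None


def parsed_domain(candidate):
    """Domain as the stdlib RFC 5322 addr-spec parser sees it, or None when it rejects
    the input (it raises several unrelated exception types on malformed input)."""
    try:
        return Address(addr_spec=candidate).domain.lower()
    except Exception:
        return None


def parser_allows(candidate, allowed=ALLOWED_DOMAINS):
    """The check a defender wants: parse first, then compare the parsed domain."""
    return parsed_domain(candidate) in allowed


def disagreements(pattern, samples, allowed=ALLOWED_DOMAINS):
    """Inputs on which the regex and the parser-based check disagree: the differential."""
    return [s for s in samples if regex_allows(pattern, s) != parser_allows(s, allowed)]


# Constructed probe inputs: a plain address, an unquoted second "@", a quoted local part
# (RFC 5322 permits "@" inside a quoted local part), and a plainly foreign domain.
SAMPLES = [
    "alice@gouv.example",
    "alice@other.example@gouv.example",
    '"alice@other.example"@gouv.example',
    "alice@other.example",
]

if __name__ == "__main__":
    for name, pattern in (("permissive", PERMISSIVE), ("tightened", TIGHTENED)):
        print(name, "disagrees with the parser on:", disagreements(pattern, SAMPLES))
```

The permissive pattern's disagreement is the dangerous direction (regex accepts, parser rejects); the tightened pattern only disagrees by rejecting a quoted local part the parser would accept, which is a usability cost rather than a bypass.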
These Wakamba have arrived in France
Wow, your French sounds good, my man. Do you know this language? Are you some sort of polyglot?
He's French
@dorktales254 Strange, I thought he was from India
lol. I'm Swiss-French.
@fasterthanlime lol, that explains a lot, I must have misinterpreted something from previous videos
@etterathe I thought he was from Portugal somehow
Great video. But I disagree with "it's hard to blame them" because of the following reasons:
1. Everybody knows that if you try to solve a problem with regular expressions, you now have two problems.
2. Entry points to a security perimeter should be the places that get most of the developers' attention.
3. It doesn't matter how complicated the RFC is, you have to implement it yourself or use someone else's implementation, and either has to be thoroughly unit-tested. If there is an RFC and you don't follow it, you are asking for trouble, and Murphy's laws guarantee that you get some.
2++. This is a government service app so it is strange the startup didn't put most of their time there.
It's probably better to say everyone is at fault and can learn something from this. Sign-ups should be a strict set of strings that the government should be maintaining anyway. They are already paying the cost of paperwork, documentation to maintain employment. This would add just one more step to the process of maintaining employees.
So you never use regex?
@31redorange08 Sometimes I use them in the shell or in short one-off programs to generate code based on some repetitive input, but that's about it. If I need to parse something, I would rather use the "nom" crate or write a recursive-descent parser by hand; either way, the parsing code will be well-structured and easy to understand, with all that fancy stuff like self-explanatory variable names, which regexes do not have.