Now those gpg.fail people made me find similar vulns elsewhere (console control character injection). By "elsewhere" I mean... my own code.
Opinions wanted: should "input can inject console output with ANSI and control chars" always be considered a vuln/CVE?
(I'll fix it in any case, I'm just wondering if I should do all the "security release/advisory/request CVE/..." stuff.)
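A sketch of the usual fix for the bug class named in the post above, added here as an example and not the poster's code: untrusted text is made inert before it reaches the terminal by rendering every control and format character as a visible escape. The function and constant names are hypothetical, the sample strings are constructed, and Python is an assumption, since the post does not say what language the affected code is written in.

```python
import unicodedata

# Unicode categories that are never passed through to a terminal:
#   Cc = C0/C1 controls (ESC, CR, BS, BEL, DEL, 0x9b CSI, ...)
#   Cf = format characters (bidi overrides, zero-width characters)
#   Cs = lone surrogates, Zl/Zp = line and paragraph separators
UNSAFE_CATEGORIES = {"Cc", "Cf", "Cs", "Zl", "Zp"}


def _visible(ch: str) -> str:
    """Render one unsafe character as a printable escape."""
    cp = ord(ch)
    if cp <= 0xFF:
        return f"\\x{cp:02x}"
    if cp <= 0xFFFF:
        return f"\\u{cp:04x}"
    return f"\\U{cp:08x}"


def sanitize_for_terminal(text: str, keep_newlines: bool = False) -> str:
    """Return text with control/format characters shown, not interpreted.

    The backslash is doubled so a literal "\\x1b" typed by the sender cannot
    be confused with an escaped ESC byte. Escaping all of Cf also breaks
    emoji joined with ZWJ; that is the strict choice for logs and prompts.
    """
    out = []
    for ch in text:
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\n" and keep_newlines:
            out.append(ch)
        elif unicodedata.category(ch) in UNSAFE_CATEGORIES:
            out.append(_visible(ch))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: a user-supplied name carrying an SGR colour
    # sequence, a carriage return, a bell and a right-to-left override.
    sample = "alice\x1b[31m\r\x07\u202e"
    print("name:", sanitize_for_terminal(sample))
```

Apply it at the output boundary (every print, log line and prompt that includes external data) rather than at input, so the stored value stays intact for non-terminal consumers.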
TyphoonCon 2026 Early Bird tickets now on sale!
Dive into exploits, reverse engineering and cutting-edge insights in offensive security. May 28-29 in Seoul, South Korea
🎟️ Limited tickets available: https://www.eventbrite.com/e/typhooncon-2026-tickets-1968561639857
Question to people more knowledgeable about #BSD systems (primarily #FreeBSD, but the more answers the merrier)!
On Linux, I can use ipset (or nftables sets) to create a set of IP addresses I can match against with one rule. Like:
# ipset create test-set iphash
# iptables -I INPUT -m set --match-set test-set src -j DROP
This would drop any and all source addresses that I add to test-set in the future, without having to update INPUT. It also does some magic hashing thing to make all this efficient.
The reason I want this is because I'll be adding a lot of unique IPs to this set (about half a million, if not more). When adding them directly to iptables, the Linux kernel was very unhappy about that. But with a set? Worked like a charm.
Can pf or any other packet filter tool on the BSDs do something similar? Allow me to block a very large number of unique IPs?
Blocking ASNs or ranges is not feasible, I need to block unique IPs.
Bonus points if it can automatically expire entries that were added or updated N seconds ago.
Boosts appreciated.
I recently bought something from poshmark.com, for the first time. While I haven't heard of them before, I figure with credit card protections as they are in the US, there's really no harm in giving it a shot.
Within about 30 minutes of placing my order, I got a not-very-good phishing email from purchase-orders@loyverse[.]com, claiming to be "Poshmark".
The first time in my life that I've received a phish from somebody claiming to be Poshmark.
My wonders at this point:
🤔