Posted by bearsyankees 14 hours ago

Securing a DoD contractor: Finding a multi-tenant authorization vulnerability (www.strix.ai)
192 points | 80 comments | page 2
ryanisnan 14 hours ago|
Yikes, Schemata and that delinquent CEO should be held accountable.
bearsyankees 14 hours ago||
https://x.com/strix_ai/status/2051361018450948511
sailfast 12 hours ago||
Would be fascinated to know if this went through competitive procurement or if it was one of those Hegseth “let’s be lethal and ship broken shit to the warfighter” procurements.
icedchai 12 hours ago||
Was the app vibe coded?
rectang 14 hours ago||
a16z = "Andreessen Horowitz", for those not in the know. (The acronym is not expanded in the article. EDIT: OP has fixed the article.)
bearsyankees 14 hours ago||
fixed now
rectang 14 hours ago||
Thanks! Happy to have my comment hidden by the mods if they get around to it.
cheschire 12 hours ago|||
Perhaps the community could band together and crowdsource the moderation action through flags. Kidding.
bearsyankees 14 hours ago|||
appreciate the feedback!!
OsrsNeedsf2P 12 hours ago||
Honestly, I didn't know who Andreessen Horowitz was, until you spelt out a16z
DougN7 14 hours ago||
Would it be possible to stop using aXXb nomenclature within the titles? Some of us aren't hip enough to know what all of them mean.
beambot 14 hours ago||
Andreessen-Horowitz, who most people (and they themselves) refer to as a16z and have the eponymous domain name (a16z.com). They're one of the top VC firms on the planet -- exceedingly relevant to HN audiences and commonly discussed here.
krisoft 13 hours ago|||
> you'd rather say Andreessen-Horowitz, which is just as arbitrary as a16z

Yes. I know Andreessen-Horowitz and I don’t know a16z. Reading the title I thought it will be about the cryptography serialisation specification. Turns out I was mixing it up with ASN.1.

> Their website is literally a16z.com

I hear now. Before this if pressed I would have guessed that they probably have a website indeed. If you would have twisted my arm my guess would have been andersenhorovitz.com (yup, with the typos. I learned the correct spelling today from your comment.)

> exceedingly relevant for the HN audience

We contain multitudes.

PenguinCoder 9 hours ago|||
> Yes. I know Andreessen-Horowitz and I don’t know a16z.

So the world needs to adapt to your knowledge instead of you learning to adapt to an often-used and well-known moniker?

operatingthetan 13 hours ago|||
They just want to sound technical.
DougN7 14 hours ago||||
I'll be honest - I was thinking authorization (a11n?) - so I didn't read it closely enough. But despite that, and being on HN from almost the beginning (with a different account I lost the password to), I still didn't know what a16z was, though I do recognize Andreessen-Horowitz.
Semaphor 14 hours ago|||
Opposite for me, I've seen a16z tons of times on HN, and also the domain where sometimes, but the full name would have meant nothing to me.
rectang 14 hours ago||||
I didn't either. This is an ancient debate that can never be resolved completely, though — because the articles that HN submissions point to don't follow a style guide and there are always assumptions about audience priors. Best to just resolve it and move on.
ok123456 10 hours ago|||
Sorry, I come here for hacker content.
bearsyankees 14 hours ago||
apologies, just a vc firm
tomhow 13 hours ago||
The guidelines require using the same title on HN as is on the original post.
bearsyankees 13 hours ago|||
oh apologies, thanks for the reminder
tptacek 13 hours ago|||
Even when the author submits? :)
tomhow 13 hours ago||
Yes... unless we think it's fine to tailor a title to activate a particular reaction from the HN audience :)