"I'm interested in all kinds of astronomy."

@jerry @bhawthorne @karl This is relevant to your comment about accusations, I promise.

Once upon a time there was an urban legend that putting 0wormalert@somewhere.com in your address book would protect you from email worms. The theory (speaking of Dunning-Kruger) was that the virus would send email to everyone in the address book, and since the first address didn’t exist, it would fail to propagate.

I owned somewhere.com.

At the time I was bouncing about a million messages a day, with peaks up to 2.5 million when some new email worm came out, and needless to say, I was tracking what addresses were bouncing (like the one that kept getting video clips from inside jewelry stores), and I noticed this one very high on the list, so I routed it to my email to see what was up.

What kind of email do people send to everyone in their address book?

Urban legends of course. And anyone who had done this little hack was probably very susceptible to believing urban legends, so there were a lot of them. And a lot of repeats.

So I set up an auto-responder, and anytime someone sent mail to the address, it sent email back explaining why what they’d done wasn’t going to work, and debunking a dozen or so of the most common urban legends.

And boy did they get pissed.

The first surprise wasn’t that they didn’t believe my explanation. We didn’t even get that far. It was that most of them denied putting the address in their address book at all. Or of even *having* it in their address book. Yet there it was in their email.

The second surprise was how many of them accused me of hacking into their computer. People threatened to call the FBI. They tried to report me to my ISP. They blamed it all on me. (In retrospect, maybe I shouldn’t have done a reply-all, but I was hoping to slow the spread, and this was before alternative facts and Q and all that stuff showed how hopeless that was.)

I did send a write-up to my college anthropology professor on the off chance a student wanted to write a paper about it, but no takers. I’ve still got all the emails though if anyone wants them. :)


Sadly, C++ standardization leadership’s engagement with the memory safety topic is going even more embarrassingly badly than in January:

https://pony.social/@thephd/111550692413752045

The very first sentence is: “Memory safety is a very small part of security.” … Despite the result that about 70% of software vulnerabilities are memory-safety issues having been repeated at multiple organizations (Mozilla, Microsoft, parts of Google, IIRC also Apple).


Computers are like onions. Everything is layers built on layers, and every layer makes you cry.


We need a word for real-life enshittification caused by online culture. Like being unable to find an organisation’s info because they’ve Instagram but no website. Or panicked people being sent a videolink to download to their phone when they ring for an ambulance. Or being excluded from residents' association news if you're not on Facebook. Or having cash payment refused. Or staff in the business you’re physically standing in telling you to find the answer to your question on their website.


Computer science pioneer and United States Navy rear admiral Grace Hopper was born in 1906.

As far as I’m aware, she is the only person who has both a supercomputer and a US Navy destroyer named after her.

Image: Computer History Museum


Annoyed that a website is doing something custom on right-click?
Did you expect the browser's context menu (Back, Reload, Save Page As, View Source etc.)?

Just hold the ⇧Shift key while clicking and Firefox will show the built-in context menu.

Edit: I had no idea this was such a widely appreciated post. Credit where credit is due: @dveditz told me about this trick a couple of months ago.


How the first gen iPod was reverse engineered to run:

1. Someone figured out that when loading a particular HTML page (for viewing on the device), the device would reboot. It crashed. A buffer overflow in the HTML viewer!

2. The device remembered what it did before the crash, so it would reload the HTML page again after boot. Unless you connected to it over USB and removed the HTML file it would stick in this cycle.

(continues...)


Apache CouchDB 3.3.3 is now available. It is a maintenance release that among a number of bug fixes addresses CVE-2023-45725, the details of which will be released in seven days. We recommend all CouchDB users upgrade.

[Update: the blog post has now been amended with the CVE details.]

https://blog.couchdb.org/2023/12/05/3-3-3/


I can finally reveal some research I've been involved with over the past year or so.

We (@redford, @mrtick and I) have reverse engineered the PLC code of NEWAG Impuls EMUs. These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties.

1/4


Provisional agreement reached between the Council of Europe and European Parliament on the CRA.

For us software security needs, this is BIG.

The EU is the only jurisdiction to be proposing a bespoke regulatory regime for hardware _and software_ products, as opposed to merely using procurement regs/consumer protection law.

Of course, in Australia, we will never have the temperament to propose anything like this for software security. We prefer voluntary self-regulation and eventually fixing procurement regulations (see Shield 2 of our cyber security strategy).
https://www.consilium.europa.eu/en/press/press-releases/2023/11/30/cyber-resilience-act-council-and-parliament-strike-a-deal-on-security-requirements-for-digital-products/


Three days after Amazon announced its AI chatbot Q, some employees are sounding alarms about accuracy and privacy issues. Q is “experiencing severe hallucinations and leaking confidential data,” including the location of AWS data centers, internal discount programs, and unreleased features, according to leaked documents obtained by Platformer.

An employee marked the incident as “sev 2,” meaning an incident bad enough to warrant paging engineers at night and make them work through the weekend to fix it.

https://www.platformer.news/p/amazons-q-has-severe-hallucinations


The first was this paper, which discusses how master keyed mechanical locks work and relates them to the kind of analysis we use in cryptography: https://www.mattblaze.org/papers/mk.pdf

It was published in IEEE Security & Privacy, but locksmiths got wind of it because it got some press coverage. They didn't like it. They were unhappy that it described a very simple attack against master keyed systems that lets a regular user turn their key into a master key for the whole system.


Lorenzo Franceschi-Bicchierai


NEW: David Vincenzetti, the founder of spyware maker Hacking Team, has been arrested.

Vincenzetti is accused of attempted murder. He allegedly stabbed a relative at his home. A judge has ordered him to stay in prison as a precautionary measure, and has ordered a psychological evaluation, according to Italian media reports.

I'm honestly in shock. Hacking Team's story is still getting crazier, eight years after it got spectacularly hacked.

https://techcrunch.com/2023/11/29/founder-of-spyware-maker-hacking-team-arrested-for-attempted-murder-local-media/


Interesting nugget from Okta's blog post by chief security officer David Bradbury.

"While 94% of Okta customers already require MFA for their administrators..."

That means 6% of Okta customers *don't* require MFA for their administrators. That accounts for over a thousand organizations potentially without a basic secondary security control in place. Truly wild in the year 2023.


Like, I really don't get why so many of you are so eager to have statistical models write code for you.

I've been arguing for literally my whole career that the actual writing isn't the hard part of software development. But wow, did everyone take that in the wrong direction recently.

Understanding the system is the hard and valuable part. And I genuinely don't know how you think you're going to do that if you never get to do any of the safe and easy interactions with the system.


Terry Pratchett was wise


Whenever I explain my at Google into mobile text editing, I'm usually met with blank stares or a slightly hostile "Everyone can edit text on their phones, right? What's the problem?"

Text editing on mobile isn't ok. It's actually much worse than you think, an invisible problem no one appreciates. I wrote this post so you can understand why it's so important.
https://jenson.org/text


@cstross Butcher, baker, ransomware maker...

Credit: @rubenbolling for Tom The Dancing Bug's take on Busy Town 🙏


Microsoft paid money for this. A lot of money.


Dear Microsoft. Here is a list of things I want the Start Menu to do:

* Show my installed programs
* Search my local files
* Provide access to system settings

Here is a list of things I do *not* want the Start Menu to do:

* Show the weather for a randomly-selected town near my network's public IP infrastructure
* Show tabloid headlines
* Show programs I *don't* have installed
* Search the web via Bing
* Show adverts(!)
* Attempt to engage me in conversation with a hallucinating LLM

Thanks.
