This is fantastic and I think it's going to fuck up software engineering so much.
This was honestly super hard to write. The subject has been bugging me all day. I'm worried that people are going to hate my guts for saying it, but everything feels right to me.
https://wedistribute.org/2024/02/tear-down-walls-not-bridges/
I guess this stuff is plenty obscure, huh?
So, folks, a new browser engine has dropped (a while ago, actually). It isn't based on WebKit and it isn't based on Firefox; it is written from scratch for the hobbyist operating system SerenityOS by some awesome/crazy people. The browser, called Ladybird, can actually be compiled for Windows, Linux, Mac, OpenIndiana and Android.
It can pass Acid3 and render the GitHub page well (note that Firefox and Chrome circa 2018 could not do that!), and it has decent JS and afaik wasm support.
Edit: the project seems to be not great in terms of ethics, so I removed the link.
Dear @mozilla
Please, please, please put the RSS indicator back in Firefox.
People need to know about this technology which empowers users over greedy, controlling corporations.
Update: As many have pointed out, you *can* use @thunderbird as an RSS feed reader, and there are many #firefox add-ons to restore the RSS indicator (one of which I'm already using). But my point is that Firefox needs to lean into RSS as an answer to all the crap that is the modern web, and help educate users about it
no centralised social network could ever produce "the taliban deleted my account". that's a mastodon special.
@bynkii @saraislet I haven't seen any real data on this, but if we assume the avg corp worker receives ~100 biz-related emails per day during the work week, that's approx 26k per year. Let's assume 50% have links.
If they click on 1 malicious email link in a year, that's a ~0.008% “fail” rate to them.
Even if they click on 100 malicious links, that's only ~0.8%.
It's entirely rational to click the damn links; spending even 1 min on scrutinizing each email adds up to 217 hours per year!
The 0day dumpster fire that is the security hardware industry rn continues unabated this week.
From Rapid7:
"Critical Fortinet FortiOS CVE-2024-21762 Exploited
Feb 12, 2024
On February 8, 2024 Fortinet disclosed multiple critical vulnerabilities affecting FortiOS, the operating system that runs on Fortigate SSL VPNs. The critical vulnerabilities include CVE-2024-21762, an out-of-bounds write vulnerability in SSLVPNd that could allow remote unauthenticated attackers to execute arbitrary code or commands on Fortinet SSL VPNs via specially crafted HTTP requests.
According to Fortinet's advisory for CVE-2024-21762, the vulnerability is “potentially being exploited in the wild.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to their Known Exploited Vulnerabilities (KEV) list as of February 9, 2024, confirming that exploitation has occurred."
https://www.rapid7.com/blog/post/2024/02/12/etr-critical-fortinet-fortios-cve-2024-21762-exploited/
Broadcom Ends Support For Free ESXi Vmware Hypervisor https://tech.slashdot.org/story/24/02/12/1816248/broadcom-ends-support-for-free-esxi-vmware-hypervisor?utm_source=rss1.0mainlinkanon
Okay, so I did a quick dive into sudo in Windows and here are my initial findings. https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html
The main takeaway is, writing Rust won't save you from logical bugs :)
Again, as a computer scientist, I believe computers should be in fewer things
I gave #linkedin an honest try, for a year or more, in terms of finding #work. It's a cesspool of #toxicpositivity and fake job postings.
Now I'm asking, with all urgency -- to anyone who has anything #tech to offer, please consider a guy who has:
- 30 yrs of exp
- out of work 20 mo
- 3 kids, one approaching her 1st birthday
- a track record for secure systems
- a month before eviction
- low salary reqs
CV: https://jrlenz.com/files/cv-2023-12.pdf
US citizen | PH resident
Shout out to the Security Research Legal Defense Fund for helping us go public about our train research! We're honored to have been their first grantees.
Without their financial assistance we would've had to crowdfund our legal bills, or even worse, stay quiet about the locks we've found in Impuls trains.
If you're facing legal threats (or even anticipate the possibility of such threats) as the result of security research we definitely recommend reaching out to them.
Ibly 🏳️‍⚧️
GitS is RIGHT NOW, and the laughing man incident is literally today
whoa
AnyDesk was popped, with 170,000 advertised users.
They claim their install base is secure, but that the code signing cert was stolen. From the changelog, it's clear that they knew this on January 29th but didn't announce until the end of the day on a Friday. Not cool.
Based upon their actions so far, I would recommend all enterprises kill AnyDesk across their fleet using EDR or other means for now until we know more.
https://anydesk.com/en/public-statement
https://anydesk.com/en/changelog/windows
I wanna surface this to my main timeline because it's kinda important to say out loud from time to time:
Businesses do NOT "have to" focus exclusively on their return to shareholders. Not legally, not morally.
That is the misguided OPINION of a 1970 essay by Milton Friedman, and the fact that everyone seemed to just hop on board that opinion is a significant reason why we switched gears into hyper-hell-capitalism since then.
Push back on this every time you see it.
Given Okta's recent troubles with keeping their network secure, I guess I shouldn't be surprised by this blog post.
Still, for a company that supposedly markets and sells security services, you would think they would have a better handle on something as rudimentary as password hashing.
TL;DR: Use SHA-2 or SHA-3 to hash passwords.
🤦🏻
https://auth0.com/blog/hashing-passwords-one-way-road-to-security/