Disclosure day!

Insufficient permission check vulnerabilities in Granicus's GovQA allowed unauthorized access to view, edit, and change ownership of open records requests, including restricted-access confidential records. By changing ownership of a request, an attacker could effectively deny a legitimate user's access to that request. The vulnerabilities affected various deployments, including numerous Departments of Children and Family Services or their equivalents, which handle highly sensitive records of domestic violence and sexual abuse allegations against children.

Details:
https://github.com/qwell/disclosure-granicus-govqa/

Coverage:
https://www.nextgov.com/cybersecurity/2024/03/flaws-public-records-management-tool-could-let-hackers-nab-sensitive-data-linked-requests/394755/

With 1 #transistor, I can make an inverter, a switch, or a not-very-good amplifier.

With 2 transistors, I can make a differential amplifier, a cascode, or a latch.

With 3 transistors, I can make a fairly good (Wilson) current mirror, or a Lorenz chaotic system.

20,000 transistors made a #computer that navigated spacecraft to the Moon and back.

But 10,000,000,000 transistors make a computer that's brought to its knees if it tries to interpret the Javascript used to load one #ad on a web page.

India has officially outlawed nine types of #UX #DarkPatterns, including saying "Hurry, only X amount left;" adding "processing fees;" adding dire language to opt-out buttons ("No, I'd rather not protect my purchase"); forcing people to agree to a EULA; forcing people to call a phone number to unsubscribe; using confusing opt-out language ("No, don't unsubscribe me"); blending ads into editorial content; and forcing people to click "remind me later" every day. https://bootcamp.uxdesign.cc/dark-patterns-are-now-illegal-in-india-6b3c35c5ce50

#ThanksEU #Amazon stops charging for moving data out of their services. You have to read to almost the end to find the real reason:

„The waiver on data transfer out to the internet charges also follows the direction set by the European Data Act and is available to all AWS customers around the world and from any AWS Region.“

https://aws.amazon.com/blogs/aws/free-data-transfer-out-to-internet-when-moving-out-of-aws/

Birmingham council's 'equal pay' bankruptcy provided cover for Oracle disaster
L: https://theconversation.com/how-birmingham-city-councils-equal-pay-bankruptcy-provided-cover-for-ongoing-oracle-it-disaster-224416
C: https://news.ycombinator.com/item?id=39613181
posted on 2024.03.06 at 02:12:05 (c=1, p=5)

Can you believe it? It's been 20 years since OpenTTD 0.1 was released! Time really does fly.

Read the full story: https://www.openttd.org/news/2024/03/06/happy-birthday

I spent the last week scraping through a terabyte of GeoCities archives and collecting ALL THE #88x31 buttons! In the end, I gathered 29257 unique buttons (75k with duplicates). They are available at https://hellnet.work/8831/

Check them out!

I also have the dataset (~160MB), stats and a bit about the scraping process here: https://hellnet.work/8831/stats.html

#indieweb #smallweb #geocities #neocities

Carmakers must bring back buttons to get good safety scores in Europe

In 2026, Euro NCAP points will be deducted if some controls aren't physical.

https://arstechnica.com/cars/2024/03/carmakers-must-bring-back-buttons-to-get-good-safety-scores-in-europe/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

The US military tracked Putin's movements. How? His comrades (advisers, drivers, etc.) had smartphones and were browsing the internet, using apps. Ads were displayed to them. And data traces from advertising networks revealed everything. https://www.wired.com/story/how-pentagon-learned-targeted-ads-to-find-targets-and-vladimir-putin/

Here it is: the One Weird Thing that people who aren’t programmers (or are bad programmings) just don’t understand about writing software. This is it. If you miss this, you’ll miss what LLMs can and can’t do for software development. You’ll be prey to the hype, a mark for the con.

6/

I am re-reading Dune. This quote by the Reverend Mother Gaius Helen Mohiam is remarkable:

“Once, men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.”

It's not about a Terminator-style AI-apocalypse where the machines want to kill us all dead. It's just an accurate prediction of what actually appears to be happening.

@natty reminded me of

Hello world! Kaitai project and #KaitaiStruct finally got its own its own space in Fediverse!

If you're not familiar with us, we create declarative language for binary format specification — see https://kaitai.io/ — and tooling around it — a compiler which transforms declarative specs into ready-made parsers in variety of programming languages, visualizers and IDE for rapid format spec development and much much more.

Watch this space for more news from us!

god remember when every c-suite guy either got fooled into or gaslit themselves into believing “the metaverse” was going to be a thing and we were all supposed to respect that and pretend that it wasn’t transparently nonsense

Have you ever wanted to start editing #Wikipedia, but got overwhelmed or felt like you didn't know where to start? Every time I encourage people to start editing, I hear that, so I'm trying to help.

https://www.youtube.com/watch?v=bRRHR1NEOqE

programmers are always posting like "worked on tracking down an issue with a Flurble deployment for twelve hours. the problem wasn't in Flurble at all - it was in the Gumbies install. It turns out if you install Gumbies 3.0 over Gumbies 2.7 and don't do a cache flush on all the client spiders they'll get stuck in the crystal maze." then you look up Gumbies and the site is one of those scroll scroll scroll types with one sentence per page, like

"GUMBIES is a lean, expressive sharding sandcube for testing and deploying large scale Woodchips playgrounds.

GUMBIES automates and streamlines away watersliding phases, meaning your team can get right to the chipping.

See why Microsoft, OpenAI and Bloingo have embraced GUMBIES in their Woodchips workflows."

and you get to the bottom and you're like I want this I guess but I still don't know what it is

Tried using the new Google Chrome V8 settings to turn off the JavaScript JIT, as discussed by @campuscodi in https://news.risky.biz/risky-biz-news-google-addresses-jit-security-in-chrome-122/

However funnily enough that completely broke the Microsoft Teams web client on Mac OS X for me. It remained consistently stuck on "connecting" for over 5 minutes. Even allow-listing teams.microsoft.com wasn't enough, only worked when I allow-listed all of microsoft.com.

So be aware this is not as benign a change as it should be - not only a performance hit but things can actually stop working.

And this got me wondering... is Teams' JavaScript just so horribly inefficient that it takes forever to work without JIT? Or what kind of shenanigan is it doing to REQUIRE the browser JIT to work? 🤔

in the spirit of transparency, here’s our response to CISA’s RFI on Secure by Design: https://kellyshortridge.com/papers/CISA-2023-0027-Shortridge-Sensemaking.pdf

SbD should not incentivize lip service or #security theater. It should not be at odds with business goals.

So, @rpetrich and I wrote what SbD should be and not be.

We hope mastonerds especially appreciate our recommendations in Section 1.2.1 for how #software teams can start investing in SbD while supporting velocity, dev productivity, & reliability.

blog: https://kellyshortridge.com/blog/posts/rfi-secure-by-design-response/

UPDATE: In the last 24 hours, we’ve observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)

Mastodon change incoming in next release, if no mod logs into a server for a week open registrations will close. Will probably take a few weeks but should solve the current spam issue largely. https://github.com/mastodon/mastodon/pull/29318