As I mentioned a number of times, I take good care of the discoverability of my content, which includes #SEO. At the same time, my personal homepage is comfortably low traffic and updates rarely, allowing me to easily spot how Google cheats.

This image shows the ratio of indexed/unindexed pages - as you can see Google just decided not to index thousands of pages.

At the same time, my clicks look great, in part because Google counts clicks to other pages that host the same/similar content (this also results in falsely reported in-links) to my site. I wouldn't be surprised if these clicks were doubly counted to pump numbers...

Google's removal of the estimated number of search results is particularly user-hostile.

And it's me. I'm "user".

There's a specific kind of searching where you know that there shouldn't be a ton of results, and you are adding exclusions until your search matches the expected result space.

And now that's impossible (without scrolling to the bottom to see how many pages of results there are).

Some thoughts on memory safety

https://pacibsp.github.io/2024/some-thoughts-on-memory-safety.html

This post briefly describes some theoretical aspects of memory safety that feel important to me but that aren't always obvious from how I see memory safety being discussed:

1. Memory unsafety is a specific instance of a more general pattern of handle/object unsafety

2. Memory unsafety is relative to a particular layer in a stack of abstract machines

3. Memory unsafety matters because it violates local reasoning about state

4. Safe languages use invariants to provide memory safety, but these invariants do not define memory safety

Also, not sure what was up with the embed in my last post, hopefully this one works.

Another SolarWinds RCE vulnerability…

… I instantly had the image from Hunt for Red October when the Soviet ambassador tells the US SecState that they needed help and SecState says "Don't tell me you lost _another_ submarine!"

I have some words for the developers who decided that it was completely reasonable to expect a user to be able to precisely hit a single pixel to be able to resize a window.

I've seen this on both Windows and Linux. 🤦‍♂️

The SensorWatch LCD works from Micropython! https://github.com/osresearch/micropython/tree/sensorwatch

Versa security advisory: Versa Security Bulletin: Update on CVE-2024-39717 – Versa Director Dangerous File Type Upload Vulnerability
See parent toot above for CISA adding CVE-2024-39717 to the KEV Catalog. Here is some notable information:

• CVE-2024-39717 affects all Versa SD-WAN customers using Versa Director, that have not implemented the system hardening and firewall guidelines.
• The impacted users were Managed Service Providers
• "This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor."
• The threat actors had Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges, in order to upload malicious files.
• Impacted customers failed to implement system hardening and firewall guidelines, with an internet-exposed management port.

Versa released a patch to address CVE-2024-39717, and provided Firewall Guidelines and System Hardening guidance.

Note: A CISA joint cybersecurity advisory from 2022 states that “threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects.” This security advisory was published today while all of the other URLs in NVD/Mitre are behind a loginwall.

cc: @ntkramer

#CVE_2024_39717 #vulnerability #CVE #Versa #cyberespionage #apt #KEV #KnownExploitedVulnerabilitiesCatalog #eitw #activeexploitation

GNU/Linux Sandboxing - A Brief Review https://hardenedlinux.org/blog/2024-08-20-gnu/linux-sandboxing-a-brief-review/

@rostiger Didn't know about this project, it looks great! Thanks for sharing!

Most mirrors of libgen are now down. Anna's Archive is fighting to keep the lights on.
https://annas-archive.org/

[RSS] Advanced UEFI Analysis with Binary Ninja

https://binary.ninja/2024/08/23/uefi-firmware-analysis.html

Last year on this day the bogus #curl CVE arrived that triggered a series of events that subsequently made #curl become a CNA.

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/

Brief intro on how to use eBPF for syscalls tracing

http://sh4dy.com/2024/08/03/beetracer/

#Linux #ebpf

Andy Jassy talks about the benefits Amazon is seeing from their AI coding assistant. It’s widespread that devs are more productive with these tools.

The question is whether this is like accountants and Excel where it creates jobs or travel agents & the web where it kills them.

PageJack: A Powerful Exploit Technique With Page-Level UAF

A talk by @pkqzy888 et al. about overwriting slab objects containing a `struct page *` field to achieve arbitrary read/write in physical memory.

Slides: https://i.blackhat.com/BH-US-24/Presentations/US24-Qian-PageJack-A-Powerful-Exploit-Technique-With-Page-Level-UAF-Thursday.pdf

So I made a thing ☺️
Converted #phnt (Native API header files from the System Informer project) to #IDA TIL, IDC.

To import "phnt" types and function definitions to IDA and help with Reverse Engineering.
@hexrayssa @mrexodia

Introducing #IDA_PHNT_TYPES:
https://github.com/Dump-GUY/IDA_PHNT_TYPES

✍️ A free book on Linux kernel module programming

https://sysprog21.github.io/lkmpg/

@raptor FTR he's been persona non grata and charged with spreading CSAM in France, so...what did he expect?

Being a C programmer in 2024 is so ridiculous, look what I need to do! Every (!) evening I have to charge my sacrifice cats, complete the ritual and pray to the gods just to be as memory safes as Ru^\x00

Programm terminated with signal SIGSEGV, Segmentation fault

Happy Birthday, Linux!

From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID:
Date: 25 Aug 91 20:57:08 GMT
Organization: University of Helsinki

Hello everybody out there using minix -

I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones. This has been brewing
since april, and is starting to get ready. I'd like any feedback on
things people like/dislike in minix, as my OS resembles it somewhat
(same physical layout of the file-system (due to practical reasons)
among other things).

I've currently ported bash(1.08) and gcc(1.40), and things seem to work.
This implies that I'll get something practical within a few months, and
I'd like to know what features most people would want. Any suggestions
are welcome, but I won't promise I'll implement them :-)

Linus (torvalds@kruuna.helsinki.fi)

PS. Yes - it's free of any minix code, and it has a multi-threaded fs.
It is NOT protable (uses 386 task switching etc), and it probably never
will support anything other than AT-harddisks, as that's all I have :-(.

@torvalds

#Linux #Birthday #CakeDay #HappyBirthday