"I'm interested in all kinds of astronomy."

Project Zero Bot

It seems Google is still in the process of migrating issues to the new P0 issue tracker, resulting in bumping old reports to the top.

Now the bot implements a filter that won't post issues with CVEs earlier than 2023.

@cynicalsecurity short answer: yes
daemonising is, as a concept (forking into background), essentially incompatible with go runtime model, which implements its own M:N threading and uses OS threads rather loosely, and it's trivial to end up in a situation where the process would already have some threads started before it would reach your daemonizing code.

long answer: still yes, but daemonizing is bad anyway.
as a preface, the following is coming from being burned in many ways by processes attempting to drop privileges and daemonizing on their own. most often by silent failures with nothing on stdout/stderr/logs; but sometimes by leaking/retaining elevated privileges when they weren't supposed to.

self-daemonising is surprisingly difficult to do properly in general, arguably maybe even impossible if your code is anything but a statically linked executable directly interfacing with the kernel syscall interface (not even going through libc) because of how many things happen before "your" code is reached in process lifetime.
i've seen services dropping privileges improperly too often to trust just about any service to do so, regardless of what programming language they're written in, and instead i strongly prefer to have a service manager that would set up a proper environment (privs dropped, etc etc) first, and then start the service.
if nothing else, there's less security sensitive code to audit, and it's in just one place, instead of having a myriad variations, with every service author implementing their own slightly different way of doing things.


I recently saw an amazing Navajo rug at the National Gallery of Art. It looks abstract at first, but it is a detailed representation of the Intel Pentium processor. Called "Replica of a Chip", it was created in 1994 by Marilou Schultz, a Navajo/Diné weaver and math teacher. Intel commissioned the weaving as a gift to the American Indian Science & Engineering Society. 1/6

While Burp's browsers are devouring my disk space at least their disk usage diagram looks nice

We just published v4.1.0 of the eslint plugin `no-unsanitized`, which prohibits the usage of XSS sinks (e.g., `innerHTML=` or `setHTMLUnsafe()`) without the use of a preconfigured sanitizer library.
The rule helps find and prevent XSS in various Mozilla projects, including Firefox.
Technical Details at https://frederikbraun.de/finding-and-fixing-dom-based-xss-with-static-analysis.html and source at https://github.com/mozilla/eslint-plugin-no-unsanitized

[RSS] In the Windows kernel, what is a LUID, and what makes it loo-ey?

https://devblogs.microsoft.com/oldnewthing/20240830-00/?p=110198
[RSS] The vulnerabilities we uncovered by fuzzing µC/OS protocol stacks

https://blog.talosintelligence.com/fuzzing-uc-os-protocol-stacks/

NVD are you okay?

@dcoderlt Forgot to use the Monitor object?

We broke 10k stars on ! Remaining in the 1st and 2nd positions on for, “Reverse Engineering Tutorial”. Special thanks to @0xinfection @hasherezade @fox0x01 @three_cube @binitamshah and all of you! https://github.com/mytechnotalent/Reverse-Engineering

#music #techno
Now this is what I call a proper place for a techno party:

https://www.youtube.com/watch?v=rTLmeKV7j10
@mainframed767 As always in security, prioritization based on risk assessment should be key, along with alternative solutions. This recent post is very relevant: https://alexgaynor.net/2024/aug/30/impact-of-memory-safety-on-sandboxing/

this is my emotional support carwash. whenever I get sad I ssh into this Montenegrin carwash I found on shodan 12 years ago and spin the rollers a bit. makes me feel real again

Capt. Grace Hopper on Future Possibilities: Data, Hardware, Software, and People (1982)

Part I.: https://www.youtube.com/watch?v=si9iqF5uTFk

Part II.: https://www.youtube.com/watch?v=AW7ZHpKuqZg

If I'm not mistaken getting these records declassified took several years of fighting NSA bureaucracy, so having this released is a pretty great achievement!

I know that one should never, ever go to SciHub to find academic papers but is there a site one should never, ever go to for ISO/IEC standards documents?
