The real slim shady || Ivanti Endpoint Manager (EPM) Pre-Auth RCE

CVE-2024-29847

https://summoning.team/blog/ivanti-epm-cve-2024-29847-deserialization-rce/

@inthehands Also related: https://fs.blog/writing-to-think/

Oh shit the vDSO implementation of getrandom() landed in Linux 6.11.

Might remove one of the last performance objections ot using the kernel CSPRNG for everything, the syscall overhead.

I have a large CL chain for crypto/rand, might as well add support for that...

"The productivity myth suggests that anything we spend time on is up for automation — that any time we spend can and should be freed up for the sake of having even more time for other activities or pursuits — which can also be automated. The importance and value of thinking about our work and why we do it is waved away as a distraction. The goal of writing, this myth suggests, is filling a page rather than the process of thought that a completed page represents."

1000x this.

https://www.techpolicy.press/challenging-the-myths-of-generative-ai/

"It is not the case that “AI gathers data from the Web and learns from it.” The reality is that AI companies gather data and then optimize models to reproduce representations of that data for profit."

"The productivity myth suggests that anything we spend time on is up for automation — that any time we spend can and should be freed up for the sake of having even more time for other activities or pursuits — which can also be automated."

https://www.techpolicy.press/challenging-the-myths-of-generative-ai/

Read the whole thing!

Ah shit, Flare-On in 11 days. Not sure I start it right away :-((((((

https://cloud.google.com/blog/topics/threat-intelligence/announcing-eleventh-annual-flare-on-challenge

[RSS] Non-Actionable Findings in 3rd-party Security Scanners...and How to Identify Them

https://bughunters.google.com/blog/6302522760626176/non-actionable-findings-in-3rd-party-security-scanners-and-how-to-identify-them

We are super grateful to the community members who are generously helping make Kagi accessible worldwide through translation support 🌍

Want to contribute? Join us at https://localazy.com/p/kagi-search

My exam season is finally over, and after some final touches, I have a few exciting announcements for you.

We’re launching the public beta phase of our CellGuard iOS app. It supports all iPhones running iOS 14 or newer. You can contribute to an optional study that helps us to improve detection algorithms. Read more & download CellGuard at https://cellguard.seemoo.de

[RSS] FreeBSD 11.0+ Kernel LPE: Userspace Mutexes (umtx) Use-After-Free Race Condition

https://accessvector.net/2024/freebsd-umtx-privesc

[RSS] Attacking PowerShell CLIXML Deserialization

https://www.truesec.com/hub/blog/attacking-powershell-clixml-deserialization

The Children of the Magenta lecture: https://www.youtube.com/watch?v=WITLR_qSPXk . The quality of the AV isn't great due to age and restoration, but the contents is _well_ worth it.

Today I'm thinking again about the "Children of the Magenta" lecture. In the late 90s, airlines realized that after going all-in on automation and flight assists in the 80s, they had trained a generation of automation-dependent pilots who were no longer capable of dealing with novel situations in which the automation couldn't help, or failed. Children of the magenta flight path line on the computer.

I'm thinking about it because someone this morning bragged about letting LLMs write the code.

@stf Thanks for the reminder, I never had the opportunity to use it! My goal is specifically to dump datasets from Wayback Machine for specific domains, so browser-based solutions are less useful for me now.

@qwertyoruiop the interactive graph crashed my browser

Fun* fact in this video: the 'disposable' vapes thrown away in Britain alone contain enough lithium batteries to make 1.2 Million e-bikes.
I've been independently powering things with vape batteries that I've rescued before seeing this video. Pull out the cell, add a cheap usb charging module and you have a fully rechargeable 3.7v power source. If you need higher voltage you can put them in series and you can even get multi-cell balancing modules for next to nothing if you want to have a few in parallel for more current.
I don't trust them for anything critical, but they're great for low-budget projects as the cells are completely free. My bike lights are all powered by them (one can run a flashing bike light for a couple of weeks' use), as well as various other things that had their batteries die, or that didn't come with rechargeable batteries.
I also only charge them somewhere flameproof, though I haven't had any issues so far.
#making #electronics #reuse
https://www.youtube.com/watch?v=ehp23hrrEHY

Please help us test OpenSSH ahead of the 9.9 release, due in a few weeks.

New features include a new post-quantum key exchange based on ML-KEM, improved controls to disallow unwanted connections and better performance for the existing PQ key exchange.

Full details at: https://marc.info/?l=openssh-unix-dev&m=172638834815257&w=2

God this is fucking incredible. Please take my word for it and read

https://modem.io/blog/blog-monetization/

Apple unexpectedly drops its civil suit against #spyware vendor NSO
Group as it claims discovery against it might disclose information that would benefit… spyware vendors. https://www.securityweek.com/apple-suddenly-drops-nso-group-spyware-lawsuit/

@ciaranmak Got you! I'd say that hitting paywalls and even some JS-based UI monstrocity is the "normal" these days which I'd expect (and probably use Selenium or similar to grab it). But in case of the Wayback Machine I'd expect a friendlier API...