Maybe it's just me, but that is like 10x worse. They're basically admitting they didn't pay an influencer to spread misinformation about public wifi in order to sell VPN products, they just stole her likeness, used her photo, and attributed a completely made-up quote to her.
If they did that to me, we'd all be discussing my actions at Geneva's next convention.
Seems #Supermicro has not yet released some updated BMC firmware to fix #CVE-2024-36435 since July 2024.
https://nvd.nist.gov/vuln/detail/CVE-2024-36435
Why I don't write exploits*: https://addisoncrump.info/important-information/why-i-dont-write-exploits/
In which I describe why I avoid writing exploits at all costs.
#testing #defense #vulnerability #academia #research
The rise of Mastodon has made me so much more aware of government services requiring us to use private companies’ systems to communicate with them and access services.
Sitting on a Dutch train just now I was shown on a screen “feeling unsafe in the train? Contact us via WhatsApp”.
What if I don’t use WhatsApp? (I do, but I wish I didn’t have to) I’m forced to share my data with Meta to use it.
Public systems should not require use of private services.
While trying to properly document Meta's use of public content for LLM training, I discovered they have a new "Privacy Center" that is not plaintext by any means. What's more, the "printable version" does not appear to contain the information related to using your public posts for training data.
Direct link: https://privacycenter.instagram.com/guide/generative-ai/
What I really want from technology these days is passivity. Physical buttons, and PASSIVITY.
No guessing, no anticipating, no predicting.
No autofill, no autocorrect, no autodrive and PLEASE God no autoplay.
Just be inert until acted upon!
Good Retry, Bad Retry: an incident story. How exponential backoff isn't enough.
https://medium.com/yandex/good-retry-bad-retry-an-incident-story-648072d3cee6
Archive link: https://archive.ph/H3dIq
Wrote about representation of control flow and exceptions in the CFGs in my function-graph-overview extension.
OK, so I have 'prepped' the Seat61 Budapest<>Belgrade page for the launch of direct 200km/h Subotica-Belgrade SOKO trains on 24 November, https://seat61.com/trains-and-routes/budapest-to-belgrade-by-train.htm
Anyone happen to know the planned timetable?
So you enabled `set -e` cause you thought it will catch failures of intermediate commands that you don't check the result of?
That it's kinda like exceptions or replacing all newlines with an implicit &&?
WRONG
Try this and see how many times it prints "hi"
```sh
set -e
foo() {
    false
    echo "hi"
}
foo || echo "foo failed"
echo "survived 1"
foo
echo "survived 2"
```
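The snippet above run in a child shell, next to a variant whose function reports its own failure instead of relying on `set -e`. This is an added example, not part of the original post; the `hardened` variant and the helper names `run_script` and `count_lines` are assumptions of this example.

```shell
# The post's snippet, kept as-is, held in a string so it can run in a child shell.
original='
set -e
foo() {
    false
    echo "hi"
}
foo || echo "foo failed"
echo "survived 1"
foo
echo "survived 2"
'

# Constructed variant: the failing step propagates its status explicitly,
# so foo behaves the same whether or not the caller sits in a || / if context
# (where the shell ignores errexit for everything foo runs).
hardened='
set -e
foo() {
    false || return 1
    echo "hi"
}
foo || echo "foo failed"
echo "survived 1"
foo
echo "survived 2"
'

# Run a script in a fresh shell; its exit status is deliberately discarded
# because the interesting result is which lines were printed.
run_script() { sh -c "$1" 2>&1 || true; }

# Count output lines that match $2 exactly (grep -c exits 1 on zero matches).
count_lines() { run_script "$1" | grep -c -x "$2" || true; }

for variant in original hardened; do
    eval "script=\$$variant"
    echo "$variant: hi=$(count_lines "$script" hi)" \
         "foo_failed=$(count_lines "$script" 'foo failed')" \
         "survived_2=$(count_lines "$script" 'survived 2')"
done
```

In the original, the first call sits on the left of `||`, so errexit is ignored inside `foo` and the failure is never reported; the hardened form reports it in both call sites.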
Here are the slides from my BSides Canberra Keynote @bsidescbr
The Exploit Development Lifecycle: From Concept To Compromise https://drive.google.com/file/d/1jHnVdjAcPGkuVPiakZBAOTp8uzMej6LY/view
Exploits of "lawful access" interfaces, such as the Chinese attack reported today by the WSJ, appeared almost immediately after they became standardized in the 90's. The most famous example is the case known as "the Athens Affair" https://spectrum.ieee.org/the-athens-affair .
It was a bad idea then, and still a bad idea now.
China successfully compromised for months the infrastructure used to do wiretaps on the AT&T and Verizon networks.
This is a huge "told you so" moment for the cryptographic community that has been saying that such infrastructure does present a huge risk to national security. China reportedly used this capability for intelligence collection, obviously without a warrant ...
🆕 New blog post! "The PrintNightmare is not Over Yet"
ℹ️ In this article, I take a look back at a previous post I wrote earlier this year about PrintNightmare. It turns out the Point and Print configuration I recommended at the end is still prone to Man-in-the-Middle attacks. So, I discuss that here, as well as additional mitigation I considered.
Props to @parzel and @l4x4 who both reported this issue to me.