"I'm interested in all kinds of astronomy."

Current temperature of mastodon, twitter et al. ;-)


bug-bounty stats

(Including 84,260 USD payouts and 15.4% being valid reports.)

https://daniel.haxx.se/blog/2024/10/09/curl-bug-bounty-stats/

[RSS] Ivanti Connect Secure - Authenticated RCE via OpenSSL CRLF Injection (CVE-2024-37404)

https://blog.amberwolf.com/blog/2024/october/cve-2024-37404-ivanti-connect-secure-authenticated-rce-via-openssl-crlf-injection/

New sensitive breach: "AI girlfriend" site Muah[.]ai had 1.9M email addresses breached last month. Data included AI prompts describing desired images, many sexual in nature and many describing child exploitation. 24% were already in @haveibeenpwned. More: https://www.404media.co/hacked-ai-girlfriend-data-shows-prompts-describing-child-sexual-abuse-2/

@molly0xfff @cpy @shadow @koen_hufkens Death metal band logos have high resistance against AI text recognition. And OCR. Oh, and human readers.

TrendAI Zero Day Initiative

It's the spooky season, and and have released their spookiest patches yet. Two bugs from Microsoft are under attack, and one looks strangely familiar. @TheDustinChilds breaks down the release and points out some deployment priorities. https://www.zerodayinitiative.com/blog/2024/10/8/the-october-2024-security-update-review


Happy from Microsoft: 5 ZERO-DAYS (2 exploited, all of them publicly disclosed)

  • CVE-2024-43573 (6.5 medium) Microsoft Windows MSHTML Platform Spoofing Vulnerability (PUBLICLY DISCLOSED, EXPLOITED)
  • CVE-2024-43572 (7.8 high) Microsoft Management Console Remote Code Execution Vulnerability (PUBLICLY DISCLOSED, EXPLOITED)
  • CVE-2024-43583 (7.8 high) Winlogon Elevation of Privilege Vulnerability (PUBLICLY DISCLOSED)
  • CVE-2024-20659 (7.1 high) Windows Hyper-V Security Feature Bypass Vulnerability (PUBLICLY DISCLOSED)
  • CVE-2024-6197 (8.8 high) Open Source Curl Remote Code Execution Vulnerability (PUBLICLY DISCLOSED)

cc: @goatyell @mttaggart @hrbrmstr @ntkramer @iagox86 @zackwhittaker @dreadpir8robots @TheDustinChilds @neurovagrant @xorhex @campuscodi @briankrebs (remember to remove the mentions to avoid ReplyAll madness)


We can build the web that we want to see. Watch the recording of my talk from !

https://www.youtube.com/watch?v=MTaeVVAvk-c

@dannycolin asking the important questions \m/
[RSS] Reversing Tips: (Almost) Automatically renaming functions with Ghidra

https://blog.convisoappsec.com/en/automatically-renaming-functions-with-ghidra/

In response to my earlier post, some Twitter folks asked why I'm "so afraid of telemetry".

For one, it's because I've seen first-hand what ends up in it. Crash reporting is particularly bad: it's nearly impossible to reliably scrub of sensitive info - URLs, auth tokens, etc.

Worse, a lot of other "telemetry" is deliberately privacy-violating. "Don't worry, we only collect anonymized GPS routes". Except, you know, a buyer of this data can filter by tracks originating from my home.

But above all, I just don't want the mental burden of figuring this out for every piece of software I install, so I hate that it's the new norm.

If you want a peek at how I'm using your software, meaningfully ask, instead of sneaking it in on page 38 of the EULA.


@alienghic @ai6yr @meganL I read through Ajay Singh Chaudhary's "The Exhausted of the Earth" some months ago.

I got to this part:

"Capital will chew through the biosphere and societies alike in pursuit of an ever more costly maintenance of profitability."

About the same time as I read a piece about OpenAI claiming to want to spend the entire GDP of Japan on burning fuel and making electronic waste.

So I was not able to disagree with that part of his analysis.

Is it me, or is it actually hard to get the physics angle (as opposed to math/CS) in this year's physics Nobel Prize?
@tmr232 just implement the Windows Hotdog Stand theme and you're done

TIL: AVX-512 supports an instruction implementing binary logic defined by a 3-input LUT. Sounds super handy.

https://arnaud-carre.github.io/2024-10-06-vpternlogd/
