Latest update on the DDOS attack from @brewsterkahle (Oct 11 @ 10:22am PT):

"The data is safe.

Services are offline as we examine and strengthen them. Sorry, but needed. @internetarchive staff is working hard.

Estimated Timeline: days, not weeks.

Thank you for the offers of pizza (we are set)."

@lcamtuf There are probably creative ways to decorate the ballot either to deliberately invalidate it or to make it remain just valid enough

We wrote a thing https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/

Another Ghidra build script bug yaay...

@tmr232 Yeah I get the latter reasons, but I just updated Eclipse (because I had to upgrade GhidraDev because it somehow couldn't be upgraded in the earlier version...) and having seen things like VSCode or IDEA I feel like walking into a torture chamber. And I practically grew up with Eclipse!

Edit: also important to note that I mostly think of e.g. Swing as an early attempt that didn't end up that good, while I think the IDE could you know, make some sense?

I wonder how much did Eclipse contribute to the bad reputation of Java...

@mdfranz lol

Very kind for 0-day to hit right at the start of a workday TBH
https://blog.mozilla.org/security/2024/10/11/behind-the-scenes-fixing-an-in-the-wild-firefox-exploit/
Light on details, but there's some.

[RSS] Aw, Sugar. Critical Vulnerabilities in SugarWOD

https://www.n00py.io/2024/10/critical-vulnerabilities-in-sugarwod/

[RSS] Marriott agrees to pay $52 million settlement, improve data security practices

https://cyberscoop.com/marriott-starwood-breach-ftc-settlement-data-security/

Here's a story about a Hungarian guy who hacked Marriott ~15 years ago: https://www.securityweek.com/hungarian-man-pleads-guilty-hacking-marriott-systems-demanding-job-it-dept/ I know this guy learned some hard lessons, Marriott apparently didn't...

[RSS] Russian cyber firm Dr.Web denies data leak by pro-Ukraine hackers

https://therecord.media/russian-antivirus-company-drweb-denies-data-leak

HyperDbg v0.10.2 is released!

This release comes with lots of bugfixes and improved stability, check it out here:
https://github.com/HyperDbg/HyperDbg/releases/tag/v0.10.2

@futurebird if you want to read Vinge's "A Fire Upon The Deep" along with the author's notes, I've converted the 1993 Hugo and Nebula anthology CD-ROM into a website: https://deepness.trmm.net/

(not "A Deepness in the Sky" as I originally wrote. those responsible have been sacked, etc)

Re: traffic lights hacking

We have a childrens book series, where the pets of the protagonist children often do reckless and outright dangerous magic, like changing traffic lights and being fascinated by all the hard breaks and horns. There is no explanation why such thing would be irresponsible and any "punishment" is very mild (and usually also self-imposed).

I think this book should not be read to/by children without a responsible adult explaining why the cute characters are actually dangerous psychopaths.

The writing is also objectively bad.

How can I responsibly get rid of these books (I don't want to destroy them)?

#Book #Bookstodon

If anyone ever needs an example of costs & time saved by "shifting left" (doing the security work & testing earlier, ideally from the the very start):

"Dutch authorities will have to replace tens of thousands of insecure road traffic lights...after a security researcher found a vulnerability that could allow threat actors to change traffic lights on demand"

https://news.risky.biz/risky-biz-news-dutch-government-to-manually-replace-tens-of-thousands-of-hackable-traffic-lights/

Via @campuscodi / @riskybiz

#InfoSec #Security

38C3 Call for Participation
https://events.ccc.de/2024/10/10/38c3-cfp/

(CVE-2024-9680)[1923344][animation]UAF in Animation timelines -> ACE in the content process(exploited ITW), fixed in Firefox 131.0.2, Firefox ESR 128.3.1 & Firefox ESR 115.16.1
https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680
https://hg.mozilla.org/mozilla-central/rev/0ee07613d0506da465539cfaff1826cdc8bf0384

However, there's also some less good news in relation to this:
@nlnet has been funding open source projects via a program financially supproted by the @EUCommission - but current plans are to stop that funding by 2025. It appears the commission does not consider supporting open source security and internet infrastructure software to be that important any more. See also @fsfe 's info here: https://fsfe.org/news/2024/news-20240719-01.en.html