Got some negative or unrealistic threat model results that still bring interesting insights? A side channel that requires root to leak something from the kernel? Reproducing prior work? Somewhat related to microarchitecture? Here's your venue: uasc.cc

First edition is happening on February 19 in Bochum, the day before RuhrSec.
We accept submissions (papers, posters, talks) starting today and try to provide reviews within a 2 week time frame of submission.
Last Submission Deadline: January 27, 2025

@mcc I think this is relevant: https://devblogs.microsoft.com/oldnewthing/20240923-00/?p=110297

stalld: unpatched fixed temporary file use and other issues

https://security.opensuse.org/2024/11/29/stalld-fixed-tmp-file.html

@hajovonta @amszmidt I can mess up the same thing multiple times a day...

Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect()

https://seclists.org/oss-sec/2024/q4/130

What a mess:

“the reporter also did not reply to any of linux-distros’ members questions, most notably ‘have you contacted either security () kernel org or the bluetooth maintainers about this issue?’”

“the issue may be the same as CVE-2024-27398”

tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-52337)

https://seclists.org/oss-sec/2024/q4/127

@timb_machine Glad to hear that :) On my side that rendered as a very sad little blob.

@timb_machine What's wrong?

⛧ SLEIGHER ⛧

NEW: The phones of the new NATO Secretary General Mark Rutte (including a hotline with the White House):
https://www.electrospaces.net/2024/12/the-phones-of-new-nato-secretary.html

@jann @freddy I've heard that bug bounty submissions definitely correlate with the summer break

@todb @zmanion Based on the post I'm afraid including error detection in new ID's would cause a Hell of a mess at the consumers side :(

The Archive has definitely hit the phase of "it works unless it doesn't, and then it will suddenly work". This is where the urge to just throw open what's left just to drop bug reports or complaints is high, but you just need to keep tracking things down. This was a quarter century codebase! It's beyond amazing it got this far, this fast. But every time I go back to work at my interfaces, the team has made them run better and better.

This was my tenth(!) year building 25 days of puzzles for #AdventOfCode. You can solve them all for free! Most people write code to solve them, but you can solve them however you like. I hope they help people become better programmers. 🌟

The first puzzle comes out in two hours: https://adventofcode.com/

The 2024 Economist Word of the Year:

“kakistocracy” - Government by the least qualified or most unprincipled citizens.

https://www.economist.com/culture/2024/11/29/the-economists-word-of-the-year-for-2024

@brewsterkahle Sorry, not a native speaker here! What I mean (half-jokingly) is these days we - as in users and developers - just accept that our software is bad. We create higher layers of abstractions so ppl with minimal training can produce more sw, because we always need more sw somehow. Then ofc the abstractions leak, and the design doesn't make sense and UX is horrible. Then - if the lawyers and salesppl were smart enough - the producer can charge even more money for the fixes. And the buyers don't have alternatives and they just accept their faith because sw has always been buggy. And this is how you boil a frog.

@brewsterkahle Finally giving up on quality?

@astralia @pancake @joxean @radareorg I like the warm fuzzy feeling of running NSA code (financed by US taxpayers) on my machine :)