Incredible essay about the importance and challenges of digital archival by Maxwell Neely-Cohen, as well as the various imperfect strategies to achieve “century-scale” digital archives.

https://lil.law.harvard.edu/century-scale-storage/

"We picked a century scale because most physical objects can survive 100 years in good care. It is attainable, and yet we selected it because the design of mainstream digital storage mediums are nowhere close to even considering this mark."

1/

#archival

@cR0w I see you are a man of culture as well!

[RSS] Cleo Harmony, VLTrader, and LexiCom: CVE-2024-50623, RCE via arbitrary file write

https://labs.watchtowr.com/cleo-cve-2024-50623/

[RSS] CodeQL zero to hero part 4: Gradio framework case study

https://github.blog/security/vulnerability-research/codeql-zero-to-hero-part-4-gradio-framework-case-study/

Scott Aaronson's take (i.e., somebody who, unlike me, knows what he's talking about):

https://scottaaronson.blog/?p=8525

New vulnerability report from Talos:

Adobe Acrobat Reader Font gvar per-tuple-variation-table Out-Of-Bounds Read Vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2064

CVE-2024-49532

New vulnerability report from Talos:

Adobe Acrobat Reader Font Private Point Numbers Out-Of-Bounds Read Vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2070

CVE-2024-49533

New vulnerability report from Talos:

Adobe Acrobat Reader Font Program Function Definition Out-Of-Bounds Read Vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2076

CVE-2024-49534

[RSS] Never Underestimate CSRF: Why Origin Reflection is a Bad Idea

https://www.sonarsource.com/blog/never-underestimate-csrf-why-origin-reflection-is-a-bad-idea/

QEMU 9.2 open-source machine emulator introduces advanced ARM support, Nitro Enclave emulation, Vulkan-enhanced graphics, and more.
https://linuxiac.com/qemu-9-2-open-source-machine-emulator/

#qemu #virtualization #foss

[RSS] Fake It 'til We Make It: The Art of Windows User Space Emulation

https://momo5502.com/posts/2024-10-04-the-art-of-windows-user-space-emulation/

The new #curl CVE-2024-11053 we call "netrc and redirect credential leak"

While security low, it will of course still be relevant to whomever uses the unlucky combination of options.

https://curl.se/docs/CVE-2024-11053.html

[RSS] 2025 Hackaday Europe CFP: We Want You!

https://hackaday.com/2024/12/10/2025-hackaday-europe-cfp-we-want-you/

[RSS] It rather involved being on the other side of this airtight hatchway: Disabling anti-malware scanning

https://devblogs.microsoft.com/oldnewthing/20241210-00/?p=110626

[RSS] The Ruby on Rails _json Juggling Attack

https://nastystereo.com/security/rails-_json-juggling-attack.html

[RSS] Binary pointer alias analysis -- beating CodeQL's taint analysis without even having source code

https://attilaszia.github.io/pointerarticle/

Back when I was poking around with filesystem fuzzing stuff years back, I noticed something odd:

An EXT filesystem can tell the Linux OS how it should behave "if" the filesystem is corrupt, including triggering a kernel panic. In a world where USB thumb drives exist, this seems... not ideal.

Let's see what happens if we plug such a mass storage device into a fully patched Chromebook in 2024...

Oh.

"iDecompile: Writing a Decompiler for iOS Applications"(Laurie Kirk)

Things I learned:
When decompiling iOS apps it makes sense to think of the application life cycle, i.e. specific code is triggered when apps go from background to foreground. You can think of these triggers as multiple mains or entry points.

Tool for #reverseengineering
https://github.com/LaurieWired/Malimite

https://objectivebythesea.org/v7/talks.html#Speaker_8

#obts #obtsv7

@wdormann ahh sry didn't spot that from mobile, just got the bookmark

LIEF 0.16.0 is out featuring new (extended) capabilities like Dyld Shared Cache support, Assembler/disassembler, ...

https://lief.re/blog/2024-12-10-lief-0-16-0/