Announcing #CodeQL Community Packs

https://github.blog/security/vulnerability-research/announcing-codeql-community-packs/

Maybe we should stop calling them *Notifications* and instead refer to *Interruptions*.

"Working on some stuff so I've turned off interruptions for a while."

"Right on."

⚡ A new remote code execution flaw in Apache Tomcat (CVE-2024-56337) exposes organizations to serious risk.

An uploaded file could turn into malicious JSP code—resulting in remote code execution.

» Affected Versions: Tomcat 9.0.0-M1 to 11.0.1
» Java users: Incorrect configurations = higher risk.
» Severity? CVE-2024-50379 scored a 9.8 on CVSS!

Details here 👉 https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html

Near as I can tell, the activity around the #Struts2 bug,
CVE-2024-53677, is just ham-handed runs of some generalized PoC, and nobody's actually exploiting this yet (since exploitation would be very application/path specific).

Most of the news last week was all "exploitation happening, patch and rewrite everything now!" but not seeing any reports of successful (or even possibly successful) this morning.

Tell me I'm wrong!

(The PoC identified by SANS at https://isc.sans.edu/diary/31520 isn't specific to some particular application -- it's on the user to define upload_endpoint and assumes no auth or session or anything.)

Using @voooooogel control vector library to backdoor a model so that it introduces command injection vulnerabilities rather than using safer subprocess methods

2024 Headline of the Year nominee (June)

Hi all. In order to make the Defensive Security Podcast content a bit more approachable and easier to navigate, I've created a playlist of individual stories/segments we cover here: https://www.youtube.com/playlist?list=PLzHXsgtVDQEq9JiCbwJojE4nd9dRVAT5l

Note: I've only gone back 4 episodes, but will be doing this for all episodes going forward.

Happy holidays!

Kagi's new video search controls let you replace clickbait thumbnails with real screenshots, customize title formatting, and focus on actual content.

You may find these controls in your search settings.

#Kagi #Search #AdFree #Videos

I started keeping a log of the serious attempts I've made to use generative AI for things (mostly coding-related). I've been bucketing them as successes or failures, along with the date and models used.

From the past several months, I'm up to 9 failures and 3 successes. I'll share this list some day.

When these systems have been successful, it's pretty neat. However, the successes I've seen have been for easy things, and the failures have mostly been time-sucks for me.

I feel like a heretic saying this (I'm a Principal Machine Learning Engineer), but I am not seeing a net benefit from using generative AI in my own work!

I’ll be honest, hearing SEO people complain about the state of Google now is like hearing an arsonist complain that they just can’t get the quality of kerosene they used to.

A few of my followers mentioned that they'd like to know about my background as a "musician", so I am very happy to share my story as an amateur who went from trying to form a high school band to publishing a track with Sony Music, performed by a famous singer and produced by an even more famous producer.

Buckle up! I hope it is going to be an inspirational story or something, because it is a story of giving up and starting again, and again, and again.

New post in my Hyundai Kona Electric reverse engineering series: introducing the Fakon project
https://www.projectgus.com/2024/12/fakon/

#badpuns #reverseengineering #KonaHacking #EVs

current debian no longer writes to syslog 😦

if you look in /var/log, someone left a README file.

the README says "you are looking for logs? but you cannot find them?" and continues in broken english, smugly telling you that systemd has made logs obsolete, and you should use "journal cattle" to ask politely for your own logs.

[did you just tell me to fuck off, jim?]

if you run journal cattle, it shows a page of syslog from april. if you hit G to go to the end, it hangs forever.

[slow clap]

Compiling C to Safe Rust, Formalized

Link: https://arxiv.org/abs/2412.15042
Discussion: https://news.ycombinator.com/item?id=42476192

#rust