CISA: Closing the Software Understanding Gap
CISA, along with the Defense Advanced Research Projects Agency (DARPA), the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), and the National Security Agency (NSA) published Closing the Software Understanding Gap (PDF) which urges the U.S. government to take decisive and coordinated action to close the software understanding gap. This gap arises from a disparity of technical investment where software production has outstripped investment in improving understanding for decades. By closing the software understanding gap, the United States will help mission owners and operators trust the system is functional, safe, and secure, and support confidence in national security and critical infrastructure systems.

#securitybestpractice #cisa #securebydesign #infosec #cybersecurity

Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections (CVE-2024-43468) https://www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections

@ekuber you are awesome, thank you! I'm sure your ticket will also help me better understand the situation.

New: this OnlyFans model publishes her machine learning explainers to both YouTube and Pornhub. Although YouTube may get a million views, that'll generate around $300. The same content posted to Pornhub, with ~30k views, makes $1000. We spoke to her https://www.404media.co/why-this-onlyfans-model-posts-machine-learning-explainers-to-pornhub/

@dey Win11 **makes** you know :D

@qwertyoruiop I'm no expert but IIRC sound engineers usually calculate with the expected listening medium too. For example there was an article about how commercial pop is mastered so it'll get into your head when played in malls, and they can probably also take into account that people will listen to a track from YT on a 3G connection.

Can any #Rust expert out there explain where is the syntax for this little challenge documented?

https://github.com/mainmatter/100-exercises-to-learn-rust/issues/245

(preferably with explanations about what the different lifetime annotations mean)

@qwertyoruiop Isn't that what people call lo-fi?

@raptor @obivan Oooh exciting!

@raptor @obivan I should read that post already...

"Proof of Concept that exploits CVE-2024-49138 in CLFS.sys"

https://github.com/MrAle98/CVE-2024-49138-POC

Note: I did *not* verify this but it's at least not an obvious fake. Be careful!

/via @obivan

Installing Sysinternals from MS store is actually pretty nice!

People finally caught on (sortof) to what I said 8 years ago ( ) that nobody knows what they're doing with the pointer hashing stuff, with %pK use for printks being the proof: https://lore.kernel.org/linux-hardening/Z4Z2TW_HaANvT4VH@smile.fi.intel.com/T/#t

https://bird.makeup/@grsecurity/929407342655008770

Currently planned schedule for my next livestreams:
Friday 9 PM CET, the WAD (Doom's) archive.
https://www.youtube.com/live/g0VyFDYefqQ?si=Ta2p1zn0jSDCivhV
Saturday 9PM, JavaScript in PDFs.
Sunday, Doom in PDF!

Project: golang/go https://github.com/golang/go
File: src/cmd/cgo/godefs.go:18 https://github.com/golang/go/blob/refs/tags/go1.23.4/src/cmd/cgo/godefs.go#L18

func (p *Package) godefs(f *File, args []string) string

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fgolang%2Fgo%2Fblob%2Frefs%2Ftags%2Fgo1.23.4%2Fsrc%2Fcmd%2Fcgo%2Fgodefs.go%23L18&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fgolang%2Fgo%2Fblob%2Frefs%2Ftags%2Fgo1.23.4%2Fsrc%2Fcmd%2Fcgo%2Fgodefs.go%23L18&colors=light

As you might imagine, recovering from rebuilding the Internet Archive systems from a new perspective took time, and the priority was super important systems, and ones merely "working" were left alone. But that's changed - we updated emulation at the Internet Archive so it's more secure, and the systems we're offering just added a few!

Any other gophers that use IDA Pro wanna help out?

https://github.com/blacktop/go-idalib

Ticket shop is live.
https://www.offensivecon.org/register.html

The OSS-Fuzz team is hiring a PhD intern for this summer. Come join us and build something interesting that will have immediate impact on 1000+ open source projects. https://www.google.com/about/careers/applications/jobs/results/92969243305222854-research-intern-phd-summer-2025

Cool project: "Nepenthes" is a tarpit to catch (AI) web crawlers.

"It works by generating an endless sequences of pages, each of which with dozens of links, that simply go back into a the tarpit. Pages are randomly generated, but in a deterministic way, causing them to appear to be flat files that never change. Intentional delay is added to prevent crawlers from bogging down your server, in addition to wasting their time. Lastly, optional Markov-babble can be added to the pages, to give the crawlers something to scrape up and train their LLMs on, hopefully accelerating model collapse."

https://zadzmo.org/code/nepenthes/