[RSS] On Secure Boot, TPMs, SBAT, and downgrades -- Why Microsoft hasn't fixed BitLocker yet

https://neodyme.io/en/blog/bitlocker_why_no_fix/

[RSS] Private Keys in the Fortigate Leak

https://blog.hboeck.de/archives/908-Private-Keys-in-the-Fortigate-Leak.html

"stop believing that adding more attack surface will increase security"

/by @hanno

New blog post https://blog.cr.yp.to/20250118-flight.html "As expensive as a plane flight: Looking at some claims that quantum computers won't work." #quantum #energy #variables #errors #rsa #secrecy

@bert_hubert I'm surprised this one didn't make it to any of these lists:

https://infiniteundo.com/post/25326999628/falsehoods-programmers-believe-about-time
https://infiniteundo.com/post/25509354022/more-falsehoods-programmers-believe-about-time

Borrow checking in Rust is basically the world's most complex hot-potato game.

Technology has taken away our community events by making media available on demand, and our interpersonal connections, by first replacing our phone books with social media, and then ruining social media.

There is a massive community and authenticity gap in modern society that most people are even failing to notice, let alone articulate.

@krypt3ia Poor kid...

@freddy @osman @shortridge I don't think that approach would work because begbounty ppl just register new accounts every hour, you can't tie them to a persona.

Due to the scale of the problem I think it's more useful to use statistics rather than individual examples, and BB platforms do keep track of accepted/rejected numbers (I'm not sure how much of that is public though).

This comic is thirty years old and could be published verbatim today (give-or-take replacing "talk radio show" with "podcast")

Snyk publishes malicious packages to the public NPM registry.
I'm no expert on ethics, but I believe that this is... frowned upon?

https://sourcecodered.com/snyk-malicious-npm-package/
https://news.ycombinator.com/item?id=42690473
https://snyk.io/blog/snyk-security-labs-testing-update-cursor-com-ai-code-editor/

"Norway is sounding the alarm after discovering that Russia is no longer only disrupting the Global Navigation Satellite Systems (GNSS) across the border, but also spoofing GPS signals, an attack that can cause significant disruption to commercial aviation."

"We were spoofed on approaching Kirkenes today”
https://www.thebarentsobserver.com/news/we-were-spoofed-on-approaching-kirkenes-today/423323

In 1h, I’ll do a livestream about JavaScript in PDFs.
A bit about standard JS triggers that is seen in exploits, but also a few simple PDF games.
https://www.youtube.com/live/xZPK04a5ltc?si=_3sz9aEEfDT90-da

For all you Mastodon users living under a rock, this is how the #tiktokban is going…

🍿🍿🍿🍿

Whether you think capitalism is the source of all problems, believe free markets the solution to all problems, or are somewhere on the spectrum, it's important to understand when, where, and why markets work.

Disclaimer: This post contains numerous oversimplifications but character limit here is 11,000, not the 110,000 needed to do the topic justice.

Markets are an example of the category of system I find fascinating: complex systems built from individual actors performing simple local tasks that have emergent properties that are useful. Ants finding food and birds flocking are examples of the same kind of thing.

ASIDE: AI grifters love to talk about 'emergent properties' of their systems. When they do, you should understand 'emergent property' to mean 'some behaviour that we didn't intend, don't understand, and that might go away in a future version'.

Designing systems to have desirable emergent properties is really hard. A lot of engineering is about trying to avoid having any emergent properties because we still don't have good tools for reasoning about them. Emergent properties are why the bridge opposite Tate Modern had to be closed: individually, each component was fine, but assembled together they each contributed to a resonance when people walked across the bridge at a normal walking speed that could have broken the bridge.

Markets are something of a special case in that they are a single system that has been studied for over two hundred years and so there are things that we know about markets that may not generalise to other systems with emerging properties.

Markets are trying to solve the problem of resource allocation. Typically this is in a real-world setting, though there have been some interesting papers using markets for scheduling (especially distributed scheduling) in computing systems.

Trying to efficiently allocate resources across an entire economy is really hard. The Soviets tried it with central planning and it did not go well. Central planning requires global knowledge of a system. If you're trying to schedule tasks on a CPU, you probably know how many cores you have and how fast they are, but even then you don't have full knowledge of how long each task needs and what the dependencies are. A country's economy is so much more complicated than this that it's hard to even imagine that they're the same problem. And things change quickly, which requires re-planning.

The idea of a market is that each participant has some resources that they can trade. If they make good decisions, they will be able to make more trades. How do you know it's a good trade?

This is where the first kind of common failure happens. Imagine you go to buy apples. One seller has fresh apples, the other has rotten apples. Obviously, you pick the one selling fresh apples. Now imagine that the apples are sold in opaque boxes with photos of fresh apples on the outside. As a consumer, you don't have enough information to be able to choose, so you will get it wrong half the time. You may be able to learn that oen seller has a bad reputation, but what if there are ten sellers and they all send a different representative and use a different trading name every week? Markets do not work unless customers have good information. It doesn't have to be complete information, but it has to be enough to make an informed purchasing decision. Data-harvesting companies such as Meta, for example, rely on people not being able to reason about the costs of their products and make good cost-benefit calculations.

Regulations help to redress this kind of failure. Without regulation, markets often stop behaving like markets.

If two apple sellers have equivalent quality (their goods are commodities: either can be substituted for the other) then they can compete only on price. If you sell your apples for less than the other person's apples, then you will sell more. To compete, they have to lower prices. Eventually, they reach a point where they cannot sell and make money so they do not lower them further. The price of apples converges on slightly more than the price of producing apples and the inefficient sellers go out of business.

The next common failure in markets comes because they don't account for externalities. If I'm dumping waste in the local river and you're disposing of it responsibly, my costs are lower because other people who live downstream from me are paying a lot of mine. This is a big part of the reason manufacturing moved to China: cheap labour helped, but being able to bribe officials to let you dump toxic waste anywhere made manufacturing a lot cheaper. The PRC started decapitating people who took that kind of bribe a few years ago, so it's a bit harder than it was, but any market that doesn't account for externalities will end up optimising well, but for the wrong thing. See also: fossil fuels, leaded petrol, CFCs in aerosols, and so on.

If you're an apple seller, you might realise that you can make an agreement with your competitors not to lower prices and then you all make money. You form a cartel. After a while, you realise you could make more money if you all raise prices together. Everyone wins (except your customers). Again, regulation helps here. The 20th century came with a lot of antitrust laws to prevent this kind of things (the history of it in the US is fascinating: the earliest antitrust law was passed because someone managed to get a monopoly on onions and some of the later laws are little changes that say 'this, but for commodities that are not just onions').

If you can lock people into your ecosystem, for example by having a stupid document format that is tied to the implementation details of your word processor that no one can replicate, you can prevent people from exercising choice. This, again, means that a thing that looks like a market doesn't behave like one.

Most recently, I've seen a lot of examples of a kind of market failure that is less-often mentioned in economics books: when people who make bad decisions are insulated from the outcomes of their choices.

A market works, in part, by ensuring that people who routinely make poor choices have less capital left and so their subsequent choices have less impact. But if you're a bank that causes a financial crisis and the government bails you out, this doesn't happen. If you're an investor in a privatised water company and the water company is asset stripped and you take home a load of money while the company fails, you don't lose out and can make more investments. If you're a person with a net worth of over a hundred billion dollars, you can make investments of billions of dollars that are really stupid and have a massive impact on the market that you put the money in, but are isolated (this is closely related to the cross-subsidy problem that some antitrust law covers, but it never considers the case where the investor is an individual). You can address this with wealth taxes and banking regulations, but most of those were repealed in the '80s and '90s.

There are a lot of other ways that markets can fail. I really like the idea of markets, but making them work well requires a lot of intervention. They have a habit of decaying to oligopoly without constant nudging. When they work, they do better than anything else that we've tried. When they collapse, they work about as well as having a small aristocracy centrally assign resources (ask the French how well that worked in the late 1700s).

I am so excited to finally show you the stable alpha of Venture, a cross-platform GUI for parsing Windows Event Logs!

https://github.com/mttaggart/venture

Venture was developed with support from my employer with the intent of creating an open source tool for all. Thank you, UCLA Health!

From startups to large companies, we've seen this setup used by many corporate clients in the wild. Here's why this is so difficult to fix and Microsoft has not changed the exploitable Bitlocker default settings yet: https://neodyme.io/blog/bitlocker_why_no_fix/

Does IBM think that we ( okay, I'm probably the only weirdo watching these ) won't notice a directory traversal vuln by using a different description? At least they're specially crafted, right @neurovagrant ?

An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

https://www.ibm.com/support/pages/node/7176515

https://nvd.nist.gov/vuln/detail/CVE-2024-52363

#directoryTraversalMemes

CVEs got published for Schneider Electric's Patch Tuesday advisories. Of course their advisories are in PDFs. 😒

CVE-2024-11139 sev:MED 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Schneider Electric is aware of a vulnerability in its EcoStruxure™ Power Build Rapsody software.

The EcoStruxure™ Power Build Rapsody is used to enter or import the single line diagram, to get the extensive bill of material of your switchboard, including all devices, connection items, and mounting components

Failure to apply the remediations and mitigations provided below may risk memory corruption, heap-based
buffer overflow, stack-based buffer overflow, which could result in local attackers being able to exploit these issues to potentially execute arbitrary code.

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-09&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-09.pdf

https://nvd.nist.gov/vuln/detail/CVE-2024-11139

CVE-2024-11425 sev:HIGH 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Schneider Electric is aware of a vulnerability in its Modicon M580 PLCs (Programmable Logic Controllers), BMENOR2200H and EVLink Pro AC products.

Modicon M580 PLCs control and monitor industrial operations.
BMENOR2200H is an advanced RTU communication module for Modicon M580 PLCs.
EVLink Pro AC is a 3rd generation of AC charging station.
Failure to apply the fix or mitigations provided below may risk buffer overflow attack, which could result in Denial-of-Service.

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-01.pdf

https://nvd.nist.gov/vuln/detail/CVE-2024-11425

CVE-2024-12399 sev:MED 6.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Schneider Electric is aware of multiple vulnerabilities in its Pro-face GP-Pro EX and Remote HMI products.
The Pro-face GP-Pro EX product is HMI Screen Editor & Logic Programming Software.
The Pro-face Remote HMI product is a remote monitoring software for mobile and allows you to check equipment information on a tablet or smartphone.
Failure to apply the mitigations provided below may risk Man-in-the-Middle attacks which could result in information disclosure, integrity issues and operational failures.

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-02.pdf

https://nvd.nist.gov/vuln/detail/CVE-2024-12399

CVE-2024-12476 sev:HIGH 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Schneider Electric is aware of a vulnerability in its Web Designer configuration tool for the following Modicon communication modules:
• BMXNOR0200H
• BMXNOE0110(H)
• BMENOC0311(C)
• BMENOC0321(C)
The Web Designer product is a software application used to create Web-based operator panels and configure operating parameters for Web human machine interface (Web HMI) devices.
Failure to apply the Mitigations provided below may risk XML external entity attack, which could result in information disclosure, workstation integrity and potential remote code execution on the compromised computer.

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-04.pdf

https://nvd.nist.gov/vuln/detail/CVE-2024-12476

CVE-2024-12142 sev:HIGH 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Schneider Electric is aware of a vulnerability in its Web Server on Modicon M340 and BMXNOE0100/0110, BMXNOR0200H communication modules products.
The Modicon M340 is a programmable automation controller; BMXNOE0100 and BMXNOE0110 are network communication modules used with Modicon M340. BMXNOR0200H is a communication module that enables M580 and M340 platforms to use RTU protocol exchange with RTU stations.
Failure to apply the remediation/mitigations provided below may risk information disclosure on web pages, modification of web pages and denial of serviceClick or tap here to enter text., which could result in the unavailability of the controllers or modules.

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-05.pdf

https://nvd.nist.gov/vuln/detail/CVE-2024-12142

2024-12703 sev:HIGH 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Schneider Electric is aware of a vulnerability in its RemoteConnect and SCADAPackTM x70 Utilities software product.
The RemoteConnect and SCADAPackTM x70 Utilities product is a configuration software providing a user interface that allows users to configure and manage communications and operations for SCADAPackTM x70 devices.
Failure to apply the Mitigations provided below may risk deserialization of untrusted data, which could result in loss of confidentiality, integrity and potential remote code execution on the compromised workstation.

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-06&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-06.pdf

https://nvd.nist.gov/vuln/detail/CVE-2024-12703

CVE-2024-10497 sev:HIGH 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
and
CVE-2024-10498 sev:MED 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Schneider Electric is aware of multiple vulnerabilities in its PowerLogic™ HDPM6000 High-Density Metering System product.
The HDPM6000 products are high-density, multi-circuit busway and panelboard power meters for cost and network management in large and critical power applications.
Failure to apply the remediation provided below may risk a low privileged user gaining higher level access, which could allow for modification of system configuration parameters or an unauthenticated user causing data corruption or denial of service to the devices web interface via a specially crafted Modbus protocol write operation.

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-08&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-08.pdf

https://nvd.nist.gov/vuln/detail/CVE-2024-10497
https://nvd.nist.gov/vuln/detail/CVE-2024-10498

@ciaranmak I was contemplating that maybe this page has at least some use for threat hunting as I don't do that but yeah I see your point...