Do you want to introduce the fediverse and/or Bluesky to your organization -- in addition to, or instead of, X & Meta?

Through Feb, Mar and Apr, I'll be offering free one-hour sessions on Fridays to talk to your org. For-profit, non-profit, gov, edu, etc. This is not a consultancy; this is volunteer advocacy and support for building our collective independence from X & Meta.

If you are interested, book a slot through this link (starting Feb 7). Time is not movable. :)

https://calendar.google.com/calendar/u/0/appointments/schedules/AcZssZ1moWG0f_wJqMz-rO0OkD27MBJpj1LR4W9SJQnIYIEe8lvb1UbbTXTYQw7cBbc4SuybqByqTjqh

New from our team: A PHP implementation of RFC 9180 (HPKE - Hybrid Public-Key Encryption):

https://github.com/paragonie/hpke-php

This should serve as building block for more secure protocols (i.e., RFC 9420 a.k.a. Messaging Layer Security)/

This would, in turn, enable PHP developers to write software that communicates with MLS-compatible end-to-end encrypted messaging services.

It looks like the "major" AMD vulnerability that @taviso reported had leaked has now been disclosed.

The vulnerability, with a 7.2 severity rating, allows hackers to bypass Secure Encrypted Virtualization—a protection that provides the cryptographic means for certifying that a VM hasn’t been compromised by anyone who may have had access to the physical machine running the vulnerable AMD chip. The patch comes in the form of microcode that presumably will be provided by the device OEM.

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html

Google Android zero-day: Android Security Bulletin February 2025
46 CVEs in Framework (1 critical, 45 high severity) cc: @buherator

Note: There are indications that CVE-2024-53104 may be under limited, targeted exploitation.

#CVE_2024_53104 #android #google #vulnerability #zeroday #eitw #activeexploitation #infosec #cybersecurity

Our newest research project is finally public! We can load malicious microcode on Zen1-Zen4 CPUs!
https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w

Qualcomm: February 2025 Security Bulletin
Qualcomm has 7 propriety vulnerabilities (1 critical, 5 high, 1 medium severity) and 17 open source vulnerabilities (1 critical, 9 high, 7 medium). That critical vulnerability CVE-2024-49837 (7.8 high) is Improper Validation of Array Index in Automotive OS Platform QNX. No mention of exploitation. h/t @cR0w

#qualcomm #patchtuesday #vulnerability #infosec #cybersecurity

Project: mpengine-x64-pdb 1.1.24090.11
File: mpengine.dll
Address: 75aa68af0

_Partition_by_median_guess_unchecked<interval<unsigned___int64>_*,`dexscan_scanfile'::__l183::compare_intervals>

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fmpengine-x64-pdb%2F75aa68af0.json&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fmpengine-x64-pdb%2F75aa68af0.json&colors=light

Today's insanity:

What is the origin of the word "mainframe"? Digging through archives, I traced it back to 1953. The IBM 701 computer was built from "frames": power frames, a storage frame, a drum frame, and the main frame. This 1953 drawing from the Installation Manual shows the dimensions of the "main frame". 1/n

New way to get customer support just dropped

“For Sale: Binaries Compiled From Hand-Crafted Artisanal Code”

https://jasonbrownlee.me/blog/posts/hand-crafted-code/

So Apple has open-sourced the XCBuild system used internally by Xcode as Swift-Build: https://github.com/swiftlang/swift-build

Based on their previously open-source llbuild project.

It includes support for Windows and Linux (using clang-cl on Windows), but does not currently seem to have a way to make use of it outside of Swift package manager or Xcode.

Coming up this weekend: PE & Mitra!