Today was my last day at ONCD. I turned in my White House pass, laptop and phone.

I was explaining why I was resigning, while they were explaining the Special Governmental Employee (SGE) program was being eliminated. We both got to the same result. No hard feelings, I wish the best for ONCD and Cyber, there are a lot of important and pressing challenges ahead.

On the way out I watched movers empty out the Pandemic Readiness office. 😦 I went for drinks with friends.

You remember #Apple scanning all images on your #mobile device?

If you have an #Android #phone, a new app that doesn't appear in your menu has been automatically and silently installed (or soon will be) by #Google. It is called #AndroidSystemSafetyCore and does exactly the same - scan all images on your device as well as all incoming ones (via messaging). The new spin is that it does so "to protect your #privacy".

You can uninstall this app safely via System -> Apps.

https://developers.google.com/android/binary_transparency/google1p/overview

Please be very clear I am not saying not to use Signal, or saying that using Signal is pointless; I am describing a threat model which you should be aware of when using the application.

( This said I'd also recommend turning off "Apple Intelligence" on Signal. And also turning off "Apple Intelligence" on every app. And also discontinuing use of any device, application, or operating system which has the capability to interoperate with "Apple Intelligence" or "Copilot".

https://www.powerpage.org/apple-intelligence-reads-signal-messages-on-newer-iphone-models-privacy-concerns-cited/ )

If you are using Signal, and you are doing something the government considers illegal, the way they are going to read your messages about it is they will arrest the person you sent the messages *to*, and make your counterparty show them the logs. We know this because this technique came up again and again in, for example, the Jan. 6 court filings.

There may, hypothetically, be other Signal exploits available to a government, but this is the one they will use, because it works.

@three_star_dave /cc @zh4ck

Via my son:

#pinky #brain

I just published a blog post about getaddrinfo and all the other weird DNS APIs that we use in Firefox to resolve HTTPS records.

https://valentin.gosu.se/blog/2025/02/getaddrinfo-sucks-everything-else-is-much-worse

All this was part of the talk I gave at FOSDEM last weekend.

ROPing our way to “Yay, RCE” - and a lesson in the importance of a good nights sleep!

From vulnerability to exploit - follow our Colleague Michaels journey of developing an ARM ROP chain to exploit a buffer overflow in uc-http

Via Return-Oriented Programming chain small code snippets, or gadgets, already present in a program’s memory can be leveraged

By chaining these gadgets together, they can execute arbitrary code without injecting anything new

Dive into the process of reverse engineering, gadget hunting, and crafting a working exploit.

Learn all about it in Michaels full report.

https://modzero.com/en/blog/roping-our-way-to-rce/

@screaminggoat @ntkramer Yeah the payload definitely doesn't match.

@screaminggoat @ntkramer Sooo, deserialization, IIS... have they left their ViewState key exposed? /speculation

@munin Their mother was a hamster and their father smelt of elderberries!

@mttaggart @GossiTheDog Some recurring themes in these repos are 1) abandonware 2) test/training code

Also, TIL you can use boolean expressions, e.g. you can filter for autogenerated keys:

https://github.com/search?q=%3CmachineKey+validationkey+path%3Aweb.config+NOT+autogenerate&type=code

Why pay for search?

(Illustration by @chazhutton for Kagi)

#Kagi #AdFree #Search #Privacy

@GossiTheDog Yeah, edits are weird around here, thanks for the clarification! I can only see npm being used for frontend stuff in .NET projects, could you perhaps link an affected repo/npm page?

@GossiTheDog Thanks! Now I'm more confused: npm does .NET these days? Or we're talking NuGet?

[RSS] Micropatches Released for Windows OLE Remote Code Execution (CVE-2025-21298)

https://blog.0patch.com/2025/02/micropatches-released-for-windows-ole.html

Daniel weekly February 7, 2025

https://lists.haxx.se/pipermail/daniel/2025-February/000099.html

old security, ssh security, BBC, URLs from file, you can help, curl up CVE-2024-7264, EOSAwards, Workshop, FOSDEM, 1337, release, regressions, release candidates, codeql, no goods

If you use Signal, Discord, or any other messaging app and you DON'T want Google or Apple monitoring/reading/learning from your messages, follow these steps.

Android:
1. Open Google app
2. Tap your profile photo
3. Settings
4. Google Assistant
5. "Your Apps"
6. Choose the app (e.g., Signal)
7. Toggle "Let your assistant learn from this app" off

iPhone:
1. Settings
2. Apps
3. Choose the app (e.g., Signal)
4. Toggle Apple intelligence or Siri settings to off (“learn from this app”)

@screaminggoat @zeljkazorz @GossiTheDog "However, due to inadequate server configurations, attacks become possible if *the serialized data is not verified* (CWE-642)" - this sounds more like disabled MAC than leaked key to me