It finally happened - I got phished. Impact is limited to the Mailchimp mailing list for my blog, brief blog post with details here and more to come later: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
When you get invited to the NatSec group chat....
Today, Wiz (Woogle?) released an advisory detailing an attack chain they’ve dubbed IngressNightmare, which, if left exposed and unpatched, can be exploited to achieve remote code execution by unauthenticated attackers. The advisory, covering five separate vulnerabilities, was published after a brief embargo period, once the Kubernetes folks got their patches together.
You can find a brief writeup and search queries for runZero at: https://www.runzero.com/blog/ingress-nightmare/
this is a text block, can you guess which spot that goes in? that's right, the div hole. and how about this spacer? that one, it goes in there too. up next, we got this picture, can you guess where that goes? that's right, it goes in the div hole. and up next, an unordered list. hmm. i think that goes in, the div hole. now i also got this ordered list right here, do you see a tag that would fit the ordered list? that's right! it's the div hole. 'kay. up next, it's the underline, we all know what tag that goes into, right? that's right. the div hole. and up next, we have the audio. you guessed it, it goes in the div hole.
-carrie
Open source maintainers, did you receive your first vulnerability report? Don't panic! Handling vulnerability reports doesn’t have to be stressful. Read on to find out how you can tackle security issues efficiently and confidently with the right tools and approach. https://github.blog/security/vulnerability-research/a-maintainers-guide-to-vulnerability-disclosure-github-tools-to-make-it-simple/
Here's the paywall-free version of today's insane must-read: The Atlantic's Jeffrey Goldberg was added to a Signal chat including SECDEF, VPOTUS, and others that discussed the Houthi strikes. In addition to being illegal, it's just dumb. A foreign adversary's dream come true
@4ttil4sz1a @andreyknvl (and also provided those fixes back to Canonical, though I haven't tracked what was done with them). Crazy that the Linux CNA is issuing CVEs for unsigned crafted kernel modules (which can execute arbitrary code, modify arbitrary data) but not for things that have real exploits.
@4ttil4sz1a @andreyknvl Was that the reason the CVE got issued by Canonical instead? Our system saw it come through Feb 14th and it was flagged as having no upstream commit (while recognizing it affected upstream); we backported Canonical's fix that day and also fixed 10 memory leaks the fix introduced.
@mcc I mostly take the behaviour of AI scrapers as evidence that this style of machine learning is a form of violation. Like, whether or not it's philosophically or legally theft, AI companies are behaving more like smash-and-run robbers than anyone who believes they have a legitimate claim to the data they take (and take, and take, and take...)