New Signal update just dropped

#SignalGate #USpolitics #WorldPolitics

@osxreverser Nah, they'll just wait until someone adds them to the group :P

Napalm Death is like fine wine, but with napalm.

Today we are very proud to announce that the United Nations has switched from Google Forms to CryptPad Form for collecting endorsements on the UN Open Source Principles: https://unite.un.org/news/sixteen-organizations-endorse-un-open-source-principles

CryptPad Form is a full-fledged application allowing you to build privacy-preserving questionnaires for your respondents.

Try it for free, without even registering an account, on our CryptPad.fr flagship instance!

#UnitedNations #UN #Privacy #OpenSource #Forms #Studies #FOSS

Looking to write your own MCP for a popular decompiler? Check out our unified API that allows scripting in IDA, Ghidra, Binja, and angr. In the same few Python lines, you can make a struct, retype a function, and modify local vars. Check it out: https://github.com/binsync/libbs

https://bird.makeup/@bl4sty/1904843439180493069

Anybody knows what Asimov is in MS lingo? :)

I think the ICO did a brilliant job with that report, it’s bang on the money.

They basically hadn’t implemented MFA for all Citrix Netscaler users,

hadn’t patched for ZeroLogon on customer systems (a vuln I worked on at MS two years before the Advanced incident, that I personally made sure sure was widely publicised),

didn’t do vuln management on customer systems,

ignored pentest findings,

then descoped customer systems to lie about Cyber Essentials Plus coverage to customers.

Back in 2022, there was wide scale disruption to the NHS (healthcare) in the UK due to LockBit ransomware at Advanced.

They have paid a £3m fine to the ICO, who have published their 58 page PDF investigation. Worth a read for findings.

https://cy.ico.org.uk/media2/gdlfddgc/advanced-penalty-notice-20250327.pdf

The £3m fine is due to failures to run Vulnerability Management correctly and failure to enforce MFA.

A thread about some other things:

@kaoudis I have plenty of experience with technically competent people messing up 1) risk assessment 2) communication, so I'd write this off as incompetence, but that should be called out too (esp. since based on the latest post they seem to think they've done everything right).

Tuesday's cryptic message about atop turns out to be a local memory corruption issue, but details are unclear:

https://www.openwall.com/lists/oss-security/2025/03/26/2

What is clear to me is that the original "warning" was a shameful example of spreading FUD...

CVE-2025-31160 was issued to track the problem.

Project: mpengine-x64-pdb 1.1.24090.11
File: mpengine.dll
Address: 75a810cc4

Revert

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fmpengine-x64-pdb%2F75a810cc4.json&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fmpengine-x64-pdb%2F75a810cc4.json&colors=light

Our first keynote from Natalie is live! Want to find fully-remote bugs? Learn more about her workflow and lessons learned from a true expert in the field. Bonus: during the Q&A you can learn that even just finding a single obscure file format can be what it takes to find a bug: https://www.youtube.com/watch?v=UOr1F-Tx1Zg

For those who missed it, here's last year's OffensiveCon talk about BLASTPASS explaining what P0 understood at that time:

https://m.youtube.com/watch?v=ZawX9I9MM6Y

I have a question: In Signal, imagine that a new device gets added to your phone as a Linked Device. What sort of notification would you receive on your primary device (phone)? Are there photos of the current workflow here? This article https://www.npr.org/2025/03/25/nx-s1-5339801/pentagon-email-signal-vulnerability asserts that recently Signal added UI to prevent user getting phished and unknowingly adding a linked device. What did they add?

@nixfreak no and tbf I don't really want to provide support for some half-baked stuff, so please just stick to upstream until x64 support gets merged or maybe comment on the relevant PR's if you think you found a bug in them (#97 tracks x64 support).

[RSS] Llama's Paradox - Delving deep into Llama.cpp and exploiting Llama.cpp's Heap Maze, from Heap-Overflow to Remote-Code Execution

https://retr0.blog/blog/llama-rpc-rce

[RSS] Blasting Past Webp

https://googleprojectzero.blogspot.com/2025/03/blasting-past-webp.html

An analysis of the NSO BLASTPASS iMessage exploit

@xgranade Relevant article: LLMs use a lot of the same techniques as psychics' "cold reading" to convince people they know more than they do.

https://softwarecrisis.dev/letters/llmentalist/

@nixfreak submodules maybe? also pls note that I linked an experimental branch, you'll be better off with upstream. if you encounter problems please use the GH issue tracker so others can learn from the answers too!

If it annoys you— as it somewhat does me— that the precise definition of the Rust programming languages is "vibes" and "three separate PDFs, none of them authoritative" and "well, whatever the reference compiler does is the language", this is pretty neat news. https://mastodon.social/@rustfoundation/114229759326166359