"I'm interested in all kinds of astronomy."

A case of missing bytes: your way through ' CVE-2024-23897

(In which US crypto export restrictions prove to be still harmful after 25 years)

https://www.errno.fr/bruteforcing_CVE-2024-23897.html


Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft

These large, systemic online platforms were designated as gatekeepers under the Digital Markets Act.

As of midnight today, they won't be able to use unfair practices towards those depending on them – with a fine of up to 20% of their global turnover for multiple failures.

The will ensure:
- More services to choose and switch to
- Direct access to services
- Fairer prices
- New opportunities to compete

Check how: https://europa.eu/!QF6KGT


Kickstarter's bizarre blockchain announcement in December 2021 makes so much more sense now that we know Andreessen Horowitz secretly promised them $100 million to pivot to a blockchain-based product built on the also-a16z-backed Celo blockchain.

At the time, I wondered why COO Sean Leow was so insistent on the move despite being apparently very confused about the whole concept.

https://fortune.com/crypto/2024/03/11/kickstarter-blockchain-a16z-crypto-secret-investment-chris-dixon/
(archive: https://web.archive.org/web/20240311124253/https://fortune.com/crypto/2024/03/11/kickstarter-blockchain-a16z-crypto-secret-investment-chris-dixon/)


I get that MSRC often flip-flops on what is and what is not a security boundary for some things (e.g. admin to kernel).
But when a non-admin user can reproducibly get SYSTEM privileges and MSRC says that "no security boundary is being broken here", it really makes you wonder.
🤔
https://github.com/Wh04m1001/GamingServiceEoP


If you bought or sold something on the darknet bazaar Incognito Market, you may be in for a surprise. Apparently Incognito is now extorting all of its former users, saying that depending on their vendor level, not having your info leaked could cost between $100 and $20,000.


responsible_disclosure.gif


Jason Parker (he/they)

Disclosure day!

Insufficient permission check vulnerabilities in Granicus's GovQA allowed unauthorized access to view, edit, and change ownership of open records requests, including restricted-access confidential records. By changing ownership of a request, an attacker could effectively deny a legitimate user's access to that request. The vulnerabilities affected various deployments, including numerous Departments of Children and Family Services or their equivalents, which handle highly sensitive records of domestic violence and sexual abuse allegations against children.

Details:
https://github.com/qwell/disclosure-granicus-govqa/

Coverage:
https://www.nextgov.com/cybersecurity/2024/03/flaws-public-records-management-tool-could-let-hackers-nab-sensitive-data-linked-requests/394755/


With 1 , I can make an inverter, a switch, or a not-very-good amplifier.

With 2 transistors, I can make a differential amplifier, a cascode, or a latch.

With 3 transistors, I can make a fairly good (Wilson) current mirror, or a Lorenz chaotic system.

20,000 transistors made a that navigated spacecraft to the Moon and back.

But 10,000,000,000 transistors make a computer that's brought to its knees if it tries to interpret the Javascript used to load one on a web page.


India has officially outlawed nine types of , including saying "Hurry, only X amount left;" adding "processing fees;" adding dire language to opt-out buttons ("No, I'd rather not protect my purchase"); forcing people to agree to a EULA; forcing people to call a phone number to unsubscribe; using confusing opt-out language ("No, don't unsubscribe me"); blending ads into editorial content; and forcing people to click "remind me later" every day. https://bootcamp.uxdesign.cc/dark-patterns-are-now-illegal-in-india-6b3c35c5ce50


stops charging for moving data out of their services. You have to read to almost the end to find the real reason:

„The waiver on data transfer out to the internet charges also follows the direction set by the European Data Act and is available to all AWS customers around the world and from any AWS Region.“

https://aws.amazon.com/blogs/aws/free-data-transfer-out-to-internet-when-moving-out-of-aws/


Birmingham council's 'equal pay' bankruptcy provided cover for Oracle disaster
L: https://theconversation.com/how-birmingham-city-councils-equal-pay-bankruptcy-provided-cover-for-ongoing-oracle-it-disaster-224416
C: https://news.ycombinator.com/item?id=39613181
posted on 2024.03.06 at 02:12:05 (c=1, p=5)


Can you believe it? It's been 20 years since OpenTTD 0.1 was released! Time really does fly.

Read the full story: https://www.openttd.org/news/2024/03/06/happy-birthday


I spent the last week scraping through a terabyte of GeoCities archives and collecting ALL THE buttons! In the end, I gathered 29257 unique buttons (75k with duplicates). They are available at https://hellnet.work/8831/

Check them out!

I also have the dataset (~160MB), stats and a bit about the scraping process here: https://hellnet.work/8831/stats.html


Carmakers must bring back buttons to get good safety scores in Europe

In 2026, Euro NCAP points will be deducted if some controls aren't physical.

https://arstechnica.com/cars/2024/03/carmakers-must-bring-back-buttons-to-get-good-safety-scores-in-europe/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social


The US military tracked Putin's movements. How? His comrades (advisers, drivers, etc.) had smartphones and were browsing the internet, using apps. Ads were displayed to them. And data traces from advertising networks revealed everything. https://www.wired.com/story/how-pentagon-learned-targeted-ads-to-find-targets-and-vladimir-putin/


I am re-reading Dune. This quote by the Reverend Mother Gaius Helen Mohiam is remarkable:

“Once, men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.”

It's not about a Terminator-style AI-apocalypse where the machines want to kill us all dead. It's just an accurate prediction of what actually appears to be happening.


Hello world! Kaitai project and finally got its own space in Fediverse!

If you're not familiar with us, we create a declarative language for binary format specification — see https://kaitai.io/ — and tooling around it — a compiler which transforms declarative specs into ready-made parsers in a variety of programming languages, visualizers and an IDE for rapid format spec development and much, much more.

Watch this space for more news from us!


Have you ever wanted to start editing , but got overwhelmed or felt like you didn't know where to start? Every time I encourage people to start editing, I hear that, so I'm trying to help.

https://www.youtube.com/watch?v=bRRHR1NEOqE


🐙🐇🐝Pointed Sarah🐞🐡🐧


programmers are always posting like "worked on tracking down an issue with a Flurble deployment for twelve hours. the problem wasn't in Flurble at all - it was in the Gumbies install. It turns out if you install Gumbies 3.0 over Gumbies 2.7 and don't do a cache flush on all the client spiders they'll get stuck in the crystal maze." then you look up Gumbies and the site is one of those scroll scroll scroll types with one sentence per page, like

"GUMBIES is a lean, expressive sharding sandcube for testing and deploying large scale Woodchips playgrounds.

GUMBIES automates and streamlines away watersliding phases, meaning your team can get right to the chipping.

See why Microsoft, OpenAI and Bloingo have embraced GUMBIES in their Woodchips workflows."

and you get to the bottom and you're like I want this I guess but I still don't know what it is


Tried using the new Google Chrome V8 settings to turn off the JavaScript JIT, as discussed by @campuscodi in https://news.risky.biz/risky-biz-news-google-addresses-jit-security-in-chrome-122/

However funnily enough that completely broke the Microsoft Teams web client on Mac OS X for me. It remained consistently stuck on "connecting" for over 5 minutes. Even allow-listing teams.microsoft.com wasn't enough, only worked when I allow-listed all of microsoft.com.

So be aware this is not as benign a change as it should be - not only a performance hit but things can actually stop working.

And this got me wondering... is Teams' JavaScript just so horribly inefficient that it takes forever to work without JIT? Or what kind of shenanigan is it doing to REQUIRE the browser JIT to work? 🤔
