New blog! "BGGP4: A 420 Byte Self-Replicating UEFI App For x64"

I cover UEFI, the UEFI x64 ABI, writing UEFI applications in x86_64 assembly, Tianocore EDK2 image loader internals, QEMU automation, and binary golf strategies for UEFI PEs.

Happy Friday!

https://github.com/netspooky/golfclub/tree/master/uefi/bggp4

For those new to #Mastodon / the #Fediverse or those looking to get more out of this awesome network, here are some tips for getting started, general advice, and links to a ton of related resources. This “Starter Pack" also features a ton of awesome #infosec / #cybersecurity follow recommendations.

https://shellsharks.com/notes/2023/10/20/infosec-mastodon-starter-pack

Let me know your own tips/tricks and please share out / boost if you find these useful!

#tips #mastotips #discoverability #welcome #resources #follow #mondayblogs

Today, we have opened five non-compliance investigations under the Digital Markets Act.

It concerns:
🔹Alphabet’s rules on steering in Google Play
🔹Alphabet’s self-preferencing in Google Search
🔹Apple’s rules on steering in the App Store
🔹Apple's choice screen for Safari
🔹Meta’s ‘pay or consent model’

More info: https://europa.eu/!4NF6bV

#DMA #EU

Me, an idiot: “So, kids, by setting the thermostat a little lower and eating less meat, we’re doing our part to make the world more sustainable”

VCs, very smart: “We just raised $100 billion dollars from the sovereign wealth funds of three petrostates to build the world’s largest AI supercomputer. It uses as much power and water as Guatemala and the primary use case is for management consultants to autogenerate powerpoints for justifying mass layoffs.”

NetHSM – A hardware security module with open hardware and open source code: «Unlike proprietary HSM products, NetHSM is the first HSM available as open source, which enables independent security audits, easy customization and avoids vendor lock-in. Only open source allows to verify the absence of back doors.»
https://www.nitrokey.com/products/nethsm
#HSM #OpenSource #OpenHardware #Security

Hey, I just met you, and this is async
But here's my function, so callback() maybe

Last night, about 21 hours ago, Manfred Paul demonstrated a security exploit targeting Firefox 124 at pwn2own.

In response, we have just published Firefox 124.0.1 (and Firefox ESR 115.9.1) containing the security fix.

Please update your foxes! 🦊

Kudos to all the countless people postponing their sleep and working towards resolving this so quickly! Really impressive teamwork again. Also, kudos to Manfred for pwning Firefox again :)

NEW: I spoke to the hacker behind the Apex Legends hacks.

He said he did it "just for fun," and to force EA/Respawn to patch the vulnerabilities he exploited, but he said he didn't report them to the companies.

“They know how to patch it," he told me.

He also defended himself saying that "not many people would have used an exploit like that in an absolutely innocent way for players.”

“Just imagine if it wasn’t a joke and we didn’t put any memes in the cheat, I’m pretty sure you can ruin someone’s career if they had a cheat pop up on a tournament,” he said.

https://techcrunch.com/2024/03/20/apex-legends-hacker-said-he-hacked-tournament-games-for-fun/

Today, March 18, Seattle high schooler David Lightman teaches his friend Jennifer Mack about war dialing, hacking, phreaking, and the importance of infosec (WarGames, 1983)

#Movies #Film #Cinemastodon #Letterboxd #WarGames #TheOnlyWinningMoveIsNotToPlay

Nigerian court orders Binance to release user data, as company execs continue to be held without charge https://therecord.media/nigerian-court-orders-binance-to-release-user-data-executives-detained

Theory:
We're *already* in the state where content creators are leveraging LLM/ChatGPT/AI to do their work for them. And as such, things you read will be confidently wrong / made-up.
As LLM/ChatGPT/AI is trained on LLM/ChatGPT/AI-generated content, this will only get worse. 😬

The whole Boeing thing uncovers so many amazing quotes:

"When people say I changed the culture of Boeing, that was the intent, so that it’s run like a business rather than a great engineering firm." - Harry Stonecipher, former Boeing CEO

The San Fransisco Aviation Museum (known as the SFO Museum / https://sfomuseum.org) has launched a massive initiative to federate their whole archive into the #fediverse! They have gone so far as to write their own #ActivityPub software in #Go suited to their needs and open sourced it (https://github.com/sfomuseum/go-activitypub). And have already launched thousands of automated accounts that cover different parts of their collection.
https://millsfield.sfomuseum.org/blog/2024/03/12/activitypub/

A case of missing bytes: #bruteforcing your way through #Jenkins' CVE-2024-23897

(In which US crypto export restrictions prove to be still harmful after 25 years)

https://www.errno.fr/bruteforcing_CVE-2024-23897.html

Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft

These large, systemic online platforms were designated as gatekeepers under the Digital Markets Act.

As of midnight today, they won't be able to use unfair practices towards those depending on them – with a fine of up to 20% of their global turnover for multiple failures.

The #DMA will ensure:
- More services to choose and switch to
- Direct access to services
- Fairer prices
- New opportunities to compete

Check how: https://europa.eu/!QF6KGT

Kickstarter's bizarre blockchain announcement in December 2021 makes so much more sense now that we know Andreessen Horowitz secretly promised them $100 million to pivot to a blockchain-based product built on the also-a16z-backed Celo blockchain.

At the time, I wondered why COO Sean Leow was so insistent on the move despite being apparently very confused about the whole concept.

https://fortune.com/crypto/2024/03/11/kickstarter-blockchain-a16z-crypto-secret-investment-chris-dixon/
(archive: https://web.archive.org/web/20240311124253/https://fortune.com/crypto/2024/03/11/kickstarter-blockchain-a16z-crypto-secret-investment-chris-dixon/)

#AndreessenHorowitz #crypto #blockchain #kickstarter

I get that MSRC often flip-flops on what is and what is not a security boundary for some things (e.g. admin to kernel).
But when a non-admin user can reproducibly get SYSTEM privileges and MSRC says that "no security boundary is being broken here", it really makes you wonder.
🤔
https://github.com/Wh04m1001/GamingServiceEoP

If you bought or sold something on the darknet bazaar Incognito Market, you may be in for a surprise. Apparently Incognito is now extorting all of its former users, saying that depending on their vendor level, not having your info leaked could cost between $100 and $20,000.

responsible_disclosure.gif

Disclosure day!

Insufficient permission check vulnerabilities in Granicus's GovQA allowed unauthorized access to view, edit, and change ownership of open records requests, including restricted-access confidential records. By changing ownership of a request, an attacker could effectively deny a legitimate user's access to that request. The vulnerabilities affected various deployments, including numerous Departments of Children and Family Services or their equivalents, which handle highly sensitive records of domestic violence and sexual abuse allegations against children.

Details:
https://github.com/qwell/disclosure-granicus-govqa/

Coverage:
https://www.nextgov.com/cybersecurity/2024/03/flaws-public-records-management-tool-could-let-hackers-nab-sensitive-data-linked-requests/394755/