Posts
2574
Following
629
Followers
1407
"I'm interested in all kinds of astronomy."
repeated
Edited 1 year ago

The Foundation, alongside other organizations including the Software Foundation, Foundation, Software Foundation, Software Foundation, Foundation, and Foundation, announced today a collaborative initiative aimed at establishing common cybersecurity standards in alignment with the European Union’s Cyber Resilience Act:

https://thephp.foundation/blog/2024/04/02/open-source-community-cra-compliance-initiative/

repeated
Edited 1 year ago

This is not a late April Fool's joke: After , we accidentally dumped the keypad codes of almost half of an IBIS hotel's rooms by entering some dashes into a check-in terminal: https://www.pentagrid.ch/en/blog/ibis-hotel-check-in-terminal-keypad-code-leakage/

repeated
Edited 1 year ago

Here's a fun AI story: a security researcher noticed that large companies' AI-authored source code repeatedly referenced a nonexistent library (an AI "hallucination"), so he created a (defanged) malicious library with that name and uploaded it, and thousands of developers automatically downloaded and incorporated it as they compiled the code:

https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/

1/

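The check a practitioner would want against the package-name hallucination described in that post, as an added example that is not part of the post or the article it links: a pre-install gate that refuses any dependency not already pinned, with a hash, in a reviewed lockfile, so a made-up name can never be resolved against the public registry. The lockfile contents, hash values and the package name "acme-storage-client" are all constructed; the `name==version --hash=sha256:` syntax is pip's requirements format and the PEP 503 name normalization is the real one, but the gate itself is generic.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example (not from the article above): a pre-install gate that only
// lets through dependencies already pinned, with a sha256 hash, in a reviewed
// lockfile. A name an LLM made up is never in that file, so it is rejected
// before any installer can resolve it against the public registry.

var separators = regexp.MustCompile(`[-_.]+`)

// normalizeName applies PEP 503 name normalization (lowercase, any run of
// "-", "_" or "." becomes "-"), so "Foo_Bar", "foo.bar" and "FOO-BAR" match.
func normalizeName(name string) string {
	return strings.ToLower(separators.ReplaceAllString(name, "-"))
}

// pinned matches one fully pinned lock entry: name==version --hash=sha256:<64 hex>
var pinned = regexp.MustCompile(
	`^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)\s+--hash=sha256:([0-9a-f]{64})$`)

// ParseLock returns normalized name -> sha256 for each pinned entry. Blank
// lines and comments are skipped; an entry without a hash is deliberately
// not recorded, so it fails the gate just like an unknown name.
func ParseLock(lock string) map[string]string {
	out := map[string]string{}
	for _, raw := range strings.Split(lock, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if m := pinned.FindStringSubmatch(line); m != nil {
			out[normalizeName(m[1])] = m[3]
		}
	}
	return out
}

// Gate returns, as written, every requested name that is not in the lock.
// These are exactly the names an installer would otherwise fetch from the
// public index, hallucinated ones included.
func Gate(requested []string, lock map[string]string) []string {
	var rejected []string
	for _, name := range requested {
		if _, ok := lock[normalizeName(name)]; !ok {
			rejected = append(rejected, name)
		}
	}
	return rejected
}

// SampleLock is a constructed lockfile; the hash values are placeholders.
const SampleLock = `
# reviewed and hash-pinned
requests==2.31.0 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Foo_Bar==1.2.0 --hash=sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
unpinned-lib==0.9
`

func main() {
	lock := ParseLock(SampleLock)
	// "acme-storage-client" is a made-up name standing in for an LLM hallucination.
	requested := []string{"Requests", "foo.bar", "acme-storage-client", "unpinned-lib"}
	fmt.Println("rejected:", Gate(requested, lock))
}
```

Run it and the two names that would have gone to the public index are reported: the hallucinated one and the entry that was present but not hash-pinned. Normalization matters because a hallucinated name often differs from a real one only by a dash or underscore.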
repeated

I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.

More details in this thread: https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b

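A model of the gate that post describes, written as an added example rather than any part of the xz code or the linked analysis: a hook yields a command only when the caller presents a signature from a fixed operator key, so knowing the embedded public key is not enough to trigger it, and a trigger captured on one server does not verify on another. Ed25519 from Go's standard library stands in for Ed448 (which the stdlib lacks); the signed message being the hash of host key plus payload is an assumption about the layout, since the post only says the signature is over the host key; and the command is returned, never handed to system(). Host keys and the payload are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Model of the gate described in the post, written as an added example: a
// hook that only yields a command when the caller presents a signature from
// a fixed operator key. Ed25519 from the Go standard library stands in for
// Ed448 (not in the stdlib), and the command is returned, never executed.

// NewOperator generates the operator's fixed keypair. In a deployed backdoor
// only the public half is embedded; the private half never leaves the operator.
func NewOperator() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// gateMessage is the byte string the signature covers. Binding the server's
// host key into it is what makes a captured trigger non-replayable against a
// different server. Hashing hostKey||payload is an assumption about the
// layout; the post only says the signature is over the host key.
func gateMessage(hostKey, payload []byte) []byte {
	h := sha256.New()
	h.Write(hostKey)
	h.Write(payload)
	return h.Sum(nil)
}

// SignForHost is the operator side: produce a trigger for one specific host.
func SignForHost(priv ed25519.PrivateKey, hostKey, payload []byte) []byte {
	return ed25519.Sign(priv, gateMessage(hostKey, payload))
}

// Gate is the hooked side. It returns the command only when sig verifies
// under the fixed operator key for this host's key; on any mismatch it
// returns an error so the caller can fall through to normal behaviour.
// Knowing operatorPub (which every analyst can extract from the binary) is
// not enough to pass this check; only the private key holder can.
func Gate(operatorPub ed25519.PublicKey, hostKey, payload, sig []byte) (string, error) {
	if len(sig) != ed25519.SignatureSize ||
		!ed25519.Verify(operatorPub, gateMessage(hostKey, payload), sig) {
		return "", errors.New("gate: signature does not verify, fall through")
	}
	return string(payload), nil
}

func main() {
	operatorPub, operatorPriv := NewOperator()
	hostA := []byte("constructed host key A")
	hostB := []byte("constructed host key B")
	cmd := []byte("id")

	sig := SignForHost(operatorPriv, hostA, cmd)
	out, err := Gate(operatorPub, hostA, cmd, sig)
	fmt.Println("operator on host A:", out, err)

	_, err = Gate(operatorPub, hostB, cmd, sig)
	fmt.Println("same trigger replayed on host B:", err)

	_, attackerPriv := NewOperator()
	_, err = Gate(operatorPub, hostA, cmd, SignForHost(attackerPriv, hostA, cmd))
	fmt.Println("third party with only the public key:", err)
}
```

The three calls in main are the three properties the post states: it is code execution for the key holder, it is not an authentication bypass for anyone else, and a captured trigger cannot be replayed elsewhere because the host key is inside the signed data.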
repeated
As someone just catching up on the xz drama I have to say GitHub nuking literally everything related to the repository is incredibly frustrating. Real loser energy right there
repeated

A very niche joke via @leonjza

repeated
Edited 1 year ago

RCE challenge contest: whoever gets code execution on my Macintosh LC 475 running Mac OS 8.1 on the public internet at 185.218.227.18 wins $350 over PayPal

repeated

New blog! "BGGP4: A 420 Byte Self-Replicating UEFI App For x64"

I cover UEFI, the UEFI x64 ABI, writing UEFI applications in x86_64 assembly, Tianocore EDK2 image loader internals, QEMU automation, and binary golf strategies for UEFI PEs.

Happy Friday!

https://github.com/netspooky/golfclub/tree/master/uefi/bggp4

repeated

For those new to / the or those looking to get more out of this awesome network, here are some tips for getting started, general advice, and links to a ton of related resources. This “Starter Pack” also features a ton of awesome / follow recommendations.

https://shellsharks.com/notes/2023/10/20/infosec-mastodon-starter-pack

Let me know your own tips/tricks and please share out / boost if you find these useful!

repeated
Edited 1 year ago

Today, we have opened five non-compliance investigations under the Digital Markets Act.

It concerns:
🔹Alphabet’s rules on steering in Google Play
🔹Alphabet’s self-preferencing in Google Search
🔹Apple’s rules on steering in the App Store
🔹Apple's choice screen for Safari
🔹Meta’s ‘pay or consent model’

More info: https://europa.eu/!4NF6bV

repeated

Me, an idiot: “So, kids, by setting the thermostat a little lower and eating less meat, we’re doing our part to make the world more sustainable”

VCs, very smart: “We just raised $100 billion dollars from the sovereign wealth funds of three petrostates to build the world’s largest AI supercomputer. It uses as much power and water as Guatemala and the primary use case is for management consultants to autogenerate powerpoints for justifying mass layoffs.”

repeated

NetHSM – A hardware security module with open hardware and open source code: «Unlike proprietary HSM products, NetHSM is the first HSM available as open source, which enables independent security audits, easy customization and avoids vendor lock-in. Only open source allows to verify the absence of back doors.»
https://www.nitrokey.com/products/nethsm

repeated

Hey, I just met you, and this is async
But here's my function, so callback() maybe

repeated

Last night, about 21 hours ago, Manfred Paul demonstrated a security exploit targeting Firefox 124 at pwn2own.

In response, we have just published Firefox 124.0.1 (and Firefox ESR 115.9.1) containing the security fix.

Please update your foxes! 🦊

Kudos to all the countless people postponing their sleep and working towards resolving this so quickly! Really impressive teamwork again. Also, kudos to Manfred for pwning Firefox again :)

repeated

Lorenzo Franceschi-Bicchierai

NEW: I spoke to the hacker behind the Apex Legends hacks.

He said he did it "just for fun," and to force EA/Respawn to patch the vulnerabilities he exploited, but he said he didn't report them to the companies.

“They know how to patch it," he told me.

He also defended himself saying that "not many people would have used an exploit like that in an absolutely innocent way for players.”

“Just imagine if it wasn’t a joke and we didn’t put any memes in the cheat, I’m pretty sure you can ruin someone’s career if they had a cheat pop up on a tournament,” he said.

https://techcrunch.com/2024/03/20/apex-legends-hacker-said-he-hacked-tournament-games-for-fun/

repeated

Today, March 18, Seattle high schooler David Lightman teaches his friend Jennifer Mack about war dialing, hacking, phreaking, and the importance of infosec (WarGames, 1983)

repeated

Nigerian court orders Binance to release user data, as company execs continue to be held without charge https://therecord.media/nigerian-court-orders-binance-to-release-user-data-executives-detained

repeated

Theory:
We're *already* in the state where content creators are leveraging LLM/ChatGPT/AI to do their work for them. And as such, things you read will be confidently wrong / made-up.
As LLM/ChatGPT/AI is trained on LLM/ChatGPT/AI-generated content, this will only get worse. 😬

repeated

The whole Boeing thing uncovers so many amazing quotes:

"When people say I changed the culture of Boeing, that was the intent, so that it’s run like a business rather than a great engineering firm." - Harry Stonecipher, former Boeing CEO

repeated
Edited 1 year ago

The San Francisco Aviation Museum (known as the SFO Museum / https://sfomuseum.org) has launched a massive initiative to federate their whole archive into the ! They have gone so far as to write their own software in suited to their needs and open sourced it (https://github.com/sfomuseum/go-activitypub). And have already launched thousands of automated accounts that cover different parts of their collection.
https://millsfield.sfomuseum.org/blog/2024/03/12/activitypub/
