say hello to ghidriff 🔥

#ghidra #patchdiffing #Python

https://github.com/clearbluejar/ghidriff

Peter Higgs, physicist who proposed Higgs boson, dies aged 94

https://www.theguardian.com/science/2024/apr/09/peter-higgs-physicist-who-discovered-higgs-boson-dies-aged-94

Holy shit, I thought I knew how evil the #SurveillanceAds industry was but here we are:

Two-thirds of European websites just ignore your #cookie choice and track you anyways, researchers from #ETHzurich found. 🤯

https://www.usenix.org/system/files/sec23winter-prepub-107-bouhoula.pdf

#privacy #TrackingFreeAds #consent #gdpr #ePrivacy #BanSurveillanceAdvertising

AI generation when writing software is a false economy. You are replacing writing code with code review. Code review is harder and requires you to already have an understanding of the domain which often means that you would’ve even able to write it yourself to begin with. If you code gen something because you don’t know how to write it yourself, you by definition cannot review it without going though an effort equivalent to writing it yourself in the first place.

Unless of course you don’t care about code review and so doom yourself into treating software like magical incantations that break randomly for no perceivable reason; but no good mage would do that, surely.

Is anyone aware of a list of software and tech companies that have been recently acquired by private equity firms? Seems like when that happens it's time to start yanking all the software/hardware tied to the acquired firm, because any accountability for security has a habit of disappearing when these firms get bought by PE.

Update: Found the chicken bit. This fixes the vulnerability.

"The main problem with the attack is that it's one that cannot be patched in Apple Silicon itself, since its a central part of the design."

Press X to doubt. I guarantee there's a chicken bit in the HID registers to disable the DMP. This could be disabled globally, only for some processes, or even exposed as a syscall to do it dynamically around sensitive code (Apple are not allergic to that, they already have codepaths that twiddle a HID4 bit at runtime).

https://gofetch.fail/

Edit: and just to be clear, this only affects M1 and M2. M3 is working entirely as intended, where the DIT bit disables the DMP. Constant-time, data-independent crypto code is already supposed to be using the Data Independent Timing bit. That's what it's for, we learned of this problem many years ago! Any issues on M3 caused by this problem are a code bug, nothing to do with the chips. The chicken bit story is for M1 and M2, where the bug is that the DIT bit is not hooked up to disable the DMP.

Forget the xz/liblzma backdoor in Linux distros, there's a confirmed backdoor in D-Link Network Attached Storage (NAS) products. Username is messagebus with an empty password. Tracked as CVE-2024-3273 (7.3 high, disclosed 26 March 2024), D-Link refuses to patch it because "All D-Link Network Attached storage has been End of Life and of Service Life for many years [and] the resources associated with these products have ceased their development and are no longer supported" 🔗 https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/

#CVE_2024_3273 #backdoor #xz

You don't need an 8-core CPU and 16 gigabytes of RAM just to jot down some notes. An ESP32 and a handwired keyboard will work quite nicely.

You know...in case you don't have a pen.

https://hackaday.com/2024/04/05/esp32-provides-distraction-free-writing-experience/

"The biggest source of conflict was an amendment ... that would prohibit #databrokers from selling consumer data to #lawenforcement and would require a warrant to access Americans’ information... National #security hawks in #Congress and local law enforcement groups joined forces to kill the amendment, with the National Sheriffs’ Association claiming it would “kneecap law enforcement” in a letter to Congress..."

https://www.theverge.com/2024/4/5/24122079/data-brokers-fisa-extension-nsa-section-702-surveillance-lexis-nexis

I've taken to calling the Bitcoin price ticker "ransomware futures".

Babe wake up, new Google Pixel zero-days just dropped: 🔗 https://source.android.com/docs/security/bulletin/pixel/2024-04-01

• CVE-2024-29745 (information disclosure, high severity)
• CVE-2024-29748 (elevation of privilege, high severity)

Note: There are indications that the following may be under limited, targeted exploitation.

EDIT: Reported by security researcher Daniel Micay of GrapheneOS Foundation who reported that the vulnerabilities were exploited in the wild by forensics companies 🔗 https://grapheneos.social/@GrapheneOS/112204428984003954

CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking. Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory. We proposed zeroing memory in firmware when rebooting to fastboot mode to wipe out the whole class of attacks. They implemented this by zeroing memory when booting fastboot mode. USB is only enabled by fastboot mode after zeroing the memory is completed, blocking these attacks. GrapheneOS already implemented defenses against this attack before we became aware of it. After becoming aware of this attack against Pixels running the stock OS, we improved our existing defenses and added new ones alongside reporting the firmware weaknesses to get those fixed.

CVE-2024-29748 refers to a vulnerability providing the ability to interrupt a factory reset triggered by a device admin app. It appears they've implemented a partial solution in firmware. See https://grapheneos.social/@GrapheneOS/112162304896898942 about ongoing work we spotted on wipe-without-reboot support.

See related Bleeping Computer reporting: 🔗 https://www.bleepingcomputer.com/news/security/google-fixes-two-pixel-zero-day-flaws-exploited-by-forensics-firms/

#zeroday #eitw #activeexploitation #CVE_2024_29745 #CVE_2024_29748 #Google #Pixel #Android

I always forget the CORE SSH story about @4Dgifts and Futo working on the then SSH implementation, finding a bug, sending the report upstream with a patch, upstream botching the patch and… it was a CRC32 checksum backdoor ("No relation"™ to the current stuff).

You might have seen it in a rather famous film where it is shown to enter the utility services from a pretty green phosphors terminal.

​

Any experienced C developers among my followers? #BoostsWelcome.

Expat, arguably the world's most popular #XML parser, is understaffed and without funding. As #xz has shown, situations like this are dangerous.

Last month, maintainer Sebastian Pipping put up a plea for help at https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes

(I would help myself, but my C skills barely surpass "Hello, World".)

Found via @timbray - https://cosocial.ca/@timbray/112203547801373427

#libexpat
#SoftwareSupplyChainSecurity #OpenSource #OpenSourceMaintainer
#C

The #PHP Foundation, alongside other #OpenSource organizations including the #Apache Software Foundation, #Blender Foundation, #OpenSSL Software Foundation, #Python Software Foundation, #Rust Foundation, and #Eclipse Foundation, announced today a collaborative initiative aimed at establishing common cybersecurity standards in alignment with the European Union’s Cyber Resilience Act (#CRA):

https://thephp.foundation/blog/2024/04/02/open-source-community-cra-compliance-initiative/

This is not a late April Fool's joke: After #37C3, we accidentally dumped the keypad codes of almost half of an IBIS hotel's rooms by entering some dashes into a check-in terminal: https://www.pentagrid.ch/en/blog/ibis-hotel-check-in-terminal-keypad-code-leakage/ #itsecurity #infosec #ibis #accor #terminal #hotel

Here's a fun AI story: a security researcher noticed that large companies' AI-authored source-code repeatedly referenced a nonexistent library (an AI "hallucination"), so he created a (defanged) malicious library with that name and uploaded it, and thousands of developers automatically downloaded and incorporated it as they compiled the code:

https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/

1/

I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.

More details in this thread: https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b

A very niche joke via @leonjza

#MARCHintosh RCE challenge contest: whoever gets code execution on my Macintosh LC 475 running Mac OS 8.1 on the public internet at 185.218.227.18 wins $350 over PayPal