A drunken debugger

Heretek of Silent Signal
repeated

I can finally talk about what we've been working on for the past two years(!)

Using , GitHub now supports artifact signing, which allows you to create unforgeable provenance guarantees for any software you build inside Actions.

It's been a heck of a ride, & you can read more about (and learn how to use it) here:

https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

Windows Defender reactivating itself defying all configured policies
[RSS] Control Flow Guard in Windows 11 24H2

https://ynwarcs.github.io/Win11-24H2-CFG
repeated

protip: drawing a hilariously bad artwork in MS Paint with a mouse is a much stronger quality signal that you care about the blog post than attaching an obvious AI generation

Edited 4 months ago
I generated the docs from the latest #Ghidra version (11.0.3) and "int" is supposed to be a valid metatype:

https://scrapco.de/ghidra_docs/cspec_parampass.html

I plan to keep this #documentation updated, let me know if you'd like to see HTML about other features published!
#Ghidra apparently forgot about metatype="int" in Compiler Specifications. Deleting the pentry attribute fixes the issue.

Relevant - probably outdated - documentation:

https://lemuellew.github.io/Ghidra-Compiler-Specification-Document/cspec_parampass.html
[RSS] Hydra: Generalizing Peephole Optimizations with Program Synthesis [PDF]

https://users.cs.utah.edu/~regehr/generalization-oopsla24.pdf
BASIC is 60 years old. Here's a message - maybe more relevant than ever - from one of its inventors, John G. Kemeny:

"The most dangerous voice you will ever hear is the evil voice of prejudice that divides black from white, man from woman, Jew from gentile. Listen to the voice that says man can live in harmony. Use your very considerable talents to make the world better."

https://cis-alumni.org/JKemeney.html
I just told son about the old days when computer programs were distributed by radio and recorded on tape.

Reddit says[1] a 48k game took about 6.5 minutes to record.

With this speed minified Angular[2] would take 76 minutes to arrive.

#zxspectrum #oldcomputing

[1] https://www.reddit.com/r/todayilearned/comments/vhb9ji/comment/id7lez0/
[2] https://gist.github.com/Restuta/cda69e50a853aa64912d
Definitely the best interview about #AI I've seen:

https://www.youtube.com/watch?v=86qKgK0asGo
repeated
Edited 4 months ago

CISA: CISA Adds One Known Exploited Vulnerability to Catalog
HOT OFF THE PRESS! CISA adds CVE-2023-7028 (10.0 critical, disclosed 12 January 2024 by GitLab) GitLab Community and Enterprise Editions Improper Access Control Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog!

Why you should care about CVE-2023-7028:

This is a zero-click account takeover that people were freaking out about less than 4 months ago. Successful exploitation allows attackers to send password reset emails for a targeted account to an attacker-controlled email address, allowing the threat actor to change the password and take over the account.

cc: @campuscodi @serghei @todb

Me, today: I'll start working on this problem in May.

Shit, it's May.
Edited 4 months ago
FTR: I have 0 recollection of writing this GitHub workflow, so it was a bit challenging to fix it o.O

https://github.com/silentsignal/rsa_sign2n/blob/release/.github/workflows/test-docker.yml

Anyway, thanks to a generous contributor now you can calculate RSA public keys from message-signature pairs on ARM if you feel like it.
repeated
Edited 4 months ago

Someone on Tumblr has made a concept for a Tarot Card deck made out of ISO hazard symbols and it goes hard:

https://www.tumblr.com/medusasstory/749203130036699136/this-is-a-nice-sign-to-look-at-1010-for

Edit: apparently this image was a WIP version, a final, printable version is available here: https://organical-mechanical.itch.io/iso-tarot

[RSS] Failure is Required: Understanding Fail-Safe and Fail-Fast Strategies

https://debugagent.com/failure-is-required-understanding-fail-safe-and-fail-fast-strategies

This article mostly answers my previously expressed doubts about handling non-security edge-cases at multiple layers of code.
Edited 4 months ago
As expected, @hackerfantastic pwned run0 in no time (h/t @timb_machine)

Image repost from https://twitter.com/hackerfantastic/status/1785495587514638559

Edit: unrolled thread with more details/bugs at https://threadreaderapp.com/thread/1785495587514638559.html

Edit 2: as @mxey pointed out you can play the same trick with sudo. Note that according to these comments run0 should prevent similar hijacks:
https://mastodon.social/@pid_eins/112353420303876549
https://mastodon.social/@pid_eins/112353429211255588