Unfortunately I couldn't find these guys on my ballot for #EU elections :(

https://www.youtube.com/watch?v=tXTBsAzvvsE

#punk

AFL++ v4.21 release! Fixed a regression (+5%), better seed selection (+1%), many minor fixes, LLVM 19 support https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.21c #afl #fuzz #fuzzing #fuzzer #fuzzing-tools

87-year-old writes to Financial Times. This is a real technological problem also for people with disabilities. Including me. Banking systems (and others) may make people's life miserable. And you know what? In case of an issue, I couldn't even make a phone call (when mandatory).

"Like, people are out there just raw dogging source code from random other open source developers, with their local environment running tokens that give
them access to everything they could possibly need from their Google account.

[...]

Jia Tan might have been a best case scenario for this community."

https://lists.aitelfoundation.org/archives/list/dailydave@lists.aitelfoundation.org/thread/P3R4OIKL7YGMJZIUCZJEZMQI425YTFDV/

Live now! Doing some Linux virtual memory manager experiments by using processes instead of threads! Maybe a custom allocator too! https://stream.bfa.lk/ . Also live on Twitch and YouTube :3

Absolutely delightful to see the Run Your Own Mail Server book going through the roof:

https://www.kickstarter.com/projects/mwlucas/run-your-own-mail-server/

"Your personal information is very important to us."

Crowdsourcing snark! Dear Lazyweb,

Bbefore they will let me publish a new release of XScreenSaver on the "Play" [sic] store, Google, the most rapacious privacy violator on the planet, is insisting...
https://jwz.org/b/ykUc

[RSS] Make Your Code Slower With Multithreading

https://hackaday.com/2024/06/07/make-your-code-slower-with-multithreading/

Could not agree more.

I updated the #Ghidra documentation I host to version 11.1:

https://scrapco.de/ghidra_docs/javadoc/ghidra/framework/model/DomainObjectListenerBuilder.html

I really have to automate this process somehow, but there are some manual tasks that don't spark joy: https://infosec.place/notice/AhUQCYKkTCUwXv4ReK

#Ghidra 11.1 is released, change history:

https://htmlpreview.github.io/?https://github.com/NationalSecurityAgency/ghidra/blob/Ghidra_11.1_build/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.html

Microsoft makes Recall feature off-by-default after security and privacy backlash

Windows Hello authentication, additional encryption being added to protect data.

https://arstechnica.com/gadgets/2024/06/microsoft-makes-recall-feature-off-by-default-after-security-and-privacy-backlash/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

periodic reminder: you cannot "pass" a security audit. anybody selling you a passable security audit is selling you a lie, and anybody selling you a product that has "passed' an audit is lying to you.

a security audit can uncover bugs, or not uncover bugs, and can (in the words of the recipient) demonstrate positive or negative qualities about the codebase. but it cannot be "passed" or otherwise *endorse* the product or program itself.

I would equate writing your own parsers for fiddly formats that lack formal single specification and may even require implementers to know the right undocumented or verbally passed down lore with doing your own gas plumbing.

If you’re a pretty competent plumber and can turn the gas on and off you could try it right? Somebody has to do it and they usually get it right. And you’ve fixed a leaky sink tailpipe once or twice in your day.

But should *you* as a non gas plumber? My vote is no, your house could explode or you could die of noxious gas inhalation if you get it wrong.

I would equate using FFI to shoehorn such parsers from, say C++ into your nice “safe” main codebase language to then using an inappropriate connector type to attach a new gas range to your DIY job.

Should you do it? My vote is no, please let someone who is trained to do it. *Could* you do it? Nobody laid down a personal challenge, mate.

The worst thing about #recall is not that it's a security and privacy disaster, it’s that the root cause of the security problems is also the reason it will be completely useless.

Imagine that you are scrolling through some news aggregator or social media page and you spot something that’s interesting. You forget and then a few days later ask recall to find it for you. Recall has access only to screenshots and so will tell you ‘yes, that thing you found interesting, it was at http://mastodon.social’ and you will say ‘you are a total waste of battery life and I hate you’. It does not have access to the structure of the page, so it cannot extract the link to the specific post, it just does optical character recognition on the address bar. Most of the sites where it’s hard to find things do infinite scrolling, so knowing that ‘this thing was somewhere in this infinite-scrolling page’ is unhelpful.

If it had been designed as a solid piece of engineering, rather than a ‘please find a use case for this AI thing’ project, it would work more like Spotlight on macOS, exposing hooks for apps to provide structured data. Edge would extract the permalink fields and index them along with post content. If it had been designed like this, apps would be able to choose what to provide and so Edge could automatically skip any content of sites that you log into unless you opt in, and also opt out anything in a private browsing window. Office apps would be able to exclude files marked as sensitive (e.g. anything with PII or medical or financial data). The privacy implications would be much less bad, the performance would be better, and it would actually be useful.

This is fairly representative of a lot of the AI hype. By using machine learning, you can build something that could be done a lot better without AI. That’s not to say that there’s no use for ML models in such a system. Providing a feature extraction model for indexing would be useful, so I can search for ‘that paper I read that had a picture of an orange cat on the first page’ and it would be able to record ‘orange cat’ in the metadata for that picture when it indexed the PDF. It’s not the right foundation, because an existing off-the-shelf PDF parser can extract the table of contents and text with 100% accuracy, whereas ML-driven OCR on screenshots will fail if I’ve scrolled some of it off the window.

libarchive 3.7.4 released with 2 security fixes

@taviso 's analysis of CVE-2024-26256 explains the concept of RarVM and how it may relate to the now fixed vulnerability:

https://seclists.org/oss-sec/2024/q2/270

This may have impact on a bunch of downstream software (khm..AVs) too.

Edit: See also the analysis of @thezdi here: https://www.zerodayinitiative.com/blog/2024/4/17/cve-2024-20697-windows-libarchive-remote-code-execution-vulnerability

The only feeling I have about starship is dread.

They want to use that to launch batches of HUNDREDS of Starlinks at once. And guess where all those Starlinks will end up? The pieces that don't make it to the ground will end up in our upper atmosphere, screwing up the stratosphere, the ozone layer, who knows what else because SpaceX isn't required to do any environmental assessments of this.

Shit. Maybe a good time to post this essay I wrote yet again: https://theconversation.com/an-astronomers-lament-satellite-megaconstellations-are-ruining-space-exploration-215653

if you have a github integration that just started crashing, it's because the comment IDs have surpassed signed 32-bit range.

twitter citation