good morning!
my talk from securityfest has been published!

if you have ~35 minutes and want to learn some stuff about adversarial defenses, have a peek!
https://www.youtube.com/watch?v=ShSR0c81h5U&ab_channel=SecurityFest

Google asks every app to have a Privacy Policy to be accepted in the Play Store. So, xScreenSaver had to write a privacy policy.

Here you go:

https://www.jwz.org/xscreensaver/google.html

NEW, by me: Mandiant says cybercriminals stole a "significant volume of data" from Snowflake customers.

Mandiant and Snowflake say they've notified 165 affected customers so far that their cloud-stored data may have been stolen.

Mandiant said the threat campaign was "ongoing," suggesting more victims to come.

More: https://techcrunch.com/2024/06/10/mandiant-hackers-snowflake-stole-significant-volume-data-customers/

A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates.

https://www.bleepingcomputer.com/news/security/exploit-for-critical-veeam-auth-bypass-available-patch-now/

Uncovering a Critical Vulnerability in Authentik's PKCE Implementation (CVE-2023-48228) | Offensity https://www.offensity.com/en/blog/uncovering-a-critical-vulnerability-in-authentiks-pkce-implementation-cve-2023-48228/

If you want to protect your IT #infrastructure against #MITM attacks where an attacker bypasses domain verification to obtain valid certificates, you may want to use #CAA and #accountURI binding, which is easy to set up. https://www.pentagrid.ch/en/blog/domain-verification-bypass-prevention-caa-accounturi/ #hardening

On a random note, mink (rewrite in Rust) is open-source

note: it’s what’s used for cross trust domain boundaries communication on the AP, but (AP <->) Hexagon uses a completely separate IDL (compiled w/ QAIC)

https://github.com/quic/mink-idl-compiler

Unfortunately I couldn't find these guys on my ballot for #EU elections :(

https://www.youtube.com/watch?v=tXTBsAzvvsE

#punk

AFL++ v4.21 release! Fixed a regression (+5%), better seed selection (+1%), many minor fixes, LLVM 19 support https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.21c #afl #fuzz #fuzzing #fuzzer #fuzzing-tools

87-year-old writes to Financial Times. This is a real technological problem also for people with disabilities. Including me. Banking systems (and others) may make people's life miserable. And you know what? In case of an issue, I couldn't even make a phone call (when mandatory).

"Like, people are out there just raw dogging source code from random other open source developers, with their local environment running tokens that give
them access to everything they could possibly need from their Google account.

[...]

Jia Tan might have been a best case scenario for this community."

https://lists.aitelfoundation.org/archives/list/dailydave@lists.aitelfoundation.org/thread/P3R4OIKL7YGMJZIUCZJEZMQI425YTFDV/

Live now! Doing some Linux virtual memory manager experiments by using processes instead of threads! Maybe a custom allocator too! https://stream.bfa.lk/ . Also live on Twitch and YouTube :3

Absolutely delightful to see the Run Your Own Mail Server book going through the roof:

https://www.kickstarter.com/projects/mwlucas/run-your-own-mail-server/

"Your personal information is very important to us."

Crowdsourcing snark! Dear Lazyweb,

Bbefore they will let me publish a new release of XScreenSaver on the "Play" [sic] store, Google, the most rapacious privacy violator on the planet, is insisting...
https://jwz.org/b/ykUc

[RSS] Make Your Code Slower With Multithreading

https://hackaday.com/2024/06/07/make-your-code-slower-with-multithreading/

Could not agree more.

I updated the #Ghidra documentation I host to version 11.1:

https://scrapco.de/ghidra_docs/javadoc/ghidra/framework/model/DomainObjectListenerBuilder.html

I really have to automate this process somehow, but there are some manual tasks that don't spark joy: https://infosec.place/notice/AhUQCYKkTCUwXv4ReK

#Ghidra 11.1 is released, change history:

https://htmlpreview.github.io/?https://github.com/NationalSecurityAgency/ghidra/blob/Ghidra_11.1_build/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.html

great deck from @mdowd on the exploit market from bluehat last year
https://github.com/mdowd79/presentations/blob/main/bluehat2023-mdowd-final.pdf