https://ioc.exchange/@matthew_d_green/112597849837858606

matts thread here is an important one

Tiny Awards https://lobste.rs/s/urihyy #web
https://tinyawards.net/

I’ve said before and saying again. This is a common problem in vendors - the lack of understandings of the importance/value of new attack vector discovery research.

https://x.com/l33d0hyun/status/1800299745623367867

https://bird.makeup/@l33d0hyun/1800299745623367867

it has been nearly three months since the last valid #hackerone report against #curl

Just saying.

I bet you can't find anything to report.

🤠

Hacker Template

https://patchfriday.com/64/

Did anyone realize that #MicrosoftEdge already had a #recall feature? 👀

good morning!
my talk from securityfest has been published!

if you have ~35 minutes and want to learn some stuff about adversarial defenses, have a peek!
https://www.youtube.com/watch?v=ShSR0c81h5U&ab_channel=SecurityFest

Google asks every app to have a Privacy Policy to be accepted in the Play Store. So, xScreenSaver had to write a privacy policy.

Here you go:

https://www.jwz.org/xscreensaver/google.html

NEW, by me: Mandiant says cybercriminals stole a "significant volume of data" from Snowflake customers.

Mandiant and Snowflake say they've notified 165 affected customers so far that their cloud-stored data may have been stolen.

Mandiant said the threat campaign was "ongoing," suggesting more victims to come.

More: https://techcrunch.com/2024/06/10/mandiant-hackers-snowflake-stole-significant-volume-data-customers/

A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates.

https://www.bleepingcomputer.com/news/security/exploit-for-critical-veeam-auth-bypass-available-patch-now/

Uncovering a Critical Vulnerability in Authentik's PKCE Implementation (CVE-2023-48228) | Offensity https://www.offensity.com/en/blog/uncovering-a-critical-vulnerability-in-authentiks-pkce-implementation-cve-2023-48228/

If you want to protect your IT #infrastructure against #MITM attacks where an attacker bypasses domain verification to obtain valid certificates, you may want to use #CAA and #accountURI binding, which is easy to set up. https://www.pentagrid.ch/en/blog/domain-verification-bypass-prevention-caa-accounturi/ #hardening

On a random note, mink (rewrite in Rust) is open-source

note: it’s what’s used for cross trust domain boundaries communication on the AP, but (AP <->) Hexagon uses a completely separate IDL (compiled w/ QAIC)

https://github.com/quic/mink-idl-compiler

AFL++ v4.21 release! Fixed a regression (+5%), better seed selection (+1%), many minor fixes, LLVM 19 support https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.21c #afl #fuzz #fuzzing #fuzzer #fuzzing-tools

87-year-old writes to Financial Times. This is a real technological problem also for people with disabilities. Including me. Banking systems (and others) may make people's life miserable. And you know what? In case of an issue, I couldn't even make a phone call (when mandatory).

Live now! Doing some Linux virtual memory manager experiments by using processes instead of threads! Maybe a custom allocator too! https://stream.bfa.lk/ . Also live on Twitch and YouTube :3

"Your personal information is very important to us."

Crowdsourcing snark! Dear Lazyweb,

Bbefore they will let me publish a new release of XScreenSaver on the "Play" [sic] store, Google, the most rapacious privacy violator on the planet, is insisting...
https://jwz.org/b/ykUc

Could not agree more.

Microsoft makes Recall feature off-by-default after security and privacy backlash

Windows Hello authentication, additional encryption being added to protect data.

https://arstechnica.com/gadgets/2024/06/microsoft-makes-recall-feature-off-by-default-after-security-and-privacy-backlash/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

periodic reminder: you cannot "pass" a security audit. anybody selling you a passable security audit is selling you a lie, and anybody selling you a product that has "passed' an audit is lying to you.

a security audit can uncover bugs, or not uncover bugs, and can (in the words of the recipient) demonstrate positive or negative qualities about the codebase. but it cannot be "passed" or otherwise *endorse* the product or program itself.