Enjoy this month’s nasty VMWare vulns, including a CVSS 9.8 potential RCE: https://www.theregister.com/2024/06/18/vmware_criticial_vcenter_flaws/

Direct advisory link: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453

#ThreatIntel #CVE_2024_37079 #CVE_2024_37080 #CVE_2024_37081

somebody asked how people who have historically been anti-copyright could be against AI content theft, so let me give this a shot:

Information wants to be free to enrich human knowledge. It does not want to be free to make human knowledge worse to enrich the pockets of assholes

Our tl;dr from @RealWorldCrypto
https://buff.ly/4c3J70h

FYI, there is a bug in systemd. So, running: "systemd-tmpfiles --purge" will delete your /home/ in systemd version 256. #linux

Source: https://mathstodon.xyz/@bremner/112615591101488528 and https://x.com/DevuanOrg/status/1802997574695080067

This is a keynote that I quite enjoy and highly recommend. https://mastodon.social/@joxean/112631528543638454

Newly disclosed (and dismissed) #curl vulnerability reports

"HTTP headers eat all memory:"
https://hackerone.com/reports/2552192

"Incorrect conversion in hostname"
https://hackerone.com/reports/2552179

"Unicode-to-ASCII conversion in cmdlines on Windows lead to argument injection"
https://hackerone.com/reports/2550951

Transparency baby.

The new Intel Skymont architecture details, as presented brilliantly by Chips & Cheese¹ (strongly recommended) have a very "inspiring" paragraph:

"Skymont duplicates microcode for the most common complex instructions across all three clusters, letting them handle those instructions without blocking each other. Intel gave gather instructions as an example, which can load from multiple non-contiguous memory locations."

Intel is calling this nanocode, I am calling this a new playground...

__
¹ https://chipsandcheese.com/2024/06/15/intel-details-skymont/

You open up a Commodore 64, and the box says "welcome to the world of friendly computing."

You turn on a modern PC, and it immediately threatens your data unless you agree to save your data to *their* cloud service.

That right there is why we talk about vintage computers. Folks need to be reminded of what's possible.

#Commodore64 #VintageComputing

Cook’s “How complex systems fail” is the most personally impactful paper I have ever read, and yet I’m convinced that it would never have been accepted for publication in a peer-reviewed journal.

https://www.adaptivecapacitylabs.com/HowComplexSystemsFail.pdf

📢 Next week is #TROOPERS24 week! We will celebrate 15 years of making the world a safer place and are looking forward to all of you. See you in #Heidelberg. 🥳

A few years ago, a kid mourning his dad handed me over 300 DVDs his dad had made of local bands in his London Suburb in the 2010s before passing on. He didn't know what do with them. I did. All of them are up at Internet Archive, hundreds of hours of cover bands playing in a bar, and now, thanks to a volunteer, Ducky, we have them all with dates and descriptions, where known. Enjoy.

https://archive.org/details/hamiltonpubperformances

Our Program Analysis for Vulnerability Research class is filling up, if you were planning on attending Recon in a few weeks and were hoping to grab one of the last seats, you move quickly!

https://recon.cx/2024/trainingprogramanalysisforvulnerabilityresearch.html

Fuzzing can do more than find memory corruption vulnerabilities. With the right invariants, it can catch runtime errors and logical issues, as demonstrated by our custom testing harness for Fuel Labs. https://blog.trailofbits.com/2024/06/17/finding-mispriced-opcodes-with-fuzzing/

ASUS Releases Firmware Update for Critical Remote Authentication Bypass Affecting Seven Routers https://mobile.slashdot.org/story/24/06/17/0237229/asus-releases-firmware-update-for-critical-remote-authentication-bypass-affecting-seven-routers?utm_source=rss1.0mainlinkanon

https://streetartutopia.com/2024/06/17/yarn-bombing-guerrilla-crochet-a-collection/

IBM vs LzLabs. On reverse engineering zOS / mainframe software and big corpo lawsuits https://mainframeupdate.blogspot.com/2024/06/ibm-versus-lzlabs.html

Abusing title reporting and tmux integration in iTerm2 for code execution (CVE-2024-38396) https://vin01.github.io/piptagole/escape-sequences/iterm2/rce/2024/06/16/iterm2-rce-window-title-tmux-integration.html

The year is 2030.

Computers boot directly into the browser. IDEs are just a web app now, running in the GPU. No one knows why. Or how.

All programs run in 4 nested containers on top of a hypervisor abstracting over the 5 major computational clouds. The last time a branch was predicted correctly, in any CPU anywhere, was 4 years ago.

Cloud costs are withdrawn directly from your retirement fund.

Ext7 just came out, it's written in Javascript and uses AI to guess what the file may contain.

I've done it! After literal months of work, I've finally finished my (rather long) blog post about how AES-GCM works and how it's security guarantees can be completely broken when a nonce is reused:

https://frereit.de/aes_gcm/

It includes more than 10 interactive widgets for you to try out AES-GCM, GHASH and the nonce reuse attack right in your browser! (Powered by #RustLang and #WASM )

If you're interested in #cryptography , #math (or #maths ) or #infosec you might find it interesting.

If you do read it, I'm all ears for feedback and criticism!

Just published age v1.2.0 ✨

Minor release:

• binaries built with Go 1.22.4
• plugin client API
• CLI edge case fixes
• RecipientWithLabels to make auth'd or post-quantum recipients

Very happy about the last point, it was the last hardcoded thing about scrypt recipients.

https://github.com/FiloSottile/age/releases/tag/v1.2.0