"I'm interested in all kinds of astronomy."

Now that browsers are *upgrading* some mixed content (instead of loading it insecurely), I wrote a tiny article with what I believe is sane and updated advice for the web of 2024. https://frederikbraun.de/mixed-content.html


Kaspersky: XZ backdoor: Hook analysis
Do you remember the XZ Utils incident? 29 March 2024 was a long time ago. The XZ Utils backdoor was discovered through miraculous troubleshooting by a PostgreSQL Developer (@AndresFreundTec) who noticed that SSH was taking 500ms longer in liblzma. He reported to OSS-Security that the XZ Utils data compression library (used in major Linux distros) and its tarballs have been backdoored, and would lead to ssh server compromise.

Kaspersky previously provided the initial analysis of the XZ Utils backdoor, and then covered the threat actor Jia Tan’s social engineering tactics. This is a detailed analysis focusing on the backdoor’s behavior inside OpenSSH portable version 9.7p1. These are their key findings:

  • The attacker set an anti-replay feature to avoid possible capture or hijacking of the backdoor communication.
  • The backdoor author used a custom steganography technique in the x86 code to hide the public key, a very clever technique to hide the public key.
  • The backdoor hides its logs of unauthorized connections to the SSH server by hooking the logging function.
  • The backdoor hooks the password authentication function to allow the attacker to use any username/password to log into the infected server without any further checks. It also does the same for public key authentication.
  • It has remote code execution capabilities that allow the attacker to execute any system command on the infected server.


Introducing Decree by @trailofbits: A new tool that helps devs define, enforce, and understand their Fiat-Shamir transcripts. Check it out!
https://buff.ly/3KUnALC


When building an x86 lifter, the first 1000 instructions are the hardest. After that all that's left is another 1000 or so SSE instructions.


🧵 In 2020, I nearly died from mysterious industrial chemical exposure at my apartment. Later, in 2023, I discovered my employer was dumping toxic waste into the apartment windows from their Skunkworks semiconductor fab next-door. I tipped off the US EPA, who sent their env cops to raid Apple's plant in Aug of 2023. The US EPA finally released the report of their enforcement inspections & sent me a copy on Friday. 💀 ⬇️


I have just discovered that a function's comment added to a well-known MSVC runtime function added by IDA's Lumina Server was generated using an AI tool for IDA.

Please don't. I fucking hate it.

BTW: The code for the function that the LLM model is trying to explain *is hallucinated* and does not even correspond to the real function.


fun fact: the landing zone on a hard disk platter has a special surface texture that reduces stiction. the rest of the surface is so smooth the head would get stuck if it landed on it.


Goodbye Lynn.


Attack & Defense (Old Account)

As of today, Firefox Nightly ships with "HTTPS First". So, all new tabs, all links will try HTTPS🔒 regardless of the written URL scheme. When HTTPS fails, Firefox will fall back to using http.

This is thanks to the tireless work of our intern @mjurgens 👏👏👏.


Random objects: Intel Edison, or a look at the misadventures of x86 in the IoT space - https://lcamtuf.substack.com/p/random-objects-intel-edison


If you are still doing this to your customers, you're not understanding what has happened in the world of technology since 2004 and you are part of the problem.


Urvile, of Legion of Doom, discusses dumpster diving at the Bellsouth phone company on NBC Dateline in 1992.


The wonderful world of and ! https://tech.lgbt/@nina_kali_nina/112659983582469484 where Nina asks a question, I answer with a partial solution based on a little project by @vadim which is missing a specific feature. Vadim sits down, codes that missing feature, commits it, I pull his updates, build a new container and now we all have an even better way to turn Mastodon threads into copy/pasteable .

https://mtr.wildeboer.net

That all happened in less than 5 hours!


Thom, 𓇋𓏏𓈖𓇳𓅜𓐍𓈖

And here's my occasional Fedi outreach about my dream retrocomputer - does anyone have a Sun Ultra 45 they are willing to part with? I'm just a sad, pathetic person living in Arctic Sweden who has been trying for more than two decades (!!) to get his hands on one.

Boosts are definitely love.


Frankly, I'm appalled by the prospect of LLMs taking offensive security research jobs from honest, hard-working fuzzers


Rairii (bootloader unlocked, MSR_LE set)

so with the recent news i’ll ask again

does anybody have a uefi firmware image that includes kaspersky antivirus for uefi?


“For this you keep a lab notebook. Everything gets written down, formally, so that you know at all times where you are, where you've been, where you're going and where you want to get. In scientific work and electronics technology this is necessary because otherwise the problems get so complex you get lost in them and confused and forget what you know and what you don't know and have to give up.”

- Robert Pirsig, Zen and the Art of Motorcycle Maintenance


Lorenzo Franceschi-Bicchierai

NEW: The U.S. government has sanctioned 12 executives and senior leaders of Russian cybersecurity giant Kaspersky.

Notably, Eugene Kaspersky and the company itself are not on the sanctions list.

These sanctions come a day after the U.S. government banned the sale of Kaspersky software in the United States.

https://techcrunch.com/2024/06/21/u-s-government-sanctions-kaspersky-executives/
