Wrote BASIC on original C64 and BBC Micro and felt the blessing of the Omnissiah wash over me. 😊

Tried to browse webapps on Android and felt like smashing the fucking phone into the sea.🤽

Step aside, devs. The Infosec Wizards are coming.

https://www.theregister.com/2024/08/09/marlinspike/

I very much enjoyed this talk by @thegrugq While there are many issues here worth discussing like systems' perception of the world or why is it not so easy to predict how system will fail, I particularly liked discussion on impact of policy decision.

Too often I have heard arguments how certain technical solution can overcome/solve particular issues and make them "policy-proof". In reality scope of influence available to both state and private actors, makes policy way more important factor determining outcome. You can't out-obfuscate your way out of telemetry available to major tech companies or out-encrypt government level targeted surveillance.

https://www.youtube.com/watch?v=P6PnhDfWvx0

excited to see my janky code being put to good use for jailbreaking flagship smartphones such as the "vtech kidizoom snap touch"

https://bird.makeup/@rdjgr/1818367871086686432

Time-travel Testing of Android Apps

https://mboehme.github.io/paper/ICSE20.TTT.pdf

Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap – BlackHat USA 2024 Whitepaper [PDF]

https://www.nccgroup.com/media/uzbp3ttw/bhus24_sonos_whitepaper.pdf

Interesting paper - A Verification Methodology for the Arm® Confidential Computing Architecture: From a Secure Specification to Safe Implementations https://dl.acm.org/doi/abs/10.1145/3586040

As a Blind person i never thought i would be on social media savoring photos. But the communal Mastodon alt text game is so strong that sweet, poetic or silly descriptions abound on my timeline. Thanks to legions of people who take time to write a meaningful description of the ephemera they post, i learn so much about insects, plants, buildings, memes — all dispatches from a dimension of the world that i otherwise wouldn't experience. If you're wondering whether anybody reads these things: YES.

🧵 Saturday reversing thread: I was going to wait until the full release, but since the beta seems to have become more-public-than-intended, let’s look at how the official “IDA as a library” works in IDA Pro 9.0…

Making RSA faster on Graviton2: https://www.amazon.science/blog/formal-verification-makes-rsa-faster-and-faster-to-deploy

Happy Zero Cool Day

One question regarding #copyright and #DMCA: Can I legally make a video showing cuts of videos from multiple news sources? Like, say, I show some ~5 seconds from a video in CNN, then another one from BBC, then another one from a Chinese outlet, etc...

PS: The music & video will be free. Most likely Public Domain.

#publicdomain

Yeah, all decompilers included. Very good day for the RE "community" :PPPPPPPP

Nice addition to my IDA leak collection :-)))))))))

Tech Analysis: CrowdStrike’s Kernel Access and Security Architecture

https://www.crowdstrike.com/blog/tech-analysis-kernel-access-security-architecture/

Interesting explainer about the architectural design decisions of #CrowdStrike, focusing mainly on the reasons for moving code to the kernel.

I find it curious that they talk about “User-Mode-Only Security Products” in the context of tamper protection: AV’s tend to have kernel components and if my observations at the time were correct they provided protection for user processes even before PPL. I’m not Ionescu enough to know if such protections would work with KPP&co though…

Picard management tip: Empower others to command when you are unfit. You never know when your mind will be taken over by an alien.

It’s been a while since we had a good 512-bit RSA key controlling anything important, and I’m here for it. https://arstechnica.com/security/2024/08/home-energy-system-gives-researcher-control-of-virtual-power-plant

All vendors will keep producing garbage as long they have no long term liability and maintenance obligations to all the garbage they produce. And somehow we want secure products... Rust everything, yeah LOL

Incentives, how do they work?

I bet this guy has quite the LinkedIn profile: Feds arrest a 38 y/o Nashville man who allegedly provided a US network presence for a bunch of fake North Korean IT workers trying to raise money for the DPRK's nuclear weapons program:

"According to court documents, Knoot ran a “laptop farm” at his Nashville residences between approximately July 2022 and August 2023. The victim companies shipped laptops addressed to “Andrew M.” to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers. The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that “Andrew M.” was working from Knoot’s residences in Nashville. For his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di. A court-authorized search of Knoot’s laptop farm was executed in early August 2023."

"The overseas IT workers associated with Knoot’s cell were each paid over $250,000 for their work between approximately July 2022 and August 2023, much of which was falsely reported to the Internal Revenue Service and the Social Security Administration in the name of the actual U.S. person, Andrew M., whose identity was stolen. Knoot and his conspirators’ actions also caused the victim companies more than $500,000 in costs associated with auditing and remediating their devices, systems, and networks. Knoot, Di, and others conspired to commit money laundering by conducting financial transactions to receive payments from the victim companies, transfer those funds to Knoot and to accounts outside of the United States, in an attempt both to promote their unlawful activity and to hide that transferred funds were the proceeds of it. The non-U.S. accounts include accounts associated with North Korean and Chinese actors."

https://www.justice.gov/opa/pr/justice-department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and

"an amazing 325 page google strategy document quietly unsealed buried in google antitrust docket. It's gonna take a long thread but I have pulled out the gems. It's from 2017 planning, no doubt Google will just say these were only ideas but many will look very familiar." #adtech

https://threadreaderapp.com/thread/1821554841786683554.html

Happy birthday @openstreetmap !

You are simply the best, not only for providing a reliable map at home, or for guiding me when #bikepacking 10,000 km from #Belgium to #China, but also for all the fun #mapping, completing and correcting details on the map!

#osm #openstreetmap #opendatabase #commons #digitalpublicgoods #PublicInfrastructure #digitalsovereignty