A drunken debugger

Heretek of Silent Signal

The rise of Mastodon has made me so much more aware of government services requiring us to use private companies’ systems to communicate with them and access services.

Sitting on a Dutch train just now I was shown on a screen “feeling unsafe in the train? Contact us via WhatsApp”.

What if I don’t use WhatsApp? (I do, but I wish I didn’t have to) I’m forced to share my data with Meta to use it.

Public systems should not require use of private services.


While trying to properly document Meta's use of public content for LLM training, I discovered they have a new "Privacy Center" that is not plaintext by any means. What's more, the "printable version" does not appear to contain the information related to using your public posts for training data.

Direct link: https://privacycenter.instagram.com/guide/generative-ai/


Good Retry, Bad Retry: an incident story. How exponential backoff isn't enough.

https://medium.com/yandex/good-retry-bad-retry-an-incident-story-648072d3cee6

Archive link: https://archive.ph/H3dIq


Wrote about representation of control flow and exceptions in the CFGs in my function-graph-overview extension.

https://tamir.dev/posts/cfg-visualization-legend/


OK, so I have 'prepped' the Seat61 Budapest<>Belgrade page for the launch of direct 200km/h Subotica-Belgrade SOKO trains on 24 November, https://seat61.com/trains-and-routes/budapest-to-belgrade-by-train.htm
Anyone happen to know the planned timetable?

bash insanity

So you enabled `set -e` cause you thought it will catch failures of intermediate commands that you don't check the result of?

That it's kinda like exceptions or replacing all newlines with an implicit &&?

WRONG

Try this and see how many times it prints "hi"

set -e
foo() {
    false
    echo "hi"
}

foo || echo "foo failed"
echo "survived 1"
foo
echo "survived 2"


Here are the slides from my BSides Canberra Keynote @bsidescbr

The Exploit Development Lifecycle: From Concept To Compromise https://drive.google.com/file/d/1jHnVdjAcPGkuVPiakZBAOTp8uzMej6LY/view

[RSS] Exploiting Visual Studio via dump files - CVE-2024-30052

https://ynwarcs.github.io/exploiting-vs-dump-files

China successfully compromised for months the infrastructure used to do wiretaps on the AT&T and Verizon networks.

This is a huge "told you so" moment for the cryptographic community that has been saying that such infrastructure does present a huge risk to national security. China reportedly used this capability for intelligence collection, obviously without a warrant ...

https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b?st=C5ywbp&reflink=desktopwebshare_permalink


🆕 New blog post! "The PrintNightmare is not Over Yet"

ℹ️ In this article, I take a look back at a previous post I wrote earlier this year about PrintNightmare. It turns out the Point and Print configuration I recommended at the end is still prone to Man-in-the-Middle attacks. So, I discuss that here, as well as additional mitigation I considered.

Props to @parzel and @l4x4 who both reported this issue to me.

👉 https://itm4n.github.io/printnightmare-not-over/


A mathematician uses first person plural in proofs to suggest to the reader that they are on a journey together. This is not dissimilar to Virgil guiding Dante through the Inferno.

[oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so

https://www.openwall.com/lists/oss-security/2024/10/04/2

mitmproxy 11 is out! We now fully support HTTP/3, including transparent mode. 🥳

Gaurav - my Google Summer of Code student - has all the details: https://mitmproxy.org/posts/releases/mitmproxy-11/. Awesome to have such a fantastic mitmproxy community. ☺️

Security Explorations - SIM / USIM cards

https://security-explorations.com/sim-usim-cards.html

"On this web page, we are to share some information based on the experiences gained in the SIM / USIM card security space, all in a hope this leads to the increase of public awareness on the topic, change perspective on the SIM / USIM card industry and potentially trigger some positive changes (such as introduce transparency in vulnerability handling processes in particular)."

Many congratulations to ESET researcher Marc-Etienne M.Léveillé (@marcetienne), winner of the 2024 Péter Szőr Award for Technical Security Research for his research "Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain"! https://www.virusbulletin.com/conference/peter-szor-award/

Somebody should tell C-levels in tech that there are ways other than advertising to make money

Just a few more days left to sign up for our Online GMT Novice to Ninja training! Join us on our path through disassembly, lifting, and decompilation to learn how small patterns can add up to a larger understanding: https://shop.binary.ninja/products/n2n-oct-2024


"Mozilla is going to be more active in digital advertising."

"we do this fully acknowledging our expanded focus on online advertising won’t be embraced by everyone in our community" - https://blog.mozilla.org/en/mozilla/improving-online-advertising/

I appreciate Mozilla laying their intent out explicitly with no room for interpretation or guesswork.

Personally, I think this is not just a huge misstep, but a death knell.


Mozilla's CEO doubles down on them being an advertising company now.

tl;dr: "LOL get fucked"

They've decided who their customers are, and it's not you, it's people who build and invest in surveillance advertising networks. But in a "respectful" way....
https://jwz.org/b/ykaO
