wow, check out this time lapse from last night's solar storm 😍

🤖 GSM-Symbolic: Understanding the Limitations of Mathematical Reasoning in Large Language Models

"Recent advancements in Large Language Models (LLMs) have sparked interest in their formal reasoning capabilities, particularly in mathematics. The GSM8K benchmark is widely used to assess the mathematical reasoning of models on grade-school-level questions. While the performance of LLMs on GSM8K has significantly improved in recent years, i…"

https://machinelearning.apple.com/research/gsm-symbolic

Two relatives of mine got scammed/phished recently. Nothing serious happened fortunately. Some interesting observations:

- People see URL's as opaque blocks. They have 0 clue where they point to since they have 0 clue about how to read them.
- "Check the domain" doesn't help (even assuming the knowledge of what part of an URL string is a domain) if you have no information about what domains are "normal" (whatever that means).
- Regular people don't see giving out CC's or other sensitive information as a critical task. One of the victims told me they gave out their CC while doing two other things - I'd drop everything to focus such a task, while for them it's just another boring physical copy-paste.

Based on this most of our awareness advise is shit.

#phishing #scam

This is ...I don't know, but a little bit funny. Fortinet is DIGGING DEEP into some Ivanti exploited vulnerabilities.

if only they could dig equally deep into their own shit.

https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa

#Fortinet #Ivanti #Vulnerabilities

We can't stop here...this is Dependency Hell!

#ghidra #java

Latest update on the DDOS attack from @brewsterkahle (Oct 11 @ 10:22am PT):

"The data is safe.

Services are offline as we examine and strengthen them. Sorry, but needed. @internetarchive staff is working hard.

Estimated Timeline: days, not weeks.

Thank you for the offers of pizza (we are set)."

We wrote a thing https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/

Another Ghidra build script bug yaay...

I wonder how much did Eclipse contribute to the bad reputation of Java...

Very kind for 0-day to hit right at the start of a workday TBH
https://blog.mozilla.org/security/2024/10/11/behind-the-scenes-fixing-an-in-the-wild-firefox-exploit/
Light on details, but there's some.

[RSS] Aw, Sugar. Critical Vulnerabilities in SugarWOD

https://www.n00py.io/2024/10/critical-vulnerabilities-in-sugarwod/

[RSS] Marriott agrees to pay $52 million settlement, improve data security practices

https://cyberscoop.com/marriott-starwood-breach-ftc-settlement-data-security/

Here's a story about a Hungarian guy who hacked Marriott ~15 years ago: https://www.securityweek.com/hungarian-man-pleads-guilty-hacking-marriott-systems-demanding-job-it-dept/ I know this guy learned some hard lessons, Marriott apparently didn't...

[RSS] Russian cyber firm Dr.Web denies data leak by pro-Ukraine hackers

https://therecord.media/russian-antivirus-company-drweb-denies-data-leak

HyperDbg v0.10.2 is released!

This release comes with lots of bugfixes and improved stability, check it out here:
https://github.com/HyperDbg/HyperDbg/releases/tag/v0.10.2

Re: traffic lights hacking

We have a childrens book series, where the pets of the protagonist children often do reckless and outright dangerous magic, like changing traffic lights and being fascinated by all the hard breaks and horns. There is no explanation why such thing would be irresponsible and any "punishment" is very mild (and usually also self-imposed).

I think this book should not be read to/by children without a responsible adult explaining why the cute characters are actually dangerous psychopaths.

The writing is also objectively bad.

How can I responsibly get rid of these books (I don't want to destroy them)?

#Book #Bookstodon

If anyone ever needs an example of costs & time saved by "shifting left" (doing the security work & testing earlier, ideally from the the very start):

"Dutch authorities will have to replace tens of thousands of insecure road traffic lights...after a security researcher found a vulnerability that could allow threat actors to change traffic lights on demand"

https://news.risky.biz/risky-biz-news-dutch-government-to-manually-replace-tens-of-thousands-of-hackable-traffic-lights/

Via @campuscodi / @riskybiz

#InfoSec #Security

38C3 Call for Participation
https://events.ccc.de/2024/10/10/38c3-cfp/

(CVE-2024-9680)[1923344][animation]UAF in Animation timelines -> ACE in the content process(exploited ITW), fixed in Firefox 131.0.2, Firefox ESR 128.3.1 & Firefox ESR 115.16.1
https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680
https://hg.mozilla.org/mozilla-central/rev/0ee07613d0506da465539cfaff1826cdc8bf0384