A drunken debugger

Heretek of Silent Signal

As much as I've been inconvenienced by the Internet Archive being offline this long, I'm proud of them for making up their minds to just keep it down for as long as it takes to make sure everything's fixed and safe before exposing it again. I hope everyone involved is putting in reasonable hours and getting enough sleep.


I joined @durumcrustulum and @tqbf on the Security Cryptography Whatever podcast to talk about our latest blogpost:

https://securitycryptographywhatever.com/2024/10/15/a-little-bit-of-rust-goes-a-long-way/
https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html

Something that Thomas said in the podcast really stood out to me. He said “the blog post undersells it. …. This is a lot more interesting than it looks like on the tin.”

I agree with this. It feels like we discovered a game-changer not just in memory safety, but in security more generally - that doing something very practical results in major security improvements for non-obvious reasons. Focusing on new code is disproportionately effective, exponentially.

Thomas also said “And that observation about the half life of vulnerabilities, if that’s true, says something pretty profound about what the work looks like to shift to a memory safe future.”

Or as Deirdre said: “You can get really big bang for your buck, which is if you have something new, just write it in the Rust or another memory safe language and make it interop with the rest of your project and you will in fact, get really good returns on mitigating your memory safe vulnerabilities, which is the majority of your vulnerabilities, period.”

Agreed. We’re already prioritizing differently based on this data. It was a fun conversation, and we believe that it applies to a lot more than just memory safety.


CISA is looking for feedback on its "Secure by design" initiative draft doc.

https://www.infosecurity-magazine.com/news/cisa-product-security-flaws/


I'm talking at a conference later this year (on UX+AI).

I just saw an ad for the conference with my photo and was like, wait, that doesn't look right.

Is my bra showing in my profile pic and I've never noticed...? That's weird.

I open my original photo.
No bra showing.

I put the two photos side by side and I'm like WTF...

Someone edited my photo to unbutton my blouse and reveal a made-up hint of a bra or something else underneath. 🤨

Immediately, I email the conference host.
(FYI he is a great, respectable guy with 5 kids at home.)

He is super apologetic and immediately looks into the issue.

He quickly reports back that the woman running their social media used a cropped square image from their website.

She needed it to be more vertical, so she used an AI expand image tool to make the photo taller.

AI invented the bottom part of the image (in which it believed that women's shirts should be unbuttoned further, with some tension around the buttons, and revealing a little hint of something underneath). 🤯

FYI the conference organizers were super apologetic and took down all of the content with that photo.

[RSS] Objective-C Update (Binary Ninja)

https://binary.ninja/2024/10/16/objectivec-update.html
[RSS] Effects of classic return address tricks on hardware-assisted return address protection

https://devblogs.microsoft.com/oldnewthing/20241016-00/?p=110378
[RSS] Escaping the Chrome Sandbox Through DevTools

https://ading.dev/blog/posts/chrome_sandbox_escape.html
[RSS] [PoC] SAP Note 3433192 - Code Injection vulnerability in SAP NetWeaver AS Java

https://redrays.io/blog/poc-sap-note-3433192-code-injection-vulnerability-in-sap-netweaver-as-java/
[RSS] CVE-2024-45844: Privilege escalation in F5 BIG-IP

https://offsec.almond.consulting/privilege-escalation-f5-CVE-2024-45844.html

How often do you get a 75x speedup on a real workload in a compiler? Not often!

Here's the story of one in SpiderMonkey: https://spidermonkey.dev/blog/2024/10/16/75x-faster-optimizing-the-ion-compiler-backend.html


Fuck Microsoft and Fuck Nadella.

As expected, the 24H2 update installed 'Recall', it can't be uninstalled.

To disable the Microsoft spyware, run this as admin:

C:\Windows\System32>Dism /Online /Disable-Feature /Featurename:Recall

Can't vouch that all the people you share your screen, code, IP, private details with will disable theirs. Consider NOT sharing anything ever again.


Sandbox escape from extensions due to insufficient checks in chrome.devtools.inspectedWindow.reload and chrome://policy (reward: $20000) http://crbug.com/338248595


I'm amazed that there has been zero coverage of this:

EU's new Product Liability Directive got voted through last Thursday.

No later than two years from now, software, stand-alone, cloud or embedded, is subject to "no-fault liability" (ie: doesn't matter how or why, only that it is defective.)

Here's the directive:

https://data.consilium.europa.eu/doc/document/PE-7-2024-INIT/en/pdf

Gentlemen, start your panic…

PS: Yes, there is a FOSS exemption, but only "outside commercial activity". (Ie: The guy in Nebraska but not RedHat)


Breaking News: The threat actor known as "USDoD" (aka "EquationCorp" and other monikers) has been arrested by Brazilian Federal Police. USDoD is probably best known for his attacks on , Airbus, and his role in the recent National Public Data breach.

Media coverage indicates he was arrested this morning: https://g1.globo.com/politica/noticia/2024/10/16/pf-prende-hacker-de-33-anos-suspeito-de-invadir-sistemas-e-vazar-dados-de-policiais.ghtml

@brett @campuscodi


Aris Adamantiadis verified💲Paid

So, how true is it?


Proud to start sharing Google's strategy for tackling our remaining memory safety challenges: https://security.googleblog.com/2024/10/safer-with-google-advancing-memory.html

It's high level, but it outlines the long-term strategy. We'll be sharing more detailed posts in this series.


Google Chrome security advisory: Stable Channel Update for Desktop
New Google Chrome version 130.0.6723.58/.59 for Windows, Mac and 130.0.6723.58 for Linux has 17 security fixes, 13 externally reported. No mention of exploitation, and nothing sticks out.
