the https://32bit.cafe team (@yequari, @flamed, jay, & @cooperationiskey) did a group interview for the FROM THE SUPERHIGHWAY newsletter! so so so cool to feel seen with what we're doing and be able to answer thoughtful questions about the #indieweb and hobby web development :)
read the issue here:
https://fromthesuperhighway.com/issues/issue02
#personalweb #smallweb #web #internet #smolweb #personalwebsites #personalsites #html #css #webdev
"Inside the U.S. Government-Bought Tool That Can Track Phones at Abortion Clinics"
An excellent @404mediaco investigation into "Locate X", a tracking tool that uses ad-tracking tech -- specifically, "mobile advertising identifiers" -- to follow people around
https://www.404media.co/email/f4992514-a605-4579-9a75-3d0707758e03/
Today I learned that GNU tar does network connections if you say "foo:bar", it tries to resolve "foo". FFS, wasn't the Unix philosophy to do one thing and do it well? Luckily there's a "--force-local" option to GNU tar to avoid it doing remote connections.
Sorry if you're in trouble now, either reviewing your tar calls in your application and whether they can take user input as filename -- or if this was part of your exfiltration or attack on a system.
VR News To Your Inbox Every Thursday 📰 EC 44 out now ‼️
@reodus_ gives you a virtual memory refresher
SELinux bypasses from @klecko0
@zeroclicksh VirtualBox Escape write-up
A binder bug analysis from @maherazz2
+ jobs and more 👇
Glad this is finally live: https://security.apple.com/documentation/private-cloud-compute
Getting started with the Virtual Research Environment: https://security.apple.com/documentation/private-cloud-compute/virtualresearchenvironment
"The PCC Virtual Research Environment (VRE) requires a Mac with Apple silicon with at least 16GB of unified memory and the latest macOS 15.1 Developer Preview. For optimal VRE performance, we recommend using a Mac with at least 24GB of unified memory."
Y’all know that CNN has a text-only web interface, right?
If you want to experience how GODDAMN FAST the web can be without the tens of megabytes of adware tracking cruft and hundreds of npm dependencies, try this out:
That brings Day 3 of #Pwn2Own Ireland to a close. We awarded $118,750 today, bringing the total to $993,625. With four more attempts tomorrow, $1 million is right there for the taking. Viettel Cyber Security (@vcslab) maintains their Master of Pwn lead and looks unstoppable.
People keep asking me why we wrote a new clean-slate RTOS for #CHERIoT. The short answer is that CHERIoT is a hardware-software co-design project and retrofitting ground-up co-design is hard. The longer answer is in this post
Unfortunately, ExLuck (@ExLuck99) of ANHTUD was unable to complete his SOHO Smashup in the time allotted. He was able to get into the Synology router but couldn't successfully pivot to the Canon printer.
There's only a week or so left on the RE//verse submissions! If you're interested in speaking at the inaugural event, make sure to get your submission in ASAP! Submissions will be closing some time after Nov 1.
Hello, I am planning to go to CCC this year. The only thing missing are the tickets. I would really appreciate it if you could help me and my wife get tickets. Thank you!
I presented about file format identifiers at HackLu:
https://youtu.be/PBbld8xB2Bo
CVE-2024-8260: SMB Force-Authentication Vulnerability in OPA Could Lead to Credential Leakage https://www.tenable.com/blog/cve-2024-8260-smb-force-authentication-vulnerability-in-opa-could-lead-to-credential-leakage
MS Streaming Service Privilege Escalation PoC https://github.com/Dor00tkit/CVE-2024-30090
PoC for the Untrusted Pointer Dereference in the ks.sys driver https://github.com/varwara/CVE-2024-35250
Analysis of CVE-2024-8698 in KeyCloak https://huydoppa.hashnode.dev/analyst-cve-2024-8698-keycloak-with-zero-knowledge-about-keycloak
Confirmed! In the penultimate attempt of Day 2, @daankeuper, @xnyhps, and @notkmhn from @sector7_nl combined 4 bugs, including a command injection and a path traversal, to go from the QNAP QHora-322 to the TrueNAS Mini X. They earn $25,000 and 10 Master of Pwn points. #Pwn2Own