Russia issued a monetary fine on Google: 2 undecillion rubles ($2,500,000,000,000,000,000,000,000,000,000,000) after refusing to restore the accounts of pro-Kremlin and state-run media outlets. https://www.themoscowtimes.com/2024/10/29/russia-fines-google-25-decillion-over-youtube-bans-rbc-a86846

Congratulations to our @MaitaiThe for discovering a new kickoff method to resurrect a universal gadget chain for exploiting unsafe deserialization in #ruby!

You can find the details here: https://github.com/GitHubSecurityLab/ruby-unsafe-deserialization/commit/8c66d0e31d000bb07ac5a50c575cf0ffec510bba
#doyensec #appsec #security

Somehow I missed it, but I just noticed that Chrome finally caught up with Edge to have a option to disable JIT.
If you care about security, which I suspect a good number of you do, you probably want to make this change in your settings.
https://www.cdbackslash.com/?p=221

We Patched CVE-2024-38030, Found Another Windows Themes Spoofing Vulnerability (0day) https://blog.0patch.com/2024/10/we-patched-cve-2024-38030-found-another.html

@pspaul just released a great writeup of the pacparser bug we found a few years back. The Zscaler VPN client, running as root, would inject the destination hostname in a JavaScript snippet and execute it with a very old version of SpiderMonkey. Paul transformed it in a CTF challenge for hack.lu and found the perfect vm bug to get RCE

https://blog.pspaul.de/posts/ancient-monkey-pwning-a-17-year-old-version-of-spidermonkey/

The removal of Russian linux maintainers working for sanctioned companies is a prime example of how one creates collective trauma by not being careful on how to convey the message proper.

The messaging were terrible, yes, a lot of people understood immediately why it happened, no, you can't look at it rationally and say "people will know". Your own collective trauma stood in the way.

Some people lost trust, others feel deeply betrayed, not due to the step itself, but by the way it was done.

Microsoft On the Issues: Google’s Shadow Campaigns
In a pot calling the kettle black moment, Microsoft is accusing Google of antitrust practices such as creating an astroturf lobbying organization. Since the author is a Corporate Vice President (CVP), Deputy General Counsel at Microsoft, there's some weight behind such an accusation on Microsoft's public blog. As a consumer with no skin in the game, this is a grab-the-popcorn moment. Let them fight.

#microsoft #google #monopoly #antitrust #lobbying

Serious question. Can anyone tell me how we are safer / better for the cookie warning clicking I have to do on the internet? Advertisers still own your browsing habits and the world expends a collective bazillion hours a week on a needless friction.

Give Me the Green Light Part 1: Hacking Traffic Control Systems https://www.redthreatsec.com/blog/greenlightspart1

Thirteen years ago I found "a bad babe" in Windows

https://daniel.haxx.se/blog/2011/10/28/whos-0xabadbabe-and-why/

In our new blogpost we guide you through the process of improving the tools available for #pentesting WCF services over the net.tcp binding:

https://blog.silentsignal.eu/2024/10/28/wcf-net.tcp-pentest/

We created a brand new #kaitaistruct based parser and implemented transformations so messages can be manipulated and replayed with #BurpSuite.

are YOU making a website with INFORMATION?

it needs a date. if its not just a list of links... it needs A DATE.

yes your blog, youre recipe edit etc NEEDS A DATE..

please, can we get this right

I had to deal with a freshly unboxed Android phone, and the flipping *clock* app, that was installed by default, came with a privacy policy.

I discovered this because the clock started crying that it couldn't work properly without Google Play Services.

I don't care what the privacy policy was for. I am tired. A clock app does not need to be in a position to have any privacy policy more involved than "we collect and report no data".

The clock is now disabled.

I am so tired of this.

Don't mention explodey stuff near TSA. Noted ✅