QNAP NAS Zero-Day Vulnerabilities (CERT-EU Security Advisory 2024-115)

On October 29 and 30, 2024, QNAP released patches for two critical zero-day vulnerabilities, CVE-2024-50387 and CVE-2024-50388, affecting NAS devices. These vulnerabilities allow remote attackers to gain root access and execute arbitrary commands on compromised devices.

https://www.cert.europa.eu/publications/security-advisories/2024-115/

🧙‍♀️

e-voting fail including a "hidden" tab in an Excel file.
My bingo card for this year is getting full.

The Colorado Secretary of State’s Office inadvertently posted a spreadsheet to its website with a hidden tab that included voting system passwords.
https://apnews.com/article/colorado-election-voting-system-passwords-0a71d0c1fe85fc9712d895280fd519a2

Smashing the limits: Installing Windows XP in DOSBox-X

A couple of months ago, I tried to install (the unsupported) Windows XP in DOSBox-X. Well, it was not easy.

https://fabulous.systems/posts/2023/07/installing-windows-xp-in-dosbox-x/

#retrocomputing

Special Authority Data Mart created to allow me to see which profiles have special authorities, and to capture the information over time into a file.
💙 #IBMi #rpgpgm #IBMChampion
https://www.rpgpgm.com/2024/10/special-authority-data-mart.html

Put up the slides for my Bluehat 2024 presentation on improvements to OleView.NET https://github.com/tyranid/infosec-presentations/blob/master/Bluehat/2024/DCOM%20Research%20for%20Everyone!.pdf You can also grab v1.15 of OleView.NET from the PS Gallery which has the new features to generate proxy clients on the fly.

Outstanding. I am glad that more folks are picking on what I have been saying for quite some time. Confidential Computing is something we should continue pursuing and developing, but the tech, currently, is not there yet. Excellent work on formalizing a quite important (and hard) aspect of the discussion (remote attestation).

https://bird.makeup/@gabrielkerneis/1851664264895123736

Our security researchers @cod_rse@twitter.com and @inode conducted a security assessment on #Keycloak, identifying significant vulnerabilities impacting this open-source #IAM solution.

Read the full article at https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system

The Vanishing Culture report arrives today at a critical moment: While Internet Archive recovers from a cyberattack, it’s a reminder of how fragile our access to knowledge can be. Preserving culture & history requires resilience—and collective action.

🔗 https://blog.archive.org/2024/10/30/vanishing-culture-a-report-on-our-fragile-cultural-record/

Another Masto Instance going down. But not because moderation or something but because running bigger instances on Mastodon gets really expensive.

I think this is an issue that we need to put more work into: Not just finding better ways to sustainably fund the operation of instances but also the technical means to make running it on smaller hardware easier. This includes mechanisms to maybe push certain data into "archives" as to not have it in the live database/asset store.

(Original title: RIP botsin.space)

https://muffinlabs.com/posts/2024/10/29/10-29-rip-botsin-space/

Annoyed Redditors tanking Google Search results illustrates perils of AI scrapers | Ars Technica
https://alecmuffett.com/article/110533
#ArtificialIntelligence #llm #regulation

Consider: James Bond movie but his gadgets constantly fail and show him ads and he gets caught because the company that made his laser nose-hair trimmer nunchuck gets hacked.