"I'm interested in all kinds of astronomy."
[RSS] Pluralistic: Canada's ground-breaking, hamstrung repair and interop laws (15 Nov 2024)

https://pluralistic.net/2024/11/15/radical-extremists/#sex-pest

Boost this toot if you're planning on sticking around Mastodon whether or not it's more popular than Bluesky.

If only Sun Microsystems had purchased Apple when it had the chance, we could have had this magnificent device
https://alecmuffett.com/article/110670

Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 - watchTowr Labs https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

We’ve just published on the @hnsec blog the seventh article on the creation of extensions for @burp_suite "Extending Burp Suite for fun and profit - The Montoya way", by @apps3c.

Topic: using the in plugins

https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-7/

Extending Burp Suite for fun and profit - The Montoya way - Part 7 (Using the Collaborator) https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-7/

[RSS] Heather 'Razzlekhan' Morgan sentenced to 18 months in prison, ending Bitfinex saga

https://therecord.media/razzlekhan-bitfinex-sentenced-18-months-bitcoin-laundering

The Crocodile of Wall Street spends some time in the sewers... https://www.youtube.com/watch?v=_DIuPPmY9mw

This week my brain is completely stuck on wanting an Alphasmart Neo. Half of my brain knows that buying tech to write a novel with is not actually the same as writing my novel. The other half of my brain... wants the tech. But also, just look at it, isn't it perfect?

[RSS] Salamander/MIME - Just because it's encrypted doesn't mean it's secure | Lutra Security

https://lutrasecurity.com/en/articles/salamander-mime/
CVE-2024-52316: Apache Tomcat: Authentication bypass when using Jakarta Authentication API

https://seclists.org/oss-sec/2024/q4/103

Sounds pretty esoteric, but I may be wrong:

"If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail"
CVE-2024-52317: Apache Tomcat: Request/response mix-up with HTTP/2

https://seclists.org/oss-sec/2024/q4/104

This looks fun! /cc @albinowax

This starts to look coordinated:
"Following Finnish media reports that an unexplained failure of an undersea telecommunications cable has disrupted communication services between Finland and Germany, Telia’s Chief Technology Officer Andrius Šemeškevičius says that the communications cable between Lithuania and Sweden was also damaged." (via @ErikJonker)
https://www.lrt.lt/en/news-in-english/19/2416006/undersea-cable-between-lithuania-and-sweden-damaged-telia

Fixing a Bunch of Scripting Engine Vulnerabilities by Disabling Just-In-Time Compiler (CVE-2024-38178) https://blog.0patch.com/2024/11/fixing-bunch-of-scripting-engine.html

I know it seems like all of the good ideas for plugins are already implemented in our large plugin collection (https://github.com/Vector35/community-plugins) , but we also maintain a public list of ideas to get you started if you're interested in contributing:

https://github.com/Vector35/binaryninja-api/discussions/626

I haven't had as much time to work on it as I'd like, but I've pushed an update to the Emerald Source Code Commentary because I intend to use it as a demonstration of my technical writing. Do *you* want to know everything that happens from the instant you power on your GBA until Pokemon Emerald begins displaying graphics? https://0xabad1dea.github.io/emeraldscc/

It’s the academic paper on phishing sims I’ve been waiting for and the abstract alone is 🔥🔥 https://www.computer.org/csdl/proceedings-article/sp/2025/223600a076/21B7RjYyG9q

📼 The video edition is done! 🔥 You can now watch all the workshops (Friday), conference presentations (Saturday) and online talks (Sunday) by checking our YouTube channel or following the links from the website!

➡️ https://radare.org/con/2024/

It's been ten years, so a short story about the "gotofail" bug.

Someone came to me about a catastrophic vulnerability in Apple's TLS implementation.

I shit you not, they'd overheard someone at a bar drunkenly bragging about how they were going to sell it to a FVEY intelligence agency for six figures.

They didn't know exactly what it was, just some vague details and the key point that it allowed use of the real certificate.

This was enough for me to find the bug (yay open source), which would go on to be known as "gotofail", and produce a working exploit in less than a day.

The details were anonymously back channelled to Apple, who released a fix.

@matthew_d_green posted on Twitter about it, concerned by Apple's vague release notes.

I used a burner phone to share the details with him anonymously.

Then everyone forgot about the whole thing because heartbleed.

¯\_(ツ)_/¯

David Chisnall (*Now with 50% more sarcasm!*)

When I was a PhD student, I attended a talk by the late Robin Milner where he said two things that have stuck with me.

The first, I repeat quite often. He argued that credit for an invention did not belong to the first person to invent something but to the first person to explain it well enough that no one needed to invent it again. His first historical example was Leibniz publishing calculus and then Newton claiming he invented it first: it didn’t matter if he did or not, he failed to explain it to anyone and so the fact that Leibniz needed to independently invent it was Newton’s failure.

The second thing, which is a lot more relevant now than at the time, was that AI should stand for Augmented Intelligence not Artificial Intelligence if you want to build things that are actually useful. Striving to replace human intelligence is not a useful pursuit because there is an abundant supply of humans and you can improve the supply of intelligent humans by removing food poverty, improving access to education, and eliminating other barriers that prevent vast numbers of intelligent humans from being able to devote time to using their intelligence. The valuable tools are ones that do things humans are bad at. Pocket calculators changed the world because being able to add ten-digit numbers together orders of magnitude faster allowed humans to use their intelligence for things that were not the tedious, repetitive, tasks (and get higher accuracy for those tasks). If you want to change the world, build tools that allow humans to do more by offloading things humans are bad at and allowing them to spend more time on things humans are good at.
