[RSS] Ruby 3.4 Universal RCE Deserialization Gadget Chain

https://nastystereo.com/security/ruby-3.4-deserialization.html

bsky.app/profile/mrme.bsky.social/post/3lbql2z2uas2f

Trust me, the Chinese hack Spring apps harder than you: https://juejin.cn/post/6972564484720328718

Revisiting unresolved JetBrains TeamCity issues: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=teamcity

• TeamCity 2024.07.3
  • Release/Blog Publish Date: 01 October 2024
    CVE assigned/publicly available: 08 October 2024 (8 days)
  • "5 security problems have been fixed."
    5 CVEs assigned
• TeamCity 2024.07.2
  • Release/Blog Publish date: 29 August 2024
    CVEs: N/A
  • "3 security problems have been fixed."
    0 CVEs assigned
• TeamCity 2024.07.1
  • Release/Blog Publish date: 06 August 2024
    CVE assigned/publicly available: 16 August 2024 (11 days)
  • "6 security problems have been fixed."
    5 CVEs assigned
• TeamCity 2024.07
  • Release/Blog Publish Date: 18 July 2024
    CVE assigned/publicly available: 22 July 2024 (5 days)
  • "19 security problems have been fixed."
    6 CVEs assigned

I may be a hater but I'm not lying and to my customers and hiding security issues.

#jetbrains #teamcity #vulnerability #cve

social media platform users are going to link offsite. the only question is how obnoxious the platform will make it for them and everyone else.

(For context: Instagram prohibits links in post text. This, plus the incentive to inflate comments, has led to the proliferation of tools where creators instruct their followers to comment with a specific word to receive a link in their DMs— in this case, to a pie crust recipe)

[RSS] RISC CPU Lives in Excel

https://hackaday.com/2024/11/24/risc-cpu-lives-in-excel/

From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities - Neodyme
https://neodyme.io/en/blog/wazuh_rce/

/via @tekwizz123

CVE-2024-32038, CVE-2023-50260
#frombsky

Page-Oriented Programming: Subverting Control-Flow Integrity of Commodity Operating System Kernels with Non-Writable Code Pages | USENIX
https://www.usenix.org/conference/usenixsecurity24/presentation/han-seunghun

/via @andersonc0d3

Prefer Rust to C? There's no reason your decompilation has to necessarily target C as the output. With our Language Representation UI/API in 4.2 you can see all your decompilation as Rust instead.

A bit annoying thing in #Bsky #ATProto is that you don't post plaintext that is "enriched" remotely, but provide a Rich Text object with links, tags, etc. marked as such. It seems from the servers perspective len(rich_text)!=len(str(rich_text)) and I found no way to find out what the true length of my rich Text object will be resulting in failed posts and bad thread splitting...

https://atp.readthedocs.io/en/latest/atproto_client/utils/text_builder.html

Latest #Ghidra failed to build because some obscure pyOpenSSL error, which can break pip altogether:

> TypeError: deprecated() got an unexpected keyword argument 'name'

Here's what worked for me:
- Delete the failing pyOpenSSL directory from site-packages
- pip install "pyOpenSSL>22.0.0,<23.0"

I really like the idea of Bandcamp Gift Cards! Get your friends and family hooked on supporting independent artists/small labels!

https://bandcamp.com/gift_cards

My son's #biology book represents carnivores as a true subset of animalivores (which is a new word to me).

Which animals are animalivores but not carnivores?

This is another #test

My keynote from @sansoffensive in Hollywood. Attacking Intelligence: Attacking and Defending AI on The Edge

I cover confidential GPUs, Windows Recall architecture, and post-compromise tradecraft with AI and lots more!

https://www.youtube.com/watch?v=1zl1NSwuhAk

Ignite session covering all the Windows Security newness just posted

https://ignite.microsoft.com/en-US/sessions/GS06

In the "Worth Reposting from Twitter" series today:

https://scrapco.de/twitter/buherator/status/1576535053571530752/

This is a thread about technological things I misjudged during my career. Maybe it'll help someone. (Or maybe I misjudge again?)

- I started gera's challenges, but "why bother with client-side?"

https://github.com/gerasdf/InsecureProgramming.git

- During university, seeing Meterpreter's shortcomings I considered to start developing a professional implant. But "no security boundaries, no fun".

Now look at all teh frameworks...

- Gave up on chemistry because of an idiot teacher

Hunting the Mongoose: Discovering 10 Vulnerabilities in the Mongoose Web Server Library
https://www.nozominetworks.com/blog/hunting-the-mongoose-discovering-10-vulnerabilities-in-the-mongoose-web-server-library

"You never pay here... not with money"

OMG I just realized at the end of the episode Needful Things was bought by *Google*

https://rickandmorty.fandom.com/wiki/Needful_Things

I am looking for padlock or similarly visual device that has bluetooth vulnerabilities (i.e. just uses an "unlock" command or so and no decent cryptography). Any tips welcome!