If you are interested in the multiple moving parts needed to get #mte support for #qemu's #gdbstub you might find my colleges blog post interesting: https://www.linaro.org/blog/adding-support-for-mte-debugging-to-qemu/ - fortunately #linaro's #upstream first development policy is well suited to tackling these sort of integrations.

This meeting could have been a Signal leak

Doctors personally liable if mandatory NHS AI transcriber gets it wrong

https://pivot-to-ai.com/2025/04/30/doctors-personally-liable-if-mandatory-nhs-ai-transcriber-gets-it-wrong/ - text
https://www.youtube.com/watch?v=9RWdZml54eg&list=UU9rJrMVgcXTfa8xuMnbhAEA - video

@buherator not just mazdas, nissans too! And others , that sort of prompted me to dig into mine and resulted in https://github.com/ea/bosch_headunit_root
https://noc.social/@todayilearned/114425467000309539

30 April 1945 | As Soviet forces neared his command bunker in Berlin Adolf Hitler shot himself.

Hitler's Thousand Year Reich lasted twelve years, four months & eight days.

We need to commemorate all the victims & remember where ideologies of hatred may lead humanity to.

"Microsoft CEO says up to 30% of the company’s code was written by AI."

It can't be 30% by plain math. Just replacing 30% of existing code with new code takes (many) years, and then we include all produced code. If they ONLY used AI to write all code for the last few years, and they wrote it at a high pace, it could *perhaps* be done.

We all know that AI can't write code that good. But sure "up to 30%" could also mean "2%".

Of all *new* code perhaps? Still feels high.

https://techcrunch.com/2025/04/29/microsoft-ceo-says-up-to-30-of-the-companys-code-was-written-by-ai/

🚨 New advisory was just published! 🚨

MagicINFO exposes an endpoint with several flaws that, when combined, allow an unauthenticated attacker to upload a JSP file and execute arbitrary server-side code:
https://ssd-disclosure.com/ssd-advisory-samsung-magicinfo-unauthenticated-rce/

#Mozilla: Multiple Vulnerabilities in Mozilla Products (Firefox, Firefox Updater, Thunderbird) Could Allow for Arbitrary Code Execution:
CVE-2025-2817, CVE-2025-4082, CVE-2025-4083:
👇
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/

🌪️HP printers are back to TyphoonPWN. This year, we’re offering up to $20,000 for a Pre-Auth Remote Code Execution vulnerability in HP MFP 4303dw/fdw printers.

If you’ve been researching HP printers, this is your moment. Show off your skills, get recognized, and earn big. 🏆

Remote participation is fully supported. Register now:
👉 https://typhooncon.com/typhoonpwn-2025/

TIL a programming bug caused Mazda infotainment systems to brick whenever someone tried to play the podcast, 99% Invisible, because the software recognized "% I" as an instruction and not a string

https://99percentinvisible.org/episode/the-roman-mars-mazda-virus/
#til #todayilearned
https://www.reddit.com/r/todayilearned/comments/1kb9pb8/til_a_programming_bug_caused_mazda_infotainment/

JS in SVG strikes again. This time it's a forever-day in AngularJS.

https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915

https://www.herodevs.com/vulnerability-directory/cve-2025-0716

sev:MED 4.8 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Improper sanitization of the value of the href and xlink:href attributes in <image> SVG elements in AngularJS allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing and also negatively affect the application's performance and behavior by using too large or slow-to-load images.

This issue affects all versions of AngularJS.

Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .

https://nvd.nist.gov/vuln/detail/CVE-2025-0716

The Israel National Cyber Directorate published a few advisories in Ribbon Apollo products ( networking gear ), including a hardcoded creds one.

https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing

NEW: A court in India has ordered the block Proton Mail across the whole country as part of a case where a local design firm received obscene emails.

As of this writing, Proton Mail is still working, based on our tests.

Story by @jagmeets13

https://techcrunch.com/2025/04/29/indian-court-orders-blocking-of-proton-mail/

Prosecutors have requested Alex Mashinsky, CEO of the collapsed Celsius cryptocurrency company, be sentenced to at least twenty years in prison for his "sustained, calculated campaign of deceit carried out over years, targeting ordinary people."

https://www.courtlistener.com/docket/67604619/144/united-states-v-mashinsky/

#Celsius #crypto #cryptocurrency

Significant event for many, many reasons. Especially the fact Sophie Wilson spoke at it considering what is going on in the UK right now. One of the world's most widely used chips wouldn't exist without her contribution.

https://www.theregister.com/2025/04/29/arm_40/

#bbcmicro #arm

Google published a blog post about 0days and the like. This jumped out at me:

Vendor investments in exploit mitigations are having a clear impact on where threat actors are able to find success.

Stack canaries gained popularity in the Linux world in 2002. When did the Linux-based Ivanti ICS product get stack canaries, after years of ITW exploitation? 2025. That's right. They decided to wait TWENTY THREE YEARS before deciding to turn on a compile-time flag that would have prevented successful exploitation of April's CVE-2025-22457.

We all know that comparing the security disposition of companies/products based on CVE counts is both foolish and futile, but sometimes they make it easy for us. 😂

NEW: Last year, there were 34 recorded zero-days being exploited in real-world attacks, which were attributed to specific groups.

Of those, 23 were attributed to government-backed hackers, including spyware makers, which shows that governments are the main users of zero-days.

And while those got caught, Google's @_clem1 told us that spyware makers “are investing more resources in operational security to prevent their capabilities being exposed and to not end up in the news.”

Full story:

https://techcrunch.com/2025/04/29/government-hackers-are-leading-the-use-of-attributed-zero-days-google-says/