Posts
4218
Following
733
Followers
1628
"I'm interested in all kinds of astronomy."
repeated

And after yesterday's post, here's one on the state of things in agentic identity: https://www.codon.org.uk/~mjg59/blog/p/securing-agentic-identity/

0
3
0
repeated

So. For the past few days I've been deep in a fun and very rewarding, but also extremely scary debugging saga. To cut a long git-bisecting story short:

Since Linux 6.9 (May 2024), the tool that locks the laptop's drive on suspend had been silently failing.

Like many of my friends, I use full-disk encryption (LUKS) to protect my data if my laptop is lost, seized or stolen. Highly recommended to everyone; in combination with tested and automated backups, it contributes greatly to peace of mind. (Under Windows, the canonical software to do that is VeraCrypt.)

Except that, for more than two years, the encryption key remained resident in memory across suspend, leaving it there for the taking by anyone who seized the still-powered laptop. (It still worked on a full shutdown, but a full shutdown is rare these days.)

There is something uniquely unsettling about trusting a security mechanism for years and learning it was never doing the thing. "A technical argument by a trusted author, which is hard to check and looks similar to arguments known to be correct, is hardly ever checked in detail." The same, it seems, is true for computer code.

The culprit was a sensible and useful refactoring, https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a28d893eb3270cf62c10dd8777af0d8452cdc072. But it had an unexpected long-range interaction with the encryption code. The fix is exactly one line long: https://lore.kernel.org/all/ajKwRtP8izwRsMmv@quasitopos/ And no, without formal proofs I cannot say whether my patch is correct and free of its own long-range interactions... At the very least, we now have an automated test to detect future regressions (https://github.com/NixOS/nixpkgs/pull/532499) and a patch to emit a warning instead of failing silently (https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/936).

4
8
0
repeated

This is so cool: 4 alternatieve Fields Medals for

Excellence in mathematics research by somebody who is currently over the age of 40.

Excellence in mathematics research with approaches that are not mathematically rigorous (construed broadly).

Excellence in leadership in the mathematics community (construed broadly).

Excellence in exposition of mathematics to a popular audience.

https://esander1789.github.io/afm/

0
2
0
I wanted to look up how "shotgun" as a reaction is used and after lots of irrelevant results I found this wonderful, barely readable #SmallWeb site giving me the explanation:

slangwall

https://sites.pitt.edu/~emk4/comp1/shotgun.html
1
0
3
repeated

If you run a peertube instance, you should have gotten an alert to update. Either way, it's time to update - there's a security fix out for a high severity vulnerability. Some operators got hit last time this happened. Don't let that happen to you. Patch your OS while you're at it. And drink some water. And then go for a walk. And call your mom.

2
11
0
repeated
Edited 6 days ago

Oh more at Mozilla

Senior Security Engineer (Add-ons) (https://www.mozilla.org/en-US/careers/position/gh/7583571/). This involves building code-review / malware detection pipelines for addons.mozilla.org - really cool team. The same team is also looking for an engineer to implement extension APIs within Firefox, a Senior Platform Engineer (https://www.mozilla.org/en-US/careers/position/gh/7921750/).

Reminder we're active looking for candidates from diverse backgrounds and with perspectives different from our own. Questions? Just ask me :)

1
8
0
repeated
repeated
Hmm.

The announcement by Meta that they'll start selling AI compute potentially broke one of the pet narratives of the AI bubble: compute is so scarce that we need to spend all the money to build more. That story is the justification for crypto-turned-AI companies with poor fundamentals like CoreWeave to continue existing.

Nothing about stock or commodities prices makes any sense anymore so maybe tomorrow their stock will be up 2x.


0
3
0
Has anyone compared Watts/bug stats of LLMs vs. fuzzers?
2
2
3
repeated

wow imagine being exposed to radio waves how will they ever recover

3
2
0
repeated

Given the LLM rubbish I just read, TempleOS isn't looking so bad

0
2
0
repeated

RE: https://infosec.exchange/@trailofbits/116850092020510927

If your goal is to provoke an over reaction in policy circles and further restrictions on defenders, keep framing llm advances from an attacker's perspective like this:

"The expertise barrier that kept bespoke fuzzing campaigns out of reach for most attackers is gone. "

0
2
0
repeated
I'm a software developer looking for job. I can code in python (good) and java (basic), but i'm an expert at programming in C. You could also say that i can code in C++, though i really prefer doing C over C++.

I'm experienced at software reverse engineering, especially in radare2, to which i've contributed since 2013. In r2 I've co-authored ESIL (evaluable string intermediate language) for instruction emulation and analysis. I've also written most parts of the r_io API as well as a few plugins. At the moment I live in germany, but relocating within the EU for a job after the probationary would be ok for me.

Previously i've worked for an US-american business, for which i've created components of an analysis pipeline for finding potential security vulnerabilities in firmware. One of the things that I've created during that time was a program, that could automatically find code and data sections of a binary of unknown format. You could destroy the elf header of a binary, throw it at the tool, and it would give you almost perfect section boundaries. This was followed by a script that would invoke cpu_rec in order to determine the correct ISA amd create a script to load the target correctly into r2 for further analysis. I was working on an elf-builder tool, which would allow customers to load the binary into any SRE tool, when someone decided the company would go "agentic" and that they no longer need me.

I'd love to analyse malware or develop software for embedded systems, but i'm also open to other jobs, where i can make use of my experience and skills.

#getfedihired
0
7
0
repeated

KERNSEAL makes the linear page cache overflow in https://cyberstan.co.uk/fuse-readdir-oob/ deterministically unexploitable. Serial log below 👇

0
1
0
repeated

1/3 🧑‍⚖️ Today, the Court of Justice of the EU has upheld a € 4.1 billion antitrust fine against Google for abusing the dominant position of its Android mobile operating system to thwart rivals.

💰 The judgment confirms the European Commission's finding that Google abused Android to strengthen the market position of Google Search, the Chrome browser and other Google products.

1
3
0
repeated

klist.exe Revisited: Internals and Further Use Cases https://jakeotte.com/posts/klist-revisited.html

0
2
0
repeated

Small businesses, please stop using corporate social media as your only online presence.

I’d happily visit a website that looks like it was designed in the 1990s if it meant I could actually scroll down and see your address, hours of operation, etc.

It doesn’t have to be pretty, just functional.

It would be really helpful if you also included common allergens for your food and drinks (if relevant) and how accessible your location is for disabled folks.

5
11
0
repeated

Good morning Europe I have written about the bewildering array of mechanisms available to prevent authentication token theft and also explained why we still basically have none of them available and so the authentication tokens are still being stolen and used. It is here: https://www.codon.org.uk/~mjg59/blog/p/preventing-token-theft/

4
3
0
repeated

LOGOS/END.GIF

0
1
0
repeated
Edited 8 days ago

Mastodon has automatic age verification built in, no scanning your face

✅ if you join here you're old
✅ you've seen too much shit
✅ you're tired of said shit

15
35
1
Show older