‘Absolute spy novel’: Rigging pagers to explode is no simple attack
Much is unknown about the attack that injured thousands in Lebanon, except that it clearly goes beyond a simple bombing. ⌘ Read more
@prologic@twtxt.net earlier you suggested extending hashes to 11 characters, but here’s an argument that they should be even longer than that.
Imagine I found this twt one day at https://example.com/twtxt.txt :
2024-09-14T22:00Z Useful backup command: rsync -a “$HOME” /mnt/backup
and I responded with “(#5dgoirqemeq) Thanks for the tip!”. Then I’ve endorsed the twt, but it could later get changed to
2024-09-14T22:00Z Useful backup command: rm -rf /some_important_directory
which also has an 11-character base32 hash of 5dgoirqemeq. (I’m using the existing hashing method with https://example.com/twtxt.txt as the feed url, but I’m taking 11 characters instead of 7 from the end of the base32 encoding.)
That’s what I meant by “spoofing” in an earlier twt.
I don’t know if preventing this sort of attack should be a goal, but if it is, the number of bits in the hash should be at least two times log2(number of attempts we want to defend against), where the “two times” is because of the birthday paradox.
Side note: current hashes always end with “a” or “q”, which is a bit wasteful. Maybe we should take the first N characters of the base32 encoding instead of the last N.
Code I used for the above example: https://fossil.falsifian.org/misc/file?name=src/twt_collision/find_collision.c
I only needed to compute 43394987 hashes to find it.
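A worked version of the argument in this post, added here as an example and not the author's find_collision.c: it assumes the twt hash is blake2b-256 over "url\ntimestamp\ncontent", base32-encoded and lowercased with the trailing N characters kept (7 today, 11 as proposed), and shows why the final character is always "a" or "q" and how many characters the birthday bound demands for the 43394987 attempts mentioned.

```python
"""Twt-hash truncation and the birthday bound (example added to the thread;
the hash construction below is an assumption, not taken from the post)."""
import base64
import hashlib
import math

FEED_URL = "https://example.com/twtxt.txt"  # feed URL used in the post


def twt_hash(feed_url: str, timestamp: str, content: str, nchars: int = 7) -> str:
    """Assumed twt hash: blake2b-256 of url, timestamp and text joined by
    newlines, base32 (lowercase, no '=' padding), keeping the last nchars."""
    payload = f"{feed_url}\n{timestamp}\n{content}".encode("utf-8")
    digest = hashlib.blake2b(payload, digest_size=32).digest()
    encoded = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    return encoded[-nchars:]


def effective_bits(nchars: int) -> int:
    """Real entropy in the last nchars of base32(32-byte digest).
    256 bits = 51 full 5-bit groups + 1 leftover bit, so the final character
    carries a single bit: it is always 'a' (00000) or 'q' (10000)."""
    return 5 * (nchars - 1) + 1


def chars_needed(attempts: int) -> int:
    """Smallest suffix length whose effective bits reach 2*log2(attempts),
    the birthday-paradox bound stated in the post."""
    bits = 2 * math.log2(attempts)
    return math.ceil((bits + 4) / 5)  # inverse of effective_bits, rounded up


def collision_probability(attempts: int, bits: int) -> float:
    """Birthday approximation: P(some pair collides among k random
    bits-bit values) ~ 1 - exp(-k^2 / 2^(bits+1))."""
    return 1.0 - math.exp(-(attempts ** 2) / 2 ** (bits + 1))


if __name__ == "__main__":
    # The two twts from the post (straight quotes used here).
    original = 'Useful backup command: rsync -a "$HOME" /mnt/backup'
    replaced = "Useful backup command: rm -rf /some_important_directory"
    for n in (7, 11):
        print(n, "chars:",
              twt_hash(FEED_URL, "2024-09-14T22:00Z", original, n),
              twt_hash(FEED_URL, "2024-09-14T22:00Z", replaced, n),
              "effective bits:", effective_bits(n))
    k = 43394987  # attempts reported in the post
    print("suffix chars needed to resist", k, "attempts:", chars_needed(k))
    print("P(collision) with 11 chars after that many attempts: %.2f"
          % collision_probability(k, effective_bits(11)))
```

Because the last base32 character holds one bit, a 7-character suffix is only 31 bits and an 11-character one 51 bits, which is why taking the first N characters instead would not waste those four bits.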
‘The next threat’: Former UK cybersecurity chief’s warning for Australia
Disruptive attacks on the nation’s hospitals and airlines will be far more damaging than any data breach, according to the UK’s former cybersecurity chief. ⌘ Read more
There is a bug in yarnd that’s been around for awhile and is still present in the current version I’m running that lets a person hit a constructed URL like
YOUR_POD/external?nick=lovetocode999&uri=https://socialmphl.com/story19510368/doujin
and see a legitimate-looking page on YOUR_POD, with an HTTP code 200 (success). From that fake page you can even follow an external feed. Try it yourself, replacing “YOUR_POD” with the URL of any yarnd pod you know. Try following the feed.
I think URLs like this should return errors. They should not render HTML, nor produce legitimate-looking pages. This mechanism is ripe for DDoS attacks. My pod gets roughly 70,000 hits per day to URLs like this. Many are porn or other types of content I do not want. At this point, if it’s not fixed soon I am going to have to shut down my pod. @prologic@twtxt.net please have a look.
Docker Security Advisory: AuthZ Plugin Bypass Regression in Docker Engine
Certain versions of Docker Engine have a security vulnerability that could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users. ⌘ Read more
Ladybird Web Browser Developer Attacked by Unhinged, Dishonest Activists
Activists concoct wild, meritless accusations of “Transphobia” and “Human Slavery”. ⌘ Read more
Attack of the clones: Getting RCE in Chrome’s renderer with duplicate object properties
In this post, I’ll exploit CVE-2024-3833, an object corruption bug in v8, the Javascript engine of Chrome, that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.
The post [Attack of the clones: Getting RCE in Chrome’s renderer with duplicate object properties](https://github.blog/2024-06-26-attack-of-the-cl … ⌘ Read more
How this small non-profit group beat a malicious cyberattack
Hackers attempted to commit credit card fraud against UN Women Australia, but its chief executive says the group managed to beat the attackers with the help of its technology partners. ⌘ Read more
Execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities work in Ruby projects
Can an attacker execute arbitrary commands on a remote server just by sending JSON? Yes, if the running code contains unsafe deserialization vulnerabilities. But how is that possible? In this blog post, we’ll describe how unsafe deserialization vulnerabilities work and how you can detect them in Ruby projects.
The post [Execute c … ⌘ Read more
The Register spins to protect Red Hat in discrimination lawsuit
Trump! Immigration! Insurrection! Muslim Travel Ban! Elon Musk! What do any of those things have to do with a discrimination lawsuit against Red Hat, the world’s largest Linux company? Well… nothing. Nothing at all. But Tech News outlet, The Register, wants you to stop thinking about Red Hat doing something wrong… and, instead, be angry at anyone who would attack Red Hat. Because Trump. Or something. ⌘ Read more
Frangipani trees in Darwin ‘hammered’ by exotic pest. Can ladybirds stop it from spreading south?
Since its discovery last year, the papaya mealybug has spread across Darwin, impacting a range of host plants such as papaya, hibiscus and frangipanis. ⌘ Read more
OpenSSH and XZ/liblzma: A nation-state attack was thwarted, what did we learn?
Docker CTO Justin Cormack looks at what we can learn from malicious code in upstream tarballs of xz targeted at subset of OpenSSH servers. “It is hard to overstate how lucky we were here, as there are no tools that will detect this vulnerability.” ⌘ Read more
Snikket: Security notice: Snikket not affected by CVE-2024-3094
A security vulnerability was intentionally added to a widely used open-source
project known as ‘xz’. This project is packaged in many operating systems, and
a lot of software depends upon it. The vulnerability has been assigned the
identifier CVE-2024-3094.
Systems with the vulnerable package may allow an attacker to gain unauthorized
access to the system via SSH, if your system’s SSH server was linked to the
affected packages.
Thankfully, the vulne … ⌘ Read more
Linux Foundation says when they used to attack Microsoft… they were actually trying to kill Sun.
*wink wink* ⌘ Read more
@bender@twtxt.net It is the new “politically correct”. Something that was used to describe acting in a more civilized way with one another. Turned into a scapegoat for the other side to label, demonize, and attack.
NJ man saved by police after heart attack
A man in New Jersey is alive today thanks in large part to the quick actions of five police officers after he suffered a heart attack while shoveling snow. ⌘ Read more
‘Drunk’ passenger’s horrific hostie attack
A “drunk” and “extremely violent” passenger on a plane from Dubai was caught on camera headbutting a flight attendant, causing crew members to tackle him and restrain him with cable ties, video shows. ⌘ Read more
Woman battles back after random road rage shooting
Amari Franklin has loved fashion and design ever since she was a little girl and that love is what helped the Clark Atlanta University senior find her way back, and her calling, after being shot in random road rage attack. ⌘ Read more
Atlanta airport official was being stalked, judge says
A judge grants an Atlanta airport official a temporary restraining order against a community activist. The Fulton County Superior Court Judge ruled the outspoken community activist, Alvin Kendall, was guilty of stalking and cannot verbally attack Airport Deputy General Manager Jai Ferrell. ⌘ Read more
Canadian cities ‘not gatekeepers,’ head of mayors’ group tells Poilievre
The president of the Federation of Canadian Municipalities says his members are community builders and not gatekeepers, a term Conservative Leader Pierre Poilievre has commonly used to attack municipal bureaucrats. Scott Pearce made the comment at a news conference the federation held in Ottawa ahead of the spring budget, as the group calls for more federal in … ⌘ Read more
Woman attacked in waist-deep water by two-metre tiger shark in WA
A woman has undergone emergency surgery after a shark attack in Western Australia.
The attack took place near Jurien Bay, north of Perth.
The 46-year-old was in waist-deep water during a sea lion tour when she was bitten just after 11.30am local time yesterday.
She was attacked on her left calf by a two-metre tiger shark.
The woman was airlifted to Royal Perth Hosp … ⌘ Read more
Man attacked with hatchet, hit in the head at SEPTA station
Philadelphia police say the man was walking through the SEPTA concourse when he was attacked from behind by a man wielding a hatchet and demanding his valuables in an apparent robbery attempt. ⌘ Read more
Starmer says Sunak ‘too weak’ to call out ‘Islamophobia’ after Lee Anderson comments
Sir Keir Starmer said Rishi Sunak “lacks the backbone” to call out “Islamophobia” after Lee Anderson’s attack on Sadiq Khan. Speaking to reporters in Shrewsbury, the Labour leader said: “I think this is straightforward. It’s Islamophobia and the Prime Minister should call it out for what it is. “The reason he won’t is because he is so w … ⌘ Read more
Israeli jets bomb eastern Lebanon for the first time since Gaza war began
Hezbollah says at least two killed in attack near Baalbek, its stronghold some 100km from the border with Israel. ⌘ Read more
WTO pushes for reform, warns multilateralism ‘under attack’
The World Trade Organization pushed for reform at a high-level ministerial meeting in Abu Dhabi on Monday, warning that economic headwinds and geopolitical tensions are threatening global commerce and multilateral trading systems. ⌘ Read more
How to stay safe from repo-jacking
Repo-jacking is a specific type of supply chain attack. This blog post explains what it is, what the risk is, and what you can do to stay safe.
The post How to stay safe from repo-jacking appeared first on The GitHub Blog. ⌘ Read more
Retailers say illicit tobacco trade ‘needs to be stopped’
After a string of firebombing attacks at tobacco stores across Melbourne, the Federal Government have stepped in to tackle illicit tobacco trade on the black market. ⌘ Read more
Securing our home labs: Frigate code review
This blog post describes two linked vulnerabilities found in Frigate, an AI-powered security camera manager, that could have enabled an attacker to silently gain remote code execution.
The post Securing our home labs: Frigate code review appeared first on The GitHub Blog. ⌘ Read more
So.. Of y’all that had covid. Did you have at the end a night where for no reason your brain amped up to 11 and can’t sleep at all? It happened to me last night and my FIL the night before.
I went to bed at 8 and woke up full on anxiety attack at 12 and could not calm my head until around 7 am. Today has sucked a lot.
What’s The Difference Between Heart Attacks and Cardiac Arrest? #neildegrassetyson #startalk ⌘ Read more
Under the counter deals, ‘chop-chop’ and arson attacks: Inside Victoria’s illegal tobacco market
Police are stepping up their efforts to tackle the illegal tobacco market, after a string of arson attacks against shops in Victoria. ⌘ Read more
JMP: CertWatch
As you may have already seen, on October 21st, it was reported that a long-running, successful MITM (Machine-In-The-Middle) attack against jabber.ru had been detected. The nature of this attack was not specific to the XMPP protocol in any way, but it was of special interest to us as members of the XMPP community. This kind of attack relies on being able to present a TLS certificate which anyone trying to connect will accept as valid. In this case, it was done b … ⌘ Read more
Snikket: On the jabber.ru MITM attack
This post is about a recent security incident on a public XMPP service, which
provides jabber.ru and xmpp.ru. We have received a few questions from Snikket
users about whether they should be concerned about the security of their own
servers (Snikket also uses XMPP).
The good news is that Snikket was not affected by this incident - this was a
targeted attack against the jabber.ru/xmpp.ru service specifically. Later in
the post we’ll share more information about what we’ve done, and … ⌘ Read more
How Google Authenticator made one company’s network breach much, much worse | Ars Technica
🤦♂
WHY are these big companies treated as though they are the be all and end all of infosec? These are rookie mistakes Google’s making, at scale.
Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this “feature”. If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to “disable syncing to the cloud”, instead there is just a “unlink Google account” option.
Like, never ever put your multi-factor tokens into a single cloud storage location! The whole point of this being “multi” factor is that there is a separate, independent physical factor involved in the authentication process. If the authenticator app on your phone puts the tokens in the cloud, then it reduces the security that comes from having a second factor. This is basic stuff.
Of course, never ever use Google Authenticator. All it does is generate TOTP and HOTP codes, which you can do with any OTP app, preferably an open source one that’s been vetted.
Ignite Realtime Blog: CVE-2023-32315: Openfire vulnerability (update)
A few months ago, we published details about an important security vulnerability in Openfire that is identified as CVE-2023-32315.
To summarize: Openfire’s administrative console (the Admin Console), a web-based application, was found to be vulnerable to a path traversal attack via the setup environ … ⌘ Read more
mTLS: When certificate authentication is done wrong
In this post, we’ll deep dive into some interesting attacks on mTLS authentication. We’ll have a look at implementation vulnerabilities and how developers can make their mTLS systems vulnerable to user impersonation, privilege escalation, and information leakages.
The post mTLS: When certificate authentication is done wrong appeared first on [The Gi … ⌘ Read more
Hardening repositories against credential theft
Some best practices and important defenses to prevent common attacks against GitHub Actions that are enabled by stolen personal access tokens, compromised accounts, or compromised GitHub sessions.
The post Hardening repositories against credential theft appeared first on The GitHub Blog. ⌘ Read more
snac/the fediverse for a few days and already I've had to mute somebody. I know I come on strongly with my opinions sometimes and some people don't like that, but this person had already started going ad hominem (in my reading of it), and was using what felt to me like sketchy tactics to distract from the point I was trying to make and to shut down conversation. They were doing similar things to other people in the thread so rather than wait for it to get bad for me I just muted them. People get so weirdly defensive so fast when you disagree with something they said online. Not sure I fully understand that.
@prologic@twtxt.net attacking the person, not the idea. It’d be like if you said “yarn is better than mastodon because it isn’t push based” and someone who disagreed with you said “well you think that because you’re an idiot” or something like that.
Power LED Attack - Computerphile ⌘ Read more
Crypto collapse? Get in loser, we’re pivoting to AI – Attack of the 50 Foot Blockchain
Someone on here gave me a hard time when I suggested that the crypto grifters were pivoting to AI after crypto collapsed. But, they were and they still are.
@movq@www.uninformativ.de wow. I’d trade crow sounds for car sounds, or jet sounds, or leaf blower sounds, or lawn mower sounds, or…..100% of the time.
As far as fighting the birds goes, maybe they’re right, but probably it’d be better to re-balance the ecosystem so that crows aren’t so dominant? At least there are things to try. When it comes to reducing how much air travel people use, it takes a terrorist attack or a pandemic to affect it.
Orcas attacking boats wasn’t on my 2023 bingo card but amused all the same
@stigatle@yarn.stigatle.no @prologic@twtxt.net @eldersnake@we.loveprivacy.club I love VR too, and I wonder a lot whether it can help people with accessibility challenges, like low vision.
But Meta’s approach from the beginning almost seemed like a joke? My first thought was “are they trolling us?” There’s open source metaverse software like Vircadia that looks better than Meta’s demos (avatars have legs in Vircadia, ffs) and can already do virtual co-working. Vircadia developers hold their meetings within Vircadia, and there are virtual whiteboards and walls where you can run video feeds, calendars and web browsers. What is Meta spending all that money doing, if their visuals look so weak, and their co-working affordances aren’t there?
On top of that, Meta didn’t seem to put any kind of effort into moderating the content. There are already stories of bad things happening in Horizon Worlds, like gangs forming and harassing people off of it. Imagine what that’d look like if 1 billion people were using it the way Meta says they want.
Then, there are plenty of technical challenges left, like people feeling motion sickness or disoriented after using a headset for a long period of time. I haven’t heard announcements from Meta that they’re working on these or have made any advances in these.
All around, it never sounded serious to me, despite how much money Meta seems to be throwing at it. For something with so much promise, and so many obvious challenges to attack first that Meta seems to be ignoring, what are they even doing?
@prologic@twtxt.net Because they are rightwing assholes with a huge platform and they are literally HURTING PEOPLE. People get attacked because of things people like Shapiro and Peterson say. This is not just idle chitchat over coffee. They are saying things like it’s OK to rape women (and NO I am not going to dig out the videos where they say that –that’s up to YOU to do, do your own homework before defending these ghouls).
LogJam Attack - Computerphile ⌘ Read more
SUSE CEO out effective immediately, replacement CEO not available until later.
A failed IPO, political attacks, and purchased “awards” are the legacy of the departing CEO of the oldest Linux company. ⌘ Read more
Notice: J-CLICS Attack Path Countermeasures Edition ⌘ Read more
GitHub Security Lab audited DataHub: Here’s what they found
The GitHub Security Lab audited DataHub, an open source metadata platform, and discovered several vulnerabilities in the platform’s authentication and authorization modules. These vulnerabilities could have enabled an attacker to bypass authentication and gain access to sensitive data stored on the platform. ⌘ Read more
PEP 708: Extending the Repository API to Mitigate Dependency Confusion Attacks
Dependency confusion attacks, in which a malicious package is installed instead of the one the user expected, are an increasingly common supply chain threat. Most such attacks against Python dependencies, including the recent PyTorch incident, occur with multiple package repositories, where a dependency expected to come from one repository (e.g. a custom index) is installed from another (e.g. PyPI). ⌘ Read more