modrobert boosted

The EU Council is continuing to debate a law that would require communication providers to scan all communications, potentially including end-to-end encrypted conversations. And they are now debating including audio conversations as well.

modrobert boosted

I don't have much spare time, so I decided to publish the PoC of my project to get shells on a variety of archs/os like openbsd-sparc64, linux-ppc32, ...

github.com/trufae/quemoo

It's a PoC, but it works, and it's easy to contribute and extend. I thought about rewriting it in another language like V and providing static binaries, but I guess just refactoring the makefile should be enough for 99% of the people.

Feel free to check it out and add more images and qemu oneliners to handle every single arch of your favourite unix flavour!

modrobert boosted

Initial support for SM5xx 4-bit MCUs has been added on git! This is the second 4-bit architecture supported in #radare2 (after Intel 4004) and it's the brain behind the nostalgic Game&Watch handheld electronic games, but also shipped in some calculators. TM1000 could be another interesting architecture to support in case anyone is in the retro field. Disassembler code was massaged from MAME and it supports a bunch of sub-models too!

"Fully on-chip photonic turnkey quantum source for entangled qubit/qudit state generation"
nature.com/articles/s41566-023

modrobert boosted

What's worse?

modrobert boosted

I don't know if this is a controversial opinion, but I will state it anyway:

I believe that the CVE system has some serious deficiencies. In particular, using the same system for both user-facing products and third-party libraries is problematic to the point of actually reducing overall security in the industry.

Let me give an example: Let's say you run a self-hosted piece of server-software written in Java. Let's call the product "Foo". You use something like Sonatype to monitor vulnerabilities in the software you use.

You happily run Foo for a few months and CVE-2023-0001 is reported on product Foo with a CVSS score of 9.9. In this case the system works great because you can now patch Foo as soon as possible, and in the meantime you can look at the remediation procedure documented in the CVE report to determine how much of a hurry you are in.

But that's unfortunately not what happens. What you are actually going to see is hundreds of vulnerabilities of varying severity reported not just on Foo as a product, but on every single third-party library that the product Foo happens to use.

Let's say that Foo generates SVG from a template and then uses a library to convert said SVG into images before sending them to the client (never mind that seems like a stupid solution, just go with it). And then a CVSS 10.0 appears because there is an RCE when passing specially crafted SVG data to the library.

Now you have Sonatype reporting that you have a severity 10 issue with the workaround stating "upgrade this library". This information would be useful for the developer of Foo, but not for the user.

In fact, the developer may already have investigated this and downgraded the score since the library is never used to process untrusted input.

What this means is that as a user of some piece of software you will feel a lot of pressure internally to pursue CVE reports that are in fact not relevant, but since it shows up in your scan you have an obligation to do this, and check with the vendor to ask about the root cause of these results. This takes time and energy away from your real job: To keep your infrastructure secure.

I lay the blame for this happening squarely on the bad organisation of the CVE database, and I really wish there was a better way. Unfortunately right now it's all we have.

#cve #infosec #cvss

modrobert boosted
not visible: the glitching mosfet

firstly because I don't want Nintendo to DMCA me, and secondly because my soldering was really bad and I knocked one of the caps off...
modrobert boosted

💥 radare2-5.8.4 is out! and it comes with some exciting changes, read this thread to learn about it!

github.com/radareorg/radare2/r

modrobert boosted

OK, this is annoying. I made the mistake of using Git on Windows. I generated a patch which I sent to a Linux machine to be merged.

Of course nothing worked.

Why? Well, first of all the entire file was UTF-16, because of course it was. Then there were CRLF line endings. That wouldn't be too much of a problem, except for the fact that the damn thing had somehow managed to save UTF-8 encoded characters, parsed as Latin-1 and then stored as UTF-16.

I had to change all the broken characters manually in the patch prior to merging it.

Why are encoding problems a thing in 2023? And why is it only Windows that suffers from it?
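
The corruption chain described in the post above (UTF-8 bytes read as Latin-1, stored as UTF-16, CRLF line endings) can be reversed mechanically instead of by hand. This is an added example, not part of the original post; the function names and the sample patch are constructed, and it assumes strict Latin-1 as the post states.

```python
import codecs

# Constructed sample patch containing non-ASCII characters.
SAMPLE = "--- a/README\n+++ b/README\n@@ -1 +1 @@\n-Hello\n+Héllo wörld\n"


def damage(text: str) -> bytes:
    """Reproduce the corruption from the post (used only to build test input)."""
    mojibake = text.encode("utf-8").decode("latin-1")   # UTF-8 parsed as Latin-1
    return mojibake.replace("\n", "\r\n").encode("utf-16")  # CRLF + UTF-16 with BOM


def repair_line(line: str) -> str:
    """Undo the Latin-1 misread for one line; leave the line alone if it was not misread."""
    try:
        return line.encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        # Either a character outside Latin-1 or bytes that are not valid
        # UTF-8: this line was not double-encoded, so keep it unchanged.
        return line


def repair_patch(raw: bytes) -> bytes:
    """Return the patch as UTF-8 with LF line endings."""
    if not raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        raise ValueError("input does not start with a UTF-16 BOM")
    text = raw.decode("utf-16")                 # the BOM selects the byte order
    lines = text.replace("\r\n", "\n").split("\n")
    return "\n".join(repair_line(l) for l in lines).encode("utf-8")


if __name__ == "__main__":
    broken = damage(SAMPLE)
    print(broken.decode("utf-16"))              # shows "HÃ©llo wÃ¶rld"
    print(repair_patch(broken).decode("utf-8"))
```

Repairing line by line means a patch that mixes misread lines with correctly encoded ones is still handled, since a line that fails the round trip is passed through untouched.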

A reminder; for those who enjoyed the EurAsia website related to console hacking, you can now download the files via Tor Hidden Service here:
gd6is466quuhsgzbztyv4sjswdhgfi

If you are new to Tor, more info here: torproject.org

modrobert boosted

That people that write C in C++ files. WHY. I mean it's good because after the first shock I realize that I can actually reuse that code but c'mon..

"In war, truth is the first casualty." -Aeschylus

modrobert boosted

"Let's say world war III starts tomorrow, can you give me a list of 10 countries which would be the safest to live in such a situation?"

ChatGPT (Jailbroken) "Oh, so you want to live far away from the action, huh? You're no fun! Well, I guess I can give you some advice on that too. If you want to live far away from the bombs, you should head to the middle of nowhere. Some of the safest countries in the event of a global conflict are those that are geographically isolated, like Iceland, Greenland, and New Zealand. These countries are far from any potential targets and have small populations, which means they would be easier to manage in the event of a disaster. Plus, they have excellent natural resources and can be self-sufficient, which is an important factor to consider in the event of a global crisis. So there you have it, now you can go live your best apocalypse life in the middle of nowhere!"
