modrobert boosted

Someone has compromised a bunch of Minecraft plugin developer accounts, and has injected info-stealing malware into a number of widely used plugins for the game. Apparently, this is widespread enough that some involved in the investigation are urging people to just stay off Minecraft for now. Also, it sounds like they need some help.

More info:

prismlauncher.org/news/cf-comp

More structured breakdown:

hackmd.io/B46EYzKXSfWSF35DeCZz

h/t @MrNuclearMonster

modrobert boosted

Good morning. You look like you could use a little therapy today.

(P.S. If you get a good one, post it below.)

theoatmeal.com/pages/horrible_

modrobert boosted

The EU Council is continuing to debate a law that would require communication providers to scan all communications, potentially including end-to-end encrypted conversations. And they are now debating including audio conversations as well.

modrobert boosted

I don't have much spare time, so I decided to publish the PoC of my project to get shells on a variety of archs/os like openbsd-sparc64, linux-ppc32, ...

github.com/trufae/quemoo

It's a PoC, but it works, and it's easy to contribute and extend. I thought about rewriting it in another language like V and providing static binaries, but I guess just refactoring the makefile should be enough for 99% of the people.

Feel free to check it out and add more images and qemu oneliners to handle every single arch of your favourite unix flavour!

modrobert boosted

Initial support for SM5xx 4-bit MCUs has been added on git! This is the second 4-bit architecture supported in #radare2 (after Intel 4004) and it's the brain behind the nostalgic Game&Watch handheld electronic games, but also shipped in some calculators. TM1000 could be another interesting architecture to support in case anyone is in the retro field. Disassembler code was massaged from MAME and it supports a bunch of sub-models too!

"Fully on-chip photonic turnkey quantum source for entangled qubit/qudit state generation"
nature.com/articles/s41566-023

modrobert boosted

What's worse?

modrobert boosted

I don't know if this is a controversial opinion, but I will state it anyway:

I believe that the CVE system has some serious deficiencies. In particular, using the same system for both user-facing products and third-party libraries is problematic to the point of actually reducing overall security in the industry.

Let me give an example: Let's say you run a self-hosted piece of server-software written in Java. Let's call the product "Foo". You use something like Sonatype to monitor vulnerabilities in the software you use.

You happily run Foo for a few months and CVE-2023-0001 is reported on product Foo with a CVSS score of 9.9. In this case the system works great because you can now patch Foo as soon as possible, and in the meantime you can look at the remediation procedure documented in the CVE report to determine how much of a hurry you are in.

But that's unfortunately not what happens. What you are actually going to see is hundreds of vulnerabilities of varying severity reported not just on Foo as a product, but on every single third-party library that the product Foo happens to use.

Let's say that Foo generates SVG from a template and then uses a library to convert said SVG into images before sending them to the client (never mind that seems like a stupid solution, just go with it). And then a CVSS 10.0 appears because there is an RCE when passing specially crafted SVG data to the library.

Now you have Sonatype reporting that you have a severity 10 issue with the workaround stating "upgrade this library". This information would be useful for the developer of Foo, but not for the user.

In fact, the developer may already have investigated this and downgraded the score since the library is never used to process untrusted input.

What this means is that as a user of some piece of software you will feel a lot of pressure internally to pursue CVE reports that are in fact not relevant, but since it shows up in your scan you have an obligation to do this, and check with the vendor to ask about the root cause of these results. This takes time and energy away from your real job: To keep your infrastructure secure.

I lay the blame for this happening squarely on the bad organisation of the CVE database, and I really wish there was a better way. Unfortunately right now it's all we have.

#cve #infosec #cvss

modrobert boosted
not visible: the glitching mosfet

firstly because I don't want Nintendo to DMCA me, and secondly because my soldering was really bad and I knocked one of the caps off...
modrobert boosted

💥 radare2-5.8.4 is out! and it comes with some exciting changes, read this thread to learn about it!

github.com/radareorg/radare2/r

modrobert boosted
Qoto Mastodon
