Chip Mystery: The Case of the Purloined Pin

#microcontrollers #parts #bond #bug #ch32v003 #design #miso #mosi #riscv #sck #sop16 #spi #hackaday
posted by pod_feeder_v2

Chip Mystery: The Case Of The Purloined Pin

Let’s face it — electronics are hard. Difficult concepts, tiny parts, inscrutable datasheets, and a hundred other factors make it easy to screw up in new and exciting ways. Sometimes th…

#CVE-2024-20356: #Jailbreaking a #Cisco appliance to run #DOOM

In this adventure, the Cisco #C195 device family was jailbroken in order to run unintended code. This includes the discovery of a vulnerability in the #CIMC body management controller which affects a range of different devices, whereby an authenticated high privilege user can obtain underlying root access to the server’s #BMC (CVE-2024-20356) which in itself has high-level access to various other components in the system. The end goal was to run DOOM – if a smart fridge can do it, why not Cisco?

source: https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/

#software #security #bug #network #game #news #vulnerability #exploit #hack #hacker

CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM

The Cisco C195 is a Cisco Email Security Appliance device. Its role is to act as an SMTP gateway on your network perimeter. This device (and the full range of appliance devices) is heavily locked down and prevents unauthorised code from...

#hacker #hack #quote #meme #memes #matrix #wisdom #ethics #internet #philosophy #security #cybersecurity #economy #software #bug #computer #cloud #leak #malware

#LLM Agents can Autonomously #Exploit One-day Vulnerabilities

Source: https://arxiv.org/abs/2404.08144

To show this, we collected a dataset of 15 one-day vulnerabilities that include ones categorized as critical severity in the #CVE description. When given the CVE description, GPT-4 is capable of exploiting 87% of these vulnerabilities compared to 0% for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and #Metasploit).

#ai #technology #Software #chatgpt #bug #hack #news #cybersecurity

LLM Agents can Autonomously Exploit One-day Vulnerabilities

LLMs have becoming increasingly powerful, both in their benign and malicious uses. With the increase in capabilities, researchers have been increasingly interested in their ability to exploit cybersecurity vulnerabilities. In particular, recent...

Logiciel "Orphée" médiathèque

#surveillance #vieprivée #fichage #biblio #bibliothécaire #logiciel #médiathèque #privatisation #public #informatique #bureautique

Pour situer depuis un peu plus d'un an j'assure des permanences en tant que bénévole à la médiathèque de mon village de 800 habitants.
Mes collègues et moi bataillons avec cet outil en ligne #coûteux, #labyrinthique, qui fonctionne mal, est lourd, difficile à maîtriser même pour les plus expérimentés d'entre nous. Lorsque qu'il y a un #bug les responsables techniques et commerciaux sont injoignables ..
Quant au respect de la vie privée des #usagers, il y a de quoi être vraiment inquiet.

J'aimerais en discuter sur D* avec d'autres personnes concernées par le problème; comment elles y font face ou pas. Ou si elles ont un avis différent sur ce truc..

#NIST National #Vulnerability #Database Disruption Sees #CVE Enrichment on Hold

Since February 12, 2024, NIST has almost completely stopped enriching software vulnerabilities listed in its National Vulnerability Database (NVD), the world's most widely used software vulnerability database.

Source: https://www.infosecurity-magazine.com/news/nist-vulnerability-database/

#nvd #usa #security #software #problem #exploit #hack #bug #news #cybersecurity

NIST NVD Disruption Sees CVE Enrichment on Hold

Vulnerability data has stopped being added to the most widely used software vulnerability database for over a month, putting organizations at risk – and nobody knows why

#Google don't like C++

Based on this experience we expect that high assurance memory safety can only be achieved via a Secure-by-Design approach centered around comprehensive adoption of languages with rigorous memory safety guarantees. We see no realistic path for an evolution of C++ into a language with rigorous memory safety guarantees that include temporal safety. As a consequence, we are considering a gradual transition of C++ code at Google towards other languages that are memory safe.

Source: https://research.google/pubs/secure-by-design-googles-perspective-on-memory-safety/

#Rust. #Go and #Java will be used.

#software #development #code #language #future #memory #security #bug #exploit #program #news

Hackers exploited #Windows 0-day for 6 months after #Microsoft knew of it

Source: https://arstechnica.com/security/2024/03/hackers-exploited-windows-0-day-for-6-months-after-microsoft-knew-of-it/

Even after Microsoft patched the #vulnerability last month, the company made no mention that the North Korean threat group #Lazarus had been using the vulnerability since at least August to install a stealthy #rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for #malware that had already gained administrative system rights to interact with the Windows #kernel. Lazarus used the vulnerability for just that. Even so, Microsoft has long said that such admin-to-kernel elevations don’t represent the crossing of a security boundary, a possible explanation for the time Microsoft took to fix the vulnerability.

#software #news #security #cybercrime #bug #exploit #0day #fail #economy #problem #politics #hack #Hackers #trust #risk

Hackers exploited Windows 0-day for 6 months after Microsoft knew of it

Technically, Microsoft doesn't consider such bugs vulnerabilities. It patched it anyway.

Was?! 353 GB?! So groß ist die Platte in dem Rechner doch gar nicht… aber weia, habe ich mich erschrocken und nochmal nachgedacht, bevor ich doch auf »j« gedrückt habe. Natürlich gab es kein Problem. Das war »nur« eine falsche Berechnung/Anzeige. | #Bug #Ubuntu #Unbuntu #Debian #Update #Fail

GNOME Is Malicious

So says the MPV (the media player) man page.

I agree. I hate GNOME 3. They also ignore XDG (freedesktop.org) standards.

GNOME is one of the worst offenders, and ignores even the now widely supported idle-inhibit protocol. (This is either due to a combination of malice and incompetence, but since implementing this protocol would only take a few lines of code, it is most likely the former. You will also notice how GNOME advocates react offended whenever their sabotage is pointed out, which indicates either hypocrisy, or even worse ignorance.)\
\
Such incompatible desktop environments (i.e. which ignore standards) typically require using a DBus API. This is ridiculous in several ways. The immediate practical problem is that it would require adding a quite unwieldy dependency for a DBus library, somehow integrating its mainloop into mpv, and other generally unacceptable things.\
\
However, since mpv does not officially support GNOME, this is not much of a problem. If you are one of those miserable users who want to use mpv on GNOME, report a bug on the GNOME issue tracker: https://gitlab.gnome.org/groups/GNOME/-/issues

#gnome #gnome3 #standards #malice #ignorance #screensavers #idle-inhibit #bug #mpv #de #desktop-environment #hypocrisy #sabotage

Haiku UserlandFS SshFS Connection Bug Fixed

#software #bug #haikuos #hrev57554 #sshfs #waddlesplash
posted by pod_feeder_v2

Haiku UserlandFS SshFS Connection Bug Fixed - Desktop On Fire!

A bug in Haiku's UserlandFS sshfs mount has been fixed. The bug was causing applications to freeze when trying to copy or open files from an sshfs share.

Due to insufficient origin validation in all #Mastodon, attackers can impersonate and take over any remote account.

Source: https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw

#security #software #update #bug #problem #microblogging #server #internet #danger #warning

Remote user impersonation and takeover

### Summary Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as...

#Piped #Issue #Issues
Exemple : https://piped.adminforge.de/watch?v=uTrP3escs0s&start=8&end=372
La #vidéo démarre bien à start, mais ne s'arrête pas à end .
The #video starts well at start, but doesn't stop at end .

La page issues : https://github.com/TeamPiped/Piped/issues
Je ne crois pas voir cet item, mais je n'ai peut-être pas assez regardé.... (m'y connais pas trop non plus, pour fouiller dans cette partie)
Si quelqu'un a un compte pour faire remonter le #Bug ?

À noter qu'avec #Invidious, là, la vidéo commence et s'arrête comme demandé.
Exemple : https://yt.artemislena.eu/watch?v=uTrP3escs0s&start=8&end=372

J'en profite pour indiquer que, si sur une page Piped, il pouvait y avoir un lien vers l'URL youtube, ça serait un plus, car ça permet de basculer sur une autre instance Piped ou Invidious facilement, grâce notamment à un #add-on comme #LibRedirect ..
J'dis ça, j'dis rien. :)
Et merci, surtout, à ceux qui ont créé Piped.

Piped

An alternative privacy-friendly YouTube frontend which is efficient by design.

#panne #bug #diaspora-fr.org
je ne vois plus les images et vavatars des autres pods, c.est grave docteur???

Hey, let's use #AI to generate #bug reports and #spam the bug trackers of open source projects ...

The I in #LLM stands for #intelligence

source: https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/

When reports are made to look better and to appear to have a point, it takes a longer time for us to research and eventually discard it. Every #security report has to have a human spend time to look at it and assess what it means.

#curl #openSource #fail #software #troll #problem #time #news #technology #disaster

They are sharing SSH CVE-2023-48795 (Terrapin attack) vulnerable instances found in their IPv4/IPv6 scans

Nearly 11M instances (by unique IP) found vulnerable (~52%).

Background on the #vulnerability: https://terrapin-attack.com

fedivers: https://infosec.exchange/@shadowserver/111691389140858555

#cve #network #internet #security #bug #cyberwar #software #terrapin #attack #danger #administration #update #patch #ssh

A giant crawling #brain: the jaw-dropping world of #termites

source: https://www.theguardian.com/news/2018/sep/18/a-giant-crawling-brain-the-jaw-dropping-world-of-termites

Back in the 1930s, the other Marais didn’t write a #termite #science book, but a book about how humans could understand termites – as a #bug, a #body, a #soul, a force on the #landscape. Looking at termites this way changed how I see the #world, science, the #future and myself.

#nature #environment #knowledge #understanding

Nothing like a #solstice #Postfix #security #bug to brighten your day.

Happy holidays!

https://www.postfix.org/smtp-smuggling.html

#Lazarus Group Is Still Juicing #Log4Shell, Using RATs Written in 'D'

source: https://www.darkreading.com/threat-intelligence/lazarus-group-still-juicing-log4shell-rats-written-d

Two years on and multiple “the sky is falling” headlines later, Veracode reported last week that more than a third (38%) of all in-use applications are still using vulnerable versions of #Log4j.

#software #fail #bug #security #NorthKorea #attack #problem #news #cybersecurity #update #economy

Lazarus Group Is Still Juicing Log4Shell, Using RATs Written in 'D'

The infamous vulnerability may be on the older side at this point, but North Korea's primo APT Lazarus is creating new, unique malware around it at a remarkable clip.

#5Ghoul: Unleashing sChaos on #5G Edge Devices

Source: https://asset-group.github.io/disclosures/5ghoul/

An attacker within radio range can trigger a denial of service (reachable assert) within the #Qualcomm’s X55/X60 #modem #firmware by means of sending invalid downlink MAC frame to the target 5G UE (e.g., #smartphone) from a nearby malicious gNB.

#mobile #network #attack #news #vulnerability #danger #dos #communication #software #bug