cstross , to random
@cstross@wandering.shop avatar

Apple wouldn't be doing this—at considerable expense—if they didn't consider such attacks to be plausible within the relevant lifetime of currently intercepted and retained messages (i.e. not necessarily today, but within the statute of limitations of any crime you might be confessing to in an iMessage).

https://www.theverge.com/2024/2/21/24079081/apple-imessage-pq3-post-quantum-cryptography

francoisknyc ,
@francoisknyc@masto.ai avatar

@cstross Agreed with the general premise, but a part of the justification might also be that they can then use this as a marketing , that their systems are so much more secure than the competition, ahead of anyone else, and in line with the image they're trying to cultivate that people on iPhones don't get hit by viruses or trojans? being everything these days it seems.

Mencjusz , to politicalscience
@Mencjusz@sciences.social avatar

A reminder about tomorrow!

Homeward Bound: Navigating and of Returnees from

https://sta-uwi-edu.zoom.us/webinar/register/WN_KRCma3OdRyGi2zk0J3F4vw#/registration

2-4 pm AST /9-11 pm Damascus, Syria/ 7-9 pm Stockholm, Sweden/ 1-3 pm: New York City / 6-8 pm London, UK.

@politicalscience @criminology @humanrights @humanrightswatch


helma , to random
@helma@mastodon.social avatar

Bouncing with excitement that my proposal for a talk at @geant Security Days for the educational sector in Prague, April 2024 was accepted. I will attend with other @SURF colleagues.
It will be my first international podium in and I hope to inspire CISMs and SecOps professionals of other NRENs. 🤨🤓

Linux_Is_Best , (edited ) to random
@Linux_Is_Best@mstdn.social avatar

⚠️ Mastodon 3.5.x and Mastodon 4.0.x are END OF LIFE. ⚠️

It is strongly recommended you upgrade to Mastodon 4.2.x (or newer, depending on when you see this).

Source: https://github.com/mastodon/mastodon/releases

BaumGeist , (edited ) to opensource in Nginx gets forked by core developer

For the record I agree with @fernandofig, but I also want to add that a DoS is not necessarily a security risk. If it can be leveraged to expose sensitive information, then yes, that's a vulnerability; this isn't that.

Digging into the CVEs:

CVE-2024-24989:

Advisory Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. (CVE-2024-24989)

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3.

Traffic is disrupted while the NGINX process restarts. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) on the NGINX system. There is no control plane exposure; this is a data plane issue only.

CVE-2024-24990 basically says the same.

Some choice clauses:

undisclosed requests can cause NGINX worker processes to terminate

Traffic is disrupted while the NGINX process restarts.

So it doesn't take down the server nor the parent process, it kills some threads which then... restart.

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental

I was able to find that the affected versions:

NGINX Plus R30 P2 and R31 P1
Open source subscription R5 P2 and R6 P1
Open source mainline version 1.25.4

but most importantly:

The latest NGINX Open source stable version 1.24.0 is not affected.

And saving me the hassle of linking and quoting all 5 of the version history pages for the affected products, the uniting factor is: they're all based on Open Source versions 1.25.*

None of them are using the latest stable version.

It's not even going to affect most sites, and definitely not ones for whom downtime is a major issue: they would not be using the non-stable version, much less enabling experimental features in a non-stable version.

But the part that irks me the most is the dilution of what a CVE is. Back in the day, it meant "something that can lead to security breaches," now it just seems to mean "hey guys, I found a bug." And that's bad because now you have one of two outcomes: 1. unnecessarily panicking users by leading them to believe their software is a security risk when it isn't, or 2. compromising the integrity and usability of CVE reports by drowning the important ones in waves of "look guys, the program crashes when I can leverage root privileges to send it SIGKILL!"

If this was just a bug hunter trying to get paid, that's one thing, but these were internally assigned and disclosed. This was an inside job. And they either ignored or never consulted the actual experts, the ones they have within their own staff: the devs.

Why? To what end? Did they feel left out, what with not having any CVEs since 2022? Does this play some internal political struggle chess move? Do they just hate the idea of clear and unambiguous communication of major security holes to the general public? Are they trying to disrupt their own users' faith in their paid products? Does someone actually think a DoS is the worst thing that can happen? Is there an upper level manager running their own 1.25 instance that needs this fixed out-of-band?

It's just all so asinine.
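To make the comment's version and precondition argument checkable on a real host, here is an added triage script (not from the thread and not NGINX's own tooling). It reads the version and build flags from `nginx -V` output, checks whether any `listen` directive actually turns QUIC on, maps the result onto the version facts quoted above (1.24.x stable not affected; 1.25.x only with the HTTP/3 QUIC module in use), and scans error-log lines for the "worker process exited" events the advisory describes, flagging a burst of restarts. All inputs below are constructed for the example; the `nginx -V` field names, the `--with-http_v3_module` flag, the `listen ... quic` syntax and the error-log wording are the real ones.

```javascript
// Added example, not from the thread or from NGINX: triage one host against
// the advisory profile quoted above (mainline 1.25.x with the HTTP/3 QUIC
// module both compiled in and enabled by a `listen ... quic` directive) and
// scan error-log lines for the worker-process exits the advisory describes.
// All sample inputs below are constructed; the field names follow what
// `nginx -V` and the nginx error log actually emit.

const NGINX_V_OUTPUT = `nginx version: nginx/1.25.4
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-http_v3_module`;

const NGINX_CONF = `server {
    listen 443 ssl;
    listen 443 quic reuseport;
    http2 on;
    add_header Alt-Svc 'h3=":443"; ma=86400';
}`;

const ERROR_LOG = `2024/02/15 10:00:01 [notice] 1234#1234: using the "epoll" event method
2024/02/15 10:03:12 [alert] 1234#1234: worker process 5678 exited on signal 11
2024/02/15 10:03:12 [notice] 1234#1234: start worker process 5690
2024/02/15 10:03:40 [alert] 1234#1234: worker process 5690 exited on signal 11 (core dumped)
2024/02/15 10:03:40 [notice] 1234#1234: start worker process 5701`;

// Pull the version triple and the HTTP/3 build flag out of `nginx -V` output.
function parseNginxV(text) {
  const v = /nginx version: nginx\/(\d+)\.(\d+)\.(\d+)/.exec(text);
  const args = (/configure arguments: (.*)/.exec(text) || [])[1] || '';
  return {
    version: v ? v.slice(1, 4).map(Number) : null,
    http3Compiled: /(^|\s)--with-http_v3_module(\s|$)/.test(args),
  };
}

// Every `listen` directive carrying the `quic` parameter (what "configured
// to use the HTTP/3 QUIC module" means in practice).
function quicListeners(conf) {
  return conf.split('\n')
    .map((l) => l.trim())
    .filter((l) => /^listen\s+[^;]*\bquic\b/.test(l));
}

// Map build + config onto the version facts stated in the thread.
function classify(build, conf) {
  if (!build.version) return { status: 'unknown', reason: 'could not parse version' };
  const [major, minor] = build.version;
  const quicEnabled = build.http3Compiled && quicListeners(conf).length > 0;
  if (major === 1 && minor === 24) {
    return { status: 'not-affected', reason: 'stable 1.24.x is listed as not affected' };
  }
  if (major === 1 && minor === 25) {
    return quicEnabled
      ? { status: 'affected-profile', reason: 'mainline 1.25.x with HTTP/3 QUIC enabled' }
      : { status: 'precondition-not-met', reason: 'mainline 1.25.x, but QUIC is not enabled' };
  }
  return { status: 'unknown', reason: 'version line not covered by the quoted advisory' };
}

// Worker exits as nginx logs them: "worker process <pid> exited on signal <n>".
function workerCrashes(log) {
  const re = /^(\S+ \S+) \[alert\] \d+#\d+: worker process (\d+) exited on signal (\d+)/;
  const hits = [];
  for (const line of log.split('\n')) {
    const m = re.exec(line);
    if (m) hits.push({ time: m[1], pid: Number(m[2]), signal: Number(m[3]) });
  }
  return hits;
}

// True when `threshold` or more worker exits fall inside any `windowSeconds`
// span: the restart churn that turns "workers restart" into visible disruption.
function crashBurst(hits, windowSeconds, threshold) {
  const ts = hits.map((h) => Date.parse(h.time.replace(/\//g, '-').replace(' ', 'T')));
  for (let i = 0; i < ts.length; i++) {
    let n = 0;
    for (let j = i; j < ts.length && ts[j] - ts[i] <= windowSeconds * 1000; j++) n++;
    if (n >= threshold) return true;
  }
  return false;
}

const build = parseNginxV(NGINX_V_OUTPUT);
console.log(classify(build, NGINX_CONF));
console.log(workerCrashes(ERROR_LOG), 'burst:', crashBurst(workerCrashes(ERROR_LOG), 60, 2));
```

Feed it the real `nginx -V` output (note: capital V, which prints the configure arguments) and the live error log, and the two questions the comment raises are answered mechanically: is this build even in the affected line with QUIC turned on, and are workers actually dying and restarting. The signal number in the constructed log is made up; the advisory only says workers terminate.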

Linux_Is_Best , to random
@Linux_Is_Best@mstdn.social avatar

2-step verification on Mastodon

  1. Open a web browser

  2. YOUR Instance /settings/two_factor_authentication_methods

This is how you keep your account safe and secure. Because an A.I. can guess your password.

Linux_Is_Best OP ,
@Linux_Is_Best@mstdn.social avatar

After you enable 2-Step verification

  1. Change your password

YOUR Instance /auth/edit

  2. Revoke your previous sessions, apps, and logins

YOUR instance /oauth/authorized_applications

  3. Generate and safely store some recovery keys

This is useful if you lose your 2-step method.

Your Instance /settings/two_factor_authentication_methods

BaselOne , to random German
@BaselOne@mastodon.social avatar

The takes place on 16/17 October 2024. Would you like to share your expert knowledge with other software developers? Then don't hesitate and submit your proposals together with a short bio by 1 April 2024 at https://sessionize.com/baselone-2024/. We look forward to submissions for talks and workshops on almost all topics of , e.g. , , , , , , and much more. Further information on the at https://baselone.ch/baselone24-cfp/

rwhitisissle , to programmerhumor in Single-Page Application

HTMX enables arbitrary invocation of ANY api endpoint with cookies included, through html attributes, which inherently can’t be covered by Content Security Policy

I want you to please explain how HTMX bypasses the Content Security Policy connect-src directive, or any -src directive, for that matter, assuming it is specified (which it should be). Because I'm genuinely curious why the HTMX dev team would include a section on CSP in their docs if it did literally nothing, as you say.

Actually, as an even more basic question... you do know that HTMX is literally just an AJAX library, right? It doesn't actually "do" anything via HTML attributes. The additional HTMX attributes, like hx-get, hx-post, etc. just tell HTMX where and how to make the API requests. These requests are executed by the browser's native fetch or XMLHttpRequest APIs, depending on compatibility and implementation. Therefore, HTMX is subject to the same security constraints and policies as any other JavaScript-based operation that makes HTTP requests. Which also, by definition, means that it adheres to the Content Security Policy directives configured for that website.

In other words, an HTML button element with hx-get="https://www.some-endpoint.com/" on it would eventually translate into

const xhr = new XMLHttpRequest();
xhr.open("GET", "https://www.some-endpoint.com/");
xhr.send();

on click.

You do understand that, right?
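The claim above is mechanical enough to check offline. The following is an added example, not from the thread and not HTMX's own code: a simplified implementation of the CSP3 source-expression matching rules that takes a page's Content-Security-Policy header, the page origin and the value of an hx-get attribute, resolves the URL the way the browser would before handing it to XMLHttpRequest, and reports whether connect-src (or default-src as its fallback) lets the request through. It covers 'self', 'none', scheme-sources, host-sources with wildcard hosts, ports and path prefixes; the policy, origin and hx-get targets are constructed (except the some-endpoint.com URL quoted from the comment). It models browser enforcement for reasoning and testing; the browser itself remains the authority.

```javascript
// Added example, not from the thread and not HTMX's own code: a simplified
// CSP3 source-expression matcher. Given the page's Content-Security-Policy,
// the page origin and an hx-get value, it decides whether the XHR/fetch the
// browser would issue passes connect-src (falling back to default-src).
// Covered: 'self', 'none', scheme-source (https:), host-source with wildcard
// host, explicit/wildcard port and path prefix. Policy, origin and hx-get
// values below are constructed for the example.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "directive sources; directive sources" -> Map(name -> [sources]); the
// first occurrence of a directive wins, as in the spec.
function parsePolicy(header) {
  const directives = new Map();
  for (const token of header.split(';')) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Host pattern: exact, "*" or "*.example" (which needs at least one more label).
function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression match an absolute URL for a page at pageOrigin?
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return u.origin === pageOrigin;
  if (lower.startsWith("'")) return false; // nonces, hashes, other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return u.protocol === lower; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, hostPattern, portPattern, pathPrefix] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  if (scheme) {
    if (u.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (u.protocol !== pageScheme && !(pageScheme === 'http:' && u.protocol === 'https:')) {
    return false; // no scheme in the expression: the page's scheme applies (http may upgrade)
  }
  if (!hostMatches(hostPattern, u.hostname)) return false;
  const urlPort = u.port || DEFAULT_PORT[u.protocol] || '';
  if (portPattern === undefined) {
    if (urlPort !== (DEFAULT_PORT[u.protocol] || '')) return false;
  } else if (portPattern !== '*' && portPattern !== urlPort) {
    return false;
  }
  if (pathPrefix) {
    // A trailing slash means prefix match; otherwise the path must be exact.
    const ok = pathPrefix.endsWith('/') ? u.pathname.startsWith(pathPrefix) : u.pathname === pathPrefix;
    if (!ok) return false;
  }
  return true;
}

// connect-src governs XHR/fetch; if absent default-src applies; if that is
// absent too the policy places no restriction on connections.
function connectAllowed(header, url, pageOrigin) {
  const directives = parsePolicy(header);
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// The hx-get value may be relative; resolve it against the page exactly as
// the browser does before the request reaches XMLHttpRequest.
function hxGetAllowed(header, hxGetValue, pageOrigin) {
  return connectAllowed(header, new URL(hxGetValue, pageOrigin).href, pageOrigin);
}

const PAGE_ORIGIN = 'https://app.example';
const POLICY = "default-src 'self'; connect-src 'self' https://api.example:443/v1/ https://*.cdn.example";

for (const target of ['/messages', 'https://api.example/v1/users', 'https://www.some-endpoint.com/']) {
  console.log(`hx-get="${target}" ->`, hxGetAllowed(POLICY, target, PAGE_ORIGIN) ? 'allowed' : 'blocked');
}
```

With the constructed policy, the relative `/messages` and the `/v1/` path on the API host pass, while `https://www.some-endpoint.com/` is blocked, which is exactly what happens to the equivalent hand-written XMLHttpRequest: the attribute changes nothing about which directive applies.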

heisec , to random German
@heisec@social.heise.de avatar

QNAP: New firmware versions fix command injection vulnerability

Among other things, attackers could remotely inject their own commands on the devices. Admins should patch promptly.

https://www.heise.de/news/QNAP-Neue-Firmware-Versionen-beheben-Sicherheitsluecken-9617332.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege

appassionato , to bookstodon
@appassionato@mastodon.social avatar

Bombs and Bandwidth: The Emerging Relationship Between Information Technology and Security

Bombs and Bandwidth, a project of the Social Science Research Council, assembles leading scholars in a range of disciplines to explore the new nature of IT-related threats, the new power structures emerging around IT, and the ethical and political implications arising from this complex and important field.

@bookstodon



appassionato , to bookstodon
@appassionato@mastodon.social avatar

Learning From the Octopus: How Secrets From Nature Can Help Us Fight Terrorist Attacks, Natural Disasters, and Disease

Sagarin argues that we can learn from observing how nature is organized, how organisms learn, how they create partnerships, and how life continually diversifies on this unpredictable planet.

@bookstodon





davidrypel , to geography
@davidrypel@sciences.social avatar

Looking for Everyday Security: A Cross-Disciplinary Workshop (19 April)

Deadline: 12 February

This workshop aims to gather from various fields who study or related phenomena in everyday life. It will provide an opportunity for participants to share and reflect on their work, and explore how cross-disciplinary exchanges could enhance research on the topic.

https://www.ucl.ac.uk/institute-of-advanced-studies/news/2024/jan/cfp-looking-everyday-security-cross-disciplinary-workshop

@anthropology @sociology @geography @politicalscience @psychology

amitdoshi , to random
@amitdoshi@infosec.exchange avatar

Is really that stressful?

From the constant threat of cyber-attacks, it's no wonder the stress levels are skyrocketing.

To all the warriors out there, how do you manage your stress?

Share your tips!

https://myturn.careers/blog/is-cybersecurity-stressful/

usul , to random French
@usul@piaille.fr avatar

Coming to fosdem this year? You use ? Want to sign your key? Good news, I'm organizing a key signing party (https://en.wikipedia.org/wiki/Key_signing_party).

Details are at https://ludovic.hirlimann.net/2024/01/key-signing-party-at-fosdem-2024.html

Please boost or share, so people come and attend.

majorlinux , to random
@majorlinux@toot.majorshouse.com avatar

I wonder how hard this will hit 2FA usage going forward.

Authy to sunset desktop apps - Desk Chair Analysts

https://dcanalysts.net/authy-to-sunset-desktop-apps/

nixCraft , to random
@nixCraft@mastodon.social avatar

This wrench can get infected by ransomware. DRILLCRYPT, to be precise.

Essential for precision manufacturing, the Bosch device can be exploited with no authentication, disrupting an entire factory floor.

Torque values can be subtly changed to cause chaos in an assembly line.

23 vulnerabilities were discovered by researchers at Nozomi, which malicious actors can form into an attack chain resulting in production line stoppage. https://x.com/lauriewired/status/1744770156205850809?s=46

stahlbrandt ,
@stahlbrandt@infosec.exchange avatar

@nixCraft The very same Bosch Group is capable of producing advanced security systems, video surveillance, intrusion detection, central alarm control panels, realtime systems for automotive and much, much more. The size and number of companies acquired over the years seemingly do not always lead to the pollination one hopes for.

stefing , to random
@stefing@mastodon.world avatar

"The Gmail confidential mode for emails is neither secure nor private. At its best, it is a fun feature to help your recipient achieve inbox zero. At its worst, it is a privacy-intrusive feature that does not achieve true confidentiality. In fact, for sending a confidential and secure email, end-to-end encryption is a minimum requirement, and Gmail has long abandoned this approach."

@Tutanota

https://tuta.com/blog/gmail-privacy-problem

Mencjusz , to politicalscience
@Mencjusz@sciences.social avatar

Earlier in December, together with my former student, we published an article Assessing the Responsiveness of the Public Health Agency (CARPHA) and the Government of : The and Outbreaks.

It is an explorative small sample size that, hopefully, one day will be expanded into cross-national comparison.

Link:
https://www.researchgate.net/publication/376296597_Assessing_the_Health_Security_Responsiveness_of_the_Caribbean_Public_Health_Agency_CARPHA_and_the_Government_of_Trinidad_and_Tobago_The_Zika_and_COVID-19_Outbreaks

@politicalscience

jaseg , to random
@jaseg@chaos.social avatar

Wow this is bad. Some Italian researchers decided there wasn't enough anti-right-to-repair hardware in the world already, and developed a way to physically profile and recognize individual battery cells that can be combined with classic DRM technologies to prevent non-OEM battery cells from working inside a device, even if the classic DRM portion is circumvented. Whyyyyyy?!

https://dl.acm.org/doi/pdf/10.1145/3576915.3623179

SirTapTap , to random
@SirTapTap@mastodon.social avatar

we call him Forky for short

ThatOneKirbyMain2568 , to fediverse
@ThatOneKirbyMain2568@kbin.social avatar

I've noticed that a lot of people on the aren't particularly welcoming to those who don't initially get it or have trouble with it. You'd think that if multiple people say they have trouble picking an instance, it might be a genuine barrier to entry that we need to consider when introducing them to the fediverse. But no, instead of suggesting an instance to get rid of that barrier everyone gives unhelpful advice like "just pick one" or "it's not that hard." We'd have a much easier time getting people on the fediverse if there weren't so many people with this attitude of "the fediverse is simple, and the people who don't get it are lazy and should try harder."

ContentConsumer9999 ,

@carturo222 As far as I know that's a Mastodon feature. Probably because it could cause some massive issues.
