tedu

joined 1 year ago
[–] tedu@azorius.net 24 points 5 months ago (1 children)

We're all trying to figure out where these headlines came from. The stable channel with all the fixes does not (at this time) bundle the warning. How is that users have become confused and believe the dev channel is the only way to get security fixes?

[–] tedu@azorius.net 2 points 5 months ago

I don't know why you'd jump to the dev channel, though. Just apply the stable channel update.

[–] tedu@azorius.net 97 points 5 months ago (18 children)

I'm going to go way out on a limb here and guess nothing will happen if I do neither.

[–] tedu@azorius.net -5 points 5 months ago

Thoughts and prayers for scarjo.

[–] tedu@azorius.net -3 points 5 months ago (2 children)

People are concerned about non issues all the time.

[–] tedu@azorius.net 8 points 5 months ago (1 children)

Should have gone with Barclay as Kovitch.

[–] tedu@azorius.net 6 points 5 months ago

I'm sure it still works in photoshop or whatever, just not the windows stuff.

[–] tedu@azorius.net 2 points 5 months ago

Because it comes from a laptop with rounded corners on the top of the lid and a flat hinge on the bottom.

[–] tedu@azorius.net 23 points 5 months ago (8 children)

What critical information are people putting in the six missing pixels?

[–] tedu@azorius.net 35 points 5 months ago (2 children)

Now people want recall?

[–] tedu@azorius.net 27 points 5 months ago (6 children)

It's so weird.

Due to the fact that Facebook has chosen to involve software that will allow the theft of my personal information, I do declare the following: on this day, 30th November 2014, in response to the new Facebook guidelines and under articles L.111, 112 and 113 of the code of intellectual property, I declare that my rights are attached to all my personal data, drawings, paintings, photos, texts etc... published on my profile since the day I opened my account. For commercial use of the foregoing my written consent is required at all times. Those reading this text can copy it and paste it on their Facebook wall. This will allow them to place themselves under the protection of copyright. By this release, I tell Facebook that it is strictly forbidden to disclose, copy, distribute, broadcast, or to take any other action against me on the basis of this profile and/or its contents. The actions mentioned above apply equally to employees, students, agents and/or other staff under the direction of Facebook. The contents of my profile include private information. The violation of my privacy is punished by the law (UCC 1 1-308 - 308 1 -103 and the Rome Statute). Facebook is now an open capital entity. All members are invited to post a notice of this kind, or if you prefer, you can copy and paste this version. If you have not published this statement at least once, you will tacitly allow the use of elements such as your photos as well as the information contained in your profile update. Do not share. Just copy on paste on your wall.

32
DIY Espresso (www.fourbardesign.com)
 

High pressure, high forces, long lever arms...all of that meant heavy and strong (read: expensive) parts which I was not looking forward to having to fabricate. Instead, I settled on the simpler idea of harnessing the power of compressed gas. Instead of using a high mechanical advantage lever to push a piston, compressed CO2 would be dispensed from a small and inexpensive 12g or 16g cartridge which would then generate the requisite pressure to properly extract espresso. This concept is not actually novel; both an unsuccessful kickstarter and a now-defunct handheld espresso maker (with a fanatical user base) employed this mechanism.

 

It was obvious already before that NVD really does not try very hard to actually understand or figure out the problem they grade. In this case it is quite impossible for me to understand how they could come up with this severity level. It’s like they saw “integer overflow” and figure that wow, yeah that is the most horrible flaw we can imagine, but clearly nobody at NVD engaged their brains nor looked at the “vulnerable” code or the patch that fixed the bug. Anyone that looks can see that this is not a security problem.

 

The vulnerability should be obvious: at some point in the boot process, the VMK transits unencrypted between the TPM and the CPU. This means that it can be captured and used to decrypt the disk.

 

The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.

RARLAB released WinRAR version 6.23 on August 2nd, 2023, effectively addressing CVE-2023-40477.

https://www.zerodayinitiative.com/advisories/ZDI-23-1152/

 

Espresso coffee is among the most consumed beverages in the world. Recent studies report a protective activity of the coffee beverage against neurodegenerative disorders such as Alzheimer′s disease. Alzheimer′s disease belongs to a group of disorders, called tauopathies, which are characterized by the intraneuronal accumulation of the microtubule-associated protein tau in fibrillar aggregates. In this work, we characterized by NMR the molecular composition of the espresso coffee extract and identified its main components. We then demonstrated with in vitro and in cell experiments that the whole coffee extract, caffeine, and genistein have biological properties in preventing aggregation, condensation, and seeding activity of the repeat region of tau. We also identified a set of coffee compounds capable of binding to preformed tau fibrils. These results add insights into the neuroprotective potential of espresso coffee and suggest candidate molecular scaffolds for designing therapies targeting monomeric or fibrillized forms of tau.

In vitro results, take with a grain of salt or shot of espresso.

7
Summary: MTE As Implemented (googleprojectzero.blogspot.com)
 

MTE = Memory Tagging Extension

In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the context of preventing the exploitation of memory-safety vulnerabilities.

Despite its limitations, MTE is still by far the most promising path forward for improving C/C++ software security in 2023. The ability of MTE to detect memory corruption exploitation at the first dangerous access provides a significant improvement in diagnostic and potential security effectiveness. In comparison, most other proposed approaches rely on blocking later stages in the exploitation process, for example various hardware-assisted CFI approaches which aim to block invalid control-flow transfers.

Implementation Testing

Mitigation Case Studies

The Kernel

 

41 in-the-wild 0-days were detected and disclosed in 2022, the second-most ever recorded since we began tracking in mid-2014, but down from the 69 detected in 2021. Although a 40% drop might seem like a clear-cut win for improving security, the reality is more complicated.

 

Yael Tauman Kalai’s breakthroughs secure the digital world, from cloud computing to our quantum future.

My master’s thesis was titled “How to Leak a Secret.” Here’s the problem: We know how to digitally sign — to say, “This is me that wrote this message.” But say I want to sign something as an MIT professor, but I don’t want people to know it’s me? That way the secret does hold some water because you know an MIT professor signed it, but you don’t know who.

We solved this with something we called ring signatures, which were inspired by a notion in computer science called witness-indistinguishable proofs. Let’s say there’s a statement and two different ways to prove it. We say there’s two “witnesses” to the statement being correct — each of the proofs. A witness-indistinguishable proof looks the same no matter which you use: It hides which witness you started with.

view more: next ›