TIL: Some surprising code execution sources in bash
https://yossarian.net/til/post/some-surprising-code-execution-sources-in-bash
Redmond business leaders line up to say what’s new in #Windows #security.
#Microsoft vice presidents David “dwizzzle” Weston (pictured) and Pavan Davuluri (errm, not) are among the anointed ones making noise this week. They’re telling all—about preventing a repeat of July’s #CrowdStrike débâcle.
#MicrosoftIgnite 2024 is their nexus of (ahem) “learnings.” In #SBBlogwatch, we hunker down in the windy city. At @TechstrongGroup’s @SecurityBlvd: https://securityboulevard.com/2024/11/microsoft-ignite-2024-security-crowdstrike-richixbw/?utm_source=richisoc&utm_medium=social&utm_content=richisoc&utm_campaign=richisoc
Running the final Privacy Fundamentals class for the year, tomorrow.
Who is this for?
This class is designed for you, the non-techie, also for activists, advocates, privacy enthusiasts, OSINT beginners concerned about their digital footprint. A good refresh for seasoned professionals too.
What's included:
- Understanding & evaluating digital risk
- Account security
- Device security & safety
- Safer online searches
- Secure Communications
- Online abuse & protecting your data
Class will be recorded.
"Are we PEP 740 yet?" now has a new category, colored in magenta, for top projects that come from source repos that PyPI doesn't support for attestations (yet!)
This will hopefully ameliorate some of the social pressure/confusion that people have (very reasonably!) expressed around the previous render: if a project is colored in magenta, that means PyPI doesn't support attestations (yet) from that host and thus the project can't reasonably be asked to support them itself.
And note: if you're a supply chain person who nags *any* project to enable attestations just because you want a little green checkbox on your VC-funded CRUD dashboard, I *will* find you and shame you.
Let's Encrypt is 10 years old today!
Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). Huge thanks to everyone involved in making HTTPS available to everyone for free
Oh, that's provocative: this blog article says:
- Don't use #PGP / #GPG
- Don't use #XMPP + OMEMO
- Don't use #Matrix (in the sense: don't rely on its encryption)
- Encrypting e-mails is pointless
I don't know the author and wouldn't mention him if the article weren't being cited in serious ITSec newsletters
Please spread this as much as possible https://themarkup.org/the-breakdown/2024/11/14/privacy-guide-go-incognito - I'd actually go even further and suggest to stop using ANY services located in USA (such as GMail, Facebook, Instagram etc.).
Overall, the fact that we even speak about this in 2024 shows the state of the United States. I'm not talking about the content here, but the fact that in the USA women need a significant level of secrecy, as if they're whistleblowers
@trailofbits the PyPI blog also contains an official announcement, which has more user-facing information:
https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/
i'm really excited to share the work my team at @trailofbits has been doing for the last year: Sigstore-based attestations are now live and generally available on PyPI!
if you're already using Trusted Publishing with the canonical pypi-publish action, you don't need to change anything: the action will generate and upload an attestation on your behalf.
we've written a blog post on some of the technical details behind PyPI's attestation features, including Sigstore and PEP 740, here: https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/
hot off #KubeCon: cert-manager has been approved for CNCF graduation!
86% of new #kubernetes production clusters are deployed with cert-manager as standard practice!
Congrats to Jetstack (now Venafi, CyberArk) and all the maintainers and contributors
Read the Cloud Native Computing Foundation ( #cncf ) announcement for more details:
https://www.cncf.io/announcements/2024/11/12/cloud-native-computing-foundation-announces-cert-manager-graduation/
I've seen a number of toots today advising people against scanning random #QRCodes because they can be used in a number of malicious ways.
There are a number of legitimate ways people can use such codes to trick others, and it can require some deeper understanding of how systems work to avoid them. For that reason, I'm not going to contradict that recommendation, but I will add to it.
QR codes are usually just URLs encoded in a visual, machine-readable form, so they aren't necessarily more dangerous than a link. The danger comes from the fact that most scanner apps will directly open whatever URL you scan without giving you the opportunity to consider whether that's a good idea.
You can reduce the risk of scanning such codes by installing a better app which requires manual interaction to open URLs after decoding them.
For android users I recommend "BinaryEye", since it's open-source, ad-free, and has a bunch of other useful features.
Its github page links to both F-Droid and the play store:
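As an added example (not code from the original post or from BinaryEye), here is a small Python classifier showing the "require manual interaction before opening" behaviour the toot recommends: it parses decoded QR content, flags payloads that would do more than load a web page, and only hands a URL over after an explicit confirmation. The scheme list, the heuristics and the sample payloads are my assumptions.

```python
from urllib.parse import urlsplit

# Schemes a scanner app might otherwise hand straight to the OS (assumed list);
# anything else is treated as plain text and never launched.
OPENABLE_SCHEMES = {"http", "https", "tel", "sms", "mailto", "geo", "wifi", "intent", "market"}


def inspect_qr_payload(payload: str) -> dict:
    """Classify decoded QR content WITHOUT opening it.

    Returns a preview (scheme, host, notes) that the user must look at
    before anything is launched. Hypothetical helper for illustration.
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in OPENABLE_SCHEMES:
        # Not something we would ever auto-open: show it as text.
        return {"kind": "text", "scheme": None, "host": None, "preview": text, "notes": []}

    host = parts.hostname or ""
    notes = []
    if scheme not in ("http", "https"):
        # tel:/sms:/intent: payloads can place a call, send a message or start an app.
        notes.append(f"non-web scheme '{scheme}' may trigger a call, SMS or app launch")
    if parts.username or parts.password:
        # "https://bank.example@evil.example/" shows 'bank.example' but goes to 'evil.example'.
        notes.append("credentials embedded before the host; the real host is " + host)
    if host.startswith("xn--") or ".xn--" in host:
        notes.append("internationalized (punycode) host; check the spelling carefully")
    return {"kind": "url", "scheme": scheme, "host": host, "preview": text, "notes": notes}


def open_if_confirmed(payload: str, user_confirmed: bool):
    """Return the URL to launch only after the user has seen the preview and confirmed.

    Returning None means "do nothing", which is the default for every payload.
    """
    info = inspect_qr_payload(payload)
    if info["kind"] == "url" and user_confirmed:
        return info["preview"]
    return None


if __name__ == "__main__":
    # Constructed sample payloads, not real scans.
    for sample in ("https://example.org/menu", "tel:+15555550100",
                   "https://bank.example@evil.example/login", "Table 12"):
        print(inspect_qr_payload(sample))
```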
The US government wants developers to stop using C and C++ https://www.theregister.com/2024/11/08/the_us_government_wants_developers/ by @sjvn
Yes, they're serious. They have good #programming #security reasons for doing this. But, it's not going to happen anytime soon.
“Cybercriminals steal cookies to get into your accounts: how to stay safe. The FBI Atlanta division is warning the public of a rising cookie-stealing issue affecting the area in which cybercriminals use Remember Me cookies to log in to users’ accounts.” #ai #cybersecurity #security #cookies https://cybernews.com/security/cybercriminals-steal-cookies-to-access-accounts/
New Candidate JEPs for adding Quantum-Resistant Cryptographic Algorithms to the Java Platform:
- ML-KEM: https://openjdk.org/jeps/496
- ML-DSA: https://openjdk.org/jeps/497
I'm working on Software Bill-of-Materials (SBOM) and attempting to solve the "phantom dependency" problem for Python packages.
As always, I try to work in public, so if you'd like to follow along you can do so:
https://discuss.python.org/t/sboms-for-python-packages-project/70261
I noticed a pattern of replacing HDMI cables with USB-C ones to connect to monitors and projectors in shared/public places like offices, meeting rooms, co-working spaces, and such.
Beyond the obvious convenience of USB-C (finally, one plug/socket to rule them all!), I wonder how safe this is from a security perspective.
I just get as far as using a "stranger's HDMI plug", but USB-C? No way.
Please prove me wrong.
OpenPaX, a New Linux Memory Security Patch, Arrives: This patch mitigates common memory safety errors and enhances system hardening. https://thenewstack.io/openpax-a-new-linux-memory-security-patch-arrives/
"Privacy. That's Apple." (as long as we upload your passwords to the cloud unbeknownst to you and keep them forever)
I wonder if this is something that might fall as a breach of #GDPR rules... https://lapcatsoftware.com/articles/2024/10/4.html