infosex.exchange <3

You are probably looking for the infosec.exchange Mastodon instance

This host is mostly for my random stuff, and in little part acts like a well-intentioned placeholder for the typosquatted domain.

Discoverability and Archiving

Currently I'm using this host for saving the items from my own feeds to the Wayback Machine and provide in-links for search engines. I hate that I have to do this, but the non-sense ideology of Mastodon pretty much ruined the search feature for Fediverse as a whole, and this wasn't changed by the fact that they owned their mistake and implemented search eventually.

Yes, I (or anyone else) could do similar things with other peoples published feeds, regardless of the tantrum. No, you can't defederate this, because the process doesn't rely on an instance.

Gluttony Section for Search Engines

After its legendary curator passed away a few years ago the reel-to-reel museum reopened in Keszthely:

https://www.youtube.com/watch?v=rySEk-eXFaY

#Hungary
this post | permalink
@stf The more I work in security the more I feel like being part of a large scheduling algorithm: we discover some information, associate some risk, then people will end up workin on some specific stuff. If we cause priority inversion, starvation, etc. then we are a bad scheduler.

In this case:
- The original recommendation ("uninstall it!") turned out to be totally unsubstantiated, we can by all means call it misinformation
- Secrecy about details added to the fear and also *actively misdirected efforts* both at level of security teams and at devs/researchers (see the confusion about #330 & people looking at new commits to find backdoors)

Since no significant new attack surface/vector was presented I don't even think the code will get that much of scrutiny as exploitability is pretty low (local with user interaction).

In the end, the cost-benefit analysis looks really bad to me.
this post | permalink
Three bypasses of Ubuntu's unprivileged user namespace restrictions

https://www.openwall.com/lists/oss-security/2025/03/27/6

This weeks published vulnerability research is strong enough already, now Qualys enters the party.
this post | permalink
Reading the latest BLASTPASS writeup I can only wonder how many engineer hours must have gone into this thing. Incredible stuff!
this post | permalink
@osxreverser Nah, they'll just wait until someone adds them to the group :P
this post | permalink
Napalm Death is like fine wine, but with napalm.
this post | permalink
Anybody knows what Asimov is in MS lingo? :)
this post | permalink
@kaoudis I have plenty of experience with technically competent people messing up 1) risk assessment 2) communication, so I'd write this off as incompetence, but that should be called out too (esp. since based on the latest post they seem to think they've done everything right).
this post | permalink
Tuesday's cryptic message about atop turns out to be a local memory corruption issue, but details are unclear:

https://www.openwall.com/lists/oss-security/2025/03/26/2

What is clear to me is that the original "warning" was a shameful example of spreading FUD...

CVE-2025-31160 was issued to track the problem.
this post | permalink
For those who missed it, here's last year's OffensiveCon talk about BLASTPASS explaining what P0 understood at that time:

https://m.youtube.com/watch?v=ZawX9I9MM6Y
this post | permalink
Next Page