EricCarroll

@EricCarroll@mastodon.acm.org

Quality #Internet #HA #platforms since 1989.

🌐#Internet 1985-
🇨🇦#ISP 1989-2009
🪪#ACM 1991-
☁️#Cloud 2010-

#DDDesign #DomainModelling

#SWDev #C #golang #cpp #java #perl #asm

#Cloud #gcp #aws #azure #k8s #platformEngineering #policyAsCode

#Infrastructure #FOSS #linux #IP #networking #telecom #isp

#Infosec #SecurityAsCode #ComplianceAsCode #ZeroTrust

#retrocomputing #SBC #z80 #8bit #16bit

Formerly AS804, AS239, AS549, AS577, AS839, AS855, AS852, AS812, {uunet!mnetor, utgpu}!unicus!emc


jwz, to random
@jwz@mastodon.social

Is Xcode actually a program, or a fractal zipbomb of nested installers?

Software update: "New Xcode!"
I fill with dread.
Two hours later: Finally launch Xcode.
Xcode: "Oh, did you want a compiler?? Update tools! Update components!"
Two hours later: press "Run".
Xcode: "Suddenly you have no simulators! Those old ones, they were no good! Download a single simulator!"
Four hours later...

EricCarroll,

@jwz
All I ever wanted was the command line tools...

Is there any other piece of Mac software so badly user rated?

I mean if people gave me that kind of feedback I think I would be motivated to change...

EricCarroll, to email

If you use #ACM #Email forwarding actively, HEADS UP.

#Google is now enforcing #DKIM policy and as of midnight last night is bouncing email from ACM.ORG addresses that did not come through the ACM #SMTP Relay service.

You need to change your email configuration to use the ACM SMTP Relay service immediately.

Here is a link for how to configure your mail service (including GMAIL) for the Mailroute SMTP Relay.

https://support.mailroute.net/hc/en-us/sections/5551581660819-Configuring-Email-Client-Software-for-MailRoute-s-Outbound-SMTP-Auth-Service

EricCarroll, to generativeAI

$115B for a new HPC supercomputer for "AI" named Stargate.

Is it just me or does the current #GenerativeAI tech business model look like:

  1. Hoover up the public internet
  2. Build massive billion param transformer models (aka #LLM)
  3. ?
  4. Massive Profit!!!

Microsoft & OpenAI Will Spend $100 Billion to Wean Themselves Off Nvidia GPUs

https://www.extremetech.com/computing/microsoft-and-openai-will-spend-100-billion-to-wean-themselves-off-nvidia

> The companies are working on an audacious data center for AI that's expected to be operational in 2028.

#GenerativeAiIsGoingGreat

ChristosArgyrop, to ai

Attention @mjgardner , alert
@EricCarroll

AI hallucinates software packages and devs download them – even if potentially poisoned with malware
Simply look out for libraries imagined by ML and make them real, with actual malicious code. No wait, don't do that

https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/

EricCarroll,

@ChristosArgyrop
Super juicy #GenerativeAIisGoingGreat

Welcome to a whole new supply chain attack surface, and a whole new attack meta pattern. #Infosec
@mjgardner

vwbusguy, to random
@vwbusguy@mastodon.online

Thanks everyone 😂

EricCarroll,

@vwbusguy
Drake and I agree.

EricCarroll, to random

I have about 3 large bookshelves full of textbooks from 90s-2010 in CS, networking, and math.

For those like me (also moving) what did you do with them?

Throwing books out feels like sacrilege to me.

No one seems to want them. I can't give them away...

I seriously doubt I need them any further.

Any suggestions?

briankrebs, to random

There's a huge disconnect for me rn in the IT space. Companies love to talk about an increasing deficit of smart, talented and skillful people available to help defend the cybers. Welp, a lot of those people are somehow now seeking gainful employment bc they've been laid off. Which is just nuts to me given the sheer scale, resources and effort our adversaries are throwing at everything now.

p.s. AI isn't going to fix anyone's security problems. If anything, it's going to compound them by orders of magnitude (at least in terms of data governance).

EricCarroll,

@jerry
I haven't seen this many really capable colleagues unemployed since 2000.

Except this time there is no economic downturn, or burst bubble. It appears to be all self imposed financial engineering.
@briankrebs

EricCarroll, to random

I just accidentally domain blocked mastodon.world intending to block a soft core porn spammer.

I have no idea how many followers or follows I just nuked as a result...

tubetime, to random
@tubetime@mastodon.social

hey, quick reminder that i'm also on Bluesky. @tubetime.bsky.social. should i migrate over? i don't use twitter anymore, and mastodon doesn't have many non-techy folks.

EricCarroll,

@tubetime Really appreciate that you are here. Hope you stay, you are one of my favourite accounts.

Follow @pluralistic if you don't already & read his thinking on how platforms die. I have seen it exactly play out in my career.

I believed in an open Internet enabling disintermediation. Big Tech arc has reached terminal intermediation & financialization.

bluesky is likely to follow the same arc.

If you want an open internet, you have to be on an open protocol. That is at least here.

azonenberg, (edited) to random
@azonenberg@ioc.exchange

Hardware reversing time! Let's have a look at something modern that might be fun to decap and study a bit.

This is a Micron 32GB DDR4 ECC LRDIMM, organized as 2Rx4 (2 ranks, 4 bits per chip, so 18 DRAM chips per rank). It was in active use in one of my servers until it started throwing ECC errors a few months ago.

So now it's microscope food.

EricCarroll,

@azonenberg
Super cool thread thank you.

arstechnica, to random
@arstechnica@mastodon.social

US may permanently extend authorizations for key chipmakers operating in China

Report: US weighing new export controls to block China's access to AI chips.

https://arstechnica.com/tech-policy/2023/10/us-may-permanently-extend-authorizations-for-key-chipmakers-operating-in-china/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

EricCarroll,

@arstechnica
What could possibly go wrong.

GossiTheDog, to random
@GossiTheDog@cyberplace.social

deleted_by_author

EricCarroll,

@GossiTheDog
Perfection.

tubetime, to random
@tubetime@mastodon.social

this is a vintage 1985 for a Control Data Wren hard drive. love these cutaway drawings.

EricCarroll,

@tubetime omg. I actually owned one of these.

dangoodin, to random

Ugh. Google has patched yet another 0day in yet another media-encoding library that's nearly ubiquitous. Libvpx is in a ton of Linux projects (citation: https://pastebin.com/TdkC4pDv). Wikipedia says it's used by YouTube, Netflix, Amazon, JW Player, Brightcove, and Telestream. It also appears to be used in iOS.

If anyone has reasons to think this vulnerability is limited to Chrome, please let me know. Preliminarily, though, I'm inclined to think this is yet another vuln under active exploit that's going to make a ton of software vulnerable to RCE exploits.

The 0day is tracked as CVE-2023-5217.

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html

EricCarroll,

@dangoodin
CVE-2023-5217 #zeroday #infosec

thetyee, to random

In the 1970s, conservative activists used the rhetoric of parental rights to oppose protections for lesbians and gay men against discrimination.

Today, the movement is fuelled in the United States by Moms for Liberty - and has made its way to Canada. 🇺🇸🇨🇦

https://thetyee.ca/Opinion/2023/09/21/Parents-Rights-Sexual-Orientation-Gender-Campaign-Push-Back/?utm_source=mastodon&utm_medium=social&utm_campaign=editorial

EricCarroll,

@thetyee
"Parental rights" is code, from the same codebook where you find "state's rights".

arstechnica, to random
@arstechnica@mastodon.social

How Google Authenticator gave attackers one company’s keys to the kingdom

Google's app for generating MFA codes syncs to user accounts by default. Who knew?

https://arstechnica.com/security/2023/09/how-google-authenticator-gave-attackers-one-companys-keys-to-the-kingdom/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

EricCarroll,

@arstechnica
Gotta put a plug in for Yubico authenticator with Yubikeys.

Secrets are write-only stored on the yubikey, not on the phone, thus not synced anywhere.

And you can use them as usb tokens directly too.

Just a satisfied customer...

https://www.yubico.com/products/yubico-authenticator/

briankrebs, (edited) to random

This is a terrifying and sobering write-up by Retool on so many levels. It's about a recent spear-phishing via SMS attack on employees, followed by a voice phishing attack that deepfaked an employee's voice.

Retool said just one of its employees fell for it, which is of course all it takes. Here's the scary part:

"The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code.

The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite session on that device. Google recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud. As Hacker News noted, this is highly insecure, since if your Google account is compromised, so now are your MFA codes.

Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this “feature”. If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to “disable syncing to the cloud”, instead there is just a “unlink Google account” option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync “feature”. We will get more into this later."

https://retool.com/blog/mfa-isnt-mfa/

EricCarroll,

@briankrebs
Or use yubico authenticator app with a yubikey.

So that your critical secrets are not stored on the phone or backed up in the cloud.

dangoodin, to random

Curious to get thoughts from people with subject matter expertise in passwords and MFA. The Retool people are saying that a feature turned on by default in Google Authenticator made what would have been a less-serious breach much, much worse.

Yes, I know that the REAL moral of this story is to use FIDO, but I'm still interested in understanding how valid Retool's criticism is.

"The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code.

The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite session on that device. Google recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud. As Hacker News noted, this is highly insecure, since if your Google account is compromised, so now are your MFA codes."

"The fact that Google Authenticator syncs to the cloud is a novel attack vector. What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator. We strongly believe that Google should either eliminate their dark patterns in Google Authenticator (which encourages the saving of MFA codes in the cloud), or at least provide organizations with the ability to disable it. We have already passed this feedback on to Google."

EricCarroll,

@dangoodin
This is why I use the yubico authenticator app with a yubikey.

Private key in the yubikey not the authenticator app.

No access, no sync, no problem.

malwaretech, to random

Does anyone ever wonder how rich they'd be if every time they foiled a ransomware attack companies who would have paid the ransom instead gave you some of the ransom amount. I think I'd actually be a billionaire lol

EricCarroll,

@malwaretech
It's called value based billing. Lucrative if you can get it.

Maybe wait until the ransom is named, then bill say 10% if you are successful.

briankrebs, (edited) to random

Adobe, Apple, Google and Microsoft all in the past week have released critical security updates to tackle zero-day flaws in their software that are being exploited in the wild.

Microsoft today patched two zero-day bugs (among 60+ other flaws).

Apple last week pushed out iOS 16.16.1, which addresses a "zero-click" flaw in iPhones and iPads that researchers at Citizen Lab say is being used to install spyware from the NSO Group.

Google fixed a heap overflow in Chrome which was already seeing active exploitation (Google says that bug was reported by Apple and Citizen Lab).

And if you're still using Adobe Reader or Acrobat, there's a zero-day update for that, too.

Update: Mozilla also has fixed a zero-day flaw in Firefox and Thunderbird, as did the Brave browser. It appears the common theme here is any software that uses a code library called “libwebp,” and that this vulnerability is being tracked as CVE-2023-4863.

“This includes Electron-based applications, for example – Signal,” writes StackDiary.com. “Electron patched the vulnerability yesterday. Also, software like Honeyview (from Bandisoft) released an update to fix the issue. CVE-2023-4863 was falsely marked as Chrome-only by Mitre and other organizations that track CVE’s and 100% of media reported this issue as “Chrome only”, when it’s not.”

More here: https://krebsonsecurity.com/2023/09/adobe-apple-google-microsoft-patch-0-day-bugs/

https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/

EricCarroll,

@briankrebs
Been watching my #infosec feed do this over the last week...

moira, to Electronics
@moira@mastodon.murkworks.net

HEY INTERNET!

Anybody know the proper way to test a high-voltage self-discharging capacitor?

(Don't say Mr. Carlson's, it's a fine device but it doesn't test caps like this. Will it show a leak? Yes. That's by design.)

With a regular meter it tests in range and it's correctly self-discharging but all that's at meter voltage which is not exactly this thing's operating range.

(It's from a cabinet-fit microwave. Everything works except the magnetron doesn't actually do anything. I hear the relay click but no zappy. So it's probably that. But I'm not willing to replace that part because that involves breaking radiation containment shields and I don't have a microwave detector.)

EricCarroll,

@moira
High voltage and ionizing radiation.

What could possibly go wrong?
@paul_ipv6

EricCarroll,

@moira
Does mastodon have a safety officer?
@paul_ipv6

EricCarroll, to random

Wow I just found the @ietf account.

Awesome. Followed.

schizanon, to linux

I don't understand what #Nix is for

Is it a #Linux distro? Or is it a #container orchestration tool?

At my last job our #webDev env was managed by it, but I was using it on #MacOS and we also had to have #Docker, so I could honestly never figure out what it was there for.

#nixOS #programming #devops

EricCarroll,

@schizanon
I'm trying to understand nix's relationship to promise theory based tooling like cfengine, puppet, chef, ansible as well.
@bryanhonof

molly0xfff, to ai
@molly0xfff@hachyderm.io

excuse me what the fuck

EricCarroll,