#Tag
Well this one is new.
Got a SPAM email. (That part's not new). And at the end of it it says:
"Important:
This email comes to you via a secondary domain to secure the core domain system of Claymore Capital’s primary domain..."
The email domain it's coming from is @withdfai.com
Company name is DealFlow...
Ohhhh Nice way to tuck the fucking "AI" in where nobody notices.
So you're securing your domain from your ai?
Let's take CVE-2025-38352 for example. CISA added it to the KEV because Google said that there is evidence of exploitation in the context of Android.
If you use CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y the fix is not needed.
Linux distros aren't affected but release "fixes" anyway. https://forums.rockylinux.org/t/rocky-8-10-cve-2025-38352/19590/3
Let's take CVE-2025-38352 for example. CISA added it to the KEV because Google said that there is evidence of exploitation in the context of Android.
If you use CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y the fix is not needed.
Linux distros aren't affected but release "fixes" anyway. https://forums.rockylinux.org/t/rocky-8-10-cve-2025-38352/19590/3
Thinking about #InfoSec organizational behaviors derived from cognitive bias. In particular, availability bias from things that are memorable.
#Log4j#Heartbleed #SolarWinds#ShellShock#Spectre#Meltdown#SQLSlammer
Thinking about #InfoSec organizational behaviors derived from cognitive bias. In particular, availability bias from things that are memorable.
#Log4j#Heartbleed #SolarWinds#ShellShock#Spectre#Meltdown#SQLSlammer
I definitely recommend folks read the paper linked in the first post. Here's a TL;DR summary in the form of Figure 1: " "A hypothetical graph of risks of loss from penetration and from application of a bad patch. The optimal time to apply a patch is where the risk lines cross."
Folks who like that paper may light this one as well.
It studies Microsoft "Patch Tuesday" updates in particular, which are much different (in my opinion) than your typical open source software updates that are labeled with a CVE.
While many things have not changed since this paper was published in 2002, the landscape around #CVE and open source software has, in my opinion.
This paper mainly contemplates official patches and bulletins from commercial vendors, or at least a CVE that was reviewed by a panel of editors. It rightly calls out that the quality of fixes varies widely.
However, today a CVE in a FOSS package may mean little to nothing in context of a production product or system.
#FOSS
@smb @adamshostack
I definitely recommend folks read the paper linked in the first post. Here's a TL;DR summary in the form of Figure 1: " "A hypothetical graph of risks of loss from penetration and from application of a bad patch. The optimal time to apply a patch is where the risk lines cross."
Freeradical.zone is a Mastodon server about infosec, privacy, technology, leftward politics, cats and dogs.
This server has been online since 2017.
You can find out more at https://freeradical.zone/about or contact the admin @tek
#FeaturedServer #InfoSec#Privacy#Technology#Mastodon #Fediverse#FreeFediverse
"As a perhaps amusing aside, if everyone were to follow our suggested delay practice, it would become much less effective. Fortunately, we have no expectation that everyone will listen to us."
Unpopular opinion: more people should follow this advice.
Unfortunately, many feel they have no choice but to deploy patches with a "security fix" label on them more quickly than they normally would make changes to complex systems.
#CVE #InfoSec
https://shostack.org/files/papers/time-to-patch-usenix-lisa02.pdf
Freeradical.zone is a Mastodon server about infosec, privacy, technology, leftward politics, cats and dogs.
This server has been online since 2017.
You can find out more at https://freeradical.zone/about or contact the admin @tek
#FeaturedServer #InfoSec#Privacy#Technology#Mastodon #Fediverse#FreeFediverse
Guess I'm off to install Vivaldi and give it a try.
They had me at no #AI
https://www.theregister.com/2025/08/28/vivaldi_capo_doubles_down_on/
@Vivaldi#infosec
Guess I'm off to install Vivaldi and give it a try.
They had me at no #AI
https://www.theregister.com/2025/08/28/vivaldi_capo_doubles_down_on/
@Vivaldi#infosec
puts the tinfoil hat on
What if "AI" is just a pretext for building out massive GPU datacenters to create insane capacity for cracking cryptographic keys? 🤔
takes the tinfoil hat off
Oh I see the absurdly, negligently insecure Tea app is now getting the "hackers hacked" treatment, so that it can comfortably deflect blame to some unspecified scary hackers?
Cool, cool.
takes out a bullhorn
📢 Tea kept drivers license photos of thousands of women in an unprotected Google Firebase storage bucket.
📢 Centering "hackers" means helping let those responsible for the horrendous negligence at Tea off the hook.
👏 There is no "hack", only other people's negligence.
"SUSE Multi-Linux Manager provides automated patching, content lifecycle management, and realtime monitoring to keep your mixed Linux environment secure"
Oh I see the absurdly, negligently insecure Tea app is now getting the "hackers hacked" treatment, so that it can comfortably deflect blame to some unspecified scary hackers?
Cool, cool.
takes out a bullhorn
📢 Tea kept drivers license photos of thousands of women in an unprotected Google Firebase storage bucket.
📢 Centering "hackers" means helping let those responsible for the horrendous negligence at Tea off the hook.
👏 There is no "hack", only other people's negligence.
A space for Bonfire maintainers and contributors to communicate
