@monsieuricon Not really, too much overhead with maintaining/monitoring two social platforms :/
@_spmbt For my application I don't care about these as much, as I care about the benefits I described above.
Introducing Qubes Admin API:
Qubes Security Bulletin #31: Several Xen bugs, practical impact unclear (XSA 216-224):
Congrats to the Xen Team for finding most of the bugs and to Jann Horn of Google Project Zero for the remaining two!
@bcrypt Ok, so that's the GUI frontend, what about the backend(s)?
This picture is more terrifying than any terror attack. https://mastodon.social/media/Oab1Ov3sVToY2o6t-iA
Privilege escalation mind map. https://securitymastod.one/media/jxrKynu5v9qzOZY4yJY
Here's my quest for a project planning & tracking software:
Some features I want:
1. Decompose projects into sub-projects, & further down,
2. Balance incomes & expenses,
3. Dependencies which can span multiple projects,
4. Take a declarative description of projects, tasks, deps, people's availability, various constraints, etc,
5. Calendar-time and resource limitations aware.
So far TaskJuggler seems best, anything better/similar?
@HalvarFlake "Defense is politics"? How come? What good is politics for defense if your code/system is vulnerable? Am I missing some context here?
Intel AMT drama:
1. Details by the original discoverer: https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
2. Independent rediscovery: https://t.co/l0rDyFlb0N
TLDR: trivial auth bug in the AMT web server...
What consequences should face those who build web servers into our CPUs?
Remember Intel's been keen on mocking OSS for its lack of security & liability. Here's a fragment from the 2014 book by Intel ME architect:
@taoeffect What good is an OS that might not have any bugs, if it cannot protect against apps that might? E.g. can a buggy web browser or email client be effectively constrained if exploited?
Qubes Security Bulletin #30 for another critical Xen bug(s) in PV memory virtualization (XSA 213-214): https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-030-2017.txt
The bugs were found by the same researcher who found the previous Xen bug (XSA 212): Jann Horn of Google P0, congrats!
Also, please read our commentary in the bulletin (linked above) about the general defense approaches we've been working on for Qubes 4.x.
@lattera Virtualization is not a magic solution, but it allows for significantly smaller interfaces, while at the same time preserving compatibility with unmodified existing apps and drivers.
@DrWhax You use qubes.InputMouse service? Check the qrexec policy permissions?
HackerOne is running a bug bounty program for FlexiSpy, who specialise in spying on spouses https://twitter.com/josephfcox/status/857314960099160067
Their justification: it's "just fixing vulns" https://twitter.com/senorarroz/status/857399800601337856
I don't buy this at all. By providing security testing services to a shady company, you lend legitimacy to them and their brand. I agree with Casey on this one https://twitter.com/caseyjohnellis/status/857362206626689025