Tor in a safer language: Network team update from Amsterdam https://lists.torproject.org/pipermail/tor-dev/2017-March/012088.html
"In Praise of Drop-In Libraries"
Just today I was mentioning how SQLite (drop-in library) and youtube-dl (drop-in Python "script") are case studies in how simplicity of adoption can make the success of something (even complex).
Privacy-Enhancing Identity Federation is a very interesting problem. NIST has a call for collaborators to work on federated identity https://www.federalregister.gov/documents/2016/12/09/2016-29482/national-cybersecurity-center-of-excellence-nccoe-privacy-enhancing-identity-federation-building
to reiterate: there will be _no_ #openbsd 6.1 cd set made. and it is very unlikely there will be future cd sets made, either.
Theo talks about it here: https://marc.info/?l=openbsd-misc&m=149232307018311&w=2
Note to Blue Team folks. Anti-phishing education is great. Periodic phishing awareness campaigns are also great. However, make sure to clarify what legit email looks like so if you ever have to mail your employees something that requires them to click on a link, they don't dismiss it as yet another phishing test.
@HalvarFlake in larger organizations and agencies, people and teams specialize. I'm sure you see it in your corporate experiences.
I remember bursting into laughter walking through the halls of NSA when I heard: "specialization... it's not just for insects!". Very true!
More specialization and focus is needed to eke out the remaining wins in a well picked over field. What I don't see, and I think of you as a kindred soul here, are lots of folks really looking for new *applied* green fields. :)
In a surprising twist of the story, serversides aren't dead, they just went underground.
Visited the RSS memorial today. After all these years, it's still amazing to see the lightning hit it—every hour, on the hour—and then watch as the sparks ripple out to the aggregator towers at all the cemeteries that are still subscribed.
@argp I like the 500 chars, mostly. I can't find ppl I know anymore, and I can't really figure out the site. The iOS mobile app is practically unusable, and most of the ppl I have on lists (which don't exist) aren't on here, so I can't replace Twitter. But it does have a more relaxed feeling than Twitter.
Update on the Linux UDP RCE. From what I've seen from ppl that do kernel exploiting... they can't really see a way to turn it into a useful exploit.
It looks like a vulnerability with the right scary characteristics, but practically not a major concern.
It is not (likely to be) a "one shot remote ring 0" exploit.
me: get me a Celtics football shirt
Friend: where would you wear it?!
me: ...Irish pubs?
Friend: and who owns them?
me: ...English Defence League thugs?
Friend: right. You really want one?
me: yeah, but better send an Armalite too...
For any tooters out there who may not know about this yet, please take a look at the BSidesCBR CTF challenges over here: http://buffered.io/posts/bsidescbr-ctf-round-up/ The CTF is all over, so don't be scared to ask for hints; I'm more than happy to give them. The aim here is for people to learn and have a bit of fun. I know PicoCTF is on right now and that's taking up some attention. These will be here whenever you're ready to try them out. Thanks!
RCE in Linux (inc Android) via UDP. CVSS 10.0. I'm a little confused as to why a bigger fuss isn't being made of this
Is it that the vuln doesn't have a cool brand name and logo and website?
I was pleasantly surprised to find out that my Nexus phone was patched for this last week. Other Androids are probably going to be fucked.