@kdkorte Well, more CVEs last year and on pace this year for record exploits is the metric I am using, related to #vulns

Short answer:
CVE volume has grown very steeply, especially since ~2016. Annual counts are now multiple times higher than a decade ago, and growth is still accelerating.

🧮 Rough Year-by-Year Scale (Recent Verified Data Points)

(Some earlier years vary by source, but the trend direction is consistent.)

Year             Approx. CVEs published   Notes
~2015–2016       ~6k–8k                   Baseline before the major surge era
2020             ~18k                     Beginning of the modern "explosion" phase
2022             ~25k                     Strong upward acceleration
2023             ~28.8k                   Continued record highs
2024             ~40k                     Huge YoY jump (~38%)
2025             ~48k                     ~21% YoY increase
2026 (forecast)  ~59k+                    Potentially far higher

Maybe I'll go apply to #TikTok, and secure the American app and fix it. TikTok's current #algorithm is #insidious, I think designed to create #division and #radicalize people. Soon TikTok will tell me its #secrets, but I have to work on some #vulns system for a few weeks. Designing some brains for other important non-hobby smtask lol

My initial #scans for #TikTok are #worrying and I was concerned after my initial scans. My #AI systems were flagging everything. The #content never scored high like other #socialmedia platforms. The content is worrying not just from the #radical left or right. There is something non-biased about how it tries to #radicalize. Like it is learning based off #heuristics, like time spent hovering over a #videotile. This triggers an #alert, where you didn't interact but it detected the most likely #video. Then it provided more #content. It also gives a heavy weight to #interactions, which then changes the #algorithm and how it provides #content. None of this is really bad, it is trying to be helpful. What I find concerning is the videos it provides. Like a stream of #bothsides #content. Trying to figure you out and provide more content. There isn't even #educational poop on TikTok. So most of the content is #madness Lol

My keynote from CypherCon 7 is now online: 25 Years of Vulnerability Mismanagement. Thanks again to Michael Goetzman and the whole @CypherCon crew for a warm welcome and an amazing event!

https://www.youtube.com/watch?v=qcyIyLrQGLg

#infosec #conference #vulns

Keynote: 25 Years of Vulnerability Mismanagement - HD Moore | CypherCon 7.0


Others have already provided good criticism of the #cups #vulns, so I'll just add this:

Unless it's in the kernel, systemd or OpenSSH, I don't think you can claim a vuln will affect "all GNU/Linux systems". Even stuff like coreutils, bash, etc. isn't installed by default on a lot of the lightweight distros that get used for containers or k8s clusters these days.

CUPS in particular is ancient shit that isn't anywhere near our prod infra, and isn't even installed on desktop distros any more AFAIK.

The more nothingburger vuln disclosures we see making the rounds, the less seriously everyone will take #infosec, which makes all of our lives harder.

NorthSec 2024 - Salle Ville-Marie - Day 1


I wrote a blog post about ongoing exploitation of CVE-2023-22527, an Atlassian Confluence vulnerability from January of this year: what the attacker's up to, what their payload does, etc. (TL;DR: it's crypto... it seems like it's always crypto these days)

https://www.labs.greynoise.io/grimoire/2024-03-confluence-where-are-they-now/

#vulns #vulnerabilities #atlassian #confluence #poc #greynoise

GreyNoise Labs - Where are they now? Starring: Confluence CVE-2023-22527

Let’s look at current exploitation of CVE-2023-22527 - a Confluence template-injection vulnerability


The latest release of my favourite downstream consumer of OSV.dev, OSV-Scanner, just dropped and includes "guided remediation" for npm: https://google.github.io/osv-scanner/experimental/guided-remediation/

This uses the amazing insights available from deps.dev to resolve dependency graphs, suggest fixes and to help prioritise upgrades based on #vulns fixed, dependency depth etc.

Check it out!

#osv

Guided Remediation

Use OSV-Scanner to find existing vulnerabilities affecting your project’s dependencies.

Yet More Unauth Remote Command Execution Vulns in Firewalls - Sangfor Edition

You’re likely seeing a trend - yes, we know, we look at a lot of enterprise-grade software and appliances. Today, we’re not here to change your expectations of us - we’re looking at more enterprise-grade software and appliances. Today, we’re looking at Sangfor’s Next Gen


The second vulnerability impacting #OSDP our researchers discovered: downgrade attack potential.

As Dan Petro writes, "Just because an OSDP controller and reader support encryption doesn’t mean that they both enforce that it actually be used. One of the first things that happens when a reader comes online is that it transmits a list of capabilities to the controller. This tells the controller all sorts of things, such as whether it has a fingerprint reader, tactile buttons, and (importantly) whether it supports encryption. For chicken-and-egg reasons, this message cannot itself be encrypted. Thus, an intercepting device in the wire can modify this capability message to lie about the reader’s capabilities and claim that it does not support #encryption."

Check out the breakdown of the other #vulns in the write-up. https://bfx.social/3OFWOsT
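An added illustration of the controller-side mitigation for the capability downgrade described in the post above (example code, not from the post, Bishop Fox or any OSDP implementation). It assumes the OSDP osdp_PDCAP reply layout of reply code 0x46 followed by 3-byte entries (function code, compliance level, count), with function code 9 being "Communication Security" and compliance level 1 meaning AES-128 is supported; the sample replies are constructed, not captured traffic.

```python
# Controller-side guard: a reader that was provisioned as encryption-capable must
# never be allowed to fall back to plaintext, whatever its PDCAP reply now claims.
# Because the capability reply itself cannot be authenticated, the only trustworthy
# signal is what was recorded at enrollment time (assumed to be stored by the ACS).
from dataclasses import dataclass

REPLY_PDCAP = 0x46          # osdp_PDCAP reply code (assumed from the OSDP spec)
CAP_COMM_SECURITY = 9       # capability function code for communication security
COMPLIANCE_AES128 = 1       # compliance level meaning AES-128 secure channel supported


@dataclass
class CapabilityReport:
    caps: dict  # function code -> (compliance level, count)


def parse_pdcap(payload: bytes) -> CapabilityReport:
    """Parse the data portion of a PDCAP reply: reply code + 3-byte entries."""
    if not payload or payload[0] != REPLY_PDCAP:
        raise ValueError("not a PDCAP reply")
    body = payload[1:]
    if len(body) % 3 != 0:
        raise ValueError("malformed capability list")
    caps = {body[i]: (body[i + 1], body[i + 2]) for i in range(0, len(body), 3)}
    return CapabilityReport(caps)


def claims_encryption(report: CapabilityReport) -> bool:
    """True only if the reader advertises the AES-128 secure channel."""
    compliance, _count = report.caps.get(CAP_COMM_SECURITY, (0, 0))
    return compliance == COMPLIANCE_AES128


def decide_channel(report: CapabilityReport, provisioned_secure: bool) -> str:
    """Apply the policy: secure if advertised; if the reader was enrolled as secure
    but now denies encryption, refuse plaintext and raise a downgrade alert."""
    if claims_encryption(report):
        return "secure_channel"
    if provisioned_secure:
        return "alert_downgrade"   # tampered capability message or reader swap
    return "plaintext"             # reader was never provisioned with a key


# Constructed sample replies: an honest reader and one whose capability message
# has been rewritten on the wire to deny encryption support.
HONEST_REPLY = bytes([REPLY_PDCAP, 3, 1, 0, CAP_COMM_SECURITY, COMPLIANCE_AES128, 0])
DOWNGRADED_REPLY = bytes([REPLY_PDCAP, 3, 1, 0, CAP_COMM_SECURITY, 0, 0])
```

The enrollment flag is what makes the check work: without a record of which readers were installed with a secure-channel key, the controller has nothing to compare the live capability claim against.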

Breaking Fortinet Firmware Encryption

Review our latest Fortinet analysis that breaks encryption on firmware images, leading to improved detection, fingerprinting, and exploit development.
