Artis3n

@artis3n@infosec.exchange
27 Followers
64 Following
417 Posts

Just heard AOC say:

"If there are no more good people in the world, then I want to be the last one."

I think I'll go to sleep for the night on that one.

New blog/whitepaper release:

Shostack + Associates is pleased to release our latest whitepaper, Understanding the Four Question Framework for Threat Modeling! It’s free as part of our Black Friday sale, and uhhh, because we like sharing knowledge it’ll remain free.

I wrote this paper because someone once called the questions “surprisingly nuanced,” which I thought was kind, and because I saw even collaborators varying the words. And as I write in the introduction:

People commonly make the mistake of rephrasing the questions. They don’t realize that there are reasons to use the specific framework questions. There’s nuance and intent in the questions, which are meant to be answerable in many ways. Rephrasings often lose nuance, flexibility, or both. Further, consistency in how we say things contributes to consistency in how we do them.

If this isn’t more fun than listening to your Uncle Jack expound on football on Thanksgiving, double your money back!

https://shostack.org/whitepapers/?utm_source=mastodon&utm_medium=posts&utm_campaign=four-question-whitepaper&utm_id=4qframe


"On behalf of the WordPress security team, ..." and then many mentions of "fixing a security issue" without specifying what it is. (The patch is, presumably, public since the plugin is OSS and PHP?)

https://wordpress.org/news/2024/10/secure-custom-fields/

I don't have an opinion on the broader WordPress situation, but seeing a security exception used to wield power in a broader controversy is extremely worrying.

Open source communities trust security teams with exceptional powers, and weakening that trust damages everyone.


Cars are increasingly surveillance systems on wheels. They spy relentlessly not just on the driver --why are people comfortable with this, or do they not know it's happening? -- but also on the surroundings. Tesla is the worst offender as it keeps trying, unsuccessfully, to do self-driving.

If you own one of these, you are helping make the surveillance state much more pervasive.

Congress and state lawmakers obviously are in favor of all this spying, because they do nothing to stop it.

Microsoft will try the data-scraping Windows Recall feature again in October

Initial Recall preview was lambasted for obvious privacy and security failures.

https://arstechnica.com/gadgets/2024/08/microsoft-will-try-the-data-scraping-windows-recall-feature-again-in-october/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

Expecting data brokers to care about securing the data they so casually collect, buy, collate and otherwise acquire is pointless. None of them really do, and almost every breach involving a data broker shows this. By definition, their businesses largely rely on collecting records that they already view as public and that this entitles them to collect, resell, etc., said data. If that is the fundamental organizing idea of your business model, how much are you going to care about protecting it from mass theft?

Our driving habits are sold by car companies to data brokers for pennies, ranging from a mere 26 cents per car up to 61 cents per car. https://www.eff.org/deeplinks/2024/07/senators-expose-car-companies-terrible-data-privacy-practices

Senators Expose Car Companies’ Terrible Data Privacy Practices

In a letter to the Federal Trade Commission (FTC) last week, Senators Ron Wyden and Edward Markey urged the FTC to investigate several car companies caught selling and sharing customer information without clear consent. Alongside details previously gathered from reporting by The New York Times, the...


A new report finds Boeing’s rockets are built with an unqualified work force

NASA declines to penalize Boeing for the deficiencies.

https://arstechnica.com/space/2024/08/a-new-report-finds-boeings-rockets-are-built-with-an-unqualified-work-force/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

"And then we pushed an update that triggered the consequences of our prior fuckup in failing to bounds check, failing to lint configurations, failing to understand that a config file could be corrupted or wrong and providing an error handling mechanism, and failing to actually test our shit"
Who -wrote- this shit? I've seen -ciphertext- that's clearer than this shit.

So, in summary, the shit I said above and they pinky-swear it can't happen again.

I'm....I'm gonna have to sit with this one for a moment.

Because what it says about their development processes is -fucking fascinating-

So what they're saying here is that the -sensor binary-, at the -time of compilation-, did not validate that the definitions file had the correct number of fields.

But

............you don't -do- that at compile time.

Before the compile as part of your overall process for adding code, to make sure that everything that this code connects to has been adjusted, yeah, that's...that's how software review works.

On execution, when you're -loading- the definitions file, having it check that it's got the number that it was expecting, yes, I was screaming at that up above.

But neither of those are at compile time. Why are they bringing up compile time?

Also, this is not one finding. This is -multiple- findings:

1. the actual lack of validation
2. the lack of effective review process exposed by this, where an invalid state was not caught during the development of the new type
3. the lack of effective testing that did not include, e.g., invalid configuration files -to test such a mechanism in normal operative contexts-

Three is more than one, guys.

WHY IS THIS A MITIGATION

YOU ARE NOT DOING IR RIGHT NOW. THIS IS A POST-INCIDENT REVIEW.

MITIGATIONS ARE DURING THE INCIDENT. POST-INCIDENT FINDINGS GET FUCKING

R E M E D I A T I O N S

YOU ARE USING THE WRONG WORDS FOR WHAT YOU ARE DOING

blah blah they made a patch so it bothers to lint its inputs hooray this does nothing to address the process problems that led to this fuckery you utter dipshits but at least someone told you lint exists moving on
yeah you know there are languages where this problem just doesn't happen?

The phrase "input pointer array" appears in the next para, which means "we are doing silly shit with C++ because we're leet yo"

Languages that don't make you do your own fucking pointer math exist for a fucking reason.

Their 'mitigation' here is to bother to check that they're still in allocated memory, something which is only a problem by their choice.

Oh boy, -test coverage-

So they talk about how their test cases weren't broad enough in the next para, and they promise swearsie-realsie that they'll put in test scenarios that "better reflect production usage"

Buuuut I don't see one -really fucking obvious standout test case- that, given the context above, really the fuck ought to be separated out:

They say nothing about whether they're gonna test the -failure- of the sensor.

If you ain't testing with invalid inputs and other abuses to bound the behavior of your binary, then you're not testing its full envelope of behavior and you cannot assert anything meaningful about its suitability for production.

Car manufacturers do crash tests to make sure you don't fucking impale your face on the steering column; this is the exact same fucking principle.

There's a -lot- of fascinating subtlety and discussion to be had around testing generally,

but this is kindergarten level horseshit. Maybe when they stop eating the crayons we can talk about the more interesting bits.

"a"?

So there's a logic error here alright but it sure the fuck ain't with their agent's parsing, which....this is repeating items 1 and 2, but from a different level of abstraction.

This is turd-polishing.

More to the point:

Why the everliving fuck are you hard-coding a specific number of channels into your fucking agent,

when 'channels' are a tagging convention and have no pertinence to the detection logic,

and you could just -fucking allocate the resources to hold the content based on the configuration itself-

You -utter- -assholes-

You are -creating a problem for yourself- and then -doubling down on doing it wrong-

Anyway seeing as this "finding" is a dupe of 1 and 2 combined, the 'mitigations' are the same horseshit; this is clearly here to pad out the numbers and has no actual merit.

I wonder if they had an "ai" write it and then made an intern take out the Nigerianisms.

this is a dupe of 3.

.......

Mister Holmes, sir, we have a -mystery- on our hands!

Why, just this morning the lad Simpkins came into Scotland Yard with the most astonishing tale and -

Mister Holmes, the mudlarks are in an absolute uproar, you must have heard from the Irregulars -

London's entire sewer system has been -scoured utterly bare-

There is -no shit-, Sherlock!

yeah they don't even try to dress this one up

Problem is, they completely fail to talk at all about staged deployment for -any other part of the product- so uh.

Also as one of their mitigations they're deigning to allow customers whether to accept the new content.

You know, the -base expectation- from -literally everyone else-

But only about this 'channel' content. Not anything with the actual definitions or the agent binary itself; none of that is mentioned at all.

Completely the fuck missing.

@munin I mean, just to be clear, C++ hasn't made you do your own pointer math for like 13 years, or more if one is competent. My point here is they'd find ways to fuck this up in any language. Because they fired hundreds to replace them with AI, fundamental process of incompetence.

@masonbially @munin They've added a lot of new abstractions on top of pointer math, sure. But they haven't meaningfully reduced the risk.

Some examples: std::span::operator[] does UB instead of bounds checking. Same for std::string_view. And both the iterator-based std::copy as well as std::ranges::copy do UB if the output buffer is too small. This new stuff may look nicer but it's exactly as dangerous as pointer math.

@muvlon @masonbially

hey so the pointer math is not the actual issue here; the actual issue is that they made an architectural choice to make the execution of their binary dependent on a fixed integer value hardcoded into the binary, instead of loading options in a way that did not introduce the possibility -of- desynching.

It's a language-independent fundamental architectural situation, showing that they are not coding this to professional standards.

@munin @masonbially There's many layers of fuckup here, as you've detailed very well. But I do think one way they could've fucked up less was using a bounds-checked access and recovering from the error as opposed to yolo-ing it with C++ and getting an unrecoverable BSOD.

@munin smells like they fired all their SREs and they're having someone else do their job

@munin Maybe they're using it to sound cool when they mean "PMAI (prevent)

@munin I read that weirdness as "the sensor binary is compiling the loaded config files [into runtime bytecode/JIT code]" since a lot of AVs do that. And that compiler can validate that detail.

EDIT: after reading the rest of it, I'm not sure I can infer anything from what it says anymore. It really does read like whoever (or whatever) wrote it had no goddamn clue what they were writing about...

@becomethewaifu

this is why I suspect llm horseshit. individual bits -seem- to make sense but there's no cohesion.

@munin It's technical Gish Galloping in hopes that no one will take the time to parse it out.

@munin ai. ai wrote this shit.

@lake yeah I get there downthread lol

@munin ahhh yes.

very good use of 'clownshoes', 10/10 thread, thank you

@munin “An additional check that the size of the input array matches the number of
inputs expected by the Rapid Response Content was added at the same time.”
Defensive programming 101! #unbelievable
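Added example (not code from the thread or from the vendor's report) tying together the points above about load-time validation, allocating from the configuration rather than a hard-coded count, and bounds-checked access: a toy C++ content loader that checks the field count against what the template expects when the record is loaded, and reads inputs only through a checked accessor, so a mismatched record is rejected instead of becoming an out-of-bounds read. The comma-separated record format, the 20-field count and all function names are constructed for illustration.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <string_view>
#include <vector>

// Toy content record: a comma-separated line of fields (constructed format).
// Split the line into the inputs a detection template would index into; the
// vector is sized from the file itself rather than from a hard-coded count.
std::vector<std::string> splitFields(std::string_view line) {
    std::vector<std::string> out;
    std::size_t start = 0;
    for (;;) {
        std::size_t comma = line.find(',', start);
        out.emplace_back(line.substr(start, comma - start));
        if (comma == std::string_view::npos) break;
        start = comma + 1;
    }
    return out;
}

// Load-time validation: a record whose field count differs from what the
// template expects is rejected here, so the desync never reaches the
// detection path. Returns nullopt to fail closed instead of guessing.
std::optional<std::vector<std::string>> loadRecord(std::string_view line,
                                                   std::size_t expected) {
    std::vector<std::string> fields = splitFields(line);
    if (fields.size() != expected) return std::nullopt;
    return fields;
}

// Bounds-checked read: operator[] on a vector (or std::span) is undefined
// behaviour out of range, so the index is checked and a miss is reported.
std::optional<std::string_view> inputAt(const std::vector<std::string>& inputs,
                                        std::size_t idx) {
    if (idx >= inputs.size()) return std::nullopt;
    return std::string_view{inputs[idx]};
}

// Builds a constructed line with n fields "f0,f1,...,f<n-1>" for testing.
std::string makeLine(std::size_t n) {
    std::string line;
    for (std::size_t i = 0; i < n; ++i) {
        if (i != 0) line += ',';
        line += "f" + std::to_string(i);
    }
    return line;
}
```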