RE: https://infosec.exchange/@wdormann/116721467477050827
Can anyone tell me what the status is of YellowKey, MiniPlasma and the other vulns disclosed by Nightmare Eclipse? Have they been patched?
Site: https://arstechnica.com/author/dan-goodin/
You too can turn a Bluetooth device into a PC-pwning proxy
If it wasn't already, 2FA spraying is now a thing
Can’t make sense of Dashlane’s vault theft notification? You’re not alone.
There's so much I don't understand in Dashlane's disclosure that an attack on its user accounts resulted in the threat actor obtaining 20 encrypted vaults.
What does it mean to brute-force 2FA? Are we talking about TOTPs? That doesn't make sense because TOTPs change every 30-90 seconds, so there's no way for an attacker to meaningfully exhaust the key space before it resets all over, unless the attacker has the ability to pump all 7,700 combinations in <90 seconds, and DL doesn't have any sort of rate limiting.
Also, if the attacker is brute-forcing 2FA, doesn't that by necessity mean the attacker already defeated the first factor? How did that occur?
I don't know if my confusion is the result of me not knowing how the Dashlane product works or if it's just Dashlane being opaque.
Can anyone help me read the tea leaves?
Would this move by Debian, requiring byte-for-byte reproducible builds, have caught any real-world supply chain attacks seen in the past?
https://itsfoss.com/news/debian-makes-reproducible-builds-mandatory/
There's a ton of skepticism over the true value of AI-assisted vulnerability discovery, and with good reason. Maybe the new details Mozilla has revealed don't tip the scales in favor of it being beneficial, but people should at least sift through them in good faith and with an open mind before declaring all of them bullshit.