| Meritocracy | w00w00 |
| APT | FUZZYSNUGGLYDUCK |
| Hellsite | https://twitter.com/kikta |
I'm confused about why CVE-2024-30078 hasn't gotten nearly any attention.
Is it the proximity need, by way of it being Wi-Fi?
I figured a pre-auth RCE in ALL VERSIONS OF WINDOWS would be getting some really hard attention.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30078
Do Fortinet make remote access devices?
Kinda…
This is exactly the sort of thing I am getting at when I drag policy suggestions to improve cybersecurity that require major investment. Microsoft has had the capability to prevent NTLM relay attacks available since *Win98*, but is only now making it the default for Win11.
Supposedly, the delay was because data transfer operations are impacted by enabling SMB signing… so upgrading from 10Mbps Ethernet to 100Mbps and then 1Gbps and beyond weren’t enough, but now two and a half decades later we’ve hit the magic LAN speeds to make this feasible and finally eliminate this class of attack??
We clearly remain fundamentally unserious about improving cybersecurity if this is where we are.
Chris Inglis does an excellent job laying out why applying a “duty to care” and increased liability for vulnerable products to software companies is an important step toward a safer cyberspace writ large.
Meanwhile, the rebuttal is some of the weakest and most hand-wavy nonsense I’ve encountered since a prominent technology executive suggested that we need a “cyber Geneva convention” that makes it some kind of cyber war crime to exploit gaping vulnerabilities in ubiquitous software.
The code quality epidemic is real, it is sustained, and the hard fact is that it will only improve if it starts to cost tech companies something besides reputational risk and a little stock bounce after their products get exploited at scale by adversaries like China or Russia.
You know what might have been the most effective “left of boom” effort with regards to the monumental shift in initial access techniques over the last few years away from phishing and towards exploitation of external-facing network devices (at scale, I might add)?
A bit of high-grade QA driven by the fear of the liability and regulatory gods.
https://www.wsj.com/articles/should-software-companies-be-held-liable-security-flaws-d2a3f5db
If the US government is serious about all its talk of cyber norms and what not, it may want to consider dialing back rhetoric about how cyber espionage with the potential to serve as prepositioning for disruptive/destructive cyber attacks is “unacceptable” — especially on the basis of such activity’s “scope and scale”.
1. That kind of prepositioning, also known as operational preparation of the environment (OPE), is a common enough practice for US cyber elements. Abandoning cyber OPE would be voluntarily placing the USG at a tremendous disadvantage compared to adversaries, trading real national security benefits for a type of moral high ground that no one will functionally care about us occupying.
2. Conducting cyber operations at scale is basically the US intelligence community’s whole deal. This is the same kind of hypocrisy that showed up when people acted outraged that the SVR used SolarWinds to effect a supply chain compromise as if that tactic was somehow morally abhorrent to US intelligence.
3. Nothing in any of the public reporting released in the last few days credibly points to these China-nexus intrusions as being about prepositioning. It all looks like pretty standard cyber espionage against valid intelligence collection targets. Just because a line of access could conceivably be repurposed for effects — which is a super weak line of argument in my opinion since people only tend to trot it out when they are looking at a compromise and trying to raise the scare factor rather than respond to operational reality — doesn’t mean it will be repurposed for effects.
Performative morality in national security is no substitute for maintaining substantive morality while successfully navigating gray areas in pursuit of actual strategic advantage.
https://amp.cnn.com/cnn/2023/05/26/politics/us-chinese-hackers-rob-joyce/index.html
US officials believe Chinese hackers could still have access to sensitive US computer networks they’ve targeted in recent months as a top American cyber official told CNN he is concerned about the “scope and scale” of the activity.
if your boss says “you should focus on work-life calibration, rather than work-life balance”, run for the fucking hills.
jobs will never, ever, ever love you back no matter how fulfilling they are; and when you’re facing the immortal wall of silent howling darkness that is death, I promise you won’t be thinking about all the work you did — you’ll be wishing you could re-experience some little sensory moment from life one last time before the gaping maw of incomprehensible blackness and silence takes you far away.