Rodolfo Saccani

79 Followers
262 Following
128 Posts
CTO / Head of R&D @ Libraesva.
infosec / free flight safety @ FIVL, EHPU and EAS.
Expert @ CEN and UNI.
Opinions are my own because that's how opinions work.
Personal (ITA): https://www.saccani.net
Company (ENG): https://www.libraesva.com
Our new report shows the leakage of sensitive "Real-Time Bidding" (RTB) data by Google and others about Australian defence personnel and political leaders to foreign states and non-state actors
@wolfiechristl
https://www.iccl.ie/digital-data/australias-hidden-security-crisis/

Over Half (55%) of US IT and Security Professionals Surveyed Not Prioritizing Email Security, Despite Almost 9 in 10 (88%) Experiencing Successful Attacks in the Last Quarter | Business Wire

https://www.businesswire.com/news/home/20240529500085/en/Over-Half-55-of-US-IT-and-Security-Professionals-Surveyed-Not-Prioritizing-Email-Security-Despite-Almost-9-in-10-88-Experiencing-Successful-Attacks-in-the-Last-Quarter

Over Half (55%) of US IT and Security Professionals Surveyed Not Prioritizing Email Security, Despite Almost 9 in 10 (88%) Experiencing Successful Attacks in the Last Quarter

Libraesva's report highlights the need to plug the gap created by lack of skills, budget and inadequate technology

xz/liblzma: Bash-stage Obfuscation Explained, https://gynvael.coldwind.pl/?id=782.

#xz #bash

xz/liblzma: Bash-stage Obfuscation Explained

"The maintainers of libcolorpicker.so can’t be the only thing that stands between your critical infrastructure and Russian or Chinese intelligence services"

https://lcamtuf.substack.com/p/oss-backdoors-the-allure-of-the-easy/?1

OSS backdoors: the allure of the easy fix

Intelligence agencies and Big Tech, not hobbyists, should shoulder the responsibility for preventing the next xz-style hack.

lcamtuf’s thing

OK, so here's my slightly more eloquent take on the xz thing, complete with a zinger closing paragraph:

https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor

Techies vs spies: the xz backdoor debate

Diving into some of the dynamics and the interpretations of the brazen ploy to subvert the liblzma compression library.

lcamtuf’s thing

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

#security #xz #linux

Everything I know about the XZ backdoor

Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries

If you use Homebrew on MacOS, you're affected—do 'brew update' and 'brew upgrade'.
https://infosec.exchange/@wdormann/112179988525798247
Will Dormann (@wdormann@infosec.exchange)

Just a backdoor in XZ. Nothing important. https://www.openwall.com/lists/oss-security/2024/03/29/4

Infosec Exchange

I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.

Really required a lot of coincidences.

For a few days now I had been looking around, bewildered, in search of a bit of clarity. Finally, a sensible article:

Email and metadata: a DPO's doubts about the Garante's decision

https://www.key4biz.it/email-e-metadati-i-dubbi-da-dpo-sul-provvedimento-del-garante-privacy/480013/

Email and metadata: a DPO's doubts about the Garante's decision

The Garante's guidance document, although not difficult to interpret, leaves some doubts. Here is which ones.

Key4biz

IPv6 is built to be better, but that's not the route to success

Why won't you love me, sobs perennially spurned protocol

The Register