AMD is warning about a high-severity CPU vulnerability named SinkClose that impacts multiple generations of its EPYC, Ryzen, and Threadripper processors. The vulnerability allows attackers with Kernel-level (Ring 0) privileges to gain Ring -2 privileges and install malware that becomes nearly undetectable.

https://www.bleepingcomputer.com/news/security/new-amd-sinkclose-flaw-helps-install-nearly-undetectable-malware/

Manhattan Bridge, NYC, 2023.

More pixels than should be shown in public at https://www.flickr.com/photos/mattblaze/52841667763

#photography

Time for my monthly reminder to support your instance. Most instances are volunteer run and paid for by donations, including from the instance administrators. I know these are tough times and not everyone can afford it, and that is OK (I am personally out of work, so I understand that first hand).

You can generally find information to donate on youe instance's "about" page. For example, https://infosec.exchange/about, for those on infosec.exchange.

Thank you for being here and making this place awesome, regardless of your ability to donate. 

*One has to wonder how many times some bright twelve-year-old figured out the "Pythagorean Theorem," but nobody wrote it down and everyone forgot about it

https://link.springer.com/article/10.1057/jt.2009.16

🔗 “How Comics Were Made! A Visual History from the Drawing Board to the Printed Page” by @glennf

#book #comics

⚓️ https://nicolas-hoizey.com/links/2023/12/15/how-comics-were-made-a-visual-history-from-the-drawing-board-to-the-printed-page/

#infosec #vulnerability

Disorder in the Court

Insufficient permission check vulnerabilities in public court record platforms from multiple vendors allowed unauthorized public access to sealed, confidential, unredacted, and/or otherwise restricted case documents. Affected documents include witness lists and testimony, mental health evaluations, child custody agreements, detailed allegations of abuse, corporate trade secrets, jury forms, and much more.

https://github.com/qwell/disorder-in-the-court

Catalis - CMS360 is used in Georgia, Mississippi, Ohio, and Tennessee. Catalis is a "government solutions" company that provides a wide array of public record, payment, and regulatory/compliance platforms.

Henschen & Associates - CaseLook is used in Ohio. Henschen & Associates did not respond after multiple reports.

Tyler Technologies - Court Case Management Plus is used in Georgia. In February 2022, a different Tyler Technologies court records platform had a similar vulnerability that allowed the website judyrecords.com to accidentally scrape sensitive data.

Five platforms used by individual courts in Florida -- Brevard County, Hillsborough County, Lee County, Monroe County, and Sarasota County -- are each presumed to be developed "in-house" by the county court.

While all of the platforms allowed unintended public access to restricted documents, the severity varied based on the levels of restrictions that could be bypassed and the discoverability of document IDs. The methods used to exploit each of the vulnerabilities also varied, but could all be performed by an unauthenticated attacker using only a browser's developer tools.

CVE-2023-6341, CVE-2023-6342, CVE-2023-6343, CVE-2023-6344, CVE-2023-6352, CVE-2023-6353, CVE-2023-6354, CVE-2023-6375, CVE-2023-6376

Note: Additional platforms from other vendors that are known to be vulnerable will be included in future disclosures.

I've spent months filing public records requests with local governments about The Pickleball Lobby. After reviewing thousands of pages of docs, here is what I have learned:

- Local governments are overwhelmed by the surge in pickleball's popularity
- Pickleball lobby systematically getting courts for other sports converted to pickleball
- bigtime beef between tennis players and pickleball players
- Happening in context of NIMBYism where it's impossible to build anything

https://www.404media.co/fyi-pickleball-drama-the-pickleball-lobby-is-overwhelming-local-governments-nationwide/