Fieri potest: tutto è possibile. Don Francesco Mitidieri sa bene che prima o poi le cose accadono, quando le assoggetta alla volontà di Colui in cui ha creduto, sin da bambino.
Papa Francesco, aprendo la Porta Santa nel carcere di Rebibbia a Roma lo scorso 26 dicembre, ha invitato a “non perdere la speranza": “spalancare la Porta - ha detto - è un bel gesto, ma quello più importante è aprire il cuore”.
IntelBroker, figura nota e rispettata all’interno della community di BreachForums, ha annunciato la sua dimissione dal ruolo di amministratore con un post pubblicato il 23 gennaio 2025. Questo annuncio mette in luce un problema spesso trascurato, ma sempre più attuale: il bilanciamento tra vita privata e “lavoro”, anche all’interno di contesti non tradizionali come quelli legati al cybercrime e alla cybersecurity.
Il post di dimissioni
Nel messaggio, IntelBroker spiega le motivazioni alla base della sua decisione:
“Mi dimetto perché non ho abbastanza tempo da dedicare a BreachForums. Avevo già detto in passato che non volevo ricoprire il ruolo di admin o ruoli di maggiore responsabilità perché non ho tempo sufficiente. […] Sono molto impegnato nella vita reale e non voglio essere uno staffer inutile e inattivo.”
Le parole rivelano un desiderio di trasparenza e un senso di responsabilità verso la community criminale, ma anche una chiara indicazione di come gli impegni nella vita reale possano entrare in conflitto con il ruolo di spicco ricoperto nel forum.
Pur continuando a considerare gli utenti di BreachForums una “comunità incredibile”, IntelBroker ammette che la mancanza di tempo lo ha portato a ridurre progressivamente la sua attività, fino alla decisione di dimettersi definitivamente.
Questo post evidenzia un tema cruciale che riguarda chi lavora nell’ambito della cybersecurity, spesso soggetto a ritmi logoranti e a uno stress continuo.
Il burnout, ossia una forma di esaurimento fisico ed emotivo causata da stress cronico, è una realtà comune tra professionisti IT, hacker etici e persino figure operative in ambiti meno convenzionali come BreachForums. Le cause principali includono:
Overload di responsabilità: gestire un forum di riferimento nelle underground criminali, monitorare utenti e thread e mantenere la sicurezza interna è un lavoro che richiede dedizione costante.
Mancanza di confini tra vita privata e “lavoro”: non tutti lavorano a tempo pieno nell’underground criminale. Spesso chi opera in queste comunità lo fa durante il tempo libero, compromettendo i momenti di riposo.
Pressione sociale: il timore di deludere la community o di non essere all’altezza del ruolo può aggravare lo stress.
Commento al post
IntelBroker ha fatto ciò che molte persone faticano a fare: riconoscere i propri limiti. È una decisione che, sebbene possa sembrare una perdita per la community di BreachForums, rappresenta un atto di maturità e responsabilità. Continuare a operare come admin senza poter dedicare il tempo necessario non avrebbe giovato né a lui né alla piattaforma.
Questa scelta, per quanto comprensibile in un mondo parallelo alla legalità, accende i riflettori sulla necessità di una gestione più sostenibile del lavoro, anche in contesti dove la professionalità si mescola all’illegalità o alla passione per il cybercrime. Se persino figure altamente rispettate nel cybercrime come IntelBroker sono costrette a fare un passo indietro per evitare il burnout, è evidente che il problema è diffuso.
Conclusioni
La storia di IntelBroker è un promemoria per tutti: il bilanciamento tra vita privata e lavoro non è un lusso, ma una necessità, indipendentemente dal settore in cui si opera. Nella cybersecurity, questo equilibrio è spesso difficile da raggiungere, ma è fondamentale per garantire la salute mentale e la produttività a lungo termine.
Per le community come BreachForums, l’addio di un leader è sempre un momento critico.
Tuttavia, rappresenta anche un’opportunità per riflettere su come distribuire meglio i carichi di lavoro e supportare i membri attivi. Alla fine, il valore di una comunità non risiede solo nei suoi leader, ma nella forza collettiva dei suoi membri sia nel mondo oscuro che non.
Nella giornata odierna, ZYXEL ha rilasciato un aggiornamento delle signature del servizio UTM App Patrol per i firewall della serie ATP/USG FLEX.
Tuttavia, l’aggiornamento ha avuto un impatto negativo, causando gravi disservizi agli apparati interessati. Molti utenti hanno riscontrato un blocco parziale dei firewall, con conseguente impossibilità di accedere all’interfaccia di management e di utilizzare connessioni SSL VPN.
Il problema si è rivelato particolarmente critico in quanto ha coinvolto funzionalità chiave, come il controllo remoto e la gestione delle connessioni sicure, compromettendo di fatto l’operatività delle infrastrutture aziendali e personali basate su questi dispositivi. Gli utenti hanno segnalato difficoltà nel monitoraggio e nella gestione delle reti, aggravando ulteriormente la situazione.
In alcuni casi, il disservizio si è manifestato con un comportamento ancora più grave: i firewall sono entrati in un ciclo continuo di riavvio, con interruzioni regolari ogni 15 minuti. Questo fenomeno ha reso impossibile la navigazione e il normale funzionamento delle reti, causando notevoli disagi sia in ambito lavorativo che domestico. La situazione ha evidenziato la criticità di un’implementazione non testata adeguatamente prima del rilascio ufficiale.
ZYXEL, consapevole del problema, ha rilasciato un workaround per consentire agli utenti di ripristinare i dispositivi. Tuttavia, la soluzione fornita richiede l’accesso fisico all’apparato tramite cavo console. Questa procedura non è immediatamente applicabile per chi ha installazioni remote o in luoghi difficilmente accessibili, aumentando ulteriormente i disagi per gli amministratori IT e gli utenti finali.
La mancanza di un fix remoto ha generato critiche nei confronti della gestione dell’incidente da parte di ZYXEL. In un’epoca in cui la reattività e la capacità di intervenire da remoto sono aspetti fondamentali, affidarsi esclusivamente a interventi fisici rappresenta una limitazione significativa. Gli utenti hanno espresso insoddisfazione sui forum e sui canali di supporto, richiedendo aggiornamenti tempestivi e maggiore trasparenza sulle tempistiche di risoluzione definitiva.
Questo incidente rappresenta un richiamo all’importanza dei processi di testing e validazione degli aggiornamenti, specialmente per dispositivi critici come i firewall. La fiducia degli utenti in ZYXEL è ora messa alla prova, e sarà fondamentale che l’azienda risponda con un approccio più proattivo per evitare che situazioni simili si ripetano in futuro.
Di recente, un threat actor noto come Truth-chan ha dichiarato di aver compromesso il sito del partito politico italiano Fratelli d’Italia, sfruttando una presunta vulnerabilità di directory listing. Quanto riportato dal malintenzionato è gravei: si parla del furto di dati sensibili estratti da circa 12.000-13.000 curriculum vitae (CV) caricati sulla piattaforma.
Al momento, non possiamo confermare la veridicità della notizia, poiché l’organizzazione non ha ancora rilasciato alcun comunicato stampa ufficiale sul proprio sito web riguardo l’incidente. Pertanto, questo articolo deve essere considerato come ‘fonte di intelligence’. Post apparso sul forum underground Breach Forums
Dettagli sulla violazione
Secondo quanto riportato nel post, i dati sottratti comprenderebbero:
Informazioni personali: nomi, indirizzi e-mail e contatti.
Dati professionali: esperienze lavorative, corsi frequentati e competenze linguistiche.
L’intero pacchetto sarebbe stato strutturato in un file JSON, che ne faciliterebbe l’accesso e l’utilizzo da parte di terzi.
Il cybercriminale sostiene di aver utilizzato strumenti di intelligenza artificiale per accelerare l’estrazione e la gestione dei dati. Tuttavia, sembra che alcune informazioni risultino incomplete o corrotte, portando l’attore della minaccia a cercare collaborazione per migliorare il dataset. Samples apparsi sul forum underground Breach Forums
Se confermato, quali potrebbero essere le conseguenze?
Al momento non è stato emesso alcun comunicato stampa dall’organizzazione. Qualora venisse confermata l’esfiltrazione dei dati, la portata di questo presunto attacco potrebbe rivelarsi significativa, sia per il partito che per gli individui coinvolti.
Per Fratelli d’Italia:
Ripercussioni reputazionali: Se confermato, un incidente del genere rischierebbe di intaccare la fiducia di membri e collaboratori.
Conseguenze legali: La gestione inadeguata dei dati personali potrebbe violare il GDPR, con potenziali sanzioni economiche e danni d’immagine.
Maggiore esposizione ad attacchi mirati: Informazioni sensibili potrebbero essere utilizzate per phishing o altre attività malevole contro il partito e i suoi membri.
Per gli individui coinvolti:
Violazione della privacy: Curriculum vitae trafugati potrebbero rivelare dettagli sensibili sulle persone.
Furto d’identità: Informazioni personali potrebbero essere sfruttate per scopi fraudolenti.
Implicazioni lavorative: La diffusione non autorizzata di dati professionali potrebbe impattare negativamente sulle prospettive di carriera.
Cosa possono fare le persone potenzialmente coinvolte?
Monitorare segnali di attività fraudolenta: Controllare periodicamente conti finanziari e comunicazioni personali.
Attenzione al phishing: Diffidare di e-mail sospette o richieste non sollecitate di informazioni personali.
Conclusione
Sebbene le dichiarazioni del threat actor richiedano ulteriori verifiche, questo episodio, reale o meno, pone l’accento su una problematica attuale: la sicurezza informatica non può essere sottovalutata. La gestione dei dati personali richiede protocolli solidi e un’attenzione costante, soprattutto quando in gioco ci sono informazioni così delicate.
Come nostra consuetudine, lasciamo sempre spazio ad una dichiarazione da parte dell’azienda qualora voglia darci degli aggiornamenti sulla vicenda. Saremo lieti di pubblicare tali informazioni con uno specifico articolo dando risalto alla questione.
RHC monitorerà l’evoluzione della vicenda in modo da pubblicare ulteriori news sul blog, qualora ci fossero novità sostanziali. Qualora ci siano persone informate sui fatti che volessero fornire informazioni in modo anonimo possono utilizzare la mail crittografata del whistleblower.
At least some in the audience will at some time in the distant past have loaded or saved a program on cassette, with an 8-bit home computer. The machine would encode binary as a series of tones which could be recorded to the tape and then later retrieved. If you consider the last sentence you’ll quickly realize that it’s not too far away from what a modem does, so can a modem record to cassette and decode it back afterwards? [Jesse T] set out to give it a try, and as it turns out, yes you can.
The modem talks and listens to the cassette recorder via circuitry that provides some signal conditioning and amplification, as well as making a dial tone such that the modem thinks it’s talking to a real phone line. An Arduino steps in as dial tone creator.
While there are plenty of satellites in orbit meant for amateur radio communication (including the International Space Station, although it occasionally does other things too), these all have built-in radio transmitters or repeaters specifically meant for re-transmitting received signals. They’re also generally not in geostationary orbit. So, with a retired radio telescope with a 20-meter dish aimed directly at one of the ones already there, they sent out a signal which bounced off of the physical body of the satellite and then back down where it was received by a station in Switzerland. Of course, the path loss here is fairly extreme as well since the satellite is small compared to the moon and geostationary orbit is a significant distance away, so they used the Q65 mode in WSJT-X which is specifically designed for recovering weak signals.
Don’t break out the tape measure Yagi antenna to try this yourself just yet, though. This path is not quite as reliable as Earth-Moon-Earth for a few reasons the group is not quite sure about yet. Not every satellite they aimed their dish at worked, although they theorize that this might be because of different shapes and sizes of the satellites or that the solar panels were not pointing the correct direction. But they were able to make a few contacts using this method nonetheless, a remarkable achievement they can add to their list which includes receiving a signal from one of the Voyager spacecraft.
La #sovranitàdigitale dovrebbe essere l'unico mantra possibile per l #Europa. Il club di miliardari alla corte di #trump non ha neanche il pudore di mostrarsi terzi rispetto ad un #potere che si fa vanto di scene come quella sotto. Ma le nostre #vite così legate al digitale sono in mano a questi signori del commercio, dello spazio, dei social. #politica dove sei?
Vehicle alternators are interesting beasts. Produced on a massive scale, these electric machines are available for a minimum of cost and contain all kinds of great parts: some power electronics and a belt-driven generator are generally standard fare. This generator can also be used as a motor with only minor changes to the machine as a whole, so thanks to economies of scale it’s possible to get readily-available, powerful, compact, and cheap motors for all kinds of projects using alternators as a starting point. [LeoDJ] noticed that this starter motor in a modern Mercedes had some interesting benefits beyond all of these perks, but it took a bit more work to get up and running than a typical alternator would have.
The motor, built by Bosch, can be found in the Mercedes E200 EQ Boost. This is a hybrid car, but different than something like a Prius in that it doesn’t have an electric motor capable of powering the car on its own. Instead it uses a combination starter motor/alternator/generator to provide extra power to the engine during acceleration, increasing efficiency and performance. It can also charge the small battery bank when the car slows down. Vehicles that use this system need much beefier alternators than a standard car, but liberating it from the car means that it has much more power available than a typical alternator would.
There were a number of issues to solve, though. Being that the motor/alternator has to do all of this extra work (and that it came out of a car whose brand is known for being tedious to work on in the first place) it is much more complicated than an off-the-shelf alternator. [LeoDJ] has been able to get his to spin by communicating with it over the CAN bus, but there’s still some work to be done before it goes into something like an impressively fast electric bicycle.
One of the major limitations of 3D printers is the size of the printable area. The robotic arm holding the printer head can only print where it can reach, after all. Some methods of reducing this constraint have been tried before, largely focusing on either larger printers or printer heads that are mobile in some way. Another approach to increasing the size of prints beyond the confined space typical of most consumer-grade 3D printers is to create some sort of joinery into the prints themselves so that larger things can be created. [Cal Bryant] is developing this jigsaw-based method which has allowed him to produce some truly massive prints.
Rather than making the joints by hand, [Cal]’s software will cut up a model into a certain number of parts when given the volume constraints of a specific 3D printer so it can not only easily print the parts, but also automatically add the jigsaw-like dovetail joints to each of the sections of the print. There were a few things that needed prototyping to get exactly right like the tolerance between each of the “teeth” of the joint, which [Cal] settled on 0.2 mm which allows for a strong glued joint, and there are were some software artifacts to take care of as well like overhanging sections of teeth around the edges of prints. But with those edge cases taken care of he has some working automation software that can print arbitrarily large objects.
[Cal] has used this to build a few speaker enclosures, replacing older MDF designs with 3D printed ones. He’s also built a full-size arcade cabinet which he points out was an excellent way to use up leftover filament. Another clever way we’ve seen of producing prints larger than the 3D printer is to remove the print bed entirely. This robotic 3D printer can move itself to a location and then print directly on its environment.
Lavrov, Ministro degli Esteri Russo, ha detto alcune cose sull'Italia pesantissime che dovrebbero farci riflettere. Soprattutto per capire in quale diamine di buco nero sono riusciti a cacciarci Draghi prima e Meloni poi, entrambi con la speciale collaborazione di gran parte della politica italiana, soprattutto quei guerrafondai del PD. Con Letta prima e con la "pacifista" Elly Schlein poi. Praticamente Lavrov ha detto così, secondo quanto riportato dalla Tass: "L' Italia non può partecipare al processo di pace per Kiev." Inoltre ha sottolineato che l'Italia è diventato un Paese ostile in quanto anti russo (riferendosi alla classe politica) ponendo l'accento sul fatto che le relazioni non siano mai state così in crisi tra Mosca e Roma. Non solo abbiamo rinunciato alle materie prime energetiche di Mosca martellandoci sulle palle, ma abbiamo compromesso quasi irrimediabilmente le relazioni con un Paese che ci è sempre stato amico e mai ci si è rivoltato contro. Una domanda, semplicissima: quanti atti ostili ricordate da parte della Russia contro l'Italia sia prima che dopo il 2022? Quanti invece ne ricordate per mano della CIA? Bombe, stragi, strategia della tensione, omicidi eccellenti e interferenze quotidiane vi dicono qualcosa? Però quelli brutti e cattivi stanno a Mosca mentre i democratici e i buoni stanno Washington. Pazzesco! Stendiamo un velo pietoso invece sul peso internazionale dell'Italia, che in quanto serva come mai di Washington non ha alcuna voce in capitolo, tanto da non essere nemmeno riconosciuta come partecipante a un eventuale tavolo di pace da un Paese come la Russia, i cui rapporti, prima di perdere l'ultimo briciolo di dignità, erano abbastanza solidi. Vi rendete conto di cosa sono riusciti a combinare, vero?
With the slow demise of physical media the past years, companies are gradually closing shop on producing everything from the physical media itself to their players and recorders. For Sony this seems to have now escalated to where it’ll be shuttering its recordable optical media storage operations, after more than 18 years of producing recordable Blu-ray discs. As noted by [Toms Hardware] this also includes minidisc (MD) media and MiniDV cassettes.
We previously reported on Sony ending the production of recordable Blu-ray media for consumers, which now seems to have expanded to Sony’s remaining storage media. It also raises the likelihood that Sony’s next game console (likely PlayStation 6) will not feature any optical drive at all as Blu-ray loses importance. While MiniDV likely was only interesting to those of us still lugging one of those MiniDV camcorders around, the loss of MD production may be felt quite strongly in the indie music scene, where MD is experiencing somewhat of a revival alongside cassette tapes and vinyl records.
Although it would appear that physical media is now effectively dead in favor of streaming services, it might be too soon to mark its demise.
“Il messaggio di Papa Francesco per la prossima Giornata mondiale delle comunicazioni sociali offre un’analisi lucida del panorama mediatico attuale e invita giornalisti e comunicatori a ‘disarmare la comunicazione’ denunciando il fenomeno della ‘dis…
If you enjoy reading this newsletter, please support our work. Our impact in 2024 was made possible by supporters like you. If someone forwarded you this newsletter, please subscribe here.
Trump’s assault on free press
President Donald Trump’s multipronged assault on the free press is already well underway. Trump’s Federal Communications Commission chair revived baseless complaints against networks his boss doesn’t like. More major news networks are reportedly considering settling frivolous lawsuits to get on Trump’s good side. He’s halted police reform agreements that include protections for journalists covering protests. His (alleged) Hitler-heiling homeboy is already threatening to wield his power against critics.
But that’s just the low-hanging fruit — there’s likely plenty more to come. Read about the three major press freedom threats we’re most concerned over: increased leak investigations, prosecutions of journalists, and surveillance of journalists.
Government secrecy issues to watch during Trump 2.0
There’s his consistent disregard for preserving presidential records during his first term, which we see no signs will change this time around. He has already resumed his efforts to thwart government oversight. And his administration will likely, once again, undermine the Freedom of Information Act, both by not creating public records and by finding ways to not share those they do create with the public.
Harper also covers the Biden administration’s failures on government secrecy, including refusing to issue a new executive order on classified national security information and neglecting to declassify documents the public has demanded (some of which Trump has now, to his credit, ordered declassified). Biden’s administration also continued to keep secret Office of Legal Counsel opinions, and failed to adequately fund the National Archives and Records Administration.
Biden’s press freedom legacy: empty words and hypocrisy
Sure, Trump is likely to make things worse, but that doesn’t mean Biden was a friend of the free press. He deserved one last kick on his way out the door, so here it is: our recap of Biden’s three worst press freedom failures.
His prosecutions of WikiLeaks founder Julian Assange and digital journalist Tim Burke open doors for Trump to prosecute journalists who tell both government and corporate secrets. His support for purported national security laws like the TikTok ban and the “spy draft” amendment to Section 702 of FISA will lead to further surveillance and censorship. And his administration’s silence on journalist killings in Gaza was a disgrace that even Trump would be hard-pressed to top.
Musk may hide DOGE records in plain sight
The new Department of Government Efficiency was long touted as a panel that would “provide advice and guidance from outside of government” to slash agency regulations and restructure the federal bureaucracy. But that didn’t pan out. The Jan. 20 executive order establishing DOGE says it will very much be a part of the federal government.
Why the change? Musk reportedly decided that if DOGE were a part of the government, it would be easier to avoid the Federal Advisory Committee Act’s requirements that advisory panels make all of their committee meetings and documents public. By placing DOGE within the government, Musk may have effectively bet that he can more easily flout FOIA than FACA. Harper explains it all here.
FPF, partners urge law enforcement to let press report on LA wildfires
We know policing the tragic situation in Los Angeles is chaotic but that's all the more reason reporters must be able to cover the fires. Unfortunately, there have been troubling instances where journalists have been illegally turned away from checkpoints and faced intimidation tactics and other interference.
We're one of 21 organizations calling on law enforcement to follow state law and give the press the access it needs to do its job. The same California law that gives law enforcement the ability to close areas during emergencies explicitly exempts the press. Police need to comply with the law, even in chaotic situations.
Tell DA to drop case against Portland journalist
We’ve also got some good news to report. The Multnomah County District Attorney’s office dropped its case against Portland-based independent journalist Alissa Azar. She had been set to stand trial Monday on trespass charges arising from her arrest while covering a protest at Portland State University in May.
We explained in a June letter to then-DA Mike Schmidt that the charges violated Azar’s First Amendment right — recognized by the 9th Circuit as well as the Department of Justice — to cover the protest, even after police dispersed demonstrators. Schmidt ignored us, but he’s gone. We reached out to his successor, Nathan Vasquez, who took over on Jan. 1st. Our friends at Defending Rights & Dissent also created a petition to Vasquez calling on him to drop the case. Yesterday, he did.
We thank Vasquez for cleaning up his predecessor’s mess and urge him to go one step further: Publicly commit to allowing journalists to cover protests and their aftermath and not prosecuting any similar cases going forward.
What we’re reading
Elon Musk’s battle with Wikipedia is part of his war on truth (The Independent). “He is the world’s leading free speech hypocrite, and his actions with respect to Wikipedia are further evidence of that,” we told the Independent following Musk’s call to “defund” Wikipedia for calling his obvious Nazi salute a Nazi salute.
Will the press fight like tigers against Trump? (Columbia Journalism Review). It’s vital for the press to now band together and fight like hell to protect their rights — just like they did during the Nixon administration. Legendary First Amendment lawyer James Goodale makes the case.
Decentralized social media is the only alternative to the tech oligarchy(404 Media). The first days of Trump 2.0 “have made it crystal clear that it is urgent to build and mainstream alternative, decentralized social media platforms that are resistant to government censorship and control, are not owned by oligarchs and dominated by their algorithms.”
Check out our other newsletters
If you haven’t yet, subscribe to FPF’s other newsletters, including “The Classifieds,” our new newsletter on overclassification and more from Lauren Harper, our Daniel Ellsberg Chair on Government Secrecy.
@Politica interna, europea e internazionale Kimbal Musk, fratello minore di Elon Musk, ha avuto un incontro a Palazzo Chigi con il ministro della Cultura Alessandro Giuli. Il faccia a faccia, durato poco meno di un’ora, si è tenuto nel
This is Behind the Blog, where we share our behind-the-scenes thoughts about how a few of our top stories of the week came together. This week, we discuss Nazis celebrating Elon Musk’s salute, Zuckerberg as a kook, dictating your own threat model and a good block/mute ethos.#BehindTheBlog
This week, Hackaday’s Elliot Williams and Kristina Panos joined forces and Wonder-Twin rings to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous week.
First up in the news: Big boo to Bambu Labs, who have tried to clarify their new authentication scheme and probably only dug themselves in deeper with their customers.
On What’s That Sound, Kristina didn’t get close at all, but at least had a guess this time. Do know what it is? Let us know, and if you’re right and your number comes up, you can keep warm in a limited edition Hackaday Podcast t-shirt.
Then it’s on to the hacks and such beginning with a rather nice reverse-engineering of the Yamaha PRS-E433 keyboard, which led to a slice of Bad Apple playing on the tiny screen.
After that, we take a look at an NES musical instrument, how to make wires explode with energy, and a really cool space mouse that uses flexures. Finally, we talk about a piece of forgotten Internet history, and a whole bunch of keyboards.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
Cisco’s ClamAV has a heap-based buffer overflow in its OLE2 file scanning. That’s a big deal, because ClamAV is used to scan file attachments on incoming emails. All it takes to trigger the vulnerability is to send a malicious file through an email system that uses ClamAV.
The exact vulnerability is a string termination check that can fail to trigger, leading to a buffer over-read. That’s a lot better than a buffer overflow while writing to memory. That detail is why this vulnerability is strictly a Denial of Service problem. The memory read results in process termination, presumably a segfault for reading protected memory. There are Proof of Concepts (PoCs) available, but so far no reports of the vulnerability being used in the wild.
AMD Vulnerability Leaks
AMD has identified a security problem in how some of its processors verify the signature of microcode updates. That’s basically all we know about the issue, because the security embargo still isn’t up. Instead of an official announcement, we know about this issue via an Asus beta BIOS release that included a bit too much information.
I Read the Docs
There’s nothing quite as fun as winning a Capture The Flag (CTF) challenge the wrong way. The setup for this challenge was a simple banking application, with the challenge being to steal some money from the bank’s website. The intended solution was to exploit the way large floating point numbers round small values. Deposit 1e10 dollars into the bank, and a withdraw of $1000 is literally just a rounding error.
The unintended solution was to deposit NaN dollars. In JavaScript-speak that’s the special Not a Number value that’s used for oddball situations like dividing by a float that’s rounded down to zero. NaN has some other strange behaviors, like always resulting in false comparisons. NaN > 0? False. NaN < 0? False. NaN == NaN? Yep, also false. And when the fake bank web app checks if a requested withdraw amount is greater than the amount in the account? Since the account is set to NaN, it’s also false. Totally defeats the internal bank logic. How did the student find this unintended solution? “I read the docs.” Legendary.
Another Prompt Injection Tool
[Utku Sen] has a story and a revamped tool, and it leads to an interesting question about LLMs. The story starts with a novel LLM prompt, that gives more natural sounding responses from AI tools. LLMs have a unique problem, that there is no inherent difference between pre-loaded system prompts, and user-generated prompts. This leads to an attack, where a creative user prompt can reveal the system prompt. And in a case like [Utku]’s, the system prompt is the special sauce that makes the service work. He knew this, and attempted to protect against such attacks. Within an hour of releasing the tool to the public, [Utku] got a direct message on X with the system prompts.
There’s a really interesting detail, that the prompt injection attack only worked 1 out of 11 times. This sent me down an LLM rabbit hole, asking whether LLMs are deterministic, and if not, why not. The simple answer is the “temperature” control knob on LLMs add some random noise to the output text. There seems to be randomness even when the LLM temperature is turned to zero, caused either by floating point errors, or even a byproduct of doing batched inference. Regardless, prompt injection attacks may only work after several tries.
And that brings us to promptmap tool. It is intended to evaluate a system prompt, and launch multiple attempts to poison or otherwise inject malicious user prompts into the system. And of course, it is now capable of using the approach that successfully revealed [Utku]’s system prompt.
Cloudflare’s Unintentional GPS
There’s a really interesting unintended side effect of using Cloudflare’s CDN network: Users load data from the nearest datacenter. Unique data can be served to a target user, and then the cache can be checked to leak coarse location information. This is novel research, but ultimately not actually all that important from a security perspective. The primary reason is that the same sort of attack has always existed and can be used to extract a much more valuable piece of user identifying data: The user’s IP address.
The Unauthenticated, Unencrypted radios that control The German Power Grid
The worst-case scenario for an attacker is to turn on all of the devices that use grid power, while turning off all of the connected devices that generate power. Too much of an imbalance might even be capable of resulting in the dreaded grid-down scenario, where all the connected power generation facilities lose sync with each other, and everything has to be disconnected. Recovery from such a state would be slow and tedious. And thankfully not actually very likely. But even if this worst-case scenario isn’t very realistic, it’s still a severe vulnerability in how the German grid is managed. And fixes don’t seem to be coming any time soon.
Bits and Bytes
The Brave browser had a bit of a dishonest downloads issue, where the warning text about a download would show the URL from the referrer header. The danger is that a download may be considered trustworthy, even when it’s actually being served from an arbitrary URL.
Zoom has a weird security disclosure for one of their Linux applications, and it contains a description I’ve never seen before: The bug “may allow an authorized user to conduct an escalation of privilege via network access.” Given the CVSS score of 8.8 with an attack vector of network, this should probably be called a Remote Code Execution vulnerability.
Subaru had a problem with STARLINK. No, not the satellite Internet provider, the other STARLINK. That’s Subaru’s vehicle technology platform that includes remote start and vehicle tracking features. That platform had a pair of flaws, the first allowing an attacker to reset any admin’s password. The second is that the Two Factor Authentication protection can be bypassed simply by hiding the pop-up element in the HTML DOM. Whoops! Subaru had the issues fixed in under 24 hours, which is impressive.
And finally, Silent Signal has the intriguing story of IBM’s i platform, and and a compatibility issue with Windows 11. That compatibility issue was Microsoft cracking down on apps sniffing Windows passwords. And yes, IBM i was grabbing Windows passwords and storing them in the Windows registry. What a trip.
“Rifiutiamo i luoghi comuni, alimentati da autoreferenzialità e ridondanza; costruiamo, invece, spazi di relazione e condivisione, frutto di ascolto reciproco e comprensione.
