This episode is about the methods that states, and by no means only authoritarian ones, use to spy on their citizens. Dissidents, journalists, politicians and other groups of the population have already fallen victim to smartphone malware installed on behalf of governments. The makers of this spyware are secretive companies that charge a lot of money for their services. Sylvester and Christopher take a close look at everyone involved and also settle the question of whether WhatsApp sued the NSA.
- [Predator analysis by Cisco Talos](https://blog.talosintelligence.com/mercenary-intellexa-predator/)
- [Google Project Zero on FORCEDENTRY](https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html)
- https://media.ccc.de/v/38c3-from-pegasus-to-predator-the-evolution-of-commercial-spyware-on-ios
- https://securitylab.amnesty.org/latest/2024/12/serbia-a-digital-prison-spyware-and-cellebrite-used-on-journalists-and-activists/
- [Details on iOS Lockdown Mode](https://support.apple.com/de-de/105120)
- https://securitylab.amnesty.org/get-help/
- https://securitylab.amnesty.org/partners-and-support/
- [Mobile Verification Toolkit (MVT)](https://docs.mvt.re/en/latest/)
Nicholas Carlini from Google DeepMind offers his view of AI security, emergent LLM capabilities, and his groundbreaking model-stealing research. He reveals how LLMs can unexpectedly excel at tasks like chess and discusses the security pitfalls of LLM-generated code.

SPONSOR MESSAGES:
*** CentML offers competitive pricing for GenAI model deployment, with flexible options to suit a wide range of models, from small to large-scale deployments. https://centml.ai/pricing/
Tufa AI Labs is a brand new research lab in Zurich started by Benjamin Crouzier focussed on o-series style reasoning and AGI. Are you interested in working on reasoning, or getting involved in their events? Go to https://tufalabs.ai/ ***

Transcript: https://www.dropbox.com/scl/fi/lat7sfyd4k3g5k9crjpbf/CARLINI.pdf?rlkey=b7kcqbvau17uw6rksbr8ccd8v&dl=0

TOC:
1. ML Security Fundamentals
[00:00:00] 1.1 ML Model Reasoning and Security Fundamentals
[00:03:04] 1.2 ML Security Vulnerabilities and System Design
[00:08:22] 1.3 LLM Chess Capabilities and Emergent Behavior
[00:13:20] 1.4 Model Training, RLHF, and Calibration Effects
2. Model Evaluation and Research Methods
[00:19:40] 2.1 Model Reasoning and Evaluation Metrics
[00:24:37] 2.2 Security Research Philosophy and Methodology
[00:27:50] 2.3 Security Disclosure Norms and Community Differences
3. LLM Applications and Best Practices
[00:44:29] 3.1 Practical LLM Applications and Productivity Gains
[00:49:51] 3.2 Effective LLM Usage and Prompting Strategies
[00:53:03] 3.3 Security Vulnerabilities in LLM-Generated Code
4. Advanced LLM Research and Architecture
[00:59:13] 4.1 LLM Code Generation Performance and O(1) Labs Experience
[01:03:31] 4.2 Adaptation Patterns and Benchmarking Challenges
[01:10:10] 4.3 Model Stealing Research and Production LLM Architecture Extraction

REFS:
[00:01:15] Nicholas Carlini's personal website & research profile (Google DeepMind, ML security) - https://nicholas.carlini.com/
[00:01:50] CentML AI compute platform for language model workloads - https://centml.ai/
[00:04:30] Seminal paper on neural network robustness against adversarial examples (Carlini & Wagner, 2016) - https://arxiv.org/abs/1608.04644
[00:05:20] Computer Fraud and Abuse Act (CFAA), the primary U.S. federal law on computer hacking liability - https://www.justice.gov/jm/jm-9-48000-computer-fraud
[00:08:30] Blog post: Emergent chess capabilities in GPT-3.5-turbo-instruct (Nicholas Carlini, Sept 2023) - https://nicholas.carlini.com/writing/2023/chess-llm.html
[00:16:10] Paper: "Self-Play Preference Optimization for Language Model Alignment" (Yue Wu et al., 2024) - https://arxiv.org/abs/2405.00675
[00:18:00] GPT-4 Technical Report: development, capabilities, and calibration analysis - https://arxiv.org/abs/2303.08774
[00:22:40] Historical shift from descriptive to algebraic chess notation (FIDE) - https://en.wikipedia.org/wiki/Descriptive_notation
[00:23:55] Analysis of distribution shift in ML (Hendrycks et al.) - https://arxiv.org/abs/2006.16241
[00:27:40] Nicholas Carlini's essay "Why I Attack" (June 2024), on motivations for security research - https://nicholas.carlini.com/writing/2024/why-i-attack.html
[00:34:05] Google Project Zero's 90-day vulnerability disclosure policy - https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html
[00:51:15] Evolution of Google search syntax & user behavior (Daniel M. Russell) - https://www.amazon.com/Joy-Search-Google-Master-Information/dp/0262042878
[01:04:05] Rust's ownership & borrowing system for memory safety - https://doc.rust-lang.org/book/ch04-00-understanding-ownership.html
[01:10:05] Paper: "Stealing Part of a Production Language Model" (Carlini et al., March 2024), extraction attacks on ChatGPT and PaLM-2 - https://arxiv.org/abs/2403.06634
[01:10:55] First model stealing paper (Tramèr et al., 2016), attacking ML APIs via prediction - https://arxiv.org/abs/1609.02943
David Jhave Johnston and Scott Rettberg are back with a new episode and song. In today's episode, they discuss AI agents. Secret agents, travel agents, helping you with anything you need. Whether that is spying on people or booking that holiday you wanted to go on, the AI agents can do it for you. Listen now for this new AI update.
References
- Fourney, Adam, et al. 2024. "Magentic-One: A generalist multi-agent system for solving complex tasks." Microsoft. Effective November 4, 2024. https://www.microsoft.com/en-us/research/articles/magentic-one-a-generalist-multi-agent-system-for-solving-complex-tasks/
- Lu, Yadong. 2024. "OmniParser for pure vision-based GUI agent." Microsoft. Effective October 8, 2024. https://www.microsoft.com/en-us/research/articles/omniparser-for-pure-vision-based-gui-agent/
- Riegler, Michael Alexander. 2024. "Exploring OpenAI's Swarm: An experimental framework for multi-agent systems." Medium. Effective October 12, 2024. https://medium.com/@michael_79773/exploring-openais-swarm-an-experimental-framework-for-multi-agent-systems-5ba09964ca18
- The Big Sleep Team. 2024. "Project Zero. From naptime to big sleep: Using large language models to catch vulnerabilities in real-world code." Google Project Zero. Effective November 1, 2024. https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.html#bigsleepteam
Three Buddy Problem - Episode 20: We revisit the 'hack-back' debate, the threshold for spying on adversaries, Palo Alto watching EDR bypass research to track threat actors, hot nuggets in Google's Clément Lecigne's Hexacon talk, Apple's new iOS update rebooting iPhones in law enforcement custody, the mysterious GoblinRAT backdoor, physical 'meatspace' Bitcoin attacks, and more details on North Korean cryptocurrency theft. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs) (SentinelLabs), Costin Raiu (https://twitter.com/craiu) (Art of Noh) and Ryan Naraine (https://twitter.com/ryanaraine) (SecurityWeek).
Dennis Fisher and Lindsey O'Donnell-Welch reflect on their week in Las Vegas at Black Hat and discuss the talks they liked, including Moxie Marlinspike's keynote and the Google Project Zero retrospective, and the other topics they found interesting, including vulnerability exploitation versus social engineering and the AI ecosystem.
Kim Zetter, investigative journalist for WIRED, POLITICO, The New York Times, The Washington Post, and Motherboard/VICE Media, and author of the popular book "COUNTDOWN TO ZERO DAY: Stuxnet and the Launch of the World's First Digital Weapon", tops FeedSpot's list of the Top 100 Cybersecurity Influencers in 2024. Coming in at No. 2 on the list is Maddie Stone, Security Researcher on Google Project Zero, followed by Steve Morgan, founder of Cybersecurity Ventures and Editor-in-Chief at Cybercrime Magazine, at No. 3. In this episode, host Paul John Spaulding is joined by Steve Morgan, Founder of Cybersecurity Ventures and Editor-in-Chief at Cybercrime Magazine, to discuss. The Cybercrime Magazine Update airs weekly and covers the latest news, interviews, podcasts, reports, videos, and special productions from Cybercrime Magazine, published by Cybersecurity Ventures. For more on cybersecurity, visit us at https://cybersecurityventures.com
The 'Three Buddy Problem' Podcast Episode 2: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade go all-in on the discussion around Google Project Zero disrupting counter-terrorism malware operations. A deep dive on disruption vs exposure, the effects of US government sanctions on private mercenary hacking companies, hypocrisy and the tricky relationship between malware researchers and the intelligence community, and the lack of 'success stories' from so-called benevolent malware. We also discuss the implications of the TeamViewer breach by a skilled Russian APT, new Microsoft notifications to Midnight Blizzard victims, and share thoughts on the Polyfill.io supply chain compromise.
Door number 8 holds facts worth knowing about Google Project Zero for you.
In the age of Oppenheimer, nuclear weapons didn't have much to do with computers. And, for a long time, most nukes were running on 1970s-era floppy disk systems. But as technology has advanced the US, and all the other nuclear weapons states, have started putting military communications, early warning systems, and even control of nuclear missiles themselves online. So, in this episode, we ask, "Could our nuclear weapons systems… be hacked?" We talk to researchers, policy experts, a top UN official, and a hacker about how a nuclear cyber attack might go down. And what we can do to stop it.
GUESTS: Matt Korda, Senior Research Fellow, Nuclear Information Project; Allison Pytlak, Program Lead of the Cyber Program at the Stimson Center; Page Stoutland, Consultant at the Nuclear Threat Initiative; Maddie Stone, Security Researcher at Google Project Zero; Izumi Nakamitsu, Under-Secretary-General for Disarmament Affairs at the UN Office for Disarmament Affairs
ADDITIONAL RESOURCES:
- Flying Under The Radar: A Missile Accident In South Asia, Federation of American Scientists
- Addressing Cyber-Nuclear Security Threats, Nuclear Threat Initiative
- Glitch disrupts Air Force nuke communications, NBC News
- A 'Worst Nightmare' Cyberattack: The Untold Story Of The SolarWinds Hack, NPR
- Treaty on the Non-Proliferation of Nuclear Weapons - Preparatory Committee for the Eleventh Review Conference, UNODA
- The Failsafe Review, Nuclear Threat Initiative
The FIRST Podcasters interview Maddie Stone of Google Project Zero on the current 2022 threat landscape and past Zero Day patterns. Maddie shares insight into how security professionals should work to make exploitations more difficult for attackers. With an evolving approach to Zero Days, we can create continuous solutions that treat patches as an opportunity to dive deeper.
The Forum of Incident Response and Security Teams (FIRST) took place for the first time in Ireland. FIRST's 34th Annual Conference, entitled 'Neart Le Chéile: Strength Together', took place in the Convention Centre, Dublin, from June 26 to July 1, 2022. One of the speakers was Maddie Stone, a security researcher on Google Project Zero. Ronan talks to Maddie about what Google Project Zero does and more. Maddie talks about what Google Project Zero does, their most interesting find, how they decide where they will go next, members of the team having their own expertise, flaws in products, only fixing bugs that are exploitable, and what they consider to be security bugs. Maddie also talks about why the OS you use is not important to attackers, the dark web, her FIRST talk, and the serious vulnerabilities they have found so far this year. More about Maddie: Maddie Stone is a Security Researcher on Google Project Zero where she focuses on 0-day exploits used in-the-wild. Previously, she was a reverse engineer and team lead on the Android Security team, focusing predominantly on pre-installed and off-Google Play malware. Maddie also spent many years deep in the circuitry and firmware of embedded devices. Maddie has previously spoken at conferences including Black Hat USA, REcon, OffensiveCon, and others. She holds a Bachelor of Science, with a double major in Computer Science and Russian, and a Master of Science in Computer Science from Johns Hopkins University.
The Forum of Incident Response and Security Teams (FIRST) has chosen the island of Ireland for the first time as the destination for its 34th Annual Conference, entitled ‘Neart Le Chéile: Strength Together' in the Convention Centre, Dublin, from June 26 to July 1, 2022. Over 1,000 people from six continents will participate, as the not-for-profit aims to deliver worldwide coordination and cooperation among computer security and incident response teams. From Tonga to Tanzania, Greece to Guatemala, Australia to America, the participants from nearly 80 countries are the leading lights in their field. Governments, academia, and businesses, all have a critical agenda as cyber security issues continue to rapidly increase worldwide, and global coordination is now vital to make the internet safe for everyone. Google's Maddie Stone delves into the unknown during the conference, focusing on 0-day exploits used in the wild. A security researcher on Google Project Zero, she will disclose crucial insights and learnings from previously detected 0-day attacks – which occur when a cyber attacker abuses a vulnerability that was totally unknown – to help delegates defend organisations and society in future incidents. The five-day event will explore various themes with contributors from industry and academia, from notable organisations such as the World Economic Forum, National Police Agency from Japan, Amnesty International, the US Cybersecurity and Infrastructure Security Agency, and the European Union Agency for Cybersecurity. Other notable discussions on the agenda include the preparation for the Tokyo 2020 Games, analysis of the SolarWinds supply chain compromise, and lessons learned from supporting national responses to COVID-19. Brian Honan, CEO, BH Consulting and FIRST Annual Conference Programme Chair, commented: “Dublin, and Ireland, is a perfect setting to host leading experts in this area with the cyber security sector on a significant growth trajectory on the island. 
The recent State of Cyber Security Sector in Ireland 2022 report states that by 2030 the industry will be worth €2.5 bn GVA, an increase of €1.4 bn from 2021, employing over 17,000 people. "This conference is critical for the global community of incident responders and security teams. After two years of pandemic uncertainty, we can all come together in person once more to tackle cyber security issues in a united fashion to create a fix and ensure organisations can continue to operate with limited disruption. Our theme, 'Neart Le Chéile: Strength Together', is exactly how we, as experts, will beat the criminals and keep people safe from cyber security attacks going forward." Chris Gibson, CEO, FIRST added: "The conference program this year is both intuitive and timely, with our keynoters covering topics across the full spectrum of computer security, from the practical to the emotional. "As a membership organisation, we work to ensure that our Annual Conference brings as much value as possible. Over the five days, our goal is to inspire and empower participants to take new thinking and tools back with them to their everyday roles as they continue to defend people across the globe against cyber-attacks." Cyber specialists must work together to tackle online crime, as many instances do not occur in isolation, or just in one geographical area. FIRST provides a unique platform for everyone to unite and work towards a safer cyber community for all. At the FIRST Conference participants will share goals, ideas, and information on how to improve global computer security, with delegates learning the latest security strategies in incident management, increasing their knowledge and technical insight about security problems and solutions, and gaining insights into analysing network vulnerabilities. Alongside numerous talks and panel discussions, the conference also features Lightning Talks, a Vendor Showcase and Exhibits, and networking opportunities.
The full program can be a...
A daily look at the relevant information security news from overnight - 21 June, 2022
Episode 249 - 21 June 2022
ToddyCat Tracked - https://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/
NTLM Relay Attack - https://thehackernews.com/2022/06/new-ntlm-relay-attack-lets-attackers.html
OT Insecure by Design - https://www.securityweek.com/basecamp-icefall-secure-design-ot-makes-little-headway
Microsoft Re-Arms Windows - https://www.zdnet.com/article/microsoft-this-out-of-band-windows-security-update-fixes-microsoft-365-sign-in-issues-for-arm-devices/
Beware Zombie Bugs - https://www.theregister.com/2022/06/21/apple-safari-zombie-exploit/

Hi, I'm Paul Torgersen. It's Tuesday June 21st, 2022, and from Chicago this is a look at the information security news from overnight.

From BleepingComputer.com:
A new APT group dubbed ToddyCat has been targeting Microsoft Exchange servers throughout Asia and Europe. According to the Kaspersky researchers, it looks like they have been in action since at least December of 2020. Kaspersky has also found a previously unknown passive backdoor they named Samurai and new trojan malware dubbed Ninja Trojan. Both malware strains allow the attackers to take control of infected systems and move laterally within the victims' networks.

From TheHackerNews.com:
A new Windows NTLM relay attack dubbed DFSCoerce has been uncovered that leverages the Distributed File System: Namespace Management Protocol to seize control of a domain. This follows a similar method called PetitPotam that abuses Microsoft's Encrypting File System Remote Protocol to coerce Windows servers into authenticating with a relay under an attacker's control. To mitigate NTLM relay attacks, Microsoft recommends enabling Extended Protection for Authentication, SMB signing, and turning off HTTP on AD CS servers.
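As an added example (not code from the podcast, and not Microsoft's own tooling), the following PowerShell audit checks the three mitigations named in that item on an AD CS web enrollment host: whether the SMB server requires signing, whether the CertSrv application requires Extended Protection for Authentication, and whether the site hosting it still answers over plain http. It assumes the IIS WebAdministration module is installed and that web enrollment sits under "Default Web Site" (the installer's default); both are assumptions, so adjust $site if your layout differs.

```powershell
# Added example, not from the podcast or from Microsoft: audit the three
# NTLM-relay mitigations Microsoft recommends, on an AD CS web enrollment host.
# Run in an elevated PowerShell on that host. Assumptions: the IIS
# WebAdministration module is installed, and the CertSrv application lives
# under "Default Web Site" (the default when web enrollment is installed).

$site = 'Default Web Site'   # assumption: change if enrollment is on another site
$findings = New-Object System.Collections.Generic.List[string]

# 1. SMB signing. A relay to SMB only succeeds when the target does not
#    require signed sessions, so "enabled" is not enough; it must be required.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) {
    $findings.Add('SMB server does not require signing (RequireSecuritySignature = False); coerced NTLM can be relayed to SMB.')
}

Import-Module WebAdministration -ErrorAction Stop
$certSrv = "IIS:\Sites\$site\CertSrv"

if (Test-Path $certSrv) {
    # 2. Extended Protection for Authentication on the enrollment endpoint.
    #    Channel binding ties the NTLM exchange to the TLS channel, so an
    #    authentication relayed from a different connection is rejected.
    #    tokenChecking must be "Require"; "Allow" or "None" leaves relay open.
    $epa = Get-WebConfigurationProperty -PSPath $certSrv `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking'
    $epaValue = if ($null -ne $epa.Value) { "$($epa.Value)" } else { "$epa" }
    if ($epaValue -ne 'Require') {
        $findings.Add("CertSrv extendedProtection tokenChecking is '$epaValue', not 'Require'; relayed NTLM to web enrollment is not blocked.")
    }

    # 3. Plain HTTP. Channel binding only protects TLS connections, so an
    #    http binding on the enrollment site remains a relay target regardless of (2).
    $httpBindings = Get-WebBinding -Name $site | Where-Object { $_.protocol -eq 'http' }
    if ($httpBindings) {
        $findings.Add("Site '$site' still has an http binding; web enrollment should answer over https only.")
    }
}
else {
    Write-Warning "No CertSrv application found under '$site'; skipping the AD CS checks."
}

if ($findings.Count -eq 0) {
    Write-Output 'All three NTLM relay mitigations are in place.'
}
else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script covers only the mitigations the episode names. Coercion primitives like PetitPotam and DFSCoerce can also be relayed to LDAP on domain controllers, which is addressed by LDAP signing and channel binding rather than by anything this audit inspects.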
From SecurityWeek.com:
Ten years after project Basecamp, Forescout has conducted an updated project, dubbed OT:Icefall, to gauge the current state of Security By Design in OT products. They found 56 insecure by design problems stemming from ten manufacturers. Forescout says the flaws are not programming error vulnerabilities, but rather flaws in the protocols, authorizations, and certifications built into the designs. Seems not enough has changed in the last 10 years.

From ZDNet.com:
Microsoft has issued an out-of-band update for Windows 11 and Windows 10 to fix an issue that emerged with Arm devices after their latest Patch Tuesday update. It seems some users were prevented from signing into applications including VPN connections, Microsoft Teams, and Microsoft Outlook. The issue only affects Windows devices that use Arm processors; machines using other processors are not affected. If that is you and you have not yet applied the June 14 updates, you should use this out-of-band update instead.

And last today, from TheRegister.com:
Beware of zombie vulnerabilities. The Safari browser had a vulnerability that was completely patched by Apple back in 2013 when it was discovered. Unfortunately that fix was regressed in 2016 during some code refactoring. That same bug was found being exploited earlier this year. It is unclear for how many of those five years the de-patched bug was being exploited in the wild. See the details and a link to the Google Project Zero research in the article.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
This week on the podcast, we discuss the line between ethical security research and malicious activity thanks to a compromised open source software package. After that we cover the latest industry to fall victim to Ransomware and end by highlighting a 0-click vulnerability in Zoom's message system discovered by Google Project Zero.
Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is the whole industry is expanding while a lot of our security technologies are not. When the universe around you is expanding but you're staying the same size, you are actually shrinking.
Show Notes
- Google Project Zero blog post
- Apple 0days
- Joint cyber advisory
Finland has won NATO CCDCOE's Locked Shields 2022 cyber exercise
https://twitter.com/Puolustusvoimat/status/1517435657966305281
CCDCOE targeted by a denial-of-service attack
https://www.tivi.fi/uutiset/virolaislehti-naton-kyberosaamiskeskuksen-sivuihin-hyokataan-synkka-viesti-ilmestyi-tallinnaan/e5a201b7-ec4b-47d5-89ae-87dffa5c0d44
Documentary on the scammer Hushpuppi
https://www.youtube.com/watch?v=PMenb4TU5xI
Bloomberg's article on Hushpuppi
https://www.bloomberg.com/features/2021-hushpuppi-gucci-influencer/
Fox Hunt 2
https://twitter.com/DXBMediaOffice/status/1276133837374926850
The Ministry for Foreign Affairs fell victim to a scam in 2018
https://yle.fi/uutiset/3-12298292
Elias Alanko's write-up on Finnish BEC victims
https://www.linkedin.com/pulse/brief-history-bec-scams-finland-public-6-8-figure-cases-alanko/
Google Project Zero's analysis of zero-day vulnerabilities in 2021
https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html
Blog post on the zero-day vulnerabilities Mandiant saw in 2021
https://www.mandiant.com/resources/zero-days-exploited-2021
Citizen Lab's writing on spyware
https://citizenlab.ca/tag/spyware/
Okta has concluded its investigation of the Lapsus$ breach
https://therecord.media/okta-apologizes-for-waiting-two-months-to-notify-customers-of-lapsus-breach/
https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/
https://www.crn.com/news/security/okta-breached-by-lapsus-exposing-customer-data-group-claims
Vulnerabilities are part of life, even more so in the cyber world. This week we will look into the types of vulnerabilities that are out there. One thing is for sure: they are not all exploited equally. Some are more damaging; others take time, resources and perseverance to pull off. Simply put, they are part of the fabric of modern technology.
Also coming up, a number of security updates, including this week:
- Google Project Zero tracked a record number of exploited-in-the-wild 0-days
- Microsoft Windows Autopatch
Links:
- https://googleprojectzero.blogspot.com: Google Project Zero tracked a record number of exploited-in-the-wild 0-days
- https://docs.google.com: 0day "In the Wild" sheet
- https://thehackernews.com: Google Project Zero detects record zero-day exploits in 2021
- https://techcommunity.microsoft.com: Get current and stay current with Windows Autopatch
- https://www.sans.org: Top 25 software errors
Be sure to subscribe if you like the content. Follow me @iayusuf or read my blog at https://yusufonsecurity.com. You will find a list of all previous episodes there too.
We chat about trivial problems such as the Samsung Galaxy S22 not being the best phone, and take a look at Google Project Zero's statistics.
Ubuntu 20.04.4 LTS is released, plus we talk about Google Project Zero's metrics report as well as security updates for the Linux kernel, expat, c3p0, Cyrus SASL and more.
Links:
- Has its own vulnerability that's actively under exploit: https://arstechnica.com/information-technology/2021/12/patch-fixing-critical-log4j-0-day-has-its-own-vulnerability-thats-under-exploit/
- Google Project Zero deep dive into the NSO group's iMessage exploit: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
- Three flaws: https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html
- How to customize behavior of AWS Managed Rules for WAF: https://aws.amazon.com/blogs/security/how-to-customize-behavior-of-aws-managed-rules-for-aws-waf/
- Using AWS security services to protect against, detect, and respond to the Log4j vulnerability: https://aws.amazon.com/blogs/security/using-aws-security-services-to-protect-against-detect-and-respond-to-the-log4j-vulnerability/
- Update for Apache Log4j2 Issue: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
- An innocent question: https://Twitter.com/QuinnyPig/status/1473382549535662082?s=20

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it's nobody in particular's job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Announcer: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor, list and see all of SSH servers, Kubernetes clusters, or databases available to you in one place, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That's goteleport.com.

Corey: The burning yule log that is the log4j exploit and its downstream issues continues to burn fiercely. Meanwhile the year winds down, and it's certainly been an eventful one. I'll talk to you next week because that is what I do.

Now, let's see from the community what happened. The patch to fix the log4j vulnerability apparently has its own vulnerability that's actively under exploit. Find your nearest InfoSec friend and buy them a beer or forty because this is going to suck for a long time and basically ruin everyone's holiday.

Also, I've seen the most hair-raising thing I can remember in InfoSec-land, which is the Google Project Zero deep dive into the NSO group's iMessage exploit. Seriously, this thing requires no clicks on the part of the victim; the exploit uses a bug in the GIF processing inherent to iMessage to build a virtual CPU and assembly instruction set. There is no realistic defense against this short of hurling your phone into the sea, which I heartily recommend at this point as a best practice.

Oh, and everything is on fire and somehow worse. There are now at least three flaws in the log4j library that we're counting, so far. Everything is terrible and we clearly should never log anything again.

Corey: This episode is sponsored in part by my friends at Cloud Academy. Something special for you folks: If you missed their offer on Black Friday or Cyber Monday or whatever day of the week doing sales it is, good news, they've opened up their Black Friday promotion for a very limited time. Same deal: $100 off a yearly plan, 249 bucks a year for the highest quality cloud and tech skills content. Nobody else is going to get this, and you have to act now because they have assured me this is not going to last for much longer. Go to cloudacademy.com, hit the 'Start Free Trial' button on the homepage and use the promo code 'CLOUD' when checking out. That's C-L-O-U-D. Like loud—what I am—with a C in front of it. They've got a free trial, too, so you'll get seven days to try it out to make sure it really is a good fit. You've got nothing to lose except your ignorance about cloud. My thanks to Cloud Academy once again for sponsoring my ridiculous nonsense.

Now, AWS had a few things to say. The most relevant of them are How to customize behavior of AWS Managed Rules for WAF. So, if you're a WAF vendor and you don't link to this blog post as part of your, "Why should I pay you?" sales material, you're missing a golden opportunity. Every time I dig into AWS's Web Application Firewall offering, I end up regretting it, and with a headache.

There was also a post on Using AWS security services to protect against, detect, and respond to the Log4j vulnerability. I'm disappointed to see AWS starting to use the log4nonsense stuff to pitch a dizzying array of expensive security services that require customers to do an awful lot of independent work to get stuff configured properly. This kind of isn't the time for that.

And they have an update page that they continue to update called Update for Apache Log4j2 Issue, and this post has more frequent updates than AWS's "What's new" RSS feed. It really drives home the sheer scope of the issue, how pervasive it is, and just how much empathy we should have for the AWS security team. Their job has pretty clearly been not fun for the last couple of weeks.

And lastly, the tip of the week is more of a request for help, honestly. I asked what I thought was an innocent question on Twitter: "What are people using to read and consume CloudTrail logs?" The answers made it clear that the answer was basically, "A bunch of very expensive enterprise grade things," or, "Nothing." This feels like a missed opportunity for some enterprising company out there. If you've got a better answer here, please whack reply and let me know. You know where to find me. Thanks for listening. That's what happened last week in AWS security. Enjoy the time off if you're lucky enough to get any, and I'll talk to you next week.

Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.
In this episode with Benoit and Sébastien, we return once more to the vulnerability recently discovered in Apache's Log4j library that we told you about last week, and to some unexpected effects of this wide-reaching security problem. Do your children draw you nice pictures? Meta will animate them using artificial intelligence. After developing a mobile browser, DuckDuckGo is setting out to build one for macOS. After humanoid robots, robot dogs and flying robots, here is the robot fish. To answer which sushi? Explanation in this issue. Welcome, and thanks in advance for subscribing to Technos, and thanks also for sharing our content on your networks.
C for China (00:02:27) When China cancels its contracts. The Chinese government cancels its contracts with Alibaba following Log4J. (source)
D for Dell (00:07:14) A bet. Concept for the webcam of the future. (source)
F for Facebook (00:13:03) When AI animates your drawings. Facebook develops a prototype to animate your children's drawings. (source)
G for DuckDuckGo (00:21:31) Desktop browser. A privacy-respecting macOS browser. (source)
L for Log4j (00:28:20) When will we see the end of it? One Log4J flaw follows another, and they all look alike. (source, source)
P for Perch (00:43:38) The robot perch. Also known as the largemouth bass. (source, source)
P for Project Zero (00:49:48) Google Project Zero details FORCEDENTRY. Details on the iMessage flaw (FORCEDENTRY) exploited by NSO. (source, source)
W for Wordle (01:00:59) Word game. Motus in English. (source)
Probably best known as the Twitter handle @pwnallthethings, Matt Tait is the chief operating officer of Corellium. Previously, he was a hacker for GCHQ, the British version of the National Security Agency, he was the CEO of Capital Alpha Security, and he worked at Google Project Zero, among other things. Most of this podcast was recorded before the news of the Kaseya ransomware attack broke over the weekend (Matt wrote a piece on Lawfare entitled, "The Kaseya Ransomware Attack is a Really Big Deal"). They talked a bit about Kaseya at the beginning of the episode before turning to a more general discussion of ransomware, other current cybersecurity threats and what Matt is worried about as he looks into the future.
Half-Double, the new Google Project Zero vulnerability that increases the impact of RowHammer, a movie-worthy attack vector. Flashcards belonging to American soldiers, publicly accessible on the Internet, expose secrets about the locations of nuclear missile bunkers in Europe. A mobile app focused on reporting and acting against crime has a very dark side. The Dunhammer report uncovers the NSA's espionage operation against European politicians, made possible by a secret pact with the Danish Defence Intelligence Service. Anonymous declares war on none other than Elon Musk. The FBI withdraws a subpoena for web records that included IP addresses which could have identified readers of a USA TODAY story published this February. Notes and references at tierradehackers.com Twitch: twitch.tv/tierradehackers
iOS upgrade (some apps may be buggy), printing pictures on canvas (Costco is a good option), changing Google Region Settings (while on travel), transferring files with a USB bridge cable, CAPTCHA effectiveness (at the expense of user experience), eater address for cryptocurrency (what it is, why it is necessary), Profiles in IT (Jacobus Cornelis Haartsen, father of Bluetooth), importance of standards and of standards groups, Google Project Zero (increases time-to-fix window), and is Wikipedia the most reliable source on the Internet. This show originally aired on Saturday, June 5, 2021, at 9:00 AM EST on WFED (1500 AM).
- www.scmagazine.com: As US takes sweeping action against Russia for years of hacking, industry skeptical of impact
- www.darkreading.com: FBI Operation Remotely Removes Web Shells From Exchange Servers
- www.bleepingcomputer.com: CISA gives federal agencies until Friday to patch Exchange servers
- www.zdnet.com: Google Project Zero testing 30-day grace period on bug details to boost user patching
- www.cyberscoop.com: Hundreds of electric utilities downloaded SolarWinds backdoor, regulator says
- edscoop.com: Accellion breach exposed 300,000 records, University of Colorado says
- www.govinfosecurity.com: Kentucky Unemployment Insurance Site Shuttered After Attack
- www.zdnet.com: Critical Zoom vulnerability triggers remote code execution without user input
Share that link with your friends, or share this one; either helps this podcast grow! Follow me on Twitter at: @attiliojr
Feeling generous and want to show your support? algorand: E3HYLC56IHAFXPPA2WZCLBYAVFX42GVFDC7BDAXAQWNI3BXGHF3KDILMSY bitcoin: bc1qls47sszwqxwpad66pn6awxr0ex9s4d33t3t2zw Cosmos: cosmos107ng80lsqhwqxeawajjt6cywmu5nhlt3drvddf BAT: 0x1d17d7Ee7d1BF9F53DEF2CEf4558D05ed9172A86 Paypal: https://streamelements.com/professorcyberrisk/tip
Patrick Howell O’Neill is the cybersecurity senior editor for MIT Technology Review. In this out-of-band episode of the show, Patrick joins Ryan to discuss his latest scoop (https://securityconversations.com/on-disrupting-gov-malware-attacks/) on Google Project Zero's visibility into malware used in a Western .gov counter-terrorism operation, the tricky nature of attributing nation-state backed attacks, Apple's iOS becoming a hot target and the controversies surrounding all of these conversations. Follow Patrick on Twitter (https://twitter.com/howelloneill).
Josh and Kurt talk about the Google Project Zero report titled "A Year in Review of 0-days Exploited In-The-Wild in 2020". It's a cool report but we don't agree on the conclusion. The answer isn't to security harder, it's to stop using C. Show Notes: Google Project Zero Year of 0-days; Kurt's CUPS tweet
HelSec virtual meetup, 21.1.2021: https://www.meetup.com/HelSec/events/275770212/
Recording of the FISC cyber forecasts event: https://vimeo.com/497972925
Antti's opinion piece in Hesari: https://www.hs.fi/mielipide/art-2000007732835.html
Outreach's recent publication on stalkerware: https://medium.com/outrch/whos-watching-you-d70460bdf390
The real effects of WhatsApp's terms-of-service agreement in Europe: https://www.whatsapp.com/legal/updates/privacy-policy-eea https://www.bbc.com/news/technology-55573149
SolarLeaks site published: https://www.bleepingcomputer.com/news/security/solarleaks-site-claims-to-sell-data-stolen-in-solarwinds-attacks/
Suspected JetBrains supply-chain attack: https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html
JetBrains' response to the suspicions: https://blog.jetbrains.com/blog/2021/01/06/statement-on-the-story-from-the-new-york-times-regarding-jetbrains-and-solarwinds/
Microsoft Exchange vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-16875
Steven Seeley's blog post on the vulnerability: https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html
Ubiquiti credentials possibly leaked: https://www.bleepingcomputer.com/news/security/networking-giant-ubiquiti-alerts-customers-of-potential-data-breach/amp/
Bulletproof hosting providers: https://www.recordedfuture.com/bulletproof-hosting-services/
Pfizer data leaked for information-influence purposes: https://www.bleepingcomputer.com/news/security/hackers-leaked-altered-pfizer-data-to-sabotage-trust-in-vaccines/
Android/Windows campaign detected by Google Project Zero: https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html
Ars Technica article on Google Project Zero's 0-day findings: https://arstechnica.com/information-technology/2021/01/hackers-used-4-0days-to-infect-windows-and-android-devices/
Felix Wilhelm of Google Project Zero found an injection vulnerability affecting GitHub Actions and workflow commands, specifically related to setting malicious environment variables by parsing STDOUT. Resources: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/ https://bugs.chromium.org/p/project-zero/issues/detail?id=2070&can=2&q=&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&cells=ids https://www.zdnet.com/article/google-to-github-times-up-this-unfixed-high-severity-security-bug-affects-developers/
Thomas Dullien (Halvar Flake) is the co-founder of optimyze, a company that helps businesses optimize their cloud spend with better code. He started his career by founding a company called zynamics, a research-centric technology company that was acquired by Google in 2011. After the acquisition, he stayed on at Google as a staff engineer for eight years before launching optimyze. Join Corey and Thomas as they discuss why cloud optimization is increasingly important in a SaaS-driven world, why Thomas believes that cloud costs can be reduced by optimizing code, how rewriting code the way Google wants means your app can scale to the sky immediately, the difference between working on Google’s internal infrastructure and GCP, how Google hasn’t traditionally been good at explaining why their products are beneficial, why you should treat a data center as a computer that happens to be the size of the warehouse, Google Project Zero, and more.
- The NSA continues its policy of introducing backdoors into commercial products. - The CPRA, the Californian version of the GDPR, promises many improvements for privacy protection. - A transfer of one billion dollars in bitcoin, and many open questions. - US Customs and Border Protection may be abusing the location data of American residents. - The United States abuses forensic analysis tools to obtain all the information stored on mobile phones. - Google Project Zero publishes a critical vulnerability in GitHub that is still not fixed. Notes and references at tierradehackers.com
In detail about the main news: It seems Donald Trump's Twitter account was hacked again by guessing the password, "maga2020!", and his election campaign website was hit by a ransomware attack. The US imposed sanctions on a Russian research institute for developing the Triton malware, which targeted industrial control systems. Bellingcat published an investigation into the activities of a special unit of the Russian GRU that develops chemical weapons, including Novichok. Facebook wants to shut down a New York University project researching political advertising. Offensive Security released a new course and certification. Briefly about the important: GitHub removed 18 repositories over a complaint by the Recording Industry Association. An investigation into the Ryuk ransomware group. An overview of the history of Phantom Secure, a company that made "secure" phones for criminals. Announcements: OWASP Ukraine 2020, to be held online on December 5, has opened its Call for Papers. Vulnerabilities of the week: Google Project Zero discovered a zero-day vulnerability in Windows and several vulnerabilities in Chrome. Recommendations: An interview with a NASA engineer who works on cybersecurity. Awesome Android Security on GitHub. A review of solutions to FlareOn, the reverse-engineering CTF from FireEye. Bellingcat Podcast https://www.bellingcat.com/category/resources/podcasts/
Well, we are the most non-partisan tech podcast on the internet, so this episode was recorded before Election Day here in the US. We've got all of the week's tech news, some great picks, and very useful tips for you in case you need a break from politics.
Followup:
- Election (00:25)
- iPhone Preorders (02:15)
- AirPods Pro Service Program (07:00)
- Google Meet starts rolling out custom backgrounds (08:15)
- Wyze Cam v.3 (09:00)
- Facebook launches cloud games (11:20)
Dave's Pro Tip of the Week: YouTube keyboard shortcuts (14:10)
From Jared: iOS Back Touch (22:05)
Takes:
- Apple Clips App gets a major update (24:05)
- Senate Committee Hearing - Twitter, Google, Facebook (26:55)
- Twitter launches 'pre-bunks' to get ahead of voter misinformation (28:05)
- Microsoft is going to force people away from Internet Explorer (29:15)
Security/Privacy:
- Profile of Maddie Stone, Google Project Zero reverse engineer (33:10)
- Almost 2,000 Robinhood Markets accounts hacked (35:05)
Bonus Odd Take: Winners of the 2020 Drone Photo Awards (36:35)
Picks of the Week:
- Dave: Microsoft OneNote (37:55)
- Nate: Aukey 20W charger (42:40)
- Ramazon™ purchase (46:45)
Check out the Notnerd YouTube channel for great videos. Support Notnerd on Patreon and get cool stuff. Subscribe and Review. Contact Info: www.Notnerd.com; Twitter - @N0tnerd, Nate - @NetBack, Dave - @DavyB; Instagram - @n0tnerd; Notnerd Youtube Channel; Notnerd Facebook; Email - info@Notnerd.com; Call or text 608.618.NERD(6373). If you would like to help support Notnerd financially, mentally, or physically, please contact us via any of the methods above. Consider any product/app links to be affiliate links.
We continue protecting our applications from attackers. We are preparing a marathon of questions in order to put together a clear guide on how to secure our products. The guest of this episode is Artem Kulakov, Android TeamLead at Redmadrobot. He is interested in application and server security, and loves all kinds of reverse engineering and low-level things in general. Author of the Telegram channel "Android Guards" https://t.me/android_guards Useful links:
This month there has been a lot going on in the world of cybersecurity. With major IT firm Sopra Steria getting hit by a cyberattack, Apple paying out over $250,000 to a team of bug hunters for finding 55 vulnerabilities in Apple systems, as well as the USA indicting 6 Russian Intelligence Officers for a range of attacks such as attacks against the Ukrainian Power Grid and the 2017 NotPetya attack.
Key Points:
- 0'20m Google Project Zero, Zero Days and Chrome Vulns
- 3'14m Fifty-five Apple Bugs and over $250,000 in bounty pay-outs
- 6'15m Hackney Council Hit by "Hack Attack"
- 8'06m Six GRU Officers indicted for major hacks
- 11'00m Sopra Steria hit by cyberattack
Useful links: https://chromereleases.googleblog.com/ https://samcurry.net/
Listen Time: 14 minutes. Host: Holly Grace Williams, MD at Secarma
Welcome to the Geekscorner podcast, where we cover everything tech related in short segments. Google Launch Night In review, Apple acquires Google Project Zero member, and more. Install iOS 14.2 beta from here. Follow us on: Twitter, Facebook, Youtube
Josh and Kurt talk about the updated Google Project Zero disclosure policy. What's the new policy, what does it mean, and will it really matter? We suspect it will improve some things, but won't drastically change much. Show Notes: Google and 90-day patch disclosure; Upgrading all Windows versions
Google Project Zero found and reported a flaw in the widely used password manager.
First episode of September 2019. Preamble: Shameless plug. Upcoming activities:
- September 26, 2019 - QuebecSec - Topic to be determined
- October 7-9, 2019 - ISACA-Quebec - International conference on the opportunities and challenges of emerging technologies
- November 1-2, 2019 - Hackfest - Hackfest Upsidedown edition
- April 20, 2020 - Québec Numérique - SéQCure
Shownotes and Links:
- How Twitter CEO Jack Dorsey's Account Was Hacked
- Twitter disables SMS-to-tweet feature after its CEO got hacked last week
- Real-ID data surge raises real dangers
- DoD unveils new cybersecurity certification model for contractors
- Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- Cybersecurity Maturity Model Certification
- Ransomware Attacks Are Testing Resolve of Cities Across America
- While one Texas county shook off ransomware, small cities took full punch
- Texas Towns Recover, but Local Governments Have Little Hope for
- Contractors have questions about DOD's cyber requirements
- When Ransomware Cripples a City, Who's to Blame? This I.T. Chief Is
- Rockville Center School District pays $88,000 ransom
- Eurofins Scientific: Cyber-attack leads to backlog of 20,000 forensic samples
- UK Police Investigations Still Affected by Ransomware Attack
- Rash of ransomware continues with 13 new victims—most of them schools
- Ransomware 'halts everything' in Connecticut school district
- A very deep dive into iOS Exploit chains found in the wild
- A message about iOS security
- Android PDF app with just 100m downloads caught sneaking malware into mobes
- AWS to scan for misconfigurations
Women in Security:
- [Applying for Internships as a Woman in Tech: Findings from a Survey of GWC-Affiliated Women](http://girlswhocode.com/wp-content/uploads/2019/08/GWC_Advocacy_InternshipApplicationExperiences_PDF_z6.pdf)
- For Young Female Coders, Internship Interviews Can be Toxic
More links:
- Patel v. Facebook: Federal Appeals Court Says Consumers Can Sue Facebook for Facial Recognition
- Proposal to Make HTTPS Certificate Expire Yearly Back on the Table
- Why the United States needs more cybersecurity experts — badly
- Why blockchain-based voting could threaten democracy
- New Weaknesses Found in WPA3
- An update on disabling VBScript in Internet Explorer 11
- Google Project Zero: 95.8% of all bug reports are fixed before deadline expires
- Newly stringent FAA tests spur a fundamental software redesign of Boeing's 737 MAX flight controls
- Chances of destructive BlueKeep exploit rise with new explainer posted online
- What You Should Know About the Equifax Data Breach Settlement
- Ex-Equifax CIO Gets 4-Month Prison Term for Insider Trading
- Kazakhstan government is now intercepting all HTTPS traffic
- N.S.A. Contractor Who Hoarded Secrets at Home Is Sentenced to Nine Years in Prison
- The Road to Zero Trust (Security)
- Defense Innovation Board wants to help DOD understand zero trust
Crew: Nicolas-Loïc Fortin
Credits: Audio editing by Intrasecure inc. Music: Twin Cobra "Blade Pitch" by Sir_NutS via OverClocked ReMix. Premises provided by Intrasecure inc.
30/08/19 - Apple event on September 10 at 2 p.m. and DoctorApple LIVE at 9 p.m.; Google Project Zero discovers a vulnerability in iOS; tariff increase on Chinese products; Apple's repair program for unauthorized shops; Apple's focus on photography in iPhones; AirPods lose to Samsung Galaxy Buds in sound quality; Steve Jobs lookalike found in Egypt; Apple's future keyboards and light-based technology; airlines do not allow the MacBook Pro in checked luggage; updates for iOS 12.4.1, tvOS 12.4.1 and macOS 10.14.6; Apple starts selling through Mercado Livre. https://www.doctorapple.com.br
These days there are no slow weeks in tech news. This one might be a little slower than some, but we found some important stories to cover alongside some great tips, tricks and picks to help you tech better! Make sure to join the Notnerd Facebook Group and let us know how you tech better. We're also looking for your ProTips and Picks of the Week.
Show Notes and Links:
- Reminder: Not a good time to buy a phone (00:50)
- Dish gets Boost Mobile, Virgin Mobile and Sprint Prepaid (02:10)
- ByteDance purchases JukeDeck (04:15)
- Dave's Pro Tip of the Week: Check your spam filter (05:30)
- Detoxify.app (09:20)
- Apple quarterly results - Google's cash pile (12:05)
- Ninja is moving to Mixer (15:45)
- Uber lays off 400 (17:20)
- Google offered people $5 to scan their faces (18:55)
Security/Privacy:
- No More Ransom project has prevented at least $108 million in ransomware profits (22:05)
- Google Project Zero: 95.8% of all bug reports fixed before the 90-day deadline (22:45)
- Capital One breach of credit card applications (23:55)
Bonus Odd Take: https://www.buttsss.com/ (25:20)
Picks of the Week:
- Dave: Bebop 2 drone (26:55)
- Nate: Fat: A Documentary - Amazon Prime Video - Amazon Physical Copy - iTunes (30:45)
- Ramazon™ purchase (34:10)
Check out the Notnerd YouTube channel for great videos. Leave an iTunes Review and be featured on the Podcast. Support Notnerd on Patreon and get cool stuff. Brought to you by #OneBackupIsNoneBackup. Shop Amazon: Amazon.Notnerd.com. Subscribe and Review in iTunes. Contact Info: www.Notnerd.com; Twitter - @N0tnerd, Nate - @NetBack, Dave - @DavyB; Notnerd Youtube Channel; Notnerd Facebook; Email - info@Notnerd.com; Call or text 608.618.NERD(6373). If you would like to help support Notnerd financially, mentally or physically, please contact us via any of the methods above. Consider any product/app links to be affiliate links.
If the show notes look odd, they are also on the web here: https://www.enlitenpoddomit.se/e/en-liten-podd-om-it-avsnitt-221
Episode 221 was recorded on June 30, and since pineapple makes fingerprints disappear, today's episode is about:
FEEDBACK AND BACKLOG
* David decided that everyone has had a nice week
* Data keeps leaking from S3 storage (when people make mistakes, things get messy)
* BONUS LINK: we think it was this link: https://buckets.grayhatwarfare.com/
* Another city in Florida has paid a ransom after being attacked
* A simple fix for David to get both USB and network and other stuff
* We talked about Playpilot last week; Johan brings it up again: right series, right season, but it doesn't pick the right episode :(
MICROSOFT
* INFO: Reorganizations will happen around next week, so don't panic if a lot of rumours start going around about people being fired.
* A bit more security in OneDrive. Link no. 1 and Link no. 2
* Briefly: Azure Premium Files
* Tip: follow the "Azure marketplace blog"
* Will Microsoft allow Android apps in Windows after all?
* A bit less tracking!
* Is Microsoft planning a small foldable device with dual screens?
* BONUS LINK: iOS market share in Sweden
* BONUS LINK: for those of us who don't remember what Google Project Zero is
APPLE
* The iOS 13 beta is available to download now
* Apple disagrees with Spotify that they are being mean
GOOGLE
* NOPE, no news at all there in this episode, actually...
OTHER NEWS:
* (Tip from listener Jimmy) https://www.tomshardware.com/reviews/raspberry-pi-4-b,6193.html, https://www.raspberrypi.org/products/raspberry-pi-4-model-b/ , https://9to5toys.com/2019/06/24/raspberry-pi-4-announcement/
SHUT UP AND TAKE MY MONEY:
* Johan: A new internet provider
* Mats: https://www.netonnet.se/art/hem-hushall/koksmaskiner-koksredskap/kylbox/andersson-crx-3-0/1006886.13595/
* Björn: A GPS watch for his son https://cdon.se/accessoarer/gps-smartklocka-for-barn-bla-p43784632
* David: https://www.native-instruments.com/en/products/komplete/keyboards/komplete-kontrol-m32/
OUR OWN LINKS
* En Liten Podd Om IT on the web
* En Liten Podd Om IT on Facebook
LINKS TO WHERE YOU CAN FIND THE PODCAST TO LISTEN:
* Apple Podcasts (iTunes)
* Overcast
* Acast
* Spotify
* Stitcher
LINK TO DISCORD WHERE YOU FIND THE LIVE STREAM + CHAT: https://discord.gg/gfKnEGQ
(thanks for reading all the way to here, you get this week's gold star!)
Josh and Kurt talk about the disclosure of security vulnerabilities. It's still not a settled topic; we frame the conversation around a recent disclosure from Tavis Ormandy of Google Project Zero.
Show notes for Security Endeavors Headlines for Week 5 of 2019Check out our subreddit to discuss this week's headlines!InfoSec Week 6, 2019 (link to original Malgregator.com posting)The Zurich American Insurance Company says to Mondelez, a maker of consumer packaged goods, that the NotPetya ransomware attack was considered an act of cyber war and therefore not covered by their policy.According to Mondelez, its cyber insurance policy with Zurich specifically covered “all risks of physical loss or damage” and “all risk of physical loss or damage to electronic data, programs or software” due to “the malicious introduction of a machine code or instruction.” One would think that the language in the cyber insurance policy was specifically designed to be broad enough to protect Mondelez in the event of any kind of cyber attack or hack. And NotPetya would seem to fit the definition included in the cyber insurance policy – it was a bit of malicious code that effectively prevented Mondelez from getting its systems back up and running unless it paid out a hefty Bitcoin ransom to hackers.Originally, Zurich indicated that it might pay $10 million, or about 10 percent of the overall claim. But then Zurich stated that it wouldn't pay any of the claim by invoking a special “cyber war” clause. According to Zurich, it is not responsible for any payment of the claim if NotPetya was actually “a hostile or warlike action in time of peace or war.” According to Zurich, the NotPetya cyber attack originated with Russian hackers working directly with the Russian government to destabilize the Ukraine. This is what Zurich believes constitutes "cyber war."https://ridethelightning.senseient.com/2019/01/insurance-company-says-notpetya-is-an-act-of-war-refuses-to-pay.html Reuters reports that hackers working on behalf of Chinese intelligence breached the network of Norwegian software firm Visma to steal secrets from its clients. 
According to investigators at cyber security firm Recorded Future, the attack was part of what Western countries said in December is a global hacking campaign by China’s Ministry of State Security to steal intellectual property and corporate secrets. Visma took the decision to talk publicly about the breach to raise industry awareness about the hacking campaign, which is known as Cloudhopper and targets technology service and software providers in order reach their clients.https://www.reuters.com/article/us-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUSKCN1PV141 A new vulnerability has been discovered in the upcoming 5G cellular mobile communications protocol. Researchers have described this new flaw as more severe than any of the previous vulnerabilities that affected the 3G and 4G standards.Further, besides 5G, this new vulnerability also impacts the older 3G and 4G protocols, providing surveillance tech vendors with a new flaw they can abuse to create next-gen IMSI-catchers that work across all modern telephony protocols.This new vulnerability has been detailed in a research paper named "New Privacy Threat on 3G, 4G, and Upcoming5G AKA Protocols," published last year.According to researchers, the vulnerability impacts AKA, which stands for Authentication and Key Agreement, a protocol that provides authentication between a user's phone and the cellular networks.The AKA protocol works by negotiating and establishing keys for encrypting the communications between a phone and the cellular network.Current IMSI-catcher devices target vulnerabilities in this protocol to downgrade AKA to a weaker state that allows the device to intercept mobile phone traffic metadata and track the location of mobile phones. 
The AKA version designed for the 5G protocol --also known as 5G-AKA-- was specifically designed to thwart IMSI-catchers, featuring a stronger authentication negotiation systemBut the vulnerability discovered last year allows surveillance tech vendors to create new models of IMSI-catchers hardware that, instead of intercepting mobile traffic metadata, will use this new vulnerability to reveal details about a user's mobile activity. This could include the number of sent and received texts and calls, allowing IMSI-catcher operators to create distinct profiles for each smartphone holder. https://www.zdnet.com/article/new-security-flaw-impacts-5g-4g-and-3g-telephony-protocols/ The Debian Project is recommending the upgrade of golang-1.8 packages after a vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery. In addition this update fixes two vulnerabilities in the “go get” command, which could result in the execution of arbitrary shell commands.https://www.debian.org/security/2019/dsa-4380 It is possible to trick user’s of the Evolution email application into trusting a phished mail via adding a forged UID to a OpenPGP key that has a previously trusted UID. It's because Evolution extrapolates the trust of one of OpenPGP key UIDs into the key itself. The attack is based on using the deficiency of Evolution UI when handling new identifiers on previously trusted keys to convince the user to trust a phishing attempt. More details about how the flaw works, along with examples are included in the article, which is linked in the show notes. Let’s take a minute to cover a bit of background on Trust Models and how validating identities work in OpenPGP and GnuPG:The commonly used OpenPGP trust models are UID-oriented. That is, they are based on establishing validity of individual UIDs associated with a particular key rather than the key as a whole. 
For example, in the Web-of-Trust model individuals certify the validity of UIDs they explicitly verified.Any new UID added to the key is appropriately initially untrusted. This is understandable since the key holder is capable of adding arbitrary UIDs to the key, and there is no guarantee that new UID will not actually be an attempt at forging somebody else's identity.OpenPGP signatures do not provide any connection between the signature and the UID of the sender. While technically the signature packet permits specifying UID, it is used only to facilitate finding the key, and is not guaranteed to be meaningful. Instead, only the signing key can be derived from the signature in cryptographically proven way.GnuPG (as of version 2.2.12) does not provide any method of associating the apparent UID against the signature. In other words, from e-mail's From header. Instead, only the signature itself is passed to GnuPG and its apparent trust is extrapolated from validity of different UIDs on the key. Another way to say this is that the signature is considered to be made with a trusted key if at least one of the UIDs has been verified.https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html If you’re up for some heavy reading about manipulation and deceit being perpetrated by cyber criminals, it may be worth checking out a piece from buzzfeednews. It tells a woeful and dark tale that does not have a happy ending. A small excerpt reads: “As the tools of online identity curation proliferate and grow more sophisticated, so do the avenues for deception. Everyone’s familiar with the little lies — a touch-up on Instagram or a stolen idea on Twitter. But what about the big ones? Whom could you defraud, trick, ruin, by presenting false information, or information falsely gained? An infinite number of individual claims to truth presents itself. How can you ever know, really know, that any piece of information you see on a screen is true? 
Some will find this disorienting, terrifying, paralyzing. Others will feel at home in it. Islam and Woody existed purely in this new world of lies and manufactured reality, where nothing is as it seems.”
https://www.buzzfeednews.com/article/josephbernstein/tomi-masters-down-the-rabbit-hole-i-go

A security researcher was assaulted by casino technology vendor Atrient after responsibly disclosing critical vulnerabilities to the company. Following a serious vulnerability disclosure affecting casinos globally, an executive of casino technology vendor Atrient allegedly assaulted the security researcher who disclosed the vulnerability at the ICE conference in London. The article covers the story of a vulnerability disclosure gone bad, one involving the FBI, a vendor with a global customer base of casinos, and a severe security vulnerability which has gone unaddressed for four months.
https://www.secjuice.com/security-researcher-assaulted-ice-atrient/

Article 13, the new European Union copyright law, is back, and it got worse, not better. In the Franco-German deal, Article 13 would apply to all for-profit platforms. Upload filters must be installed by everyone except those services which fit all three of the following extremely narrow criteria: available to the public for less than 3 years, annual turnover below €10 million, and fewer than 5 million unique monthly visitors. Countless apps and sites that do not meet all these criteria would need to install upload filters, burdening their users and operators, even when copyright infringement is not at all currently a problem for them.
https://juliareda.eu/2019/02/article-13-worse/

Researchers from Google Project Zero evaluated Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS.
There are bypasses possible, but the conclusion says it is still a worthwhile exploitation mitigation technique.

Among the most exciting security features introduced with ARMv8.3-A is Pointer Authentication, a feature where the upper bits of a pointer are used to store a Pointer Authentication Code (PAC), which is essentially a cryptographic signature on the pointer value and some additional context. Special instructions have been introduced to add an authentication code to a pointer and to verify an authenticated pointer's PAC and restore the original pointer value. This gives the system a way to make cryptographically strong guarantees about the likelihood that certain pointers have been tampered with by attackers, which offers the possibility of greatly improving application security. There’s a Qualcomm white paper which explains how ARMv8.3 Pointer Authentication was designed to provide some protection even against attackers with arbitrary memory read or arbitrary memory write capabilities. It's important to understand the limitations of the design under the attack model the author describes: a kernel attacker who already has read/write and is looking to execute arbitrary code by forging PACs on kernel pointers. Looking at the specification, the author identifies three potential weaknesses in the design when protecting against kernel attackers with read/write access: reading the PAC keys from memory, signing kernel pointers in userspace, and signing A-key pointers using the B-key (or vice versa). The full article discusses each in turn.
https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html

There is a dangerous remote code execution flaw in the LibreOffice and OpenOffice software. While in the past there have been well-documented instances where opening a document resulted in the execution of malicious code in paid office suites, this time LibreOffice and Apache’s OpenOffice are the susceptible suites.
The attack relies on exploiting a directory traversal flaw, identified as CVE-2018-16858, to automatically execute a specific Python library bundled with the software using a hidden onmouseover event. To exploit this vulnerability, the researcher created an ODT file with a white-colored hyperlink (so it can't be seen) that has an "onmouseover" event to trick victims into executing a locally available Python file on their system when placing their mouse anywhere on the invisible hyperlink. According to the researcher, the Python file, named "pydoc.py", that comes included with LibreOffice's own Python interpreter accepts arbitrary commands in one of its parameters and executes them through the system's command line or console.
https://thehackernews.com/2019/02/hacking-libreoffice-openoffice.html

Nadim Kobeissi is discontinuing his secure online chat Cryptocat. The service began in 2011 as an experiment in making secure messaging more accessible. In the eight ensuing years, Cryptocat served hundreds of thousands of users and developed a great story to tell. The former maintainer explains on the project’s website that other life events have come up and there’s no longer time available to maintain things. He says that Cryptocat users deserve a maintained secure messenger and recommends Wire. The Cryptocat source code is still published on GitHub under the GPL version 3 license; Kobeissi has put the crypto.cat domain name up for sale and thanks the users for their support during Cryptocat's lifetime.
https://twitter.com/i/web/status/1092712064634753024

Malware For Humans is a conversation-led, independent documentary about fake news, big data, electoral interference, and hybrid warfare.
Presented by James Patrick, a retired police officer, intelligence analyst, and writer, Malware For Humans covers the Brexit and Trump votes, the Cambridge Analytica scandal, Russian hybrid warfare, and disinformation or fake news campaigns. Malware For Humans explains a complex assault on democracies in plain language, from hacking computers to hacking the human mind, and highlights the hypocrisy of the structure of intelligence agencies, warfare contractors, and the media in doing so. Based on two years of extensive research on and offline, Malware For Humans brings the world of electoral interference into the light and shows that we are going to be vulnerable for the long term in a borderless, online frontier. A complete audio companion is available as a separate podcast, which can be found on iTunes and Spotify as part of The Fall series and is available for free, without advertisements.
https://www.byline.com/column/67/article/2412

Security Endeavors Headlines is produced by SciaticNerd & Security Endeavors with the hope that it provides value to the wider security community. Some sources are adapted for on-air readability. Special thanks to our friends at malgregator dot com, who allow us to use their compiled headlines to contribute to the show’s content. Visit them at Malgregator.com. Additional supporting sources are also included in our show notes. Why not start a conversation about the stories from this week on our Subreddit at reddit.com/r/SEHL? More information about the podcast is available at SecurityEndeavors.com/SEHL. Thanks for listening and we'll see you next week!
Apple's HomePod is leaving rings on wood furniture. We discuss how this might have happened and whether Apple is stretching itself too thin to catch glaring mistakes. Google Project Zero has found a bug in a competitor's software, Microsoft Edge. Project Zero is a company run by Google that finds bugs in other companies' software, and we discuss how we feel about a company like this. And we end on our favorite podcasts and what makes them special. Mikee's favorite is The Message and Titus' is Reply All. The Message is a bingeable, high-quality audio drama and Reply All is a show that exposes interesting stories from the internet. We do admit Reply All is a bit hit and miss. Also, the Search for Awesome Podcast is moving to its own channel, and we discuss why and the direction of it. If you have questions or want to leave feedback: podcast@thesearchforawesome.co Audio Podcast Links: iTunes: https://itunes.apple.com/us/podcast/the-search-for-awesome/id1346377747?mt=2 Soundcloud: https:/ --- Support this podcast: https://anchor.fm/s4a/support
Software Engineering Radio - The Podcast for Professional Software Developers
Natalie Silvanovich from Google Project Zero talks with Kim Carter about what attack surface is in regard to software, and how to identify risks and reduce the attack surface of the software you, as a software engineer, are creating. Natalie found over 100 zero-day security defects in Flash in her first year at Google, and […]
There are many advantages to being first, especially in the business world. Securing a first-place finish usually rewards the winner with monopoly-like status and the largest and most dominant market share. A byproduct, however, of the winner-takes-all mentality is sacrificing security. That’s what Thomas Dullien of Google Project Zero suggested in his latest presentation on the relationship between complexity and the failure of security. He is onto something, because we’re seeing strange incidents occur that we would never have imagined. A Melbourne man got shot because his image in Google’s database is associated with criminals. A contractor’s access passes were revoked because his direct manager didn’t perform his entitlement reviews. What’s going on? Other articles discussed: Verizon to stop sharing customer location with third parties; Amazon urged not to sell facial recognition technology to police. Panelists: Cindy Ng, Matt Radolec, Kilian Englert, Mike Buckbee
Google Project Zero calls Windows 10 Edge defense ACG flawed, Wapiti web application vulnerability scanner 3.0.1 (Packet Storm), CIA's "Vault 7" mega-leak, and Trump eliminates the national cyber-coordinator! Full Show Notes: https://wiki.securityweekly.com/Episode560 Subscribe to our YouTube channel: https://www.youtube.com/securityweekly Visit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly
Episode 252: ControlTalk NOW — Smart Buildings Videocast and PodCast for week ending Jan 28, 2018 features the 2017 ControlTrends Award winners, as well as coverage of KMC’s 2018 Genius Summit event and Ken Sinclair’s Sixth Annual Connection Community Collaboratory. Must read Tridium Technical Bulletin: Mitigating “Meltdown” and “Spectre” Vulnerabilities; Brett Pascone wins the 2017 EasyIO Wireless Controller Application of the Year; and news releases on LonMark International award winners for 2017 and CyberPower’s new UPS system. Episode 252 ControlTalk Now from Eric Stromquist on Vimeo.

Welcome to Chicago and the KMC Genius Summit! KMC Controls once again hosted its semi-annual customer event, the 2018 KMC Genius Summit, at the beautiful Langham Luxury Hotel in Chicago. KMC re-equipped its customers with product knowledge, best practices training and a heavy dose of innovation. As KMC prepares to launch its latest iteration of the KMC Commander IoT platform, partners couldn’t be more thrilled to attend the event. KMC provided two fantastic keynote headliners: Mike Abrashoff on Friday and Josh Linkner on Saturday. In addition, Rick Lisa of Intel and Luis Alvarez of Alvarez Technology Group gave keynote presentations.

ControlTrends Awards Announces the 2017 CTA Award Winners, Young Guns, Petock Award Recipient, and Hall of Fame Inductees. Sunday evening, the 2017 ControlTrends Awards took front and center stage at the Hard Rock Cafe in Chicago. Marc Petock and Kimberly Brown co-hosted the ControlTrends Awards ceremony honoring the superstars and heroes of the HVAC and Building Automation industries. The 2017 Top Gun Awards recipients were recognized, as was the 2017 Petock Award winner Trevor Palmer, and the ControlTrends Awards Hall of Fame inductees. Photo and video highlights to follow!

In The News: CyberPower Introduces UPS System Designed for Building and Industrial Automation. Shakopee, Minn. – January 22, 2018 – Cyber Power Systems (USA), Inc., a leader in power protection and management products, today introduced an uninterruptible power supply (UPS) system designed to protect building and industrial controls and devices from power failure, interruptions, over-voltages and surges. The CyberPower BAS34U24V protects controller and server platforms, networking devices, data loggers, remote facility monitors, and other equipment from power disruptions to avoid loss of vital data and service failures.

Meet Brett Pascone, Northeast Services, Winner of the 2017 EasyIO Wireless FW-Series Application of the Year. Brett Pascone (middle) and Daniel Edelman (right), of Northeast Services, join Frank Witmer (left), Chief Engineer Support, Broudy Precision, at the ControlTrends Awards in Chicago, January 21, 2018. Brett Pascone was the winner of the 2017 EasyIO Wireless FW-Series Application of the Year Competition, and his prize was an all-expense-paid, round-trip ticket to the 2017 ControlTrends Awards in Chicago.

Tridium Technical Bulletin: Mitigating “Meltdown” and “Spectre” Vulnerabilities. Dear valued partner, On January 3, 2018, a group of researchers from Google Project Zero, Cyberus Technology and several universities revealed two major flaws in computer chips that could leave a huge number of computers and smartphones vulnerable to security concerns. Called “Meltdown” and “Spectre,” the flaws exist in processor families and could allow an attacker to read sensitive data stored in the memory, like passwords, or look at what tabs someone has open on their computer. Researchers indicate almost every computing system – desktops, laptops, smartphones, and cloud servers – is affected by these flaws.

LONMARK INTERNATIONAL AWARDS “BEST OF YEAR” WINNERS FOR 2017. AHR EXPO, Chicago, IL. Jan. 22, 2018 – LonMark® International, a non-profit international association recognized for the certification, education and promotion of interoperability standards for control networking, today announced the winners of its “Best of the Year” awards for 2017. LonMark certified products, people and companies have been the basis for thousands of open, interoperable systems across the globe. These annual awards reflect the vision and innovation shared among the members of the LonMark community.

Ken Sinclair’s Sixth Annual Connection Community Collaboratory — A Panel of Industry Thought Leaders Deliver a Successful Session! Moderator Ken Sinclair, Automated Buildings, was joined by a panel of veteran industry experts: Marc Petock, Trevor Palmer, Troy Davis, George Thomas, and John Petze at the Sixth Annual Connection Community Collaboratory held at the AHR 2018 in Chicago. The session was very well attended by a mixed audience of manufacturers, building owners, engineers, system integrators, and HVAC contractors. The post Episode 252: ControlTalk NOW — Smart Buildings Videocast and PodCast for Week Ending Jan 28, 2018 appeared first on ControlTrends.
Detroit’s hottest dubstep DJs Spectre and Meltdown live at the Music Institute Thursday, January 4th 2018. Get your tickets today at ticketmeister.org. Spectre and Meltdown are actually two serious security vulnerabilities discovered in nearly every computer processor made since 1995. So what does it mean? Is this the end of computing? Should we throw our computers on the campfire and live among mother nature? I wanted to find out, so I talked to security expert Wu-chang Feng at Portland State University. The verdict? You might just want to break out the abacus, because we’re all in big trouble. Spectre takes advantage of something called speculative execution. Processors make educated guesses about what’s going to happen next, then run through those steps to save time. It makes modern processors much faster, but it turns out that malicious code can sneak in during this speculation and reveal whatever’s floating around in memory: usernames and passwords, for instance. Meltdown breaks the barrier between applications and system memory, again letting malware take a peek at system memory. The vulnerabilities were found by university researchers and the security team Google Project Zero. As far as anyone knows, no hackers have taken advantage of either vulnerability, but Microsoft, Apple, and Linux distributors have released patches for Meltdown and are working on ways to counteract Spectre. For more information on Spectre and Meltdown, I recommend http://meltdownattack.com by Graz University of Technology in Austria. The site has a breakdown of both vulnerabilities for laypersons and technical documents for computer scientists.
In this Risk & Repeat podcast, SearchSecurity editors discuss the latest Symantec vulnerabilities reported by Google Project Zero and the Shadow Brokers' Cisco exploit.
In this Risk & Repeat podcast, SearchSecurity editors discuss a new Google Project Zero report on yet another round of critical Symantec vulnerabilities.
SearchSecurity's Risk & Repeat podcast discusses the Symantec vulnerability disclosed by Google Project Zero and what the bug means for the antivirus industry.
On the programme: A big segment on the Microsoft conference! From PC to mobile and from the Xbox to the "Surface Hub", including of course the HoloLens announcement. Elon Musk's crazy projects (and other people's). Facebook at Work. Google Project Zero. Administrative blocking (continued). And more... To support the show, go to http://patreon.com/RDVTech More info about the episode: The hosts are Cédric Bonnet, Cassim Ketfi and Patrick Beja. The theme music is composed by Daniel Beja. His royalty-free tracks are on musicincloud.fr. Publishing is handled by Florent Berthelot. To follow Patrick on social media: Facebook.com/NotPatrick Twitter.com/NotPatrick Google.com/+PatrickBeja See Acast.com/privacy for privacy and opt-out information.