A collection of malware samples.
The project also has a website: https://vx-underground.org/
It simply handles it. The service is a simple binary in Rust 😃
During the Pwn2Own competition. From the outside, this competition seems crazy: so many vulnerabilities are found.
Data minimization is really a slept-on security control that gets almost no press or attention outside narrow industry verticals.
Given the scale of the breach, the president of the CNIL decided to launch investigations very quickly, in particular to determine whether the security measures implemented before the incident, and in response to it, were appropriate with regard to the obligations of the General Data Protection Regulation (GDPR).
Spoiler: no, because the data was not even encrypted.
Memory safe languages.
Better metrics to measure software security. One example is time-based: how quickly a vendor patches a security vulnerability.
The White House post: https://www.whitehouse.gov/oncd/briefing-room/2024/02/26/press-release-technical-report/
The report: Back to the Building Blocks: A Path Toward Secure and Measurable Software
The official support of universities, companies and industries: Statements of Support for Software Measurability and Memory Safety
Site Scout is a tool that can identify and report issues triggered in the wild. A URL or a collection of URLs must be provided; all results are collected and reported.
Most of the security vulnerabilities come from IEF: Insecure Exposed Functions. These are functions exposed to the outside that should not be, such as a public dropDatabase() for example.
Next comes routing abuse, tied for second with memory corruption issues. Rust has strongly typed strings, so these errors occur less often in Rust. The HTTP headers example is a good one: Rust does not parse header names as strings; a header is either present or it is not.
The average developer is more concerned with shipping the product now and worrying about fixing bugs later than with designing security in from the start.
JS code can be executed in SVGs. Crazy, as this can be a security issue!
Trusted Types are interesting indeed. They won't fit all cases though: what happens if I want to insert HTML? Those are edge cases, though, and the majority could use them.
TL;DR: security vulnerabilities introduced by new Rust contributors are far fewer than those introduced by new C++ contributors. They use the number of commits as a measure of experience. It confirms the claim of the
Namely, while it may still be true that Rust may feel like a more difficult language to learn, in at least some ways, new contributors benefit from its adoption, with their first contributions being less than 2% as likely to introduce vulnerabilities as C++, and first-time contributors appearing at a notably higher rate in the projects examined.
The results should not be used as is, as there are some confounding effects:
- does Rust increase the number of contributors, or does Rust act as its own filter and reduce the rate of new contributors entirely? It is possible Rust developers are more experienced with programming in general. Note that the study focused on new contributors, not new maintainers.
- at around 18,000 commits, a C++ developer becomes less likely to introduce a vulnerability than an equivalently experienced Rust developer.
- finally, there is some limitation to these results in that they all come from Oxidation projects.
A malicious Rust Postgres package was used to retrieve information and send it to a secret Telegram channel.
The Rust Foundation and crates.io removed the package.
How links with an @ in the URL become insecure: everything before the @ is treated as userinfo, not as the host, so the link can lead to a .zip domain that looks like a file name.
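As an added illustration (not code from the linked article), here is how a standard URL parser resolves such a link, together with a simple check a defender can run over links found in mail or chat. The sample URLs and the `.zip` suffix list are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample inputs: the first looks like a file on example.com,
# but the host a browser actually connects to is archive-v2.zip.
SAMPLE_LINKS = [
    "https://example.com@archive-v2.zip/",   # deceptive
    "https://example.com/report.zip",        # ordinary file download
    "https://user@example.com/",             # userinfo, but no dotted name
]


def check_link(url: str, file_like_tlds=(".zip",)) -> tuple[str, list[str]]:
    """Return (real_host, reasons) for a URL.

    RFC 3986 authority is ``[userinfo@]host[:port]``: anything before the
    last '@' is userinfo and is ignored when the browser picks the host.
    A dotted userinfo that resembles a domain is a classic way to make a
    link *look* like it points somewhere else, so it is flagged.
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    userinfo = netloc.rsplit("@", 1)[0] if "@" in netloc else ""
    real_host = (parts.hostname or "").lower()

    reasons = []
    if userinfo and "." in userinfo:
        reasons.append(f"userinfo looks like a hostname: {userinfo!r}")
    if any(real_host.endswith(tld) for tld in file_like_tlds):
        reasons.append(f"real host uses a file-like TLD: {real_host!r}")
    return real_host, reasons


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        host, reasons = check_link(link)
        verdict = "FLAG" if reasons else "ok"
        print(f"{verdict:4} {link} -> host={host} {reasons}")
```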
Microsoft's systems use a "brute force" technique to try to get past the password protection.
They use passwords from a predefined list, and "they also extract passwords contained in the emails".