La fuite est encore incertaine, mais peut être réelle.

Adding a proof-of-work algorithm can work with this experience.

I guess that the main lesson was that these particular spammers, are really low-effort creatures. You raise the bar a little, and they stop being effective.

How to better use JWTs

Icedrive
pCloud
Icedrive
Seafile
Tresorit

Each company reacts differently.

Mais certains experts en sécurité ont exprimé récemment de fortes inquiétudes quant au fait que le ME [Management Engine des processeurs] pourrait cacher une porte dérobée, car il fonctionne indépendamment du système d’exploitation et a accès à la mémoire, au réseau et au matériel.

Korben revient sur l'historique de securité de Intel, avec plusieurs failles démontrées...

En plus des problèmes de sécurité, la CSAC critique la fiabilité des produits Intel et son attitude face aux plaintes des utilisateurs.

À suivre car la CSAC n'a encore publié aucune preuve, et qu'Intel n'a pas encore répondu.

The purpose of the attack appears to be for intelligence collection as the hackers might have had access to systems used by the U.S. federal government for court-authorized network wiretapping requests.

This is why putting a backdoor is risky

ICMP packets with "LOVE" in ASCII.
TCP packets with different window sizes.

This strange traffic mimics legitimate data streams, and while it's not known if it's malicious, its true purpose remains a mystery.

quick recap

• arc boosts can contain arbitrary javascript
• arc boosts are stored in firestore
• the arc browser gets which boosts to use via the creatorID field
• we can arbitrarily chage the creatorID field to any user id

thus, if we were to find a way to easily get someone elses user id, we would have a full attack chain

when someone referrs you to arc, or you referr someone to arc, you automatically get their user id in the user_referrals table, which means you could just ask someone for their arc invite code and they'd likely give it

Context:

To understand what’s happening here you need to remember that it’s a category error to treat LLMs as thinking entities.
They are statistical models that work with numbers – tokens – that represent language and the relationships between the words. It’s statistics about language wrapped up in an anthropomorphic simulation.

Attack:

The token stream (Strategic Text Sequence) itself – the numbers not the words – is an attack surface.

Reality of the threat:

This is going to get automated, weaponised, and industrialised. Tech companies have placed chatbots at the centre of our information ecosystems and butchered their products to push them front and centre. The incentives for bad actors to try to game them are enormous and they are capable of making incredibly sophisticated tools for their purposes.

Vu que les fuites de données ne sont pas vraiment évitables, est-ce que ces sociétés vont moins collecter des données?
(via https://sebsauvage.net/links/?Qgk2LA)

Constatant que le TLD .mobi (TLD qui est par ailleurs une mauvaise idée, mais c'est une autre histoire) avait changé son serveur whois, de whois.dotmobiregistry.net à whois.nic.mobi, et que le nom de domaine dotmobiregistry.net, non renouvelé, avait expiré et était donc libre, les chercheurs ont enregistré le nom dotmobiregistry.net, mis en place un serveur whois (je rappelle que le protocole est très simple et que n'importe quel·le étudiant·e peut programmer un serveur whois en un quart d'heure) et récolté d'innombrables requêtes provenant de clients whois qui n'avaient pas mis leur base à jour.

Les chercheurs ont ensuite analysé ces requêtes.

Afin d'éviter cette faille et "si on veut faire les choses proprement, on ne doit plus utiliser whois mais son successeur RDAP"

Un article détaillé de ArsTechnica est disponible à https://arstechnica.com/security/2024/09/rogue-whois-server-gives-researcher-superpowers-no-one-should-ever-have/

generates electromagnetic radiation from a device's RAM to send data from air-gapped computers.

The RAMBO attack achieves data transfer rates of up to 1,000 bits per second (bps), equating to 128 bytes per second, or 0.125 KB/s.
Transmissions are limited to a maximum range of 3 meters, with an error rate being 2-4%.

EICAR files in different file formats.

CoPilot can be encouraged to launch HTTP requests on the server side, potentially enabling access to data from other companies.

A server-side request forgery (SSRF) bug in Microsoft's tool for creating custom AI chatbots potentially exposed info across multiple tenants within cloud environments.

Though the research proved inconclusive about the extent that the flaw could be exploited to gain access to sensitive cloud data

The official website can be found on https://www.cedarpolicy.com/en

Cedar is a language for defining permissions as policies, which describe who should have access to what. It is also a specification for evaluating those policies. Use Cedar policies to control what each user of your application is permitted to do and what resources they may access.

It's called Mastodon Stampede: a link shared on an instance gets downloaded by all instances. A DDoS follows for small hostings.