Freelance Journalist. Industry Decarbonization, Climate, Energy, IT-Security.

2025-12-02

I've recently stumbled upon an RCE "exploit" for the Serendipity blog software, which I happen to use and have contributed to in the past. From what I can tell, it does nothing interesting (it does not even work due to broken indents, if one fixes that it uploads a PHP shell given existing credentials, but that won't be executed unless you have a server config that executes .inc files). I'm 95% certain this is bogus. Yet... in case anyone wants to have a look: github.com/s9y/Serendipity/iss

boosted:
Andreas Hahn 💉💉💉💉💉💉 💉 (skyslasher@chaos.social)
2025-11-29

After more than 33 years as a reader, I have cancelled my
@ct_Magazin subscription. Since the feedback options in the online cancellation process are limited, I followed up with an e-mail:

*Cancellation of my subscriptions due to a lack of backbone*

Dear Sir or Madam,

I have been reading c’t regularly since 1992, and for some years now also mac&i. Unfortunately, it has now become unbearable for me to continue supporting your publishing house financially.
[…]
(1/n)

2025-11-27

To spare others the difficulty of writing Python🐍 code that simulates a user clicking links in a browser, I am also sharing download bundles of UNFCCC data:

industrydecarbonization.com/do

2025-11-27

Countries submit tables in Excel format (Common Reporting Tables) to the UNFCCC that contain a detailed breakdown of sectoral emissions. A valuable data source. It could often be useful to access not just the data from one country, but from all countries🌍. Yet, that's not so easy.

The UNFCCC provides a data interface that allows searching the data, but it hasn't been updated for some years. Automated downloads of all Common Reporting Tables are actively prevented by a "Security Firewall"🔥🧱

2025-11-27

The UNFCCC makes it needlessly difficult to download emission data📊📈

The UNFCCC🇺🇳 is most famously known for being the organizer of the climate conferences (COPs). However, they also play an important role in collecting and managing emission data.

industrydecarbonization.com/ne

/thread 🧵

boosted:
2025-11-27

»Support for elite sport begins with functioning children's, youth and grassroots sport. Wanting to close the gaps there with an elaborate, costly bid for the Olympic Games is absurd and populist«, says Olympian Christoph Harting. bund-berlin.de/service/presse/

2025-11-26

A recording of the talk is already online. I've put up a web page with some more information. I am also sharing test cases that can be used to test software for these vulnerabilities.
invoice.secvuln.info/

2025-11-26

I quickly found a couple of vulnerabilities in tools that deal with those electronic invoices.
It appears that not much consideration has been given to security while designing these systems. The standards don't contain security considerations. No one has written any "how to implement EN16931 without having severe security flaws" guidelines. Nothing like that.

2025-11-26

Saxon also likes to parse XML according to the spec, which means it is also insecure by default and vulnerable to XXE. From my communication with Saxon's developers, I do not expect that this will change.
So you have: Invoices in XML formats, an ecosystem that likes to use Java (XML parsing insecure by default) and Saxon (XML parsing insecure by default), and the result is what you would expect.

2025-11-26

The EU provides validation artifacts for EN16931, using Schematron and XSLT. You can use them to check if an invoice is correct. Nice. But...
Those validation artifacts use a version of Schematron that requires XSLT 2.0. You know, XSLT has three versions. Only XSLT 1.0 is widely supported. XSLT 2.0 and later are... not widely supported. There's only one freely available implementation named Saxon. It is written in Java, but usable from Python, C, PHP.

2025-11-26

All that stuff is based on XML. XML is also... more complex than it should be. It has some nice "features", like exfiltrating files. That allows performing XXE attacks, a well-known and severe attack vector. Despite being known for decades, it is still a problem. Technically, any "correct" XML implementation is insecure. Oracle likes being correct, so Java is insecure. And a lot of software in the electronic invoicing space is written in Java.
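The insecure-by-default Java XML parsing this thread describes can be switched off at the JAXP factory. The following is an added example (not code from the talk or from the invoice.secvuln.info test cases): a hardened DocumentBuilderFactory that rejects a constructed invoice-like document carrying a DOCTYPE while still accepting a clean one. The class name and both sample documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class HardenedInvoiceParser {
    // Constructed sample: an invoice-like document with a DOCTYPE; real EN16931 invoices never need one.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Invoice [ <!ENTITY who \"constructed\"> ]>\n"
      + "<Invoice><ID>&who;</ID></Invoice>";
    // Constructed sample without a DOCTYPE, shaped like an ordinary invoice.
    static final String SAMPLE_CLEAN =
        "<?xml version=\"1.0\"?><Invoice><ID>INV-0001</ID></Invoice>";

    /** JAXP factory with the spec-conformant defaults the thread complains about turned off. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no entity declarations, internal or external.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** True if the document parsed, false if the parser rejected it. */
    static boolean parses(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (Exception e) {
            return false; // the DOCTYPE sample ends here with a SAXParseException
        }
    }
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = hardenedFactory();
        System.out.println("clean invoice parses: " + parses(f, SAMPLE_CLEAN));
        System.out.println("DOCTYPE invoice parses: " + parses(f, SAMPLE_WITH_DOCTYPE));
    }
}
```

When the invoice is fed to an XSLT transformer for Schematron validation, the same hardening belongs on the SAX parser handed to it via a SAXSource, rather than letting the transformer construct its own default parser; Saxon's own configuration options are not shown here.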

2025-11-26

There's a European "standard" called EN16931. But it's not really a "standard", it's more a complex network of standards, connected in sometimes mysterious ways. EN16931 has two mandatory XML syntaxes (other optional syntaxes are possible, and I hear a third one may come soon). It can be extended or restricted (a so-called CIUS) by further (often national) standards. All that is more complex than it should be, and very confusing for anyone trying to just understand what's going on.

2025-11-26

Today, I gave a presentation at the German OWASP Day @owasp_de about security issues with the EU's electronic invoices🧾💶.
The EU has introduced requirements for "standardized" machine-readable electronic invoices, initially for government procurement; increasingly they'll be required for B2B as well. In principle, not a bad thing, but security wasn't exactly at the center of these developments. invoice.secvuln.info/
🧵 /thread

2025-11-26

@benedikt_lauenburg The idea of a quantum RNG is to measure physical quantum effects that are random. Some will claim that this is more secure, as it is "true" randomness. Yet, we can use pretty much any cryptographic construct to have random numbers as secure as those cryptographic constructs, and no QRNG salesperson could ever explain what the problem with that is.

2025-11-26

OVH claims that they use a "quantum computer" to improve their SSL security. I'm not gonna complain about the marketing term SSL, but... no, a quantum RNG is not a quantum computer. It's also... something that has been around for decades. And QRNGs don't do anything useful. That doesn't stop some companies from selling them for a lot of money.

boosted:
Yael Grauer (yaelwrites)
2025-11-24

Avoiding public WiFi, QR codes, or public USB chargers doesn’t prevent you from being hacked. Happy to sign onto this open letter alongside 80+ cybersecurity veterans urging a shift from folklore to guidance that actually helps people avoid the most common attacks. hacklore.org/

2025-11-18

When I saw various cloudflare errors today, I thought there's this web page that says whether something is down for everyone or just for me and I wanted to check it. The meta irony: it only gave me a cloudflare error.

2025-11-14

@jon don't dance while holding a stick over your head?

boosted:
nixCraft 🐧 (nixCraft)
2025-11-06

End of Japanese community at Mozilla due to the introduction of AI-based translation.

The community members have expressed disappointment and frustration that their long term volunteer efforts and local knowledge were being replaced by machine translation, which they felt did not match the quality of human provided support.

This is why Mozilla sucks so much; they are going crazy like the rest of the industry.

Source
support.mozilla.org/en-US/foru

Added screenshot in case Mozilla decided to remove it

A screenshot of support.mozilla.org

Forum name: SUMO community discussions
Title: End of Japanese community
Text by user named marsf that reads:

Hi, I am a locale leader of SUMO Japanese community. I have contributed to the Support over 20 years, before the beginning of support.mozilla.org.

Today, November 4, we decided to end our SUMO Japanese community.

On October 22, the sumobot was introduced to Japanese KB articles. I cannot accept its behavior and no words.

* It doesn't follow our translation guidelines.
* It doesn't respect current localization for Japanese users, so they were lost.
* It approves its direct English MT immediately for all archived KB articles.
* It approves only in 72 hours after its updates, so we lost our work to train new contributors.
* It has been working now without our acceptance, without controls, without communications.
* Over 300 Knowledge Base articles are overridden by sumobot.
This all happened on the product server, not on the staging server. I understand that this is mass destruction of our work and an explicit violation of the Mozilla mission, allowed officially.

Therefore, I (marsf) declare:

* I quit contributing to support.mozilla.org.
* I prohibit the use of all my translations as learning data for SUMO bot and AIs.
* I request the removal of all my translations from the learned data of SUMO AIs.
However, individual Japanese contributors may want to work on their own responsibility. It is their choice; we do not care about or support it.

Bye.
