Ivan Lozano

Google Android Platform Security. Opinions are my own, boosts are not endorsements. Posts about information security, foreign affairs, physics, astrophotography, or anything else that I find mildly interesting.

Ivan Lozano boosted:
Risky Business® Media (@riskybiz@infosec.exchange)
2024-10-21

📰 Risky Biz News: The EU will make vendors liable for bugs

news.risky.biz/risky-biz-news-

Ivan Lozano boosted:
Aria Desires (@Gankra@toot.cat)
2024-09-26

this latest edition of "Android team posting nothing but Ws for adopting Rust" is super important because it identifies that:

*you don't have to actually rewrite all your old unsafe C/C++ code to get the benefits of adopting safe languages, in terms of reducing vulnerabilities*

because they identify that most bugs are in new/changed code (with exponential decay!), so if you preferentially write new code in a safe language, your vulnerabilities crater even though most of your code is still unsafe!

security.googleblog.com/2024/0

Ivan Lozano boosted:
2024-09-26

The drop in Android's memory safety vulnerabilities is astonishing! It's counterintuitive, but prioritizing memory-safe languages in new code quickly reduces memory-safety risks. Once we turn off the tap of new vulnerabilities, they start decreasing exponentially.
infosec.exchange/@jeffvanderst

Ivan Lozano boosted:
2024-09-26

I’m super excited about this blogpost. The approach is so counterintuitive, and yet the results are so much better than anything else that we’ve tried for memory safety. We finally understand why.

security.googleblog.com/2024/0
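The posts above argue that vulnerability counts fall exponentially once new code is written in a memory-safe language, even while most of the code base remains unsafe. The following toy model, added here and not taken from the posts or the Google blog, makes that argument concrete: all parameters (one bug per 1000 fresh unsafe lines, a one-year half-life, 1M legacy lines, 100k new lines per year) are constructed assumptions, and the function `simulate` is hypothetical.

```c
#include <stdio.h>

/* Constructed parameters for illustration only, not figures from the posts. */
#define VULNS_PER_KLOC   1.0  /* memory-safety bugs per 1000 freshly written unsafe lines */
#define YEARLY_RETENTION 0.5  /* share of a cohort's bugs still latent one year later (assumed 1-year half-life) */

struct snapshot {
    double vulns;            /* latent memory-safety bugs in that year */
    double unsafe_fraction;  /* share of the code base still written in an unsafe language */
};

/* Model a code base of initial_unsafe unsafe lines that grows by new_lines per year.
 * Every cohort of unsafe code starts with VULNS_PER_KLOC bugs per 1000 lines and keeps
 * only YEARLY_RETENTION of them each following year: the exponential decay the posts describe.
 * With new_code_is_safe set, code written after year 0 is memory-safe and adds no such bugs.
 * Returns the state at the end of the requested year. */
struct snapshot simulate(double initial_unsafe, double new_lines, int years, int new_code_is_safe)
{
    double unsafe_lines = initial_unsafe, total_lines = initial_unsafe, vulns = 0.0;
    for (int y = 0; y <= years; y++) {
        if (y > 0) {
            vulns *= YEARLY_RETENTION;   /* every existing cohort ages one year */
            total_lines += new_lines;
        }
        double unsafe_cohort = (y == 0) ? initial_unsafe : (new_code_is_safe ? 0.0 : new_lines);
        vulns += unsafe_cohort / 1000.0 * VULNS_PER_KLOC;
        if (y > 0) unsafe_lines += unsafe_cohort;
    }
    struct snapshot s = { vulns, unsafe_lines / total_lines };
    return s;
}

int main(void)
{
    /* 1M lines of legacy C/C++, 100k new lines per year, with and without the safe-new-code policy. */
    printf("year  vulns(all unsafe)  vulns(new code safe)  unsafe share(new code safe)\n");
    for (int y = 0; y <= 8; y++) {
        struct snapshot a = simulate(1e6, 1e5, y, 0), b = simulate(1e6, 1e5, y, 1);
        printf("%4d  %17.1f  %20.1f  %26.2f\n", y, a.vulns, b.vulns, b.unsafe_fraction);
    }
    return 0;
}
```

After five years the safe-new-code scenario still has two thirds of its lines in an unsafe language, yet its latent bug count is about one seventh of the all-unsafe scenario's, which is the counterintuitive effect the posts describe.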

Ivan Lozano boosted:
René Mayrhofer :verified: 🇺🇦 (@rene_mobile@infosec.exchange)
2024-09-07

Rust certainly isn't perfect for everything, but for low-level code, including firmware, I am not aware of any better languages at this time. You get all the control you need, and the biggest class of bugs and vulnerabilities is prevented at compile time.

Rewriting complex code bases from scratch is not a good idea for stability, and therefore the piece by piece conversion really seems like the best way forward if you have a lot of C/C++ legacy code (and no, there is no practical solution to make that code safer without changing to a memory safe language in the process, whichever one it may be).

This post by @lozano gives excellent practical advice on how to do that.

infosec.exchange/@lozano/11308

Ivan Lozano boosted:

Hi everyone — especially browser security researchers! Today we’ve announced some pretty significant changes to the Chrome VRP reward structure and amounts. This was all built with the purpose of incentivizing deeper and ever more impactful research of Chromium security issues.

I wrote a little blog about it here: bughunters.google.com/blog/530

We wanted to acknowledge the challenges faced and skills required to find the more complex and impactful issues in Chrome, especially when it comes to demonstrating the full exploitability and impact.

We hope these changes are helpful and inspiring to browser security researchers and signal our continued investment in working with you to make Chrome more secure for all users.

Ivan Lozano boosted:
❄️☃️Merry Jerry🎄🌲 (@jerry@infosec.exchange)
2024-06-28

Today is my last day at IBM.

I joined Netrex in February 1999 as a Unix admin

In late 1999 Internet Security Systems bought Netrex, largely for its managed services business.

In October 2006, when I was the director of IT, IBM bought ISS largely for its managed services business.

I was given lots of opportunities at IBM. Twice I found myself in the wrong place at the wrong time and was on a list to be let go, but other parts of IBM decided to pick me up. I once resigned to take a job at Deloitte, and at the time my manager told me that didn’t work for anyone and made it worth my while to stay. For many years, I led an incident response function for the strategic outsourcing business, which was later spun off to be what is now Kyndryl. I learned a LOT. I learned so much, in fact, that I decided to start a podcast in 2012, partly to make myself smarter, and partly in hopes that I could help the industry avoid the mistakes I was seeing our clients make on a near daily basis. I have deep scars from all the big security events of the 2010’s - heartbleed, shellshock, wannacry, notpetya, and many others.

In 2019, I was leading an internal practice around cyber regulations (in addition to the IR role) and ended up helping the cloud business out of a sticky situation. Unbeknownst to me, cloud had been looking to replace their CISO, and in March 2020, they offered me the job. My first big test was leading Cloud through Covid.

I had the extreme privilege to lead a team of 184 remarkably talented professionals. We did some cool things, but I regret the long list of things that didn’t get done.

As well published in the news, IBM took a hard line on return to office, particularly for executives. They gave people like me a choice: relocate to a key site (Atlanta was not one of them) and work from the office 3 days a week (with tight attendance tracking), or be let go. I have been working from home full time since shortly after IBM bought ISS in 2006 - nearly 18 years. I spend about 1/3 of my time at my beach place, which I was not willing to part with. Plus, I fundamentally disagree with the return to office approach and with how people have been treated, so I opted to “let it happen”, and so today is the day IBM terminates me.

I’ve saved up enough money that I can take a break for a while. It’s been 32 years since I’ve had more than a week off work, and at least 20 since I’ve had any sort of vacation that wasn’t disrupted by urgent meetings, crises, and so on. I’m going to spend some time with my family, especially my extremely patient wife, in ways that I haven’t been able to.

I have a very long list of things I’ll be doing during this downtime. I intend to get back into podcasting; I am going to write some, including maybe a book; I am going to focus more on the fediverse instances I manage to ensure they are enduring; I am going to go to way too many baseball games with my wife (she is a mega baseball fan); and I am going to take way too many pictures and hopefully find some creative ways to make money with those pics.

TL;DR: today is the end of a long journey for me, and the start of a new one. And it’s a good day.

Ivan Lozano boosted:
2024-06-17

My new Project Zero blog post, Driving Forward in Android Drivers is live! 🥳
googleprojectzero.blogspot.com

Ivan Lozano boosted:
Linux Kernel Security (@linkersec@infosec.exchange)
2024-06-16

Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938

An article by @abc_sup, Gulshan Singh, and @vxradius about exploiting a vulnerability in the Android Binder device driver that leads to a slab use-after-free.

Article: androidoffsec.withgoogle.com/p

Zi and Eugene also gave a talk about this work at OffensiveCon last month. There, they also shared the details about finding this vulnerability with a custom Linux Kernel Library–based fuzzer.

Video: youtube.com/watch?v=U-xSM159YL
Slides: androidoffsec.withgoogle.com/p

Ivan Lozano boosted:
2024-06-16

ME: *points at my "World's Greatest Dad" shirt*

CO-WORKER: *points at his own "World's Greatest Dad" shirt*

ME: *takes a sip from my "World's Greatest Dad" mug*

CO-WORKER: *sips from his own "World's Greatest Dad" mug*

ME: [eyes narrow] *draws "World's Greatest Dad" sword*

Ivan Lozano boosted:
Foone🏳️‍⚧️ (@foone@digipres.club)
2024-06-09

two of the best feelings when programming are:
1. figuring out a really clever way to solve a problem
2. figuring out a really stupid way to solve a problem

Ivan Lozano boosted:
2024-05-25

I taunt astronomers in other EM regimes because unlike us cool radio astro folks, they mostly can't do astronomy during the day (where we can).

Now, folks from our uni (Macquarie Uni) and fellow PhD'er Sarah Caddy, are building telescopes for daytime obs.

THIS IS BETELGEUSE IN THE DAY! 🤯

To get these results, we've built a telescope that has MANY eyes, and named it after the huge spider we have here called 'The Huntsman' (which of course, has many eyes).

Some nice work coming from this 'scope!

More: shorturl.at/D3IKL

Paper: shorturl.at/kp2Xj

#Telescopes #Astronomy #Astrodon

Image 1: an image of a blurry, chaotic soft-cloud-like structure of red-orange light, sitting in a frame of sky blue
Image 2: Woman standing next to a telescope that is made up of many smaller telescopes, giving an appearance of many eyes looking upwards
Ivan Lozano boosted:
2024-05-01

There is a new release of "The SELinux Notebook" out today!

github.com/SELinuxProject/seli

#selinux

Ivan Lozano boosted:
Daniel Pomarède (@pomarede)
2024-04-28

Some spectacular panoramas captured by the Martian rovers these past few days

1. Curiosity - Sol 4162
2. Perseverance - Sol 1130
3. Perseverance - Sol 1131

Credit images: NASA/JPL-Caltech/MSSS & NASA/JPL-Caltech/ASU

Ivan Lozano boosted:
pancake :radare2: (@pancake@infosec.exchange)
2024-04-28

Wooo C23 will standardize add/sub/mul overflow checks at language level! Finally! Rust and Zig already could do that without relying on inline assembly or complex bitwise checks.
mastodon.social/@c_discussions
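The post above contrasts "complex bitwise checks" with the language-level overflow checks C23 standardizes. The added example below (not from the post or any project it mentions) shows both: a portable pre-check against the integer limits, and the `__builtin_mul_overflow` extension that GCC and Clang already provide (assumed compiler), which C23 standardizes as `ckd_mul()` in `<stdckdint.h>`. The helper names `add_checked_portable`, `mul_checked_builtin` and `malloc_array_checked` are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Portable pre-check for signed addition. Testing `a + b < a` after the fact is not an
 * option: signed overflow is undefined behaviour and the compiler may drop the test. */
int add_checked_portable(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return 1;                 /* would overflow; *out is left untouched */
    *out = a + b;
    return 0;
}

/* Compiler-supported check. __builtin_mul_overflow is a GCC/Clang extension (assumption:
 * one of those compilers is in use); C23 standardises the same operation as ckd_mul(). */
int mul_checked_builtin(size_t a, size_t b, size_t *out)
{
    return __builtin_mul_overflow(a, b, out);   /* nonzero when the product wrapped */
}

/* Allocation-size computation, the classic place an unchecked multiply turns into a
 * heap overflow. Returns NULL instead of a too-small buffer when count * elem_size wraps. */
void *malloc_array_checked(size_t count, size_t elem_size)
{
    size_t bytes;
    if (mul_checked_builtin(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    int sum = 0;
    int rejected = add_checked_portable(INT_MAX, 1, &sum);
    printf("INT_MAX + 1 rejected: %d\n", rejected);
    rejected = add_checked_portable(100, -50, &sum);
    printf("100 + (-50) rejected: %d, sum = %d\n", rejected, sum);
    void *p = malloc_array_checked(SIZE_MAX / 2 + 1, 2);   /* product is exactly 2^64, wraps to 0 */
    printf("oversized array allocation rejected: %d\n", p == NULL);
    free(p);
    return 0;
}
```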
