The code to report that the wallpaper is ready was inside the wallpaper bitmap code, which means that if you don’t have a wallpaper bitmap, the report is never made, and the logon system waits in vain for a report that will never arrive.

This is the story of how I found one of my favorite iOS vulnerabilities so far. It’s one of my favorites because of how simple it was to implement an exploit for it. There’s also the fact that it uses a legacy public API that’s still relied upon by many components of Apple’s operating systems, and that many developers have never heard of.

However, just as any process on the system can register to receive Darwin notifications, the same is true for sending them. Considering these properties, I began to wonder if there were places on iOS using Darwin notifications for powerful operations that could potentially be exploited as a denial-of-service attack from within a sandboxed app.

source: HN

RWSbCCUoGpcxVRmNb/XFYBbthxWMK7G6fNbJhb993Ohuh29WFaT9vhe2

The hatchlings’ parents, female Mommy and male Abrazzo, are the Zoo’s two oldest residents, each estimated to be around 100 years old.

This article, although in some parts very conversational, aims to demonstrate how it’s possible to build solid, valid, and efficient solutions without the need to use expensive and complex services. Moreover, this is the demonstration of how it’s possible to have your online presence without the need to put your data in the hands of third parties or without necessarily having to resort to complex stacks. Sometimes, less is more.

source: Dfly

These things mean that despite Go having a GC, it’s possible to do manual memory management in pure Go and in cooperation with the GC (although without any help from the runtime package). To demonstrate this, we will be building an untyped, garbage-collected arena abstraction in Go which relies on several GC implementation details.

source: HN

I’ve found a way of describing occurrences through distance functions. This means that instead of implementing logic for all combinations of frequencies and parameters - as that spooky table from before suggests one might do - we can simply compose a couple of distance functions together.

source: HN

The idea is simple: apart from regular numbers (like 4, 3.14 or 43942), you can also input ranges (like 4~6, 3.1~3.2 or 40000~45000). The character between the two extremes of the range is a tilde (~), a little wave symbol. You can find it on most keyboards, but for convenience, I also included it in the keypad above. The range notation says the following to the calculator: I am not sure about the exact number here, but I am 95% sure it’s somewhere in this range.

source: L

But there is currently one smartphone that qualifies for a “Made in the USA” title from the FTC. It’s the Liberty Phone, which is made by a company called Purism. The phone is a version of Purism’s Librem 5. The Made-in-China Librem 5 costs $800, and the Liberty phone costs $2,000. It has 4 GB of memory, and reviewers say that its specs are pretty outdated. Not every single component in the Liberty Phone is made in the USA, but the company has been trying very hard to make it as American-made as possible.

source: HN

Apache ECharts provides more than 20 chart types available out of the box, along with a dozen components, and each of them can be arbitrarily combined to use.

source: HN

In the years leading up to its 7 April 1964 launch, however, the 360 was one of the scariest dramas in American business. It took a nearly fanatical commitment at all levels of IBM to bring forth this remarkable collection of machines and software. While the technological innovations that went into the S/360 were important, how they were created and deployed bordered on disaster. The company experienced what science policy expert Keith Pavitt called “tribal warfare”: people clashing and collaborating in a rapidly growing company with unstable, and in some instances unknown, technologies, as uncertainty and ambiguity dogged all the protagonists.

source: HN

So I took a daylong drive across Cardinal Country and asked 15 law enforcement agencies, using Freedom of Information Act requests, to provide me with the Flock LPR footage of my vehicle. My journey took me over 300 miles through slices of the communities those agencies serve, including the nearly 50 cameras they employ. And this journey may take me to one more place: an April Fool’s Day hearing in a courtroom in Roanoke. There, a judge will be asked to rule on a motion to declare the footage of the public to be beyond the reach of the public.

Using Ctrl-r and fzf roughly doubled my efficiency in the shell overnight. Interestingly, it had an even greater long term effect: I became a more ambitious user of shell commands because I knew I could outsource my memory to fzf. For example, since it’s now very easy to recall past commands, I no longer set global environment variables, which had previously caused me grief when I forgot about them. Now I set environment variables on a per-command basis, knowing that I can recall them with Ctrl-r and fzf.

source: HN

The answer lies in the history of the zip code and its predecessor, the postal zone.

Whilst the Isosceles and Dark Navy posts explained the underlying memory corruption vulnerability in great detail, they were unable to solve another fascinating part of the puzzle: just how exactly do you land an exploit for this vulnerability in a one-shot, zero-click setup? As we’ll soon see, the corruption primitive is very limited. Without access to the samples it was almost impossible to know.

source: HN

The ocean liner SS United States - renowned for her beauty and record-breaking speed - lies in wait in Mobile, Alabama, counting down the days until she is sunk and turned into an artificial reef off the coast of Florida. It is a controversial end for a vessel of such luxury and grandeur; one with a rich and magnificent history as one of the greatest ships to ever grace the waves of the Atlantic. Together, let’s celebrate her legacy through some of my own illustrations, and explore everything that made SS United States truly one of a kind.

I believe a simpler, more powerful parallel computer is possible, and that there are signs in the historical record. In a slightly alternate universe, we would have those computers now, and be doing the work of designing algorithms and writing programs to run well on them, for a very broad range of tasks.

source: L

An attacker within bluetooth range is able to trigger navigation to a FIDO:/ URI from an attacker controlled page on a mobile browser, allowing them to initiate a legitimate PassKeys authentication intent which will be received on the attacker’s device. This results in the attacker being able to “phish” PassKeys credentials, completely breaking this assumption that PassKeys are impossible to phish.

source: HN

The FreeType library is used by Chrome to compute metrics and load hinted outlines from fonts. Overall, use of FreeType has been a huge win for Google. It does a complex job, and does it well, we rely on it extensively and contribute back to it. However, it is written in unsafe code and has its origins in a time when malicious inputs were less likely. Merely keeping up with the stream of issues found by fuzzing costs Google at least 0.25 full time software engineers. Worse, we observably don’t find everything or find things only after the code has shipped to users.

source: HN

Time for me to write this blog post and prepare everyone for the implementation blitz that needs to happen to make defer a success for the C programming language.

source: HN