“Eden” aspired to remake society altogether. What could go wrong?

Who’s excited for the end of the world?

The video player has decided to hate me. In lieu of that, some written commentary.

Day 2: https://www.scaleft.com/blog/real-world-crypto-2017-day-2/

Program: https://www.realworldcrypto.com/rwc2017/program

What does that mean? What could it mean? Why is it there? This sounds like something that should be featured on Screenshots of Despair. Still empty - can be used. It’s like a mantra.

I’m still empty. I can be used.

But the signature says it’s safe!

The good news is I’ve poked at 6 popular crates now, and I’ve got not a single actually exploitable vulnerability. I am impressed. When I poked popular C libraries a few years ago it quickly ended in tears security vulnerabilities. The bad news is I’ve found one instance that was not a security vulnerability by sheer luck, plus a whole slew of denial-of-service bugs.

source: L

Old news I guess, but a recap.

The way I have written services has changed over the years, so I wanted to share how I write the services today — in case the patterns are useful to you and your work.

source: L

If a handle is provided to a directory, it should imply access to resources within that directory (and additionally, their subdirectories). Unfortunately, however, a holdout from POSIX prevents directory handles from cleanly integrating with these concepts in a capability system: “..”. If a handle is provided to a directory, the client can simply request “..”, and the handle will be “upgraded” to access the parent directory, with broader scope. As a consequence, this implies that a handle to a directory can be upgraded arbitrarily to access the entire filesystem.

source: HN

In most cases, witnesses are unreliable, and the stories are too complicated to be true.

Is fixing sporting events such a complicated story? No. Does it have a clear motive? Yes. Would we expect many deathbed confessions from those athletes and gangsters who promulgated it? Probably not.

source: MR

This will allow unveiled and chrooted processes to access the malloc options without having to do anything special in the code or chroot dir.

source: L

Web page rendering is one of the most interesting and active development areas in computer graphics. There are multiple approaches with pros and cons. In the post I’ll go into details about how we do HTML rendering in Coherent Labs’ Hummingbird and LensVR browser and how it compares to Chrome and Mozilla’s WebRender.

source: L

PLASMA is an interactive disassembler. It can generate a more readable assembly (pseudo code) with colored syntax. You can write scripts with the available Python api (see an example below). The project is still in big development.

source: grugq

This article explains how I figured out how Cypress’s jury-rigged “supervisor” mode in the PSoC4 family works, dumped the secret unreadable SROM, exploited it, and found a way to unlock extra flash in the PSoC4 as well as how you can develop scary rootkits for touchpads and touchscreens that use Cypress chips.

source: grugq

“Without a doubt, this is, by design, less space than you have in cabins for our customers who desire a different product.”

To prepare for the project, Quixel spent a month in cold and wet locations in Iceland, scanning all kinds of objects found in the natural environment using. The team returned with over 1,000 scans that captured the details of the landscape.

This looks great, but no mention of hardware or frame rates? Not sure when you’ll be seeing this on your desktop.

source: K

The more you conceal, the more you reveal.

In this blog, we look at two recent kernel-level zero-day exploits used by multiple activity groups. These kernel-level exploits, based on CVE-2016-7255 and CVE-2016-7256 vulnerabilities, both result in elevation of privileges. Microsoft has promptly fixed the mentioned vulnerabilities in November 2016. However, we are testing the exploits against mitigation techniques delivered in August 2016 with Windows 10 Anniversary Update, hoping to see how these techniques might fare against future zero-day exploits with similar characteristics.

Some things will change, especially with 1.3, but still a good introduction to how TLS works.

And a guide to certificates: http://www.cem.me/pki/index.html

First few milliseconds of TLS: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

Slightly updated: https://security.stackexchange.com/questions/131724/the-first-few-milliseconds-of-an-https-connection-tls-1-2-tls-echde-rsa-with/133708#133708

Despite their growing numbers and valuations, the performance of unicorns has been a mixed bag. On the whole, an investor in the second half of the decade was likelier to have put money into a unicorn that was unprofitable and whose value has dropped as a public company than an investor in the decade’s first half, The Wall Street Journal found.

source: ML

Here’s an example. You specify a certain exact RGB color in your CSS for a web page. Then you make a graphic for that web page, with the exact same RGB value for the background color. But when you put the graphic on the web page, the background colors don’t match up. But only in some browsers, on some platforms. What the hell is going on?