Pinned toot

Hey everybody!

We just finished uploading the 20.10 #release of #ManjaroARM for all our supported devices.

Check out the announcement:

forum.manjaro.org/t/manjaro-ar

You can spend 3 months writing a 0day for some obscure mach kernel handling bug to sneak your way to local root but did you try just asking the user for their password? You know which one has a higher ROI? The most simplistic one. This is why you get $22million dollar thefts from a UI, if you ask a user persistently enough in a manner that does not disrupt their usage of the machine or raise inconsistency in machine behavior - the user almost always enters the passwords as normal at the machine.

Show thread

Exploitation of human behavior always gives better results than a single bug. I wrote this example for macOS in Swift. It's a great LPE attack, by presenting every 15 minutes a UIKit dialog that mimics precisely Apple notices, users will just enter the local admin (or iCloud) password. On every run, this stores clipboard and passwords input from a launchd daemon, once the user gives the right password and it authenticates to root - it clears out the persistence and transmits the logs back to me.

Fake pop-ups through ElectrumX update notifications have been used to steal $22 million worth of BTC. Security experts need to understand that attackers use *whatever* *works* -if you ask the user to give you access to their computer - they frequently will - as simple as a pop-up notification and trojan wallet installer was all that anyone ever required to exploit the open nature of code and crypto. zdnet.com/article/bitcoin-wall

If I were to redo this project I’ve been working on the last few years, I would not have been pedantic about building the GUI in C++ despite the power it’s given me, features take weeks to implement that would take minutes in other languages. I’m glad I chose Lua and Jit VM technology for numerous reasons but the thing that amuses me the most is that innovation in Lua obfuscation is coming from a bunch of Roblox hackers that just want to cheat at video games and protect their mods.

How come corporations are allowed to leak their data onto the Internet without reprisal, yet when you help leak their data it’s a crime? ​:htp:

Traditional development methods do not scale into the #IoT sphere. Find out how DevOps can reduce complexity in multi-component stacks in our new whitepaper.

bit.ly/2YdFyTs

Apple’s T2 security chip has an unfixable flaw - Checkm8 vulnerability used to jailbreak iPhones hits Macs as well arstechnica.com/information-te

“Sometimes, the field office is not totally aware of all the neat gadgets and whizzbang stuff coming out of the lab,” - FBI FlyTeam sounds like it has some cool toys :)

Show more
Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!