Felix (@felixw3000)'s Twitter Profile
Felix

@felixw3000

👨‍💻 Engineer, passionate about IT security
🔬 Daytime: Researcher @SophosXOps
🧪 Nighttime: write-ups on experiments @ https://t.co/JD9nTOciQE
🙋 Opinions are my own

ID:4068317806

Link: https://www.uperesia.com
Date: 29-10-2015 14:12:26

4,9K Tweets

1,9K Followers

492 Following

Eric Geller (@ericgeller)

The U.S. government has a Microsoft problem.

Market dominance, inertia, and savvy PR have almost completely insulated the hack-plagued company from meaningful oversight, even as Biden officials preach corporate accountability.

My new WIRED story: wired.com/story/the-us-g…

Daniel Feldman (@d_feldman)

The problem with trying to sell developer tooling is that developers have no purchasing authority

Salesperson needs to spend $1000? No big deal.
Finance needs to spend $100,000? No big deal.
Engineer wants to buy a $50 book? They need forms signed from their VP in triplicate.

Jerry Lee (@JerryJHLee)

I applied to 100 jobs using a resume with the name, 'Kismma D. Nhuhts' and I got 29 interviews.

This is what I've learned about resumes:

Akamai Security Intelligence Group (@akamai_research)

It's nice to have a positive Outlook.

Akamai researchers have discovered another critical vulnerability that bypasses the patch for the custom sound vuln from March 2023.

Psst: this one can also be triggered in Explorer 👀

Full write-up:
akamai.com/blog/security-…

Lorenzo Franceschi-Bicchierai (@lorenzofb)

NEW: CISA has confirmed that Russian government hackers stole emails from several U.S. federal agencies as a result of an ongoing cyberattack at Microsoft.

CISA said the latest theft presents 'a grave and unacceptable risk' to U.S. federal agencies.

techcrunch.com/2024/04/11/us-…

Anne Applebaum (@anneapplebaum)

Please read if you want to understand the stakes right now in Ukraine. The attack on the country's civilian infrastructure right now, this week, is the worst since the war began

Felix (@felixw3000)

My personal blog which contains writeups about malware analysis (uperesia.com) has been blocklisted by Google safebrowsing. Does anyone know how to 'fix' this effectively? (Maybe VirusTotal team?)

Sean Lyngaas (@snlyngaas)

New —> The Commerce Department is preparing to prohibit US companies and persons from using Kaspersky anti-virus software, citing national security concerns that the company has dismissed as unfounded, w/ Zachary Cohen, Phil Mattingly & Evan Pérez cnn.com/2024/04/09/pol…

Felix (@felixw3000)

It is challenging to obfuscate the 'core dating information' (needed to facilitate a 'dating match') in a good way. Many similar challenges have been documented in the past, e.g. by this blog I wrote 7 years ago: uperesia.com/reverse-engine…

blasty (@bl4sty)

the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore.. 1/n

Chef José Andrés 🕊️🥘🍳 (@chefjoseandres)

Today World Central Kitchen lost several of our sisters and brothers in an IDF air strike in Gaza. I am heartbroken and grieving for their families and friends and our whole WCK family. These are people…angels…I served alongside in Ukraine, Gaza, Turkey, Morocco, Bahamas, Indonesia. They…

Anthony Weems (@amlweems)

I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so I patched my own key into the backdoor for testing. :-)

github.com/amlweems/xzbot

Will Dormann (@wdormann)

That sound you hear is a flurry of people asking ChatGPT to write a business plan to monetize the XZ incident.

Michael Weiss (@michaeldweiss)

NEW: A yearlong investigation by The Insider, 60 Minutes and DER SPIEGEL has uncovered evidence suggesting that Havana Syndrome may have its origin in the use of directed energy weapons wielded by the Russian GRU’s infamous Unit 29155.  theins.press/en/politics/27…

Thomas Roccia 🤘 (@fr0gger_)

🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)!

I hope it helps to make sense of the information out there. Please treat the information 'as is' while the analysis…

thaddeus e. grugq thegrugq@infosec.exchange (@thegrugq)

The xz backdoor was the final part of a campaign that spanned two years of operations. These operations were predominantly HUMINT style agent operations. There was an approach that lasted months before the Jia Tan persona was well positioned to be given a trusted role.

Prem Thakker (@prem_thakker)

Wow. Michigan Republican Representative Tim Walberg, on Gaza:

“We shouldn’t be spending a dime on humanitarian aid. It should be like Nagasaki and Hiroshima. Get it over quick.”

Rob Mensching (@robmen)

Lots of analysis of the xz/liblzma vulnerability. Most skip over the first step of the attack:

0. The original maintainer burns out, and only the attacker offers to help (so the attacker inherits the trust of the project built by the maintainer).

Read their words👇🏻 1/

lisa.gerstman (@lisa44Yes)

Bad Sector Labs Heartbleed bug that leaked keys was introduced into OpenSSL in late December 2011. The fix was released on April 8, 2014.

Depending on the many (unpaid) eyes was always a flaw.
