@thesamesam
thesamesam / xz-backdoor.md
Last active June 26, 2024 16:04
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is written in good faith and intended to be accurate, but, like I just said, we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

const
  execute = async function () {
    const cmd = await command.execute(...arguments)
    if (!cmd.success) {
      let acc = ``
      for (const argument of arguments)
        acc += argument + ` `
      throw Error(`$${acc}\u{2022} ${cmd.reason ?? cmd.reply}`)
    }
    return cmd.reply
@gm3197
gm3197 / vas.md
Last active June 25, 2024 19:34
Reverse Engineered Value Added Services Protocol Specification

Reverse Engineered VAS Protocol Specification

Research by Grayson Martin
Last Updated 7/8/23

Introduction

Value Added Services (VAS) is the protocol used by NFC-capable passes in Apple Wallet. Access to this protocol is heavily restricted on both the device end (a special certificate issued by Apple is required to create these passes) and the reader end (NDA-enforced confidentiality). As such, a desire arose to better understand the protocol in order to explore additional use cases and examine its cryptographic integrity. There are gaps in understanding in certain parts of this protocol; however, this document contains the minimum necessary understanding to automatically select, read data from, and decrypt a pass.

Importantly, this specification does not enable a malicious actor to read the data from a pass for which they do not have both the reader's private key, and the pass type identifier. Imp

Twitter ID Screen name Followers Removal observed Before After
17461978 SHAQ 15612791 2022-02-26T22:24:52Z SHAQ.ETH SHAQ.SOL
21910850 jakeowen 2119904 2022-02-26T15:45:18Z jakeowen.eth Jake Owen
7846 ijustine 1811449 2022-03-09T14:43:37Z iJustine.eth iJustineUltra
1666038950 BoredElonMusk 1752290 2022-02-17T08:05:47Z bored.eth Bored
381051960 ethRuby 1267133 2022-03-19T08:08:11Z CryptoSolis.eth Ruby
1282418324228337665 wsbmod 832406 2022-02-24T06:52:07Z wsbmod.eth wsbmod
20882981 EclecticMethod 495235 2022-02-18T04:39:30Z eclecticm.eth Eclectic Method
811350 alexisohanian 479340 2022-02-08T06:31:55Z AlexisOhanian.eth 7️⃣7️⃣6️⃣ Alexis Ohanian 7️⃣7️⃣6️⃣
22784458 Fwiz 410813 2022-03-22T08:54:42Z Ryan Wyatt - fwiz.eth 💜 Ryan Wyatt - @ GDC

To Microsoft Developer Division Leadership,

Those of us who work in the Microsoft Developer Division (DevDiv) would like to respond to the recent controversy surrounding the pulling and reinstating of the "dotnet watch" feature of dotnet 6. While we are grateful that cooler heads prevailed and "dotnet watch" was preserved, we do not feel confident that this will not happen again; quite the opposite.

To show this point, we will look at the recent blog post by Scott Hunter (https://devblogs.microsoft.com/dotnet/net-hot-reload-support-via-cli/). Based on everything we know of the situation and how the Developer Division operates, little of what Scott wrote seems true and contradicts what happened. To be clear, this is not an attack on Scott Hunter; and instead, it shows how far others are willing to go to protect management.

"As a team, we are committed to .NET being an open platform and doing our development in the open. The very fact that we decided to adopt an open posture by default from the start for dev

Ian: Well, hello everyone and welcome to the DDev stage channel. So just the heads up before we get started, we're recording this session. So you don't have to, you still can if you want.

Ian: You can share if your friends missed it afterwards. We'll post it. So, my name is Ian, I'm an engineering manager, and I'm joined here by Mason, the product manager for the Bots and API team at Discord along with pretty much the entire Bots team and about 500 of you.

Ian: And today, we're gonna have some fun. We're gathered here for some updates on some of the latest stuff that engineers on the team are building. And we've narrowed it down to four big changes that we've been cooking up. We've managed to get three Discord engineering staff in here and then there's Mason and together, they will talk through some of the changes that we're making.

Ian: And it's honestly very exciting to me just to be able to straight up present our work to the whole community. This is something that we'd like to do more of earlier. So,

@voltagex
voltagex / tracking.md
Last active October 2, 2021 03:44
Podcast tracking

The seedy world of podcast tracking

Warning: this post contains bad shell scripts.

I recently wanted to listen to a single episode of a podcast without adding it to any extra software, so I grabbed the URL and went to play it in my browser. Then, I looked at it again and noticed something strange - it started with: https://pdst.fm/e/dts.podtrac.com/redirect.mp3/traffic.omny.fm/ So, while the podcast played in the background, I loaded it up in curl and fiddled with it a bit until I saw the following fly by as Location: headers.

hi, and goodbye

The past few weeks have not been fun on IRC, the drama based on false information and assumptions has been insane. I've almost entirely been silent on the drama because I know the fallout that would happen if I spoke up.

A quick TLDR - I'm quitting all IRC development. KiwiIRC project lead, IRCv3 technical board, supporting the multitude of IRC networks, the lot.

Many people seem to think that I am supporting one side in everything that is going on, so just to be clear: I am not supporting any side of the current freenode drama - there is so much false information going around from everywhere that it is impossible to support anybody.

Woo freenode drama

@aaronmdjones
aaronmdjones / freenode-resign-letter.txt
Created May 19, 2021 10:20
My resignation from freenode
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
My resignation from freenode staff
==================================
I joined the freenode staff in March 2019 [1].
Before I joined the staff, Freenode Ltd was sold [2] to a person named
Andrew Lee as part of a sponsorship deal. The informal terms of that

The Freenode resignation FAQ, or: "what the fuck is going on?"

IMPORTANT NOTE:

It's come to my attention that some people have been spamming issue trackers with a link to this gist. While it's a good idea to inform people of the situation in principle, please do not do this. By all means spread the word in the communities that you are a part of, after verifying that they are not aware yet, but unsolicited spam is not helpful. It will just frustrate people.

Update 3 (May 24, 2021)

A number of things have happened since the last update.