Weak randomness in old JavaScript crypto, lack of encryption in purported end-to-end encryption, a platform engineering maturity model, PyPI's first security audit, vision for a Rust specification, and more!
Mike Shema
- Randstorm: You Can’t Patch a House of Cards — Unciphered
- Rivian Pushes Software Update That Breaks Infotainment System
- Platform Engineering Maturity Model | CNCF TAG App Delivery
- Sunbird / ‘Nothing Chats’ is Not Secure. – Texts.blog, the blog of Texts.com
- GitHub – yunuscadirci/DIALStranger: details about DIAL protocol vulnerabilities
- PyPI has completed its first security audit – The Python Package Index
- Visual Studio Code Security: Deep Dive into Your Favorite Editor (1/3) | Sonar
- Our Vision for the Rust Specification | Inside Rust Blog
John Kinsella
- Weaknesses found in wintel laptops fingerprint readers
Blackwing Intelligence dug into several laptop fingerprint readers at Microsoft's request. While the readers were correctly designed to perform fingerprint matching on the reader module, they had other worrisome flaws: One sensor communicated in plaintext, others were not being properly validated by the laptop. The result, either way, is potential for bypass.
(Are they still referred to as "Wintel"?)
- Reptar – the latest Intel microcode bug
A collection of folks at Intel and Google (including Tavis Ormandy) figured out a new bug where a opcode that was previously ignored now causes...CPU strangeness (my words, but that's the theme).
Interesting to me that Intel didn't catch this...the bug surfaced when new functionality was added to improve performance on "repeat moves" - used for string copying, as an example. One would imagine that there's a test suite that gets executed after enhancements are merged in - why wasn't this caught? It sounds like Google's testing is better than Intel's...
