October 18, 2024
The answer to most questions about passkeys is "it depends on how your OS, your browser, and your service providers implement it".
— lcamtuf (@lcamtuf) October 17, 2024
But if prior art teaches us anything, the answer to that answer may be "it will be done in the least convenient and least interoperable way"
In case you missed it, it's possible to go directly from unauthenticated to DC password. Coerce the DC auth and crack the hash or relay to another DC. Here's a sloppy demo I did last year. High five for the assist @Bandrel https://t.co/3GOHsmVRj0 https://t.co/UQSQ5qLchU
— Tech Brandon (@TechBrandon) October 16, 2024
Microsoft has been running massive deception campaigns that flood new phishing sites with bogus credentials for bogus companies on MS tenants. When attackers log in, they deliver a torrent of fresh threat intelligence that can be used to defend: #infosec https://t.co/hFqljCGndq
— Jeremy Kirk (@jkirk@infosec.exchange) (@Jeremy_Kirk) October 17, 2024
Oooo. I like this!
Software liability comes to the EU.
— Weld Pond | Chris Wysopal (@WeldPond) October 16, 2024
The new EU liability law extends the definition of “defective products” to include software, holding manufacturers accountable for harm caused by software vulnerabilities.
If a software flaw leads to damage, manufacturers can now be held…
Microsoft has open sourced its new cross-platform virtual machine layer written in Rust: https://t.co/RtHaf3oDx5 From many of the same team who created WSL, including @benhillis.
— Hayden Barnes (@unixterminal) October 16, 2024