Kali Linux
unofficial Channel is for sale; send us a DM if interested
Post archive
#Zyxel is warning of nearly a dozen #vulnerabilities in a wide array of its products. If left unpatched, some of them could enable the complete takeover of the devices, which can be targeted as an initial point of entry into large #networks
@kalilinux
source
Telegram founder Pavel Durov arrested in Paris: 'Taken into custody by French secret services'
@kalilinux
source-fr
source-en
A new version of the Open Source AI Definition has been released with one new feature and a cleaner text, based on comments received from public discussions and recommendations.
You can also join the community and participate in this historic moment by providing precise feedback on the text of the latest draft.
@kalilinux
https://opensource.org/blog/community-input-drives-the-new-draft-of-the-open-source-ai-definition
Is "open source" AI really open? What is an #open_source AI? Is it possible to have one? How?
The license for Meta’s LLaMa 2 restricts usage by any organization with 700 million or more monthly active users. Other licenses explicitly prohibit using #AI for illegal activities, which can vary widely country by country. Are those models open source?
@kalilinux
https://leaddev.com/tech/be-careful-open-source-ai
Let's take a glance at the fragility of the open-source software supply chain.
Experts believe "The community model of just trusting [the code] because it’s open source was never a great model" and it needs to be changed.
When trust meets transparency in open-source, security risks aren’t far behind.
@kalilinux
https://cyberscoop.com/open-source-security-trust-xz-utils/
https://shiftmag.dev/unhappy-developers-stack-overflow-survey-3896/?utm_source=changelog-news
@kalilinux
Spoiler Alert:
Working with imperfect systems demoralizes programmers, making it difficult to do quality work.
Joseph Cox asked Signal's president whether the FBI has approached any of Signal's engineers to put certain code into Signal (the CEO of Telegram recently said the FBI did approach Telegram engineers to try to do this).
@kalilinux
404media is reporting that #Reddit is blocking ALL search engine crawls EXCEPT #Google – which is currently paying $60,000,000/year for the right to scrape Reddit for #AI training data.
More information:
https://www.404media.co/google-is-the-only-search-engine-that-works-on-reddit-now-thanks-to-ai-deal/
@kalilinux
Source
ESET researchers discovered a #zero_day Telegram for Android exploit that allows sending #malicious files disguised as videos.
@kalilinux
We were able to locate an example of the exploit, allowing us to analyze it further, and report it to Telegram on June 26th, 2024. On July 11th, they released an update that fixes the vulnerability in Telegram versions 10.14.5 and above. The #exploit only works on #Android #Telegram versions 10.14.4 and older.
Source
A CrowdStrike update is breaking computers running Windows, causing them to crash and display the blue screen of death. Across industries, companies around the world haven’t been able to reboot, according to reports. Firms affected by the outage include Sky News, which has been unable to broadcast.
Microsoft said it is taking “mitigation actions” after service issues it said started at about 6 p.m. Eastern Time. The company says it is investigating issues with cloud services in the U.S. and “an issue impacting several of its apps and services,” Sky News reported.
“We are aware of a scenario in which customers experience issues with their machines causing a bug check (blue screen) due to a recent CrowdStrike update,” a Microsoft spokesperson said. “We recommend customers to follow guidance provided by CrowdStrike.”
@kalilinux
https://www.forbes.com/sites/kateoflahertyuk/2024/07/19/crowdstrike-windows-outage-what-happened-and-what-to-do-next/
🚨🚨AT&T allegedly Paid a Hacker $370,000 to Delete Stolen Phone Records. "A security researcher who assisted with the deal says he believes the only copy of the complete dataset of call and text records of “nearly all” AT&T customers has been wiped—but some risks may remain." 🙂
@kalilinux
https://www.wired.com/story/atandt-paid-hacker-300000-to-delete-stolen-call-records/
When visiting a *.google.com domain, the Google site can use the API to query the real-time CPU, GPU, and memory usage of your browser, as well as info about the processor you're using, so that whatever service is being provided – such as video-conferencing with Google Meet – could, for instance, be optimized and tweaked so that it doesn't overly tax your computer. The functionality is implemented as an API provided by an extension baked into Chromium – the browser brains primarily developed by Google and used in Chrome, Edge, Opera, Brave, and others.
https://www.theregister.com/2024/07/12/chromium_api_system_information/
@kalilinux
Massive AT&T data breach exposes call logs of 109 million customers.
AT&T says that the stolen data contains the call and text records of nearly all AT&T mobile clients and customers of mobile virtual network operators (MVNOs) made from May 1 to October 31, 2022 and on January 2, 2023.
The stolen data includes:
. Telephone numbers of AT&T wireline customers and customers of other carriers.
. Telephone numbers with which AT&T or MVNO wireless numbers interacted.
. Count of interactions (e.g., the number of calls or texts).
. Aggregate call duration for a day or month.
. For a subset of records, one or more cell site identification numbers.
source
@kalilinux
Among the privacy-conscious, Proton is a very well-known name, thanks to their wide range of products and services that make it a major player in the space.
Just recently, Proton Pass launched Secure Links for safe, convenient password sharing.
Only the recipient can see the contents of these secure links, with the sender having a great deal of control over the link. Using the Proton Pass app (Web and Mobile), they can set an expiry period (1 hour-30 days), limit how many times it can be viewed, and, of course, revoke access to it.
And for a limited time, they are helping more people take advantage of secure sharing and other advanced features by offering a year of Pass Plus for only $12. You not only get Secure Links but also unlimited vaults and hide-my-email aliases, Dark Web Monitoring, the Proton Sentinel security program, integrated 2FA authenticator, and more. This offer ends July 21.
Check this link for more details on the new feature and the discount.
@kalilinux
Early last year, a hacker gained access to the internal messaging systems of OpenAI, the maker of ChatGPT, and stole details about the design of the company’s A.I. technologies.
The executives did not consider the incident a threat to national security because they believed the hacker was a private individual with no known ties to a foreign government. The company did not inform the F.B.I. or anyone else in law enforcement!
Fears that a hack of an American technology company might have links to China are not unreasonable. Last month, Brad Smith, Microsoft’s president, testified on Capitol Hill about how Chinese hackers used the tech giant’s systems to launch a wide-ranging attack on federal government networks.
Read more...
@Kalilinux
A rather interesting Bitcoin transaction was published and confirmed somewhere around two days ago.
It sends BTC to a non-standard bitcoin address that only contains 2 bytes ("bc1pfeessrawgf"), where the standard is for addresses to be 20 bytes long.
That non-standard address should appear on bitcoin explorers as the plain text term "non-standard", but the transaction author knew that mempool.space has a naive/buggy address parser and exploited that to make the address look like a valid-but-incredibly-short segwit address.
The transaction seems to attempt to use every form of valid bitcoin input and output type: p2pk (the oldest output type, where you send money directly to someone's public key), legacy (the format widely used from 2010 to 2017 -- also tied for oldest, since Satoshi included this format as a non-default option in bitcoin v0), "bare multisig" where the output is a list of two or more public keys, P2SH multisig where the output is a "hash" of two or more public keys, "nested segwit," "native segwit v0," segwit v1 (i.e. taproot), plus two unusual lightning-related utxos: an in-flight HTLC and a force closure tx.
the input amounts contain several interesting numbers:
. 6102 is the executive order by which Roosevelt implemented a partial ban on self-custodied gold in the USA
. 1913 is the year he did that
. 1971 is the year the USA abandoned the gold standard
. 2140 is the year bitcoin's block subsidy stops
and so many more interesting references.
And its OP_RETURN is "Not your inputs, not your outputs"!
You can check this transaction here and read about it here on stacker.news
@Kalilinux
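An added example (not from the original post or from any explorer's code) of a strict parser for the address discussed above: it verifies the BIP-350 checksum, the witness version and the program length before labelling an address. The function names and the labels returned by `classify` are assumptions made for illustration.

```python
# Added example: strict BIP-173/BIP-350 decoding of the address quoted in the post.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)

def polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk

def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def decode_segwit(addr):
    """Return (witness_version, program_bytes) or raise ValueError."""
    if addr.lower() != addr and addr.upper() != addr:
        raise ValueError("mixed case")
    hrp, sep, data = addr.lower().rpartition("1")
    if not sep or not hrp or len(data) < 7 or any(c not in CHARSET for c in data):
        raise ValueError("malformed bech32 string")
    values = [CHARSET.index(c) for c in data]
    version = values[0]
    # Version 0 uses the bech32 constant 1; versions 1+ use the bech32m constant.
    if polymod(hrp_expand(hrp) + values) != (1 if version == 0 else BECH32M_CONST):
        raise ValueError("bad checksum")
    acc = bits = 0
    program = bytearray()
    for v in values[1:-6]:          # regroup 5-bit symbols into bytes
        acc, bits = (acc << 5) | v, bits + 5
        if bits >= 8:
            bits -= 8
            program.append((acc >> bits) & 0xFF)
    if bits >= 5 or acc & ((1 << bits) - 1):
        raise ValueError("bad padding")
    if version > 16 or not 2 <= len(program) <= 40:
        raise ValueError("invalid witness version or program length")
    if version == 0 and len(program) not in (20, 32):
        raise ValueError("invalid v0 program length")
    return version, bytes(program)

def classify(addr):
    version, program = decode_segwit(addr)
    if version == 0:
        return "segwit v0"
    if version == 1 and len(program) == 32:
        return "taproot"
    # Label follows the post's description; this "standard" set is an assumption.
    return f"non-standard (v{version}, {len(program)}-byte program)"
```

Run on `bc1pfeessrawgf`, the decoder accepts the checksum and yields a version 1 witness program of two bytes, which `classify` reports as non-standard rather than as an ordinary address.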
