Microsoft Recall’s Security & Privacy, Hacking Web APIs, Secure Design Pledge – ASW #288
Looking at use cases and abuse cases of Microsoft's Recall feature, examples of hacking web APIs, CISA's secure design pledge, what we look for in CVEs, a nod to PHP's history, and more!
- 1. Update on the Recall preview feature for Copilot+ PCs | Windows Experience Blog
- 2. Hacking Millions of Modems (and Investigating Who Hacked My Modem)
- 3. Taking Down Big Laundry – Slug Security
- 4. Risky Biz News: The Linux CNA mess
How do we want to use CVEs? What makes them useful?
- 5. Microsoft overhaul treats security as ‘top priority’ after a series of failures – The Verge
- 6. Secure by Design Pledge | CISA
Goals
- MULTI-FACTOR AUTHENTICATION (MFA)
- DEFAULT PASSWORDS
- REDUCING ENTIRE CLASSES OF VULNERABILITY
- SECURITY PATCHES
- VULNERABILITY DISCLOSURE POLICY
- CVES
- EVIDENCE OF INTRUSIONS
- 7. Evolving the Go Standard Library with math/rand/v2 – The Go Programming Language
Example of secure design considerations
- 8. Real World Cryptography Conference 2024 | NCC Group Research Blog
“Making Signal Messenger Post Quantum / Making Encrypted Messaging Post Quantum” is another example of secure design.
- 9. [HISTORY] Announce: Personal Home Page Tools (PHP Tools)
Announcing the Personal Home Page Tools (PHP Tools) version 1.0 on June 8, 1995.
- 1. Intel whitepaper: Hardware Features and Behavior Related to Speculative Execution
Since we first learned of speculative execution bugs several years ago, there have been many attempts to mitigate them. Intel has put together a paper describing its hardware capabilities in this space.
- 2. 20% of Rust Crates use Unsafe keyword
In Rust, `unsafe` is a sudo-like escape hatch: it allows a programmer to do things the language otherwise tries to prevent, such as accessing out-of-scope memory.
I translate this as 20% of Rust programmers are lazy, or don't fully understand the language.
- 3. Path traversal in tar extract in intel cve-bin-tool
In celebration of the return of the news, a ../.. just for Mike.
- 4. Netflix hits $1M bug bounty payout
It's the new unicorn.