Josh Chessman
beansb.bsky.social
Technologist and lover of science (fiction and otherwise) https://www.linkedin.com/in/Josh-Chessman
I don't see how this could possibly go wrong. I think #AI has some really amazing uses (if anyone can ever figure out how to make it profitable) but I'm not sure this is one of them.
#chatgpt #erotica #whatcouldgowrong
ChatGPT erotica coming soon with age verification, CEO says
Sam Altman claims new tools can detect mental distress while relaxing limits for adults.
arstechnica.com
I hate #BPF (Berkeley Packet Filter) but its mostly unrelated cousin #eBPF is pretty cool. And now it has a new use - helping hide a #rootkit. Bad that #AWS infrastructure was hacked but silver lining that we discovered a new use for eBPF?
LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets
Synacktiv uncovered LinkPro, a Golang rootkit using eBPF hide/knock modules activated by TCP window 54321.
thehackernews.com
#AI struggles to make money. Costs are high and it turns out that if you train people to expect things for free they expect things for free. If 95% of your customers don't pay the other 5% is going to have to pay a lot. Guess we will see how valuable AI really is. #openai #llm #genai #costs #free
ChatGPT: so popular, hardly anyone will pay for it
If you build it, they will come and expect the service to be free
www.theregister.com
I've expressed my opinions on Roku in the past and this isn't improving my feelings towards them. While I wish I believed it would make a difference I seriously doubt it. Whatever the punishment it won't be close to enough to stop the actions. #pii #underage #children #data #cutitout
Roku accused of selling children’s data to advertisers and brokers
Florida claims Roku ignored clear signs its users were minors, collecting and selling viewing habits, voice recordings and precise locations.
www.malwarebytes.com
It seems so rare that bad actors are caught these days that it is heartening when it does happen. PowerSchool hacker Matthew Lane got 4 years in prison for the cyberattack in 2024. While deserved I do wish companies were better punished for their poor security as well. #security #cybersecurity
PowerSchool hacker gets sentenced to four years in prison
19-year-old college student Matthew D. Lane, from Worcester, Massachusetts, was sentenced to 4 years in prison for orchestrating a cyberattack on PowerSchool in December 2024 that resulted in a…
www.bleepingcomputer.com
I dabble with #passkeys a bit but don't use them everywhere. While they offer improved security in many ways it is important to remember that they are not a panacea for security. There are still risks, especially as vendors have to deal with both #passwords and passkeys. #security #cybersecurity
How Attackers Bypass Synced Passkeys
Synced passkeys expose enterprises to cloud takeover, browser hijacks, and downgrade attacks.
thehackernews.com
F5 is saying it isn't a big deal but I'd say a nation state getting access to your source code, undisclosed vulnerabilities, and more is a really, really, really big deal. No supply chain compromise has been identified (yet) but still concerning. #f5 #big-ip #hackers #security #cybersecurity
F5 says hackers stole undisclosed BIG-IP flaws, source code
U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code.
www.bleepingcomputer.com
There is a reason I back haul all my Internet traffic over a VPN when I'm not at home and this is the reason. I'm not doing anything particularly interesting but I don't need everyone and their professor seeing my traffic. #vpn #security #encryption #unencrypted
Oh goody, a new reason to worry about the safety of 2FA, at least in theory. Could an app steal enough of the correct screen pixels to get a 2FA code? Apparently at least in theory though I do wonder about how the timing would work. #android #2fa #security
Pixel-stealing “Pixnapping” attack targets Android devices
Imagine if a rogue app could glimpse tiny bits of your screen—even the parts you thought were secure, like your 2FA codes.
www.malwarebytes.com
Is it really a requirement to work 25 hours a day or is it a self-fulfilling prophecy that if you say you have to you have to? If a VC invested in a company where the CEO only put in 40 hours a week would it succeed? We will likely never know since VCs won't invest in that company. #VC #work #life
CEO of $8 billion AI company says it’s ‘mind-boggling’ that people think you can work 38 hours a week, have work-life balance, and be successful | Fortune
Cerebras cofounder Andrew Feldman warned aspiring entrepreneurs they need to be working “every waking minute,” echoing the likes of Zoom CEO Eric Yuan and LinkedIn’s Reid Hoffman.
fortune.com
#OpenAI released new jailbreaking protections which were immediately overcome. Turns out using an LLM to protect an LLM doesn't always work the way you expect. Maybe they need an LLM to protect the LLM that is protecting the LLM?
#llm #ai #jailbreak #guardrails #oops
Researchers break OpenAI guardrails
The maker of ChatGPT released a toolkit to help protect its AI from attack earlier this month. Almost immediately, someone broke it.
www.malwarebytes.com
For reasons that I fail to understand there are still orgs running web apps that require #IE so vendors like Microsoft provide a compatibility-mode within Edge that leverages Windows built-in #MSHTML rendering engine. Who would have thought that would be a #security issue? #web #ie6 #wtf
Microsoft restricts IE mode access in Edge after zero-day attacks
Microsoft is restricting access to Internet Explorer mode in Edge browser after learning that hackers are leveraging zero-day exploits in the Chakra JavaScript engine for access to target devices.
www.bleepingcomputer.com
Nothing to worry about folks, there is no AI bubble! Brian Sozzi of @yahoofinance.com says so. "I talk to CFOs and they walk me through their thinking, which seems logical. They aren't foaming at the mouth with wild-eyed predictions of grandeur similar to the late '90s." #skeptical #ai #bubble
Is the AI stock bubble about to explode?
Stop with the AI bubble talk, please!
finance.yahoo.com
I remember when most things were ad supported (TV, newspapers, magazines, etc.). Then we were told subscription fees would do away with ads. Now we seem to have the worst of all possible worlds: subscription fees and ads. So much for the ad-free future we were promised. #ads #amazon #subscriptions
People regret buying Amazon smart displays after being bombarded with ads
“I’m about to just toss the whole thing…”…
arstechnica.com
Criminals changing direct deposit is not a new scam but that doesn't mean it isn't an important one to be aware of. Especially with them now sitting in the middle to bypass MFA requests. #mfa #cybersecurity #workday #scams #security
Microsoft warns of new “Payroll Pirate” scam stealing employees’ direct deposits
Among other things, the scammers bypass multi-factor authentication.
arstechnica.com
Interesting new tool from @Microsoft.com. Apparently their CoPilots are so good that they want your boss to know if you aren't actually using it. Because, you know, that's not creepy.
#ai #copilot #microsoft #vivainsights #adoption #wtf
Microsoft adds Copilot adoption benchmarks to Viva Insights
Viva Insights turns AI guzzling into a leaderboard
www.theregister.com
More bad news from #SonicWall. If you backed up your SonicWall config to their cloud it appears it has been stolen. I'd say SonicWall doesn't seem to be able to catch a break but at some point you have to wonder if something else is up. #firewall #cloud #backup #security
SonicWall: Firewall configs stolen for all cloud backup customers
SonicWall has confirmed that all customers that used the company's cloud backup service are affected by the security breach last month.
www.bleepingcomputer.com
McKinsey is out with a report on how software vendors can monetize AI (who knew AI needed to make money). It isn't exactly looking good. Turns out orgs want pricing consistency but there's that whole making money thing that no one has figured out yet.
#ai #mckinsey #pricing #money
www.mckinsey.com
I'm as happy as anyone that this happened but it does beg the question of why it took so long for the police to do ANYTHING about it? Stories abound of people calling the police with the location of their stolen device and the authorities having no interest. #theft #police #wtf #smuggling
One stolen iPhone uncovered a network smuggling thousands of devices to China
Turns out Apple’s ‘Find My’ feature isn’t just for when your phone slips down the side of the couch.
www.malwarebytes.com
I try not to be too negative about #AI (though it's difficult) but I do think there is a crash coming and that it will be ugly. I'm seeing more and more commentary that leads me to believe I'm right. #crash #dotcom #bubble #boe
Bank of England smells hint of dotcom bubble 2.0 in AI froth
UK central bank warns of 'sudden correction' in tech stocks
www.theregister.com
Apple is poking @Microsoft.com's security, again. And, deservedly so. I wasn't impacted by last year's @crowdstrike.com #fiasco but my brother ended up taking four days to get home. Personally, I'm a #Linux guy but I use some Apple products and if I had to move off Linux I'd probably go #mac.
Apple turned the CrowdStrike BSOD issue into an anti-PC ad
Apple returns to mocking PC security
www.theverge.com