leds

joined 1 year ago

I don't know who needs to hear this, but qBittorrent has a nasty vulnerability (and there are some older ones too).

qBittorrent, on all platforms, did not verify any SSL certificates in its DownloadManager class from 2010 until October 2024. If it failed to verify a cert, it simply logged an error and proceeded.

To be exploitable, this bug requires either MITM access or DNS spoofing attacks, but under those conditions (seen regularly in some countries), impacts are severe.

The primary impact is single-click RCE for Windows builds from 2015 onward: when prompted to update Python, the exe is downloaded from a hardcoded URL, executed, and then deleted afterwards.

The secondary impact, for all platforms, is that the update RSS feed can be poisoned with malicious update URLs, which the user will open in their browser if they accept the prompt to update. This is browser hijacking and arbitrary exe delivery to a user who would likely trust whatever URL this software sent them to.

The tertiary impact is that an older CVE (CVE-2019-13640, https://www.cvedetails.com/cve/CVE-2019-13640/), which allowed remote command execution via shell metacharacters, could have been exploited by (government) attackers conducting either MITM or DNS spoofing attacks at the time, instead of only by the author of the feed.

Full write up is here: https://sharpsec.run/rce-vulnerability-in-qbittorrent/
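The fail-open handler the post describes, shown next to its fail-closed counterpart, as an added example that is not part of the original post and not qBittorrent's own code. The `FakeReply` class is a constructed stand-in for a Qt reply object, the URLs are placeholders, and the allow-listed update host is whatever the caller supplies; no real qBittorrent update host or feed layout is assumed.

```python
"""Added example (not qBittorrent's code): fail-open vs fail-closed TLS error
handling in a downloader, plus a scheme/host check for feed-supplied update URLs."""
import logging
import ssl
from dataclasses import dataclass, field
from typing import Callable, List, Set
from urllib.parse import urlsplit

log = logging.getLogger("downloader")


@dataclass
class FakeReply:
    """Minimal stand-in for a Qt QNetworkReply (constructed for this example)."""
    url: str
    ssl_errors: List[str] = field(default_factory=list)  # errors raised by the TLS layer
    ignored: bool = False   # handler chose to proceed despite the errors
    aborted: bool = False   # handler cancelled the transfer

    def ignore_ssl_errors(self) -> None:
        self.ignored = True

    def abort(self) -> None:
        self.aborted = True


def fail_open_handler(reply: FakeReply) -> None:
    """The pattern the post describes: log every certificate error, then proceed anyway."""
    for err in reply.ssl_errors:
        log.error("SSL error for %s: %s", reply.url, err)
    reply.ignore_ssl_errors()  # an attacker-supplied certificate is accepted here


def fail_closed_handler(reply: FakeReply) -> None:
    """Hardened pattern: a certificate error is fatal for the transfer."""
    for err in reply.ssl_errors:
        log.error("SSL error for %s: %s", reply.url, err)
    reply.abort()


def run_download(reply: FakeReply, on_ssl_errors: Callable[[FakeReply], None]) -> str:
    """Simulate the transfer. Returns 'delivered' when the body would reach the caller
    (and, in the Windows updater case from the post, be executed), else 'aborted'."""
    if reply.ssl_errors:
        on_ssl_errors(reply)
        if reply.aborted or not reply.ignored:
            return "aborted"
    return "delivered"


def strict_context() -> ssl.SSLContext:
    """Client context that fails closed: CA verification, hostname check, TLS >= 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_acceptable_update_url(url: str, allowed_hosts: Set[str]) -> bool:
    """Only open feed-supplied update links that are HTTPS and point at an expected host.
    allowed_hosts is caller-supplied; no real qBittorrent host is assumed."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    return parts.hostname.lower() in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    # Constructed scenario: a MITM presents a certificate that does not verify.
    err = ["certificate is self-signed"]
    print("fail-open  :", run_download(FakeReply("https://updates.example.test/feed", err), fail_open_handler))    # delivered
    print("fail-closed:", run_download(FakeReply("https://updates.example.test/feed", err), fail_closed_handler))  # aborted
    print("feed link ok:", is_acceptable_update_url("https://updates.example.test/new", {"updates.example.test"}))  # True
    print("feed link ok:", is_acceptable_update_url("http://updates.example.test/new", {"updates.example.test"}))   # False
```

The host check deliberately uses `urlsplit(...).hostname`, so a link like `https://updates.example.test@evil.example.test/` resolves to the attacker's host and is rejected; TLS verification alone does not help with the RSS case, because the poisoned feed is served over a correctly verified connection once the feed host itself is trusted.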

[–] leds@feddit.dk 21 points 1 month ago (1 children)

AI seems perfect for renewables load balancing. Got extra power to burn because it is windy at night? Train your models.

[–] leds@feddit.dk 17 points 1 month ago* (last edited 1 month ago)

Telegram has been supplying the US government with data on its users.

https://www.404media.co/telegram-confirms-it-gave-u-s-user-data-to-the-cops/

[–] leds@feddit.dk 11 points 1 month ago (1 children)

OK, what about the factory that makes the machines in the chip factory?

[–] leds@feddit.dk 1 points 1 month ago (1 children)

Also relevant:

[–] leds@feddit.dk 2 points 1 month ago

Seems like a good use for Android app pinning; I think that locks the phone to that app until unlocked.

[–] leds@feddit.dk 1 points 2 months ago (1 children)

Spotify might as well be doing this themselves already to avoid having to pay all those annoying artists.

[–] leds@feddit.dk 4 points 2 months ago

> what's iffy is smaller AC generators like windmills

Not so iffy for bigger wind turbines; these also have significant inertia due to the mass of the spinning rotor (with a large mass moment), and grid codes demand active grid stabilisation in most countries.

[–] leds@feddit.dk 4 points 4 months ago (1 children)
[–] leds@feddit.dk 3 points 4 months ago

Nah, just a regular climber who didn't double-check their knot; well, I guess it's free solo now.

[–] leds@feddit.dk 1 points 5 months ago

I have an old Mac mini running Nextcloud on Ubuntu; I did upgrade the memory and plug in an external SSD.

[–] leds@feddit.dk 3 points 5 months ago* (last edited 5 months ago) (1 children)
[–] leds@feddit.dk 36 points 6 months ago (6 children)

Got this:

Hello, Dell Technologies takes the privacy and confidentiality of your information seriously. We are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell. We believe there is not a significant risk to our customers given the type of information involved.

What data was accessed? At this time, our investigation indicates limited types of customer information were accessed, including:

  • Name
  • Physical address
  • Dell hardware and order information, including service tag, item description, date of order and related warranty information