Lucene search

20 matches found

EUVD
added 2025/10/31 12:30 a.m., 3 views

EUVD-2025-37211

Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary cod...

8.4 CVSS, 7 AI score, 0.0001 EPSS
Exploits 0, References 3
Vulnrichment
added 2025/10/30 9:39 p.m., 3 views

CVE-2025-34287 Nagios XI < 2024R2 Privilege Escalation via process_perfdata.pl

Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary cod...

8.4 CVSS, 7.2 AI score, 0.0001 EPSS
Exploits 0, References 2
Positive Technologies
added 2025/10/30 12:0 a.m., 2 views

PT-2025-44524

Name of the Vulnerable Software and Affected Versions: Nagios XI versions prior to 2024R2. Description: Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable b...

8.4 CVSS, 7.2 AI score, 0.0001 EPSS
Exploits 0, References 5
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2025-8429

Malicious code in bioql PyPI...

6.5 CVSS, 6.5 AI score, 0.00128 EPSS
Exploits 0, References 1
Schneier on Security
added 2025/08/22 11:4 a.m., 2 views

AI Agents Need Data Integrity

Think of the Web as a digital territory with its own social contract. In 2014, Tim Berners-Lee called for a "Magna Carta for the Web" to restore the balance of power between individuals and institutions. This mirrors the original charter's purpose: ensuring that those who occupy a territory have ...

7.2 AI score
Exploits 0
Packet Storm News
added 2025/06/05 12:0 a.m., 3 views

Seven Security Challenges That Must Be Solved in Cross-Domain Multi-Agent LLM Systems

Large language models (LLMs) are rapidly evolving into autonomous agents that cooperate across organizational boundaries, enabling joint disaster response, supply-chain optimization, and other tasks that demand decentralized expertise without surrendering data ownership. Yet, cross-domain...

6.9 AI score
Exploits 0
Schneier on Security
added 2025/05/02 6:4 p.m., 4 views

Privacy for Agentic AI

Sooner or later, it's going to happen. AI systems will start acting as agents, doing things on our behalf with some degree of autonomy. I think it's worth thinking about the security of that now, while it's still a nascent idea. In 2019, I joined Inrupt, a company that is commercializing Tim...

6.8 AI score
Exploits 0
OSV
added 2025/03/26 11:15 p.m., 2 views

CVE-2025-20230

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin” or “power” Splunk roles could edit and delete other user data in App Key Value...

6.5 CVSS, 5.8 AI score
Exploits 0, References 1
NVD
added 2025/03/26 11:15 p.m., 12 views

CVE-2025-20230

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin” or “power” Splunk roles could edit and delete other user data in App Key Value...

6.5 CVSS, 0.00128 EPSS
Exploits 0, References 1
Cvelist
added 2025/03/26 10:24 p.m., 15 views

CVE-2025-20230 Missing Access Control and Incorrect Ownership of Data in App Key Value Store (KVStore) collections in the Splunk Secure Gateway App

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin” or “power” Splunk roles could edit and delete other user data in App Key Value...

4.3 CVSS, 0.00128 EPSS
Exploits 0, References 1
Vulnrichment
added 2025/03/26 10:24 p.m., 5 views

CVE-2025-20230 Missing Access Control and Incorrect Ownership of Data in App Key Value Store (KVStore) collections in the Splunk Secure Gateway App

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin” or “power” Splunk roles could edit and delete other user data in App Key Value...

4.3 CVSS, 4.6 AI score, 0.00128 EPSS
Exploits 0, References 1
Rapid7 Blog
added 2025/02/26 5:3 p.m., 6 views

MDR + SIEM: Why Full Access to Your Security Logs is Non-Negotiable

Many Managed Detection and Response (MDR) providers promise world-class threat detection, but behind the scenes they lock away your security logs, limiting your visibility and control. It’s your data — so why don’t you have full access to it? Isn’t the whole point of security to see everything...

7.6 AI score
Exploits 0
Schneier on Security
added 2024/07/25 11:5 a.m., 9 views

Data Wallets Using the Solid Protocol

I am the Chief of Security Architecture at Inrupt, Inc., the company that is commercializing Tim Berners-Lee's Solid open W3C standard for distributed data ownership. This week, we announced a digital wallet based on the Solid architecture. Details are here, but basically a digital wallet is a...

7.2 AI score
Exploits 0
NVD
added 2022/02/01 1:15 p.m., 12 views

CVE-2021-41571

In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a pointer to the data, and it is supposed to be a valid it f...

6.5 CVSS, 0.00979 EPSS
Exploits 1, References 3
Schneier on Security
added 2021/02/26 12:28 p.m., 33 views

The Problem with Treating Data as a Commodity

Excellent Brookings paper: "Why data ownership is the wrong approach to protecting privacy." From the introduction: Treating data like it is property fails to recognize either the value that varieties of personal information serve or the abiding interest that individuals have in their personal...

1.6 AI score
Exploits 0
The Hacker News
added 2020/12/11 11:29 a.m., 27 views

Governance Considerations for Democratizing Your Organization's Data in 2021

With the continuing rise of IoT devices, mobile networks, and digital channels, companies face a lot of pressure to generate meaningful and actionable insights from the wealth of data they capture. Gartner Research lists data democratization as one of the top strategic technology trends to watch...

0.5 AI score
Exploits 0
Schneier on Security
added 2020/02/21 8:4 p.m., 63 views

Inrupt, Tim Berners-Lee's Solid, and Me

For decades, I have been talking about the importance of individual privacy. For almost as long, I have been using the metaphor of digital feudalism to describe how large companies have become central control points for our data. And for maybe half a decade, I have been talking about the...

0.1 AI score
Exploits 0
Malwarebytes
added 2019/12/23 5:41 p.m., 59 views

Online privacy in 2019: a legislative review

For decades, the United States treated data privacy like an aging home, patching individual leaks and drafts only when a new storm hit. The country passed a law protecting healthcare-related information, and not much else. It then passed a law protecting video rental information, and not much els...

6.9 AI score
Exploits 0
Wired Threat Level
added 2019/11/09 2:43 a.m., 88 views

How Do We Bring Equality to Data Ownership and Usage?

Computational biologist Laura Boykin says scientists are “asleep at the wheel”; activist Malkia Devich-Cyril says citizens also need to pressure technology companies to change...

3.3 AI score
Exploits 0
OSV
added 2017/03/01 8:59 p.m., 2 views

CVE-2016-5374

NetApp Data ONTAP 9.0 and 9.1 before 9.1P1 allows remote authenticated users that own SMB-hosted data to bypass intended sharing restrictions by leveraging improper handling of the ownerrights ACL entry...

8.8 CVSS, 5.8 AI score, 0.00373 EPSS
Exploits 0, References 2