New Mexico’s Meta Ruling and Encryption

Mike Masnick points out that the recent New Mexico court ruling against Meta has some bad implications for end-to-end encryption, and security in general: If the "design choices create liability" framework seems worrying in the abstract, the New Mexico case provides a concrete example of where it...

Block the Prompt, Not the Work: The End of "Doctor No"

There is a character that keeps appearing in enterprise security departments, and most CISOs know exactly who that is. It doesn’t build. It doesn’t enable. Its entire function is to say "No." No to ChatGPT. No to DeepSeek. No to the file-sharing tool the product team swears by. For years, this...

Landmark verdicts put Meta’s “addiction machine” platforms on trial

Meta faced two major legal setbacks this week as courts in New Mexico and California both found the company liable for harm to children. A New Mexico jury just ordered Meta to pay $375 million for misleading parents about child safety on Instagram and Facebook. Jurors found the company violated...

Hand over the keys for Shannon’s shenanigans

Welcome to this week's edition of the Threat Source newsletter. Last week, yet another security AI tool made the rounds on social media: Shannon, a fully autonomous AI penetration testing tool created by Keygraph. It "autonomously hunts for attack vectors in your code, then uses its built-in...

Future G Network'S New Reality: Opportunities and Security Challenges

Future G network's new reality is a widespread cyber-physical environment created by Integrated Sensing and Communication ISAC. It is a crucial technology that transforms wireless connections into ubiquitous sensors. ISAC unlocks transformative new capabilities, powering autonomous systems,...

EUVD-2020-27362

Malware in sbrugna...

EUVD-2019-5828

Malware in sbrugna...

EUVD-2020-22732

Malware in sbrugna...

FreeBSD : ISC KEA -- Multiple vulnerabilities (34744aab-3bf7-11f0-b81c-001b217e4ee5)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 34744aab-3bf7-11f0-b81c-001b217e4ee5 advisory. Internet Systems Consortium, Inc. reports: Tenable has extracted the preceding description blo...

CVE-2025-22921

FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c...

Exploit for Missing Authentication for Critical Function in Paloaltonetworks Pan-Os

Disclaimer: The vulnerabilities described in this article, alo...

Spyware Maker NSO Group Found Liable for Hacking WhatsApp

A judge has found that NSO Group, maker of the Pegasus spyware, has violated the US Computer Fraud and Abuse Act by hacking WhatsApp in order to spy on people using it. Jon Penney and I wrote a legal paper on the case...

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: Im speaking twice at RSA Conference 2024 in San Francisco. Ill be on a panel on software liability on May 6, 2024 at 8:30 AM, and Im giving a keynote on AI and democracy on May 7, 2024 at 2:25 PM. The list is maintained on this pag...

On Software Liabilities

Over on Lawfare, Jim Dempsey published a really interesting proposal for software liability: "Standard for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor." Section 1 of this paper sets the stage by briefly describing the problem to be solved. Section ...

On IoT Devices and Software Liability

New law journal article: Smart Device Manufacturer Liability and Redress for Third-Party Cyberattack Victims Abstract: Smart devices are used to facilitate cyberattacks against both their users and third parties. While users are generally able to seek redress following a cyberattack via data...

Film companies lose battle to unmask Reddit users

An interesting case marking the limits of what data big business can expect to dig up has concluded its day or to be more accurate, many days in court. Ars Technica reports that film companies have lost their battle to make social site Reddit identify anonymous users discussing piracy. No fewer...

The growth of commercial spyware based intelligence providers without legal or ethical supervision

Attackers have long used commercial products developed by legitimate companies to compromise targeted devices. These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware. This threat...

How Attorneys Are Harming Cybersecurity Incident Response

New paper: "Lessons Lost: Incident Response in the Age of Cyber Insurance and Breach Attorneys": Abstract: Incident Response IR allows victim firms to detect, contain, and recover from security incidents. It should also help the wider community avoid similar attacks in the future. In pursuit of...

Music Gallery Site v1.0 - SQL Injection Vulnerability (2)

Exploit Title: Music Gallery Site v1.0 - SQL Injection on page viewmusicdetails.php Exploit Author: Muhammad Navaid Zafar Ansari CVE Assigned: CVE-2023-0961 mitre.org nvd.nist.org Author Name: Muhammad Navaid Zafar Ansari Vendor Homepage: https://www.sourcecodester.com Software Link: Music Galler...

Facebook illegally processed user data, says court

The Amsterdam court has ruled that Facebook illegally processed user data in a case started by the Dutch Data Privacy Stichting DPS, a foundation that acts on behalf of victims of privacy violations in the Netherlands. According to the ruling, Facebook used personal data for advertising purposes ...