When will we learn?
Congratulations to Rust for its first (but not its last) supply-chain attack this week! They join a growing club of broken-by-design package managers which publish packages uploaded by vendors directly, with no review step, and ship those packages directly to users with no further scrutiny.
Improved Process Isolation in Firefox 100 - Mozilla Hacks - the Web developer blog
Firefox uses a multi-process model for additional security and stability while browsing: Web Content (such as HTML/CSS and JavaScript) is rendered in separate processes that are isolated from the rest of the operating system and managed by a privileged parent process. This way, the amount of control gained by an attacker that exploits a bug in a content process is limited.
Ever since we deployed this model, we have been working on improving the isolation of the content processes to further limit the attack surface. This is a challenging task since content processes need access to some operating system APIs to properly function: for example, they still need to be able to talk to the parent process.
In this article, we would like to dive a bit further into the latest major milestone we have reached: Win32k Lockdown, which greatly reduces the capabilities of the content process when running on Windows. Together with two major earlier efforts (Fission and RLBox) that shipped before, this completes a sequence of large leaps forward that will significantly improve Firefox’s security.
Although Win32k Lockdown is a Windows-specific technique, it became possible because of a significant re-architecting of the Firefox security boundaries that Mozilla has been working on for around four years, which allowed similar security advances to be made on other operating systems.
A tale of a trailing dot
Trailing dots on host names in URLs are the gift that keeps on giving.
Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot.
IBM/Red Hat and Fedora Leftovers
14 Open-source Text To Speech TTS apps and libraries
In 1961, physicist John Larry Kelly, Jr and his colleague Louis Gerstman used an IBM 704 computer to synthesize speech, an event among the most prominent in the history of Bell Labs.
Latest Steam Client Update Improves the File Picker on Linux and Fixes Many Bugs
For GNU/Linux users, the new Steam Client update improves the file picker by adding home and mounted drive paths to the file picker quick bar, as well as the ability for the file picker to remember the previous location when selecting Library custom art. It also fixes the file picker’s extension filters to appear when selecting Library custom art. Also for Linux users, the new Steam Client update addresses an issue that caused media pre-caching files to be re-downloaded when updating the graphics drivers and fixes the ability to add non-Steam shortcuts with spaces in the path.
