About the security content of iOS 18.4.1 and iPadOS 18.4.1 – Apple Support
Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.
Author: alecm
-
“Processing an audio stream in a maliciously crafted media file may result in code execution”
-
London Security Engineering Meetup: Alec Muffett “End to End Encryption: Why You Should Implement It” (May 08, 1800h)
Join us for the May edition of the London Security Engineering meetup at Wise’s London offices!
We are thrilled to host Alec Muffett, a distinguished technologist and security consultant with over 30 years of experience in cryptography and security.
https://www.meetup.com/london-security-engineering-group/events/307320393/
I’m going to try something a little more experimental with this presentation, aiming to avoid slides and foster a little more audience discussion than the usual “slide deck and slick talk” typical of some meetups; given the nature of the audience, my hope is for people who build systems and solutions to come away with a greater understanding of how to shape their code and solutions to build a product with a smaller attack surface and less risk.
If you have questions or issues that you would like to raise, please feel free to post a comment below.
-
MITRE / CVE is being killed by the Trump Government
This is incalculable harm to coordination of infosec response; via Brian Krebs:
MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration Program, will expire on April 16.
The CVE database is critical for anyone doing vulnerability management or security research, and for a whole lot of other uses. There isn’t really anyone else left who does this, and it’s typically been work that is paid for and supported by the US government, which is a major consumer of this information, btw.
I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April.[…]
Yosry Barsoum, vice president and director at MITRE’s Center for Securing the Homeland, said:
“On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”
https://www.linkedin.com/feed/update/urn:li:activity:7318006192021143554
-
Google rolling out auto-restart security feature to Android phones | One of the things I really love…
…about companies attempting to copy and outdo each other in terms of individual privacy protection, is that this bar-raising exercise is very much in the spirit of improving security for everybody, in spite of what various governments might think is in their own narrow best interest:
https://9to5google.com/2025/04/14/android-auto-restart-security/
-
The Pall Mall Pact and why it matters | Malwarebytes | …I don’t entirely agree that this is a good thing
Speaking as an author of “hacking tools” which have inspired the “hacking tools” of today — tools used by the kinds of people who *found* companies like Malwarebytes — I find perspectives such as this to be problematic, hypocritical, and lacking in dual-use perspective:
Commercial hacking tools have enabled intrusive surveillance practices that undermine fundamental freedom and human rights.
With a starting position like this, I worry about where we may end up for software freedom. The ITAR encryption regime and the Wassenaar “export control of malware” debacle need not be repeated.
https://www.malwarebytes.com/blog/news/2025/04/the-pall-mall-pact-and-why-it-matters
-
Boarding passes and check-in could be scrapped in air travel shake-up | The Guardian | …this is a really bad idea in several obvious ways
Dead batteries, lost documents, enabling “search” by customs & immigration… hell, no:
The [ICAO] plans to dramatically shake up existing rules for airports and airlines through the introduction of a “digital travel credential”. This would allow passengers to store passport information on their devices to be used for travel.
-
Why I Emphatically Oppose Online Age Verification Mandates | Technology & Marketing Law Blog
Eric Goldman on fire, again:
I hold uncompromising views on this topic. For reasons I explain in 63 anguished and tear-stained pages, I am a categorical “no” on all online age authentication mandates. To me, it doesn’t matter what the laws are called, how the authentication duties are styled, what sales hooks the vendors use to obfuscate their solutions’ deficiencies, or what hypothetical fantasy outcomes policymakers think will materialize if the technologists just “nerd harder”–I oppose them all.
-
tariff | PyPI
If you need a laugh this morning:
The GREATEST, most TREMENDOUS Python package that makes importing great again!
-
So You Want to Be a Dissident? | The New Yorker
We analyzed the literature of protest and spoke to a range of people, including foreign dissidents and opposition leaders, movement strategists, domestic activists, and scholars of nonviolent movements. We asked them for their advice … for those who want to oppose these dramatic changes but harbor considerable fear for their jobs, their freedom, their way of life, or all three.
https://www.newyorker.com/news/the-weekend-essay/so-you-want-to-be-a-dissident