Friday Squid Blogging: New Vulnerability in Squid HTTP Proxy Server
Aug. 8th, 2025 11:22 pm![[syndicated profile]](https://www.dreamwidth.org/img/silk/identity/feed.png){kind=small}
bruce_schneier_feedIn a rare squid/security combined post, a new vulnerability was discovered in the Squid HTTP proxy server.
bruce_schneier_feed
Sidewise Award Announcement
Aug. 8th, 2025 06:21 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
james_davis_nicollThe Sidewise Award for Alternate History is looking for new judges to join the award committee.
This is the first time in the 30 year history of the award that they've made an open call for awards judges.
Apply here.
This is the first time in the 30 year history of the award that they've made an open call for awards judges.
Apply here.
Five User-Friendly Rulesets for Tabletop Roleplaying Games
Aug. 8th, 2025 10:22 amjames_davis_nicoll
Not every gamer finds joy in wildly complicated, esoteric, hard-to-learn rules...
Five User-Friendly Rulesets for Tabletop Roleplaying Games
Aurora Award Livestream
Aug. 8th, 2025 09:48 amjames_davis_nicollHosted by Mark Leslie Lefebvre and Liz May Anderson.
Sunday August 10 at 5 PM: Livestream broadcast of the 2025 Aurora Awards, Canada’s annual English-language Science Fiction and Fantasy Awards.
Hearts of Wulin by Joyce Ch'ng & Lowell Francis
Aug. 8th, 2025 09:28 amjames_davis_nicoll
Righteous characters pursue great justice in this wuxia TTRPG.
Hearts of Wulin by Joyce Ch'ng & Lowell Francis
Google Project Zero Changes Its Disclosure Policy
Aug. 8th, 2025 11:01 ambruce_schneier_feedGoogle’s vulnerability finding team is again pushing the envelope of responsible disclosure:
Google’s Project Zero team will retain its existing 90+30 policy regarding vulnerability disclosures, in which it provides vendors with 90 days before full disclosure takes place, with a 30-day period allowed for patch adoption if the bug is fixed before the deadline.
However, as of July 29, Project Zero will also release limited details about any discovery they make within one week of vendor disclosure. This information will encompass:
- The vendor or open-source project that received the report
- The affected product
- The date the report was filed and when the 90-day disclosure deadline expires
I have mixed feelings about this. On the one hand, I like that it puts more pressure on vendors to patch quickly. On the other hand, if no indication is provided regarding how severe a vulnerability is, it could easily cause unnecessary panic.
The problem is that Google is not a neutral vulnerability hunting party. To the extent that it finds, publishes, and reduces confidence in competitors’ products, Google benefits as a company.
The Old World Character Generation
Aug. 7th, 2025 09:30 pmjames_davis_nicollMore details later but it seems the group is essentially Don Quixote in the form of a Brettonian knight's bastard who has completely bought into chivalric ideals despite the fact no true knight considers him worthy to have such ideals, and an assortment of hangers-on who see him as a meal ticket.
Which is to say, the group is centred on someone who will seek out adventure.
Which is to say, the group is centred on someone who will seek out adventure.
For Want of a Cable
Aug. 7th, 2025 03:10 pmbillroperSome projects get closer to done than others.
Yesterday, I assembled the desktop dual monitor stand and put the two new/refurb monitors on it, one on top of the other. Today, the Amazon shipment arrived with the missing cables and I figured I'd take a few minutes, run down to the basement and hook everything up. Getting the power cords into the monitors was a bit more challenging than I'd hoped, but by picking the tower up and putting it in my lap, I managed to get that done. All I had to do was to plug in the display port cables. I had ordered one with the monitors and another from Amazon last night when I realized that these monitors do not have a display port passthrough.
The cable from Amazon is fine. The cable from the refurb place is an HDMI to display port cable. Since these monitors do not have an HDMI port, that's sort of useless.
I have sent a complaint off to the refurb place. In the meantime, I have ordered yet another display port cable from Amazon which should arrive tomorrow.
*sigh*
In other news, the monitors on my desk are a slightly newer version. They have display port passthrough *and* an HDMI port. And they are going to stay *exactly* where they are. :)
Yesterday, I assembled the desktop dual monitor stand and put the two new/refurb monitors on it, one on top of the other. Today, the Amazon shipment arrived with the missing cables and I figured I'd take a few minutes, run down to the basement and hook everything up. Getting the power cords into the monitors was a bit more challenging than I'd hoped, but by picking the tower up and putting it in my lap, I managed to get that done. All I had to do was to plug in the display port cables. I had ordered one with the monitors and another from Amazon last night when I realized that these monitors do not have a display port passthrough.
The cable from Amazon is fine. The cable from the refurb place is an HDMI to display port cable. Since these monitors do not have an HDMI port, that's sort of useless.
I have sent a complaint off to the refurb place. In the meantime, I have ordered yet another display port cable from Amazon which should arrive tomorrow.
*sigh*
In other news, the monitors on my desk are a slightly newer version. They have display port passthrough *and* an HDMI port. And they are going to stay *exactly* where they are. :)
Gaudeamus Igitur: A Misktatonic University LARP Report
Aug. 7th, 2025 11:16 amdavidlevineI am writing at the airport on the way home from Philadelphia, where I played in the Miskatonic University North America LARP organized by Chaos League in conjunction with Reverie Studio. This was a Live Action Role Play game loosely based on the stories of H.P. Lovecraft, which took place at Miskatonic University in Arkham, Massachusetts in 1924.
This report contains SPOILERS.
( Read more... )
This report contains SPOILERS.
( Read more... )
The Integral Trees (Integral Trees, volume 1) by Larry Niven
Aug. 7th, 2025 08:47 amjames_davis_nicoll
Climate change provides a tribal leader a pretext to dispatch his least favourite tribe members on an ill-fated expedition from which none will return.
The Integral Trees (Integral Trees, volume 1) by Larry Niven
China Accuses Nvidia of Putting Backdoors into Their Chips
Aug. 7th, 2025 11:05 ambruce_schneier_feedThe government of China has accused Nvidia of inserting a backdoor into their H20 chips:
China’s cyber regulator on Thursday said it had held a meeting with Nvidia over what it called “serious security issues” with the company’s artificial intelligence chips. It said US AI experts had “revealed that Nvidia’s computing chips have location tracking and can remotely shut down the technology.”
I guess I have to stop reviewing current and upcoming Viz manga
Aug. 6th, 2025 11:31 pmWiring It Up
Aug. 6th, 2025 10:03 pmbillroperI have managed to assemble the dual monitor stand and get the new refurbished monitors hooked up. Unfortunately, I have discovered that the ports on these monitors are not what I had expected -- or else my memory of what the ports are on the monitors in my office is faulty. But these monitors do not have a display port passthrough to allow you to daisy chain them, which I *thought* the monitors in the office had. Maybe they do, but I'm not going to go messing around in there to try to figure it out.
So I have verified that the rather peppy processor in the new studio computer should run up to *four* displays on the Intel Integrated Graphics at the stunningly high 1080p resolution that I need here. All I need is a display port splitter. I have ordered one. And another display port cable. And a USB adapter brick to power the display port splitter. And another power strip so that I don't have to steal every extension cord in the house. *And* a mini-DP to display port cable which I am pretty sure will work with the monitor that I am sending to school with K and the new laptop that is waiting for her there.
Gretchen sent me a text asking when I would be done in the studio and I explained that I was ordering cables. This made her laugh, because *every* time I go to wire something in the studio, more cables are in order.
So I have verified that the rather peppy processor in the new studio computer should run up to *four* displays on the Intel Integrated Graphics at the stunningly high 1080p resolution that I need here. All I need is a display port splitter. I have ordered one. And another display port cable. And a USB adapter brick to power the display port splitter. And another power strip so that I don't have to steal every extension cord in the house. *And* a mini-DP to display port cable which I am pretty sure will work with the monitor that I am sending to school with K and the new laptop that is waiting for her there.
Gretchen sent me a text asking when I would be done in the studio and I explained that I was ordering cables. This made her laugh, because *every* time I go to wire something in the studio, more cables are in order.
Back on pilgrimage
Aug. 6th, 2025 09:36 pmmrissaGood news, fellow humans! My short story A Pilgrimage to the God of High Places, which appeared last year in Beneath Ceaseless Skies, is a finalist for the WSFA Small Press Award for short fiction.
I am seriously chuffed about this for a number of reasons. One, you know how everyone always says it's an honor just to be a finalist? You know why they say that? Because it is in fact an honor just to be a finalist. So many wonderful stories come out in this field every year that--well, you've seen my yearly recommendation lists. They're quite long. Winnowing them to any smaller group? Amazing, thank you, could easily have been a number of other highly qualified stories by wonderful writers, I am literally just glad to be on the team and hope I can help the ball club. Er, programming staff.
But here's another reason: if you've read that story--which you can do! please do! it's free, and it turns out people like it!--you will immediately see that it is a story about a disabled person. That disabled person is not me, does not have my family or my career or anything like that. But it is my disability. I put my own disability into this story. I gave someone with my disability a story in which they do not have to be "fixed" to be the hero. And...this is not a disability-focused award. This is just an award for genre short fiction. So I particularly appreciate that the people who were selecting stories looked a story with a disabled protagonist whose disability is inherent to the story without being the problem that needs solving and said, yeah, we appreciate that. Thank you. I appreciate you too.
Bundle of Holding: Fight With Spirit
Aug. 6th, 2025 02:06 pmjames_davis_nicoll
Fight With Spirit, the sports drama tabletop roleplaying game from Storybrewers Roleplaying (Good Society).
Bundle of Holding: Fight With Spirit
Blue Eye of Horus, volume 2 by Chie Inudou
Aug. 6th, 2025 09:01 amjames_davis_nicoll
With her brother/husband Seti off crushing Egypt's enemies, future Pharaoh Hatshepsut expands her power at home by freeing slaves, alienating priests, and inconveniencing a homicidal concubine. Results are mixed.
Blue Eye of Horus, volume 2 by Chie Inudou
The Semiconductor Industry and Regulatory Compliance
Aug. 6th, 2025 04:35 ambruce_schneier_feedEarlier this week, the Trump administration narrowed export controls on advanced semiconductors ahead of US-China trade negotiations. The administration is increasingly relying on export licenses to allow American semiconductor firms to sell their products to Chinese customers, while keeping the most powerful of them out of the hands of our military adversaries. These are the chips that power the artificial intelligence research fueling China’s technological rise, as well as the advanced military equipment underpinning Russia’s invasion of Ukraine.
The US government relies on private-sector firms to implement those export controls. It’s not working. US-manufactured semiconductors have been found in Russian weapons. And China is skirting American export controls to accelerate AI research and development, with the explicit goal of enhancing its military capabilities.
American semiconductor firms are unwilling or unable to restrict the flow of semiconductors. Instead of investing in effective compliance mechanisms, these firms have consistently prioritized their bottom lines—a rational decision, given the fundamentally risky nature of the semiconductor industry.
We can’t afford to wait for semiconductor firms to catch up gradually. To create a robust regulatory environment in the semiconductor industry, both the US government and chip companies must take clear and decisive actions today and consistently over time.
Consider the financial services industry. Those companies are also heavily regulated, implementing US government regulations ranging from international sanctions to anti-money laundering. For decades, these companies have invested heavily in compliance technology. Large banks maintain teams of compliance employees, often numbering in the thousands.
The companies understand that by entering the financial services industry, they assume the responsibility to verify their customers’ identities and activities, refuse services to those engaged in criminal activity, and report certain activities to the authorities. They take these obligations seriously because they know they will face massive fines when they fail. Across the financial sector, the Securities and Exchange Commission imposed a whopping $6.4 billion in penalties in 2022. For example, TD Bank recently paid almost $2 billion in penalties because of its ineffective anti-money laundering efforts
An executive order issued earlier this year applied a similar regulatory model to potential “know your customer” obligations for certain cloud service providers.
If Trump’s new license-focused export controls are to be effective, the administration must increase the penalties for noncompliance. The Commerce Department’s Bureau of Industry and Security (BIS) needs to more aggressively enforce its regulations by sharply increasing penalties for export control violations.
BIS has been working to improve enforcement, as evidenced by this week’s news of a $95 million penalty against Cadence Design Systems for violating export controls on its chip design technology. Unfortunately, BIS lacks the people, technology, and funding to enforce these controls across the board.
The Trump administration should also use its bully pulpit, publicly naming companies that break the rules and encouraging American firms and consumers to do business elsewhere. Regulatory threats and bad publicity are the only ways to force the semiconductor industry to take export control regulations seriously and invest in compliance.
With those threats in place, American semiconductor firms must accept their obligation to comply with regulations and cooperate. They need to invest in strengthening their compliance teams and conduct proactive audits of their subsidiaries, their customers, and their customers’ customers.
Firms should elevate risk and compliance voices onto their executive leadership teams, similar to the chief risk officer role found in banks. Senior leaders need to devote their time to regular progress reviews focused on meaningful, proactive compliance with export controls and other critical regulations, thereby leading their organizations to make compliance a priority.
As the world becomes increasingly dangerous and America’s adversaries become more emboldened, we need to maintain stronger control over our supply of critical semiconductors. If Russia and China are allowed unfettered access to advanced American chips for their AI efforts and military equipment, we risk losing the military advantage and our ability to deter conflicts worldwide. The geopolitical importance of semiconductors will only increase as the world becomes more dangerous and more reliant on advanced technologies—American security depends on limiting their flow.
This essay was written with Andrew Kidd and Celine Lee, and originally appeared in The National Interest.
Synchronicity
Aug. 5th, 2025 10:47 pmbillroperI am very fond of the movie "That Thing You Do" and regard the sound track as a master class in how to write musical pastiches. The title track was written by the late Adam Schlesinger and is clearly a Beatles pastiche. I concluded a while back that the Beatles source song which had been twisted around was "Please Please Me", given the way that you can segue neatly from the pastiche to the original and back.
Now, if you've seen the movie, you know that one of the plot points was that the original version of "That Thing You Do" was a slow, boring ballad. It was then shifted to be up tempo and became a much, much better song and a big hit.
So this morning, I read the article linked below about how Decca Records didn't sign the Beatles based on the demo they were given, apparently for good reasons. And near the end of the article, there is a discussion about how "Please Please Me" started out as a slow ballad and was of no interest to the label, but then the Beatles took it up tempo, the label recorded it, and the song became a big hit.
Uh huh. Ok.
Why Decca Didn't Sign the Beatles
Now, if you've seen the movie, you know that one of the plot points was that the original version of "That Thing You Do" was a slow, boring ballad. It was then shifted to be up tempo and became a much, much better song and a big hit.
So this morning, I read the article linked below about how Decca Records didn't sign the Beatles based on the demo they were given, apparently for good reasons. And near the end of the article, there is a discussion about how "Please Please Me" started out as a slow ballad and was of no interest to the label, but then the Beatles took it up tempo, the label recorded it, and the song became a big hit.
Uh huh. Ok.
Why Decca Didn't Sign the Beatles