Large Language Models (LLMs) are being distributed across many devices and platforms. Having these models available on-device can help reduce the need for sending private data to cloud-hosted systems.
At the @w3c member meeting last month in #Hiroshima 🇯🇵, Chunhui Mo (Huawei) explored what it would take to expose these LLMs to #WebApps through a Web #API and the advantages it could bring in terms of #privacy, #security and #performance.
In the evolving digital landscape, "Identity on the Web" is crucial for online interaction, #privacy and #security.
At the @w3c member meeting in #Hiroshima 🇯🇵, Heather Flanagan, co-chair of the newly created W3C Federated Identity #WorkingGroup discussed challenges in establishing a common understanding of #identity and explored this topic's technological, social, and #ethical dimensions in relation to the W3C’s mission.
For the record I agree with @fernandofig, but I also want to add that a DoS is not necessarily a security risk. If it can be leveraged to expose sensitive information, then yes, that's a vulnerability; this isn't that.
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. (CVE-2024-24989)
Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3.
Traffic is disrupted while the NGINX process restarts. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) on the NGINX system. There is no control plane exposure; this is a data plane issue only.
NGINX Plus R30 P2 and R31 P1
Open source subscription R5 P2 and R6 P1
Open source mainline version 1.25.4
but most importantly:
The latest NGINX Open source stable version 1.24.0 is not affected.
And saving me the hassle of linking and quoting all 5 of the version history pages for the affected products, the uniting factor is: they're all based on Open Source versions 1.25.*
None of them are using the latest stable version.
It's not even going to affect most sites, and definitely not ones for whom downtime is a major issue: they would not be using the non-stable version, much less enabling experimental features in a non-stable version.
But the part that irks me the most is the dillution of what a CVE is. Back in the day, it meant "something that can lead to security breaches," now it just seems to mean "hey guys, I found a bug." And that's bad because now you have one of two outcomes: 1. unnecessarily panicking users by leading them to believe their software is a security risk when it isn't, or 2. compromising the integrity and usability of CVE reports by drowing the important ones in waves of "look guys, the program crashes when I can leverage root privileges to send it SIGKILL!"
If this was just a bug hunter trying to get paid, that's one thing, but these were internally assigned and disclosed. This was an inside job. And they either ignored or never consulted the actual experts, the ones they have within their own staff: the devs.
Why? To what end? Did they feel left out, what with not having any CVEs since 2022? Does this play some internal political struggle chess move? Do they just hate the idea of clear and unambiguous communication of major security holes to the general public? Are they trying to disrupt their own users' faith in their paid products? Does someone actually think a DoS is the worst thing that can happen? Is there an upper level manager running their own 1.25 instance that needs this fixed out-of-band?
W3C is seeking a full-time staff member to lead our Privacy standardization efforts.
The position is for remote work from anywhere in the world.
Requirements include: extensive knowledge of privacy technologies and methodologies, including authentication, identity management, cryptography and familiarity with core web technologies, such as HTML, HTTP, Web APIs, and scripting #hiring#webprivacy See more at: https://www.w3.org/news/2024/hiring-privacy-lead/
I've noticed that a lot of people on the #fediverse aren't particularly welcoming to those who don't initially get it or have trouble with it. You'd think that if multiple people say they have trouble picking an instance, it might be a genuine barrier to entry that we need to consider when introducing them to the fediverse. But no, instead of suggesting an instance to get rid of that barrier everyone gives unhelpful advice like "just pick one" or "it's not that hard." We'd have a much easier time getting people on the fediverse if there weren't so many people with this attitude of "the fediverse is simple, and the people who don't get it are lazy and should try harder."
Nginx gets forked by core developer ( mailman.nginx.org )