Will Dormann (@wdormann)'s Twitter Profile
Will Dormann

@wdormann

I play with vulnerabilities and exploits.
@[email protected]

ID:792754729

31-08-2012 01:06:35

12,6K Tweets

26,2K Followers

1,0K Following

The Washington Post (@washingtonpost)

The Federal Trade Commission banned noncompete agreements for most U.S. workers Tuesday with a new rule that will bar employers from enforcing clauses that restrict workers from switching employers within their industry. wapo.st/3Ut2ucM

Will Dormann (@wdormann)

This may come across as being mean, but if you haven't 'yet' installed security updates from 2021 and 2022, you might want to use this opportunity to do some soul searching about what you really want to be doing.

Will Dormann (@wdormann)

Reminder:
It's never been safe to run a program out of a directory that contains other untrusted files.
insights.sei.cmu.edu/blog/carpet-bo…

Will Dormann (@wdormann)

If you're a vendor, and you HTML-encode your PGP key to put it on the web, and *also* have it use emdashes instead of dashes...
You don't really want people to use PGP, do you?

BleepingComputer (@BleepinComputer)

A GitHub flaw (or bad design decision) is being abused to distribute malware through URLs linked to Microsoft’s repository, and others, to make the files appear trustworthy.
bleepingcomputer.com/news/security/…

Will Dormann (@wdormann)

Pennsylvania school board member successfully shields their students from hearing an anti-bullying topic delivered by
*checks notes*
someone proud of their lifestyle.

Whew! That was a close call. Right, Bud Shaffner?

Gynvael Coldwind (@gynvael)

So j00ru//vx published two posts on Windows Registry; given that there were a lot of fixes in Windows Registry in recent months I expect these to be fun ;)
googleprojectzero.blogspot.com/2024/04/the-wi…
googleprojectzero.blogspot.com/2024/04/the-wi…

Will Dormann (@wdormann)

Has anybody ever been glad that VMware Workstation defaults to enabling 'Accelerate 3D graphics' in Windows VMs?
Like... ever?

Will Dormann (@wdormann)

What are the consequences of a vendor for a security product choosing to use a feature (shell=true) that's well documented to introduce vulnerabilities?
Oh, right. None.
There aren't any.

Justin Elze (@HackingLZ)

Since it's out there now this is what I caught in wild CVE-2024-3400

GET /global-protect/login.esp HTTP/1.1
Host: X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept-Encoding: gzip, deflate, br

Will Dormann (@wdormann)

Can someone please tell me a reason why AI-generated content in the future will be better than what it is today?
The feedback loop of AI learning from AI-generated content ad infinitum seems... Non-ideal?
There are guardrails in place, right?
Right?

Dino A. Dai Zovi (@dinodaizovi)

Serious question: at which point do we all, as an industry, finally agree that no Internet-facing middlebox that aggregates and intermediates SSL/TLS traffic is an acceptable approach to implementing a security capability?
