The Social Web (old posts, page 127)

Curl Warns GitHub About 'Malicious Unicode' Security Issue

A Curl contributor replaced an ASCII letter with a Unicode alternative in a pull request, writes Curl lead developer/founder Daniel Stenberg. And not a single human reviewer on the team (or any of their CI jobs) noticed. The change "looked identical to the ASCII version, so it was not possible to visually spot this..."

The impact of changing one or more letters in a URL can of course be devastating depending on conditions... [W]e have implemented checks to help us poor humans spot things like this. To detect malicious Unicode. We have added a CI job that scans all files and validates every UTF-8 sequence in the git repository. In the curl git repository most files and most content are plain old ASCII so we can "easily" whitelist a small set of UTF-8 sequences and some specific files; the rest of the files are simply not allowed to use UTF-8 at all as they will then fail the CI job and turn up red. In order to drive this change home, we went through all the test files in the curl repository and made sure that all the UTF-8 occurrences were instead replaced by other kinds of escape sequences and similar. Some of them were also used more or less by mistake and could easily be replaced by their ASCII counterparts. The next time someone tries this stunt on us it could be someone with less good intentions, but now ideally our CI will tell us... We want and strive to be proactive and tighten everything before malicious people exploit some weakness somewhere, but security remains this never-ending race where we can only do the best we can, while the other side is working in silence and might at some future point attack us in new creative ways we had not anticipated. That future unknown attack is a tricky thing.

In the original blog post Stenberg complained he got "barely no responses" from GitHub (joking "perhaps they are all just too busy implementing the next AI feature we don't want.") But hours later he posted an update:

"GitHub has told me they have raised this as a security issue internally and they are working on a fix."
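As an added illustration (example code, not curl's own CI script, which the post does not reproduce), here is a Python scanner in the spirit of the check Stenberg describes: it rejects malformed UTF-8, allowlists a small set of code points and a set of files, and reports every other non-ASCII character by position, code point and Unicode name, so a Cyrillic "а" standing in for a Latin "a" in a URL stops being invisible. The allowlists, file names and file contents below are hypothetical, constructed for this example.

```python
"""Flag non-ASCII and malformed UTF-8 in a source tree, in the spirit of the
curl CI check described above. Example code, not curl's own script."""
import sys
import unicodedata
from pathlib import Path

# Hypothetical allowlists: tune these to what your repository legitimately needs.
ALLOWED_CODEPOINTS = frozenset({0x00A9})          # U+00A9 COPYRIGHT SIGN
ALLOWED_FILES = frozenset({"docs/THANKS"})        # may contain arbitrary UTF-8


def scan(path: str, data: bytes) -> list[str]:
    """Return one finding per problem in the file; an empty list means clean.

    A file that is not valid UTF-8 is itself a finding (strict decoding rejects
    stray bytes and overlong encodings), even in an allowlisted file. Otherwise
    every character above 0x7F is reported with its Unicode name, so a reviewer
    sees "CYRILLIC SMALL LETTER A" instead of a glyph that looks like Latin "a".
    """
    try:
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as err:
        bad = data[err.start:err.end]
        return [f"{path}: invalid UTF-8 at byte {err.start}: {bad!r}"]
    if path in ALLOWED_FILES:
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp < 0x80 or cp in ALLOWED_CODEPOINTS:
                continue
            name = unicodedata.name(ch, "<unnamed>")
            findings.append(f"{path}:{lineno}:{col}: U+{cp:04X} {name}")
    return findings


def scan_tree(root: Path) -> list[str]:
    """Scan every regular file under root (skipping .git). Paths are reported
    relative to root so they match the ALLOWED_FILES entries."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or ".git" in p.parts:
            continue
        findings.extend(scan(p.relative_to(root).as_posix(), p.read_bytes()))
    return findings


# Constructed sample files standing in for a checkout. test1 has a Cyrillic
# small a (U+0430, bytes D0 B0) where a Latin "a" belongs; test2 hides a
# zero-width space (U+200B) inside a hostname; test3 is not valid UTF-8 at all.
# The first two render as the expected ASCII to a human reader.
SAMPLES = {
    "lib/url.c": b"/* plain ASCII */\n",
    "lib/version.c": "/* \u00a9 Daniel Stenberg */\n".encode("utf-8"),
    "docs/THANKS": "Bj\u00f6rn\n".encode("utf-8"),
    "tests/data/test1": b"https://example.com/p\xd0\xb0th\n",
    "tests/data/test2": b"https://curl\xe2\x80\x8b.se/\n",
    "tests/data/test3": b"abc\xffdef\n",
}


def scan_samples() -> list[str]:
    """Run the scanner over the constructed samples (offline demo path)."""
    findings = []
    for path, data in SAMPLES.items():
        findings.extend(scan(path, data))
    return findings


def main(argv: list[str]) -> int:
    """CI entry point: exit 1 when anything is found so the job turns red."""
    findings = scan_tree(Path(argv[0])) if argv else scan_samples()
    for finding in findings:
        print(finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the three constructed findings, or point it at a checkout (`python check_utf8.py .`) from a CI job. In a real pipeline you would feed it the output of `git ls-files` rather than walking the directory, so untracked build output and ignored files do not produce noise, and you would grow the allowlists only by explicit code review, since every entry is a place this check no longer protects.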

Read more of this story at Slashdot.

Despite Success of New 'Assassin's Creed' Game, Ubisoft Stock Tumbles 18%

"Shares of Ubisoft sank 18% on Thursday," reports CNBC, "after the French video game firm reported full-year earnings that disappointed investors... The company's shares have lost almost 60% of their value in the past 12 months, as the firm faced financial struggles, development hurdles, and underperformance of some of its key titles."

Ubisoft said its latest Assassin's Creed game "delivered the second-highest Day 1 sales revenue in franchise history and set a new record for Ubisoft's Day 1 performance on the PlayStation digital store," according to Reuters. And AFP notes that according to data from consultancy Circana, that game became the second-best-selling game of the year so far in the U.S. But...

[A] string of disappointing releases undermined this year's performance, with a net loss of 159 million euros ($178 million) on revenues of 1.9 billion — down 17.5 percent year-on-year. Over the past 12 months, Ubisoft's would-be blockbuster "Star Wars Outlaws" fell short of sales expectations on release, while it cancelled multiplayer first-person shooter "XDefiant" for lack of players. "This year has been a challenging one for Ubisoft, with mixed dynamics across our portfolio, amid intense industry competition," chief executive Yves Guillemot said in a statement. The group expects the measure to hold steady in the coming 2025-26 financial year, during which it will release a new "Prince of Persia" game, strategy title "Anno 117: Pax Romana" and mobile versions of shooters "Rainbow Six" and "The Division"... Moving to address its business woes, Ubisoft said in late March that it would create a new subsidiary to manage its three top franchises: "Assassin's Creed", "Far Cry" and "Rainbow Six".

"Since January, the shares have lost more than 12 percent, touching their lowest price in over a decade in April."

Read more of this story at Slashdot.