Newsletter: https://riskybiznews.substack.com/p/tech-companies-eu-vulnerability-disclosure-rules
Podcast: https://risky.biz/RBNEWS205/

-Tech companies and security firms rally against EU vulnerability disclosure rules
-Apple and Atlassian patch zero-days
-Supermicro patches BMC bugs
-PEACHPIT ad fraud botnet goes down
-23andMe denies data breach
-Lyca Mobile goes down in cyber attack
-Sony discloses MOVEit breach
-NVD reaches 200k entries
-ECH support lands in Firefox
-Android 14 is out
-Pixel 8 support extended to 7 years
-Russia tests social scoring system

Also:

-MACE Act passes in US
-ASEAN casinos are laundering cybercrime profits
-Ransomware dwell time plummets from 5 to 1 day
-Hacker steals $100k crypto from Python devs
-Rootkits spotted on npm
-China's semiconductor espionage
-Operation Jacana
-macOS DirtyNIB vulnerability
-Cisco, X.org, cURL, and printer bugs
-NSA & CISA publish Top 10 misconfigs
-NSA & CISA publish IAM guidance for vendors
-CISA publishes Security Planning Workbook
-BlackBerry to split in two
-New tool—OpenPubkey

@14abadff

Interesting, breaking down their proposed corrections to #infosec Article 11:

Agencies should explicitly be prohibited from using or sharing vulnerabilities disclosed through the CRA for intelligence, surveillance, or offensive purposes.

Morally right, but hard to enforce, granted that nearly all of these are happening in secret anyway.

The CRA should not require reporting of vulnerabilities that are exploited through good faith security research.

That’s essentially to protect bug bounties, pentesting and zero-day traders from mandatory disclosure of vulnerabilities that are subject to NDA with their customers. This one I have a problem with because it only reinforces the effect of zero-days being a tradeable commodity and reduces Article 11 exclusively to situations where such a zero-day is caught in the wild, and even then you never know if it’s not “a friendly agency” using it “in good faith”.

Require reporting to agencies of mitigatable vulnerabilities only, within 72 hours of effective mitigations (e.g., a patch) becoming publicly available.

Granted that you can always mitigate a service as a last resort by simply switching it off, this one is rather harmful nonsense.