Tavis Ormandy
@taviso
Vulnerability researcher at Google. This is a personal stream, opinions expressed are mine. I'm also @taviso@social.sdf.org
California · lock.cmpxchg8b.com · Joined April 2008

Tavis Ormandy’s Tweets

FYI, I decided to report this to the FTC Inspector General. I doubt anything will happen -- too much time has passed, but I believe there was very clearly misconduct involved when I was threatened with criminal action at the behest of friends at Cloudflare. 🤷‍♂️
Quote Tweet
I've been told something improper may have happened here. Thank you, I'm looking into it. twitter.com/taviso/status/…
Weird x86 Question: I've been tracking down flakey in a checkpointing library. It turns out XINUSE flags seem to be changing non-deterministically... what is causing that? (click recompile ↻ and notice the number of tests change) godbolt:
I think it's never been archived, but I found a demo version in a shareware archive. I wasn't sure if it would work in the UNIX version, but it does seem to! It's an interactive puzzle game built with 1-2-3 macros... amazing lol😂 3/3
I've been reading back issues 😆 In the December 1987 reviews section it mentioned "Templates of Doom" - a text adventure game that runs inside a spreadsheet??? This was a real game you could buy for $49.95?? 2/3
Section of an article about "Templates of Doom"
Front cover of "Templates of Doom"
I've mentioned before I'm a Lotus 1-2-3 history nerd. In the 80s there was a Lotus magazine. Yeah, a monthly print magazine about spreadsheets... believe it or not, it had a respectable 8 year run lol. 🧵1/3
Three covers of Lotus magazine.
The first features a bearded man leaning on a monitor displaying a DOS spreadsheet. There is a flask of beer to the side, the headline reads "Distillery thrives with 1-2-3".
The second has an illustration of a circus, the headline is "A carnival of features".
The third has an illustration of a suited man parting a sea to reveal some forms. The headline is "17 tax tools put you in charge".
"It exploits CVE-2021-42298, a bug in the JavaScript engine of Microsoft Defender Malware Protection that was fixed in November 2021." Good time to quote twitter.com/taviso/status/ blog.google/threat-analysi
Quote Tweet
Replying to @taviso and @martijn_grooten
Here is the problem, if antivirus *just* didn't work, nobody would care. The problem is it doesn't work *and* makes people with targeted attackers unsafe. If you fixed that second problem, fair enough. But is there *any* vendor in your industry who will implement sandboxing?
Hey, help me codegolf this! 😂 c='children';[...document.querySelectorAll('div:has(>svg[aria-label="Verified account"])')].filter(b=>{for(p in b)if(p.match(/^__reactP/))return b[p][c].props[c][0][0].props.isBlueVerified}).map(b=>b.style.backgroundColor='red')
This sounds like a Halloween story, but I got an email with just an audio attachment. I don't speak the language, so fun opportunity to try out #whisper translation, right? Well, it was just creepy gibberish...🎃 This better not be like that tape from The Ring 😂
Machine transcription of an audio file in an xterm. The first line is "Yesterday I asked for a needle, how much do you need to go to lose the blood?"
Interesting bug of the day, user reported some code was hanging if they had recently rebooted. Turns out it was calibrating a delay loop using times().... which counts ticks since "(2^32/HZ) - 300 seconds before boot time", 300 seconds after boot it started working fine 😂
Interesting question for exchange admins! There's a discussion about whether a heavily redacted video of an email is authentic. In the video (3:47), part of a Thread-Index is briefly visible. The timestamp is a week later than the Date header, is that possible?
I found this old screenshot of my desktop from 2003. That's fvwm on Linux. For some reason I really wanted it to look like QNX photon! 😂
Screenshot of a Linux desktop. Xmms and a terminal is open.
The remind(1) man page turned out to be quite an adventure, there are sections explaining how the Hebrew calendar works and how to calculate with nautical and lunar events, etc... surprisingly fascinating! 😂
I've been reading man pages on my kindle lately, it works great! I think the secret to getting something readable is MANROFFOPT="-rS12 -rIN=0.25i -dpaper=a5 -P-pa5" man -Tpdf page > page.pdf
Photo of a Kindle displaying a UNIX man page for the remind(1) command.
I asked on an Archimedes fan forum, other people report a different starting location, and there is YouTube footage confirming that. Now I'm thinking it's maybe punishment if an anti-piracy check fails? Totally evil if true 😈 3/3
Screenshot of a YouTube video playing the game UIM, the current location is highlighted and "Suspected punishment start location" is written in red text.
Screenshot of a YouTube video playing the game UIM, the current location is highlighted and "Suspected correct start location" is written in red text.
Except... something isn't right, it's like the most boring game of all time. The starting location requires hours and hours of grinding math heavy trading runs to escape...I was a nerdy kid, but there is absolutely no way I had that much patience? 😂 2/3
screenshot of riscos with icons visible and the "UIM" game manual open. The icon bar is visible along the bottom of the screen, similar to the task bar in Windows.
Using standard sh only, and without cheating (cheating = perl, cc, dpkg, cap_dac_*, etc), how do you fix this? There are lots of correct answers, it's just for fun 😛
Quote Tweet
Replying to @singe
Another good one is `chmod 0 /bin/chmod`, it's funny but also a little puzzle😆
I've been told something improper may have happened here. Thank you, I'm looking into it.
Quote Tweet
Replying to @k8em0
True story: After cloudbleed, cloudflare literally lobbied the FTC to investigate me and question the legality of openly discussing security research. How come they're not lobbying their DC friends to investigate the legality of KF? 🤷‍♂️
I tried out imhex, it is a really good hex editor. I really like hiew, it's absurd how powerful it is, but it has a very steep learning curve. You can get started in imhex really quickly. I know about 010 -- hiew and imhex are both better imo! 😛