Useful reference by @quarkslab #clang #hardening Cheat Sheet - Ten Years Later https://blog.quarkslab.com/clang-hardening-cheat-sheet-ten-years-later.html

A few days ago, a client’s data center "vanished" overnight. My monitoring showed that all devices were unreachable. Not even the ISP routers responded, so I assumed a sudden connectivity drop. The strange part? Not even via 4G. I then suspected a power failure, but the UPS should have sent an […]

Cool bug 🐞 CVE-2025-4802: Arbitrary library path #vulnerability in static setuid binary in #glibc https://hackyboiz.github.io/2025/12/03/millet/cve-2025-4802/

CVE-2025-12543: Host Header Validation Bypass in #undertow https://www.endorlabs.com/learn/cve-2025-12543-host-header-validation-bypass-in-undertow

This is a good #rustinproduction episode “In this episode, we speak with Danilo Krummrich, Linux kernel maintainer and Rust for Linux core team member, about the groundbreaking work of integrating Rust into the Linux kernel.” https://corrode.dev/podcast/s05e06-rust4linux/

Well, I didn't have this on my 2026 Bingo card... "‘Stop sending butt plugs to Bahrain’: Toronto sex store receives letters from U.S. Department of War": https://www.ctvnews.ca/toronto/article/stop-sending-butt-plugs-to-bahrain-toronto-sex-store-receives-letters-from-us-department-of-war/

My MongoDB honeypot is now open source: https://gitlab.com/bontchev/mongopot Visualization (not included in the repo): https://pandora.nlcv.bas.bg/grafana/d/EysKAV4Dz/mongopot

#bugs that survive the heat of continuous #fuzzing by @GitHubSecurityLab https://github.blog/security/vulnerability-research/bugs-that-survive-the-heat-of-continuous-fuzzing/

0x6161616161616161

“The single most common way technical founders kneecap themselves is not starting from a problem but from a solution. Usually they have invented some form of technology that can do something new and impressive, and they are looking around for a problem that could be solved with it. […] A founder […]

We are here

Today I saw this UNIX v4 PDP11 emulator (running simh in the browser) and decided to write an IO plugin for radare2 to load tapes. Here's the source in case you are curious about how tapes are structured and how to extend r2 with new features like IO backends […]

“The crucial lesson was that the scope of things I didn't know wasn't merely vast; it was, for all practical purposes, infinite. That realization, instead of being discouraging, was liberating. If our ignorance is infinite, the only possible course of action is to muddle through as best we can.” […]

I was recently reminded of this. A couple decades ago, I wrote a short paper that described how the basic approaches of cryptography and computer security lead to an efficient and practical privilege escalation attack against master-keyed mechanical lock, which I published in IEEE Security and […]

“We learn different lessons from finishing projects than we do from starting them. Starting teaches us about ideation and initial implementation. Finishing, on the other hand, teaches us about perseverance, attention to detail, and the art of knowing when to let go. These are invaluable skills […]

The documentation for this image processing library is one of the most interesting things I've read in weeks: https://github.com/celoyd/potato/blob/main/docs/personal.md https://github.com/celoyd/potato/blob/main/README.md https://github.com/celoyd/potato/blob/main/docs/concepts.md […]

Oh. yay. "mongobleed" — https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py CVE-2025-14847 "Exploits zlib decompression bug to leak server memory via BSON field names.” "Technique: Craft BSON with inflated doc_len, server reads field names from leaked memory until null byte.”

Who would’ve thought?! I survived #whamageddon! It’s a proper Christmas miracle 😜

Here's the document release you were waiting for today! The UNIX V4 tape! https://archive.org/details/utah_unix_v4_raw #retrocomputing

#poc for CVE-2025-65945 (Improper Verification of Cryptographic Signature in node-jws) https://github.com/jedisct1/CVE-2025-65945-poc

#freebsd-SA-25:12.rtsold Security Advisory Remote code execution via ND6 Router Advertisements https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc

This is my experience with LLMs. To paraphrase @apps3c “sometimes you just need to ask nicely” https://hnsecurity.it/blog/attacking-genai-applications-and-llms-sometimes-all-it-takes-is-to-ask-nicely/ https://mastodon.cloud/@slashdot/115742100395423331

I don’t get why some subjects (so-called #ai in this case) are so polarizing that so many people stop using their brain and express judgment without bothering to at least try to know what they’re talking about. https://infosec.exchange/@raptor/115717312842239363

A bit conflicted about this, 'cause I'm not a big fan of #aiassisted coding... Anyways, the new "Review Solution with AI" action in @jetbrains #rustrover is pretty slick! It's very convenient to have a quick way to check if my #rust code is idiomatic or could be otherwise improved […]

In this latest article in our long-running series on #burpsuite #extension #development, Federico Dotta illustrates how to extend the Active and Passive Scanner in your favorite #webapplication #penetrationtesting tool with Custom Scan Checks […]

i finally gave in and started using uv to manage the dependencies for my Python scripts and it’s great https://jvns.ca/til/python-inline-dependencies/

A cool new project by a friend Zynk - Move anything Between everything Send folders, photos, and multi‑gig archives across phones, laptops, TVs, and servers. End‑to‑end encrypted, resumable, no size limits. https://zynk.it/

Check out pipetap! A new Windows named pipe proxy/tool byb @leonjza https://infosec.exchange/@leonjza/115676998634958935

Yesterday, after various bogus AI slopped "PoC"s, eventually a functional PoC for the React RCE emerged: https://github.com/msanft/CVE-2025-55182 We now have a PoC from the reporter of the vulnerability as well: https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc #react2shell

#downdetectorsdowndetectorsdowndetectorsdowndetector #downdetector https://downdetectorsdowndetectorsdowndetectorsdowndetector.com/

#cloudflare seems broken again

"The Dutch government has quietly removed #google #tracking tools from job listings for its intelligence services over concerns that the data would expose aspirant spies to U.S. #surveillance," according to POLITICO. "The intervention would put an end to Google’s processing of the data of job […]

You see what happens? You see what happens Larry? You see what happens when you let Javascript people do RPC servers in The Cloud? This is what happens when you let Javascript people do RPC servers in The Cloud, Larry […]

"We did a number of refactors [...] This also fixes a critical security vulnerability." 👀 CVE-2025-55182, an RCE in React Server Components just landed: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components Enjoy your patching, and make sure to check […]

Hey developers and vulnerability researchers! I'm currently working on improving my #semgrep ruleset for C/C++ static code analysis, and I've just published the new v1.1.0 release: https://github.com/0xdea/semgrep-rules Some notable changes since the previous battle-tested release: new rules […]

continually astonished that every package delivery service on earth seems unaware that the #1 reason people are visiting their website is to use the track-and-trace and not to read their mission statement

It's here, phase out bosses: https://replaceyourboss.ai/ Courtesy of @GossiTheDog

👀 Before the #radare2 6.0.6 release during the testing stage I spotted a crash on Windows and decided to write a post explaining how I fixed it using only the cmd interface 👉 https://trufae.github.io/aiblog/WinCdbNull-en.html As a UNIX person I'm not comfortable on #windows but i was happy to […]

[meta] When I watch sector specific experts tell me their sector is special.<snark />. They're more like other sectors than they necessarily think.

While cleaning a storage room, our staff found this tape containing #unix v4 from Bell Labs, circa 1973 Apparently no other complete copies are known to exist: https://gunkies.org/wiki/UNIX_Fourth_Edition We have arranged to deliver it to the Computer History Museum #retrocomputing

Our senior security analyst @[email protected] has published a follow-up to his popular #groovy Template Engine #exploitation writeup: https://hnsecurity.it/blog/groovy-template-engine-exploitation-part-2/ Check out some new practical exploitation tricks that he figured out while working on […]

The release candidate of the OWASP Top 10 2025 has been released owasp.org/Top10/2025/0... The definitive release should be out on November 20th

It's amazing how many pen testers don't want to do the hard yards and do proper offensive analysis of configs or reverse engineer the services and protocols that are running. Firing up nmap and Nessus is all well and good but it's *not* an effective analysis of the attack surfaces. Looking at a […]

I wrote up some notes on two new papers on prompt injection: Agents Rule of Two (from Meta AI) and The Attacker Moves Second (from Anthropic + OpenAI = DeepMind + others) https://simonwillison.net/2025/Nov/2/new-prompt-injection-papers/

infosec has a lot to learn about understanding failure conditions and accurate, understandable error messages from roadies

The other day we had our first ever chained AI tool success on the #curl factory floor: - tool A found a possible flaw in code and reported it. - using the plain English description from tool A, tool B could create a reproducible by itself that verified the finding The sense of magic is […]

#brida 0.6 is here! The bridge between #burpsuite and #frida is now fully compatible with Frida 17+. As of this release, Brida 0.6 supports only Frida 17 and later. For users who still rely on older Frida versions, Brida 0.6pre remains available on GitHub. Get the latest release here […]

New, long, oral history of Ken Thompson, my and everyone's hero. From the Computer History Museum: https://computerhistory.org/blog/a-computing-legend-speaks/ Click thru a while to get a text transcript.

Mem3nt0 mori – The #hacking Team is back! “In March 2025, #kaspersky detected a wave of infections that occurred when users clicked on personalized #phishing links sent via email. No further action was required to initiate the infection; simply visiting the malicious website using Google […]