https://www.andrea-allievi.com/blog/a-minikvm-to-rule-all-machines-remotely/ Finally after hours and hours of assembling a YouTube video... MiniKvm 1.0 is there :-) Have fun and let me know if you find it useful...

When I was a student, I read a lot about how Silicon Valley companies were looking for 'problem solvers' rather than people with experience with specific technologies. At the time, this struck me as odd because problem solvers are not rare. Most people can solve a problem if you explain it to them. Indeed, the lesson from most of the formal verification classes was that a sufficiently detailed description of a problem is indistinguishable from a solution to that problem.

The real rare skill is working out which problems are the right ones to solve. Without that, you keep falling down dead-end rabbit holes and chasing local optima.

Everything I've seen in the last decade or so indicates what happens when problem solvers end up in senior leadership positions. You get companies that are great at solving completely the wrong problems.

This is outrageous. Where are the armed men who come in to take the spammers away? Where are they? This kind of behavior is never tolerated in Cascadia. You phish like that they put you in jail. Right away. No trial, no nothing. Cloudflare sites, we have a special jail for Cloudflare sites. You use QR codes: right to jail. You are domain squatting: right to jail, right away. Too many URL parameters: jail. Too few: jail. You are asking for gift cards, Monero, Bitcoin: you right to jail. You text a journalist? Believe it or not, jail. You receive a text, also jail. Send, receive. You use a hyphen in your domain name, believe it or not, jail, right away. We have the best users in the world because of jail.

smbfs is a fuck

Please remember that what you see on social media is what people choose to present, and not an accurate representation of their life. Few people post about their horror.

Don't put off seeing friends because "they're having fun" or "they're busy" and "you'll see them later". You do not know that any of these things are true.

Project: microsoft/TypeScript https://github.com/microsoft/TypeScript
File: src/compiler/scanner.ts:1890 https://github.com/microsoft/TypeScript/blob/cbac1ddfc73ca3b9d8741c1b51b74663a0f24695/src/compiler/scanner.ts#L1890

function scan(): SyntaxKind

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fmicrosoft%2FTypeScript%2Fblob%2Fcbac1ddfc73ca3b9d8741c1b51b74663a0f24695%2Fsrc%2Fcompiler%2Fscanner.ts%23L1890&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fmicrosoft%2FTypeScript%2Fblob%2Fcbac1ddfc73ca3b9d8741c1b51b74663a0f24695%2Fsrc%2Fcompiler%2Fscanner.ts%23L1890&colors=light

🦘🛜 Our second part of the “Diving Into JumpServer” series is live:
Read more on how an attacker who bypassed authentication can execute code and fully compromise the JumpServer instance and internal hosts:

https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-2-2?utm_medium=social&utm_source=mastodon&utm_campaign=research&utm_content=blog-diving-into-jumpserver-attackers-gateway-to-internal-networks-250325-&utm_term=&s_category=Organic&s_source=Social%20Media&s_origin=social

#appsec #security #vulnerability

I probably sound like a broken record at this point, but we're not sold yet on the world-ending nature of Next.js CVE-2025-29927.

The fact that the bug isn't known to have been successfully exploited in the wild despite the huge amount of media and industry attention it’s received sure feels like a reasonable early indicator that it's unlikely to be broadly exploitable (classic framework vuln), and may not have any easily identifiable remote attack vectors at all.

https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-next-js-cve-2025-29927/

Auth bypass vuln in VMWare Tools for Windows. Nice.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518

sev:HIGH 7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control. A malicious actor with non-administrative privileges on a guest VM may gain ability to perform certain high privilege operations within that VM.

https://nvd.nist.gov/vuln/detail/CVE-2025-22230

Napalm Death, Throes Of Joy In The Jaws Of Defeatism (2020).

https://www.youtube.com/playlist?list=OLAK5uy_kWcUQiY1m-s4mdg2Tbu1ZFykF20UkVbG4

#Grindcore #Metal

I published a correction to my slides/blogposts regarding rename(). I have incorrectly stated that rename("./a", "./b") was racy. It is not.
For most situations this is not a huge deal, but I still feel bad that I misled you all, so beers are on me.

https://gergelykalman.com/corrections-regarding-rename.html

Micropatches Released for SCF File NTLM Hash Disclosure Vulnerability (No CVE) https://blog.0patch.com/2025/03/micropatches-released-for-scf-file-ntlm.html

That RCE in Appsmith from December has a write-up.

https://rhinosecuritylabs.com/research/cve-2024-55963-unauthenticated-rce-in-appsmith/

https://github.com/appsmithorg/appsmith/releases/tag/v1.52

While reviewing the Appsmith Enterprise platform, Rhino Security Labs uncovered a series of critical vulnerabilities affecting default installations of the product. Most severe among them is CVE-2024-55963, which allows unauthenticated remote code execution due to a misconfigured PostgreSQL database included by default. Two additional vulnerabilities (CVE-2024-55964 and CVE-2024-55965) enable unauthorized access to sensitive data and application denial of service.

Unfortunately, the CVE still isn't in NVD.

https://nvd.nist.gov/vuln/detail/CVE-2024-55963

I have too many reasons to worry about this but that’s not really the point. The thing I’m worried about is that, as the only encrypted messenger people seem to *really* trust, Signal is going to end up being a target for too many people.

Signal was designed to be a consumer-grade messaging app. It’s really, really good for that purpose. And obviously “excellent consumer grade” has a lot of intersection with military-grade cryptography just because that’s how the world works. But it is being asked to do a lot!

Right now a single technical organization is being asked to defend (at least) one side in a major regional war, the political communications of the entire US administration, the comms of anyone opposed to them globally, big piles of NGOs, and millions of “ordinary” folks to boot.

(There is no such thing as “ordinary user” cryptography BTW. Those ordinary users include CEOs, military folks, people doing many-million-dollar crypto trades through the app, etc. It’s a lot to put on one app and one non-profit.)

On top of this, it’s only a matter of time until governments (maybe in the US or Europe) start putting pressure on the infrastructure that Signal uses — which is mostly operated by US companies. I’m not sure how this will go down but it’s inevitable.

If you are at the Microsoft MVP Summit this week, and in the Windows Server space, please add your voice for the release of eval ISOs of Windows Server on ARM. We need these for *local* testing, training, and development.

Trigon: developing a deterministic kernel exploit for iOS by @alfiecg_dev

https://alfiecg.uk/2025/03/01/Trigon.html

PRE-RELEASE: I wrote a Linux Binary Runtime Crypter - in BASH 😅. Would love you fine people to TEST it _BEFORE_ release: https://github.com/hackerschoice/bincrypter

The first round of the CFP for Recon Montreal will end this Friday March 28, during that phase we preselect a few talk. The CFP end on April 25. #reverseengineering #cybersecurity #offensivesecurity https://recon.cx/2025/cfp.html