"I'm interested in all kinds of astronomy."
"You should be able to talk to your PC"[1]

^ This is a fundamental misunderstanding that reminds me (again) of one of my favorite failed experiments of '90s internet: the online 3D shopping center.[2]

C-levels of the time spared no expense to build a complete VRML model of a shopping center in the browser, where you could walk around, take the escalator for a better view on the virtual fountain or even rent a virtual space for your goods.

What the inventors didn't understand is that of course people don't go to the mall to use the escalator, but to buy stuff.

Online banking, shopping, etc. became popular even over phone-based services because people realized that clicking on stuff is more effective than talking (and walking).

Chatbots are the 3D escalators of today's technology.

[1] https://www.theverge.com/report/822443/microsoft-windows-copilot-vision-ai-assistant-pc-voice-controls-impressions
[2] https://web.archive.org/web/20070610120220/https://index.hu/tech/net/plaza0607/
a new "modern" run dialog is being implemented and what the fuck is this

Since I started to analyze CVE-2025-55182 (, ) at work today, I decided to publish my analysis findings so far, given all the fuzz about the vulnerability: https://github.com/msanft/CVE-2025-55182

Feel free to contribute to the search for a proper RCE sink!

I completely missed that @kaitai v0.11 was finally released with serialization support:

https://kaitai.io/news/2025/09/07/kaitai-struct-v0.11-released.html

This is huge and it's great to see that @nlnet money goes to the right places!

The ChatGPT outage the other day made me wonder if we will see DDoS crews hold AI services for ransom. Many of them have deep pockets and being down a day or two would hurt.


Lorenzo Franceschi-Bicchierai

NEW: Staffers at notorious spyware maker Intellexa had live remote access to their customers' surveillance systems.

This allowed them to see the personal data of targets hacked with Intellexa's spyware Predator, according to new research based on a leaked training video.

Needless to say, this is bad for several reasons.

http://techcrunch.com/2025/12/04/sanctioned-spyware-maker-intellexa-had-direct-access-to-government-espionage-victims-researchers-say/


Project Zero Bot

New Project Zero issue:

Samsung: QuramDng TrimBounds Opcode leads to out-of-bounds reads

https://project-zero.issues.chromium.org/issues/443793212

CVE-2025-21074

Project Zero Bot

New Project Zero issue:

Samsung: QuramDng invalid LossyJpeg component assumption, leading to out-of-bounds write

https://project-zero.issues.chromium.org/issues/444346510

CVE-2025-21075

Workforce shortage: a developer changed career to mine stone for Great Leader after infecting his own machine for testing, turning your operation into an online version of the imperialist video game Uplink.

https://www.hudsonrock.com/northkorean

This PoC looks convincing enough (I didn't test though!):

https://github.com/msanft/CVE-2025-55182

CVE-2025-55182
@synnfynn nah, no SELinux, and with a brilliant move I now just log to the console :)
I'm writing this network thing and there are always problems that you only recognize during implementation - this is why it's so enlightening to implement stuff.

What I didn't expect is getting stuck because I can't write to a damn log file as root...

AI Warning: Google has been caught A/B testing replacing real article headlines with AI-generated substitutes, which are of course sometimes wildly misleading/against journalistic ethics. If you see a blatantly horrible headline in a news aggregator, check whether the site's own page matches before blaming the site! https://www.pcgamer.com/software/ai/googles-toying-with-nonsense-ai-made-headlines-on-articles-like-ours-in-the-discover-feed-so-please-dont-blame-me-for-clickbait-like-bg3-players-exploit-children/
