'Virtual OS Museum' Lets You Try 570 Extinct Operating Systems https://tech.slashdot.org/story/26/05/30/2323231/virtual-os-museum-lets-you-try-570-extinct-operating-systems?utm_source=rss1.0mainlinkanon
ThinkPad firmware reverse-engineering toolchain: archived Lenovo BIOS → named SoC pads, EC analysis, CVE diffs, coreboot/OpenCore port scaffolding https://tetdrad0n.codeberg.page/thinkpad-fw-analysis/
Interesting links of the week:
Strategy:
* https://www.gov.uk/government/publications/energy-sector-cyber-security-strategy - protecting the electrickery with HMG
* https://www.nextgov.com/cybersecurity/2026/05/telecom-firms-form-new-cyber-information-sharing-group/413636/ - new threat sharing group for telecomms
* https://www.linkedin.com/pulse/what-works-cybersecurity-compliance-daniel-woods-ltwwe/ - quantifying the efficacy of governance frameworks like Cyber Essentials
* https://www.crest-approved.org/ai-in-penetration-testing/ - large scale study of the current use of AI in pentesting by UK consultancies
* https://isaiprofitable.com/ - is AI profitable? hell no, unless you make the chips
* https://jerrygamblin.com/2026/04/18/prioritizing-what-matters-bringing-cve-intelligence-to-splunk/ - building your own vulnerability intelligence
* https://jericho.blog/2026/05/25/vulnerability-embargos-are-dead/ - Jericho from @attritionorg calls time on embargoes
Threats:
* https://intel.gayint.org/actors/public - from the wonderful folks at @gayint with love
* https://www.theguardian.com/politics/2026/may/25/nigel-farage-russian-hack-claim-disclosure-5m-gift - did .ru hack Nigel or is he a lying grifter?
* https://atomdrift.org/discoveries/ - @thomrstrom's atomdrift discoveries
* https://www.lumen.com/blog/en-us/introducing-showboat-a-new-malware-family-taunts-defenses-and-targets-international-telecom-firms - a new player in town?
Bugs:
* https://red.anthropic.com/2026/cvd/ - hope it's not too sloppy
* https://sintonen.fi/advisories/signal-deleted-but-not-forgotten.txt - Signal oopsie from @harrysintonen
* https://lcamtuf.coredump.cx/dl/ - an oldie from @lcamtuf
* https://fatgid.io/ - not every bug needs a name, but here's another oopsie in FreeBSD
Exploitation:
* https://www.abdulmhsblog.com/posts/useingthewindowssourcecode/ - using the "open source" version of Windows for bug hunting
* https://g3tsyst3m.com/byovd/BYOVD-and-Looting-LSASS-in-the-Modern-EDR-Era/ - looting LSASS in 2026
* https://notes.fadymoheb.com/Penetration-Testing/Post-Exploitation/Linux-Credential-Hunting - Linux password theft for beginners
* https://platformsecurity.com/blog/hawks-prey-snatching-ssh-credentials - automagic pillaging Linux for credentials
* https://www.praetorian.com/blog/llm-edr-signature-reduction/ - Praetorian Labs keep on getting ID'd
* https://cert.pl/en/posts/2026/05/autonomous-fuzzing/ - .pl CERT discuss using agentic approaches in fuzzing
* https://www.wietzebeukema.nl/blog/bypassing-detections-with-command-line-obfuscation - command line obfuscation with @wietze for detection bypasses
* https://www.varonis.com/blog/ghosttree-ntfs-trick - leading EDRs up the garden path and into a maze
Hard hacks:
* https://www.kr3bz.wtf/posts/sdmc-ne6037-router-recovery-backdoor/ - another day, another router abused
* https://minanagehsalalma.github.io/zyxel-cve-2021-35036-super-admin-password-leak/ - more roots in routers
Data:
* https://medium.com/@shravankoninti/build-a-small-language-model-slm-from-scratch-3ddd13fa6470 - building your own SLM
* https://blogs.cisco.com/ai/the-fundamentals-of-ai-what-every-curious-person-should-know-about-how-language-models-work - things everyone should know about LLMs
Nerd:
* https://nesbitt.io/heap - someone has made a game out of NodeJS bugs
* https://www.reenigne.org/blog/80386-microcode-disassembled/ - disassembling 80386 microcode
The S in interoperability (https://frederikbraun.de/the-s-in-interoperability.html): A blog post about standards, their proliferation and the issues that arise over time.
Security Advisory: CVE-2025-70099 - NULL Pointer Dereference in lwext4
When parsing a specially crafted EXT4 filesystem image with malformed directory entries, lwext4 dereferences a NULL directory entry pointer in ext4_dir_en_get_name_len(), causing a segmentation fault.
Summary:
The inline helper ext4_dir_en_get_name_len() in ext4_dir.h reads the name_len field from a directory entry struct without first validating that the entry pointer is non-NULL. During directory iteration via ext4_dir_entry_next(), processing of a corrupted EXT4 image can produce a NULL (or near-NULL) entry pointer. The subsequent dereference of en->name_len at line 126 triggers a READ access at address 0x6 and crashes the process.
CWE:
CWE-476 - NULL Pointer Dereference
Affected Component:
```
include/ext4_dir.h:126
Function: ext4_dir_en_get_name_len()
src/ext4.c:3233
Function: ext4_dir_entry_next()
```
Affected Product:
lwext4 (Lightweight EXT4 filesystem library)
Affected Version:
lwext4 1.0.0, commit 58bcf89a121b72d4fb66334f1693d3b30e4cb9c5. Affects versions based on or equivalent to the 2016-era codebase.
Attack Conditions:
An attacker supplies a specially crafted or corrupted EXT4 image to any application that integrates lwext4 for parsing or directory traversal. No elevated privileges are required; only local access (AV:L) to provide the malicious image is needed.
Impact:
The NULL pointer dereference causes an immediate process crash, resulting in a denial of service. No evidence of code execution was observed.
Fix / mitigation status:
The issue is addressed in lwext4 v1.0.1, released by Aladdin-R-D. Users should upgrade to v1.0.1 or apply the corresponding patch.
References
- Issue: https://github.com/gkostka/lwext4/issues/89
- PoC: https://github.com/sigdevel/pocs/blob/main/res/lwext4/1/sig11_2_1_lwext4_ext4_dir_h_126
- Fix: https://github.com/Aladdin-R-D/lwext4/releases/tag/v1.0.1
Credit
Alexander A. Shvedov (@sigdevel) & Daniil Dulov
#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory
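The defect class in the advisory above, shown as an added example that is not lwext4's code or its v1.0.1 patch: a directory-block walk that validates every entry before reading it. It uses a simplified model of the standard ext4 on-disk entry header, in which `name_len` sits at byte offset 6, matching the reported fault address 0x6; all names (`dir_en_hdr`, `checked_name_len`, `dir_en_read`, `dir_block_count`, `SAMPLE`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* ext4 on-disk dir entry header (simplified model, hypothetical names). */
struct dir_en_hdr {
    uint32_t inode;     /* offset 0 */
    uint16_t entry_len; /* offset 4: distance to the next entry */
    uint8_t  name_len;  /* offset 6: read through a NULL base faults at 0x6 */
    uint8_t  file_type; /* offset 7 */
};
#define HDR_SIZE 8u
/* Constructed sample block: "." and ".." entries, 12 bytes each. */
static const uint8_t SAMPLE[24] = {2,0,0,0, 12,0, 1,2, '.',0,0,0,
                                   2,0,0,0, 12,0, 2,2, '.','.',0,0};

/* Checked accessor: -1 instead of dereferencing a NULL entry pointer. */
int checked_name_len(const struct dir_en_hdr *en)
{
    return en ? en->name_len : -1;
}

/* Decode and validate the entry at offset `off` of a `size`-byte block. */
int dir_en_read(const uint8_t *blk, size_t size, size_t off,
                struct dir_en_hdr *en)
{
    if (blk == NULL || en == NULL || off > size || size - off < HDR_SIZE)
        return -1;
    const uint8_t *p = blk + off;
    en->inode = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    en->entry_len = (uint16_t)(p[4] | p[5] << 8);
    en->name_len = p[6];
    en->file_type = p[7];
    return (en->entry_len < HDR_SIZE + en->name_len || /* name must fit */
            en->entry_len % 4 != 0 ||                  /* 4-byte aligned */
            en->entry_len > size - off) ? -1 : 0;      /* stays inside block */
}

/* Count in-use entries (inode != 0); -1 as soon as one entry is malformed. */
int dir_block_count(const uint8_t *blk, size_t size)
{
    struct dir_en_hdr en;
    int n = 0;
    for (size_t off = 0; off < size; off += en.entry_len) {
        if (dir_en_read(blk, size, off, &en) != 0)
            return -1;
        n += (en.inode != 0);
    }
    return n;
}
```

The header is decoded byte by byte into a local struct rather than cast from the image buffer, so a corrupted image never yields an entry pointer that later code has to trust.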
Back in 2002, I wrote a super-simple tool to dump the memory of a live process to a file. This was a cool way to grab "screenshots" of SSH sessions, editors, etc.
I had 30 minutes today, so I non-vibe-coded a new version that works on modern Linux, if you want to have fun: https://lcamtuf.coredump.cx/soft/memfetch.tgz
Big companies have an expensive new addiction to AI, and their smack is getting more expensive. Who could have seen this coming? From the WSJ:
"Use of artificial intelligence by big companies is exploding—and the soaring cost has some of them pumping the brakes in a way that could complicate AI’s triumphal march across the economy.
Executives across industries this year have urged employees to integrate AI tools into their work, spending freely to encourage experimentation and seeking to send a message to Wall Street that their companies won’t be left behind in a coming wave of disruption."
"All that enthusiasm has resulted in skyrocketing costs for so-called tokens, the basic unit of measurement for AI computing, as AI model providers seek to balance supply and demand and manage their own costs. Some enterprises have hit their annual budget in just three months or reported seeing their AI spending bills double or triple."
"Now corporate leaders are scrambling to bring down expenses by finding ways to ration AI use in their organizations, steer workers toward cheaper, homegrown tools and help them hone their skills to improve returns."
https://www.wsj.com/tech/ai/corporate-america-is-starting-to-ration-ai-as-cost-skyrockets-1eb99d7a (paywall)
This person has been a prolific bug finder for quite some time. Here's their public HackerOne profile: https://hackerone.com/halove23/hacktivity?type=user
Reading their Xitter timeline over the years is pretty interesting. They went from working w/ a lot of these bug bounty programs and giving MS time to fix stuff beyond the usual 90-day window to increasing frustration in dealing w/ vendors. I wish that were less of a common experience than it still is today, but some dynamics in this industry never seem to change.
Also just noticed something interesting. Back in 2019, MS was including hyperlinks to researchers in their advisories. In this advisory, they actually link to the researcher's shitposting Facebook profile, which has posts up until this month.
https://www.facebook.com/com.android.vending
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1385
It's worth catching one of the Pwn2Own OGs (Aaron Portnoy) on the latest Three Buddy Problem
Aaron with the timeless advice "level up.. get better"
(Also with props for Deception in Defense 💪💚)
Offensivecon's talks are now available on our YouTube channel!
🔗 https://youtube.com/playlist?list=PLYvhPWR_XYJkIP2X-uGDsAMIKnhdSauaM
Submissions are still open!
If you've been sitting on a bug, technique, war story, weird research rabbit hole, or beautifully cursed idea: now is the time.
Write something worth archiving.
Phrack CFP closes June 30.
More details on how to submit at https://phrack.org/news
The openSUSE peeps have figured out some crazy compression, it seems. 107.0 B for everything!
📅 Next Web Talks at Mozilla Berlin Meetup is happening Thu, June 11, 18:00 🦊
Two talks:
• Sunil Mayya on "Keep Off My LAN": Firefox's implementation of Local Network Access
• @freddy on "The Devil is in the Defaults": defending against XSS with Trusted Types and the Sanitizer API
https://www.meetup.com/de-DE/berlin-mozilla-meetup/events/314623241/
RE: https://infosec.exchange/@x41sec/116651028731076045
Important! Using a reverse proxy might not fully protect you from BadHost / CVE-2026-48710 **also this does not only affect AI related infrastructure because FastAPI is also affected and used for various applications!**