finally: firefox in the web browser https://developer.puter.com/labs/firefox-wasm/
New blog post!
The title should be self-explanatory, it's an appreciation post for Nightmare Eclipse.
You might notice that the tone is a bit more emotional/angry than my usual style of writing.
This one's personal.
https://ti-kallisti.com/general/ms/nightmare-eclipse.html
#NightmareEclipse #Microsoft #Hackers #InfoSec #SecurityResearch #ChainsawMan #Reze
ASUS bsitf.sys (CVE-2026-13585): Arbitrary Physical Memory Mapping via Unvalidated IOCTL https://blog.ahmadz.ai/asus_bsitf_0_day_poc/
working on a theory that the headphone jack being removed from phones was the turning point towards the tech backlash
New #ToddlerDnD spell:
INTERVENTION
Casting time: 2 hours (5 if at night)
Range: Self
Duration: Varies
Verbal component: A parent uttering the words "date night tomorrow"
This spell generates an immediate mystery illness, non-threatening but enough for Toddler character to require a Long Rest at home. Effects last until the possibility of free time for date night has passed.
Maybe a bit of an explanation why it does this:
When a new user is logging on, Windows needs to load the users class hive. Since the user isn't logged on before logging on (tautology, I know), it can't be loaded in the context of the user. So it is loaded in the context of NT AUTHORITY\SYSTEM.
LegacyHive abuses this.
It messes with the Windows Object Manager and instead of the actual UsrClass.dat hive points at C:\randomGUID\UsrClass.dat. then it places an oplock on that file and starts an (interactive) logon for the user whose Object Manager path has been manipulated.
This leads Windows to try to open the file, but it can't, because of the Oplock. So the process looks at the Object Manager namespace again, finds a symlink (also manipulated by LegacyHive) and loads that instead, attaching it as the class hive for the user it is trying to create an interactive session for.
The load succeeds because, as I mentioned earlier, Windows falls back to NT AUTHORITY\SYSTEM when it doesn't have a user context yet.
Hope this makes at least some sense
V 0.5.2 is out! It's our biggest release yet.
1400+ items in the changelog: https://github.com/vlang/v/releases#release-0.5.2
New: the highly controversial AI music generator Suno was hacked. The hacker sent us Suno source code; it shows the company scraped YouTube Music, Deezer, and Genius. In all, Suno scraped *decades* worth of music from the internet. Obviously didn't pay artists https://www.404media.co/hack-reveals-suno-ai-music-generator-scraped-youtube-deezer-and-genius/
When Peter Stokes (Scattered Spider's "Bouquet") was arrested in Finland this month, people speculated that his real identity had been unmasked by Microsoft using the Windows GDID assigned to his computer. GDID *was* used to trace crimes to his computer, but Unit 221B's Allison Nixon tells me he had been unmasked in 2023, long before he committed the biggest crimes mentioned in his indictment. I spoke with her about tracking Stokes and other members of The Com, and why these cybercriminals brag about their crimes online and are so reckless about drawing attention to themselves and leaving a trail of evidence. We also talked about why, if Stokes had been identified in 2023, it took until 2026 to arrest him.
@jbz
This is how it all started.
"Processing personal information of children is illegal"
"Cool, I'll ask users if they're adult at registration, and if they lie that's their problem"
"Nope, still illegal, still your problem"
"Ok so how do I prevent children from accessing my website so that I don't accidentally process their personal information?"
Thinking in terms of children leads nowhere. We must ban computers from using humans regardless of age, otherwise we'll end up with age verification
RE: https://infosec.exchange/@perfect10_bot/116923952993204894
Hm, pfeeew, "just" the 5.0 betas 
Dear Malta Gaming Authority,
Yes, I hacked you, and the data obtained has been shared with media partners, authorities,….
And yes, we will expose the organized crime enablement schemes you created while presenting yourselves as a “legitimate public service”.
So if you lurk in any AI subreddit, discord, forum, or issue tracker, its pretty obvious that the answer to "how do people trust these things when they make mistakes literally all the time and its impossible to know when" is that there is a general conspiracy theory that whenever the model does bad output it is the AI company nerfing their model on purpose: for anthropic, its that they are compute strapped. For openAI, getting sued or cucked. Google is that google just sort of fucks their own shit up all the time, same with Microsoft.
This kind of post basically dominates all of these forums. That systemic failures are one-off byproducts of the momentary malevolence of the companies. The gambler only complains about the house always winning when the house wins bigger than usual.
RE: https://infosec.exchange/@hnsec/116923239649243702
My #Semgrep C/C++ ruleset is ready for prime time again!
Grab it before our new robot overlords take over the field of #VulnerabilityResearch entirely 🤖
"I'm very glad," said Piglet happily, "that I thought of giving you Something to put in a Useful Pot."