@algernon I've always said parental controls are great to raise little hackers!

[RSS] When irate product support customers demand to speak to Bill Gates

https://devblogs.microsoft.com/oldnewthing/20251223-00/?p=111896

[RSS] Livewire: remote command execution through unmarshaling

https://www.synacktiv.com/en/publications/livewire-remote-command-execution-through-unmarshaling

[RSS] Rest In Peace IBM X-Force Vulnerability Database

https://jericho.blog/2025/12/23/rest-in-peace-ibm-x-force-vulnerability-database/

Interested in Intel Skylake's front end? Not yet bored of me? Then you might enjoy this talk I presented at Jane Street in November:

https://youtu.be/BVVNtG5dgks?si=OK8KlYve_TEMzHkX

I'm sure I've made some errors but I put a ton of work into trying to verify what I could. If you know of any inaccuracies do let me know!

I hope to do a follow-up/updated version for a conference next year sometime!

Exactly 2 years ago, Readeck 0.10 was released 🎂

So today is a good day to publish the 2026 roadmap! With some important news about the hosted service, a sneak peek on upcoming features in January and a few words about AI.

https://readeck.org/en/blog/202512-2026-roadmap/

This Gmail hack is unsettling not because it’s flashy, but because it’s bureaucratic. Attackers aren’t breaking encryption or outsmarting algorithms. They’re filling out forms. By changing an account’s age and abusing Google’s Family Link feature, they can quietly reclassify an adult user as a “child” and assume parental control. At that point, the rightful owner isn’t hacked so much as administratively erased.

The clever part is that everything happens inside legitimate features. Passwords are changed. Two-factor settings are altered. Recovery options are overwritten. And when the user tries to get back in, Google’s automated systems see a supervised child account and do exactly what they were designed to do: say no.

Google says it’s looking into the issue, which suggests this wasn’t how the system was supposed to work. But it’s a reminder of an old lesson. Security failures often happen when protective mechanisms are combined in ways no one quite imagined. The tools aren’t broken. The assumptions are.

There’s no dramatic fix here, only mildly annoying advice that suddenly feels urgent. Review recovery settings. Lock down account changes. Use passkeys. Because once an attacker controls the recovery layer, proving you’re you can become surprisingly difficult.

TL;DR
🧠 Family safety tools are being weaponized
⚡ Account recovery can be shut down entirely
🎓 Legitimate features enable the lockout
🔍 Prevention matters more than appeals

https://www.forbes.com/sites/daveywinder/2025/12/07/google-looking-into-gmail-hack-locking-users-out-with-no-recovery

#Cybersecurity #Gmail #IdentitySecurity #AccountRecovery #DigitalRisk #security #privacy #cloud #infosec

So how about Europe's cloud woes? A lot happened in 2025, and things became much clearer. We truly can't continue to wed our governments to 🇺🇸 clouds. While there are encouraging developments, it is incredibly odd that neither cloud buyers nor the European 🇪🇺 software/hosting industry are seeing the urgency to act. But, governments & regulators could forge a useful path towards a solution in 2026:
https://berthub.eu/articles/posts/the-european-cloud-2025/

[RSS] Digging Through Six Old Sandbox Escapes in ColdFusion (ca. 2001 through 2012)

https://www.hoyahaxa.com/2025/12/digging-through-six-old-sandbox-escapes.html

[RSS] [Joshuas] 2025 Bug Bounty Stories

https://joshua.hu/2025-bug-bounty-stories-fail

When I jump from a github email notification link into a browser, github shows me the „too many requests“ error page.

Because I am not logged into GH on my phone.

So I am treated like an AI crawler.

By Microsoft. To protect itself.

@Viss @schrotthaufen We experienced that a lot but I always thought about it as a desperate attempt to signal competence (pbbly as a result of BS phishing simulations) rather distrust. But yeah, that's also a reasonable way to look at it.

The Innovation team at @Tarlogic explores how to automate function identification in symbol-less ESP32 firmware using Ghidra FIDB, turning opaque binaries into readable code in a matter of minutes ⚙️🔍

#reverseengineering

https://www.tarlogic.com/blog/esp32-firmware-using-ghidra-fidb/

[RSS] All the other cool languages have try...finally. C++ says "We have try...finally at home."

https://devblogs.microsoft.com/oldnewthing/20251222-00/?p=111890

'i wont accept a pdf attachment from you because youre a redteamer and you might try to hack me' isnt the galaxy brain defensive secuity posture that you think it is

The early web was driven by curiosity, openness, and play, not monetization. Creativity flourished because experimentation was encouraged.

Creator Audrey Witters reflects on that era, using her now-famous animated alien GIF as an example of how playful, freely-shared work helped shape digital culture—and why preserving it still matters.

Learn more ⤵️ https://blog.archive.org/2025/12/22/audrey-witters/

#EarlyWeb #DigitalHistory #Creativity @internetarchive

19+ Vulnerabilities + PoCs for the MediaTek MT7622 Wifi Driver https://blog.coffinsec.com/0days/2025/12/15/more-like-mediarekt-amirite.html

@quarkslab Thanks for the confirmation!

@cR0w

@cR0w This one by @quarkslab may cover the details, although the CVE is not mentioned: https://blog.quarkslab.com/k7-antivirus-named-pipe-abuse-registry-manipulation-and-privilege-escalation.html

Did someone get you this air quality monitor as a gift? I wanted to have it log the data, but didn’t quite trust it with internet access. I dug around a bit, got a root shell and untethered it. Read the writeup: https://blog.29b.net/dispatches/cgs2_decloud/