c3nav is out!!! come hang out with your favorite has-beens and get lectured about the good old days at the console hackers retirement home! non-retired hackers also welcome we are here to support the new generation 🫡

Console Hackers Retirement Home
Assembly, F6, Hall 3, Level 0

#39c3

https://39c3.c3nav.de/l/nintenbros/

Christmas Eve miracle: Fortinet admits new exploitation of a 2020 bug

https://www.fortinet.com/blog/psirt-blogs/product-security-advisory-and-analysis-observed-abuse-of-fg-ir-19-283

does anyone know of an artist taking commissions who has a sense of humour and a style somewhere in the realms of Hieronymus Bosch / medieval era classical painting, who would be willing to make me a t-shirt design? (paid work, of course.)

I'm looking to get a seasonal parody recreation of Slayer's Seasons In The Abyss album cover, in the theme of "Sleigher - Season's Greetings In The Abyss".

I didn't sleep well last night so had way way way too much caffeine to compensate and that usually leads me to strange thoughts. Today's strange thought: I see parallels between what cell phones did to telephone service audio quality and what Cloudflare is doing to internet availability.

My fellow hose drinkers will remember the MCI ads about hearing a pin drop on a phone call to the other side of the world, and from there it was a race to have the best audio quality. Then cell phones came and the convenience was so compelling that no one gives a crap about audit quality now, so long as it's intelligible.

I see the same sort of thing happening with Cloudflare - it's so convenient that we are coming to accept outages (NB: it's not just cloudflare, they are just on my mind - also AWS, Azure, et al), and it makes me wonder if 5 years how we are going to be thinking about high availability Internet services.

He was covered in cables, from head to his foot,
patched 'em in switchports, he doubled throughput!
He opened his laptop, his terminal: no hype.
No Electron, no XCode, only in 'vi' did he type.

His code -- so readable! His Makefiles how clean!
His scripts were well structured, his includes pristine!
His CFLAGS? Warn 'all', warn 'extra', be extra pedantic
Turn warnings to errors, it's almost romantic!

We (Orange Cyberdefense) are attempting to become a CVE CNA & in prep for that collected the various vulns we had reported over the years that had corresponding public information. 108 of them! It’s mostly a vanity list but will be where we publish new vulns in future. https://advisories.orangecyberdefense.com/advisories

Lately I have noticed that when you purchase a ticket you don’t get a static PDF/PNG anymore.

Increasingly often, you get a .pkpass file, which is supposed to be opened in wallet apps (like Google Wallet or any 3rd-party).

Since I don’t like to share information about the events I attend with strangers on the Internet, I have decided to take a closer look at these .pkgpass files.

They are usually just zip files that contain a background image, an icon and a pass.json with the actual information about the ticket. Nothing that can’t be handled by a script rather than a 3rd-party 100 MB mobile app.

I have thus put together a simple #shell script that does exactly that.

Dependencies:

• jq
• zint
• magick
• unzip
• curl or wget

Usage:

pkpass2png https://domain.tld/myticket.pkpass ticket.png

https://gist.manganiello.tech/fabio/pkpass2png

The US is sanctioning Thierry Breton and Trusted Flaggers that are critical for the application and enforcement of the #DSA.

Full solidarity with the unjustly sanctioned individuals. As Breton called out, 90% of the European Parliament and all 27 Member States unanimously voted the DSA.

This bullying into vassalisation of Europe is unacceptable.

Interested in Intel Skylake's front end? Not yet bored of me? Then you might enjoy this talk I presented at Jane Street in November:

https://youtu.be/BVVNtG5dgks?si=OK8KlYve_TEMzHkX

I'm sure I've made some errors but I put a ton of work into trying to verify what I could. If you know of any inaccuracies do let me know!

I hope to do a follow-up/updated version for a conference next year sometime!

Exactly 2 years ago, Readeck 0.10 was released 🎂

So today is a good day to publish the 2026 roadmap! With some important news about the hosted service, a sneak peek on upcoming features in January and a few words about AI.

https://readeck.org/en/blog/202512-2026-roadmap/

This Gmail hack is unsettling not because it’s flashy, but because it’s bureaucratic. Attackers aren’t breaking encryption or outsmarting algorithms. They’re filling out forms. By changing an account’s age and abusing Google’s Family Link feature, they can quietly reclassify an adult user as a “child” and assume parental control. At that point, the rightful owner isn’t hacked so much as administratively erased.

The clever part is that everything happens inside legitimate features. Passwords are changed. Two-factor settings are altered. Recovery options are overwritten. And when the user tries to get back in, Google’s automated systems see a supervised child account and do exactly what they were designed to do: say no.

Google says it’s looking into the issue, which suggests this wasn’t how the system was supposed to work. But it’s a reminder of an old lesson. Security failures often happen when protective mechanisms are combined in ways no one quite imagined. The tools aren’t broken. The assumptions are.

There’s no dramatic fix here, only mildly annoying advice that suddenly feels urgent. Review recovery settings. Lock down account changes. Use passkeys. Because once an attacker controls the recovery layer, proving you’re you can become surprisingly difficult.

TL;DR
🧠 Family safety tools are being weaponized
⚡ Account recovery can be shut down entirely
🎓 Legitimate features enable the lockout
🔍 Prevention matters more than appeals

https://www.forbes.com/sites/daveywinder/2025/12/07/google-looking-into-gmail-hack-locking-users-out-with-no-recovery

#Cybersecurity #Gmail #IdentitySecurity #AccountRecovery #DigitalRisk #security #privacy #cloud #infosec

So how about Europe's cloud woes? A lot happened in 2025, and things became much clearer. We truly can't continue to wed our governments to 🇺🇸 clouds. While there are encouraging developments, it is incredibly odd that neither cloud buyers nor the European 🇪🇺 software/hosting industry are seeing the urgency to act. But, governments & regulators could forge a useful path towards a solution in 2026:
https://berthub.eu/articles/posts/the-european-cloud-2025/