A drunken debugger

Heretek of Silent Signal
@hnsec These posts are our go-to sources these days for Montoya dev, thank you!

We’ve just published on the @hnsec blog the seventh article on the creation of extensions for @burp_suite "Extending Burp Suite for fun and profit - The Montoya way", by @apps3c.

Topic: using the in plugins

https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-7/


Extending Burp Suite for fun and profit - The Montoya way - Part 7 (Using the Collaborator) https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-7/

@joxean She clearly wasn't the mastermind behind the heist...
[RSS] Heather 'Razzlekhan' Morgan sentenced to 18 months in prison, ending Bitfinex saga

https://therecord.media/razzlekhan-bitfinex-sentenced-18-months-bitcoin-laundering

The Crocodile of Wall Street spends some time in the sewers... https://www.youtube.com/watch?v=_DIuPPmY9mw

This week my brain is completely stuck on wanting an Alphasmart Neo. Half of my brain knows that buying tech to write a novel with is not actually the same as writing my novel. The other half of my brain... wants the tech. But also, just look at it, isn't it perfect?


@quad @hj tbh if it turned out that Google no longer has a reason to fund Mozilla, making Mozilla even more stagnant, and at the same time the new owner of Chrome tried putting things behind paywalls to squeeze revenue out of Chrome, enshittified it in the process, making people downgrade...

And then both browsers went bankrupt

Like if it turned out endlessly adding new JS APIs wasn't sustainable

I think that would be a pretty good outcome.

[RSS] Salamander/MIME - Just because it's encrypted doesn't mean it's secure | Lutra Security

https://lutrasecurity.com/en/articles/salamander-mime/
re: #politics #populism #book
@bert_hubert The book touches on the societal context too, but what's more interesting to me is that the populist rhetoric it describes is remarkably similar to what we see today. This tells me that we as a society don't have an "immune response" against populism because it didn't have to change to remain effective.
CVE-2024-52316: Apache Tomcat: Authentication bypass when using Jakarta Authentication API

https://seclists.org/oss-sec/2024/q4/103

Sounds pretty esoteric, but I may be wrong:

"If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail"
CVE-2024-52317: Apache Tomcat: Request/response mix-up with HTTP/2

https://seclists.org/oss-sec/2024/q4/104

This looks fun! /cc @albinowax
Edited 5 days ago

This starts to look coordinated:
"Following Finnish media reports that an unexplained failure of an undersea telecommunications cable has disrupted communication services between Finland and Germany, Telia’s Chief Technology Officer Andrius Šemeškevičius says that the communications cable between Lithuania and Sweden was also damaged." (via @ErikJonker)
https://www.lrt.lt/en/news-in-english/19/2416006/undersea-cable-between-lithuania-and-sweden-damaged-telia


Fixing a Bunch of Scripting Engine Vulnerabilities by Disabling Just-In-Time Compiler (CVE-2024-38178) https://blog.0patch.com/2024/11/fixing-bunch-of-scripting-engine.html


Since about half of browser vulnerabilities are JIT-related, and Scripting Engine (JScript9.dll) is unlikely to be used for JIT-able tasks, we decided to disable JIT with this patch, blocking many old and all future JIT-related vulnerabilities in Scripting Engine.

We would like to thank Hosu Choi and Minyeop Choi (@cmy981224) of S2W Talon (https://s2w.inc/en) for sharing their analysis and proof-of-concept, which made it possible for us to create a micropatch for this issue.


I know it seems like all of the good ideas for plugins are already implemented in our large plugin collection (https://github.com/Vector35/community-plugins), but we also maintain a public list of ideas to get you started if you're interested in contributing:

https://github.com/Vector35/binaryninja-api/discussions/626


I haven't had as much time to work on it as I'd like, but I've pushed an update to the Emerald Source Code Commentary because I intend to use it as a demonstration of my technical writing. Do *you* want to know everything that happens from the instant you power on your GBA until Pokemon Emerald begins displaying graphics? https://0xabad1dea.github.io/emeraldscc/


It’s the academic paper on phishing sims I’ve been waiting for and the abstract alone is 🔥🔥 https://www.computer.org/csdl/proceedings-article/sp/2025/223600a076/21B7RjYyG9q


📼 The video edition is done! 🔥 You can now watch all the workshops (Friday), conference presentations (Saturday) and online talks (Sunday) by checking our YouTube channel or following the links from the website!

➡️ https://radare.org/con/2024/
