"I'm interested in all kinds of astronomy."
@ryanc I was actually thinking whether some (not so) fancy crypto could be used to pass some instead of a bool that the attacker can't forge, then realized reverse proxy configs are not exactly designed to implement such transformations in the first place :)

Nonetheless, this is an illustrative example that unless we point to some robust solution ppl *will* come up with complex but insecure solutions (see also Schneier's Law).
2
0
0
repeated
Edited 6 months ago

bring back forums

you aren't supposed to have a single identity online

communities shouldn't demand you let a vc-funded company have your mobile phone number

you don't have to pay $100/yr [or whatever it is] for features that every forum had for years, or if it didn't it's for a reason

your group of friends or multiple-thousand-people community won't disappear because of the failure of the aforementioned vc-funded company

even if the group dissolves you will still be able to find the useful tips you used to share

4
5
0
@krypt3ia @Viss They already are, controlling us from the shadows
0
0
1
The more I move to a thin-client model with my workstation (with projects/services moving to VMs) the more I see my dark future as an Emacs user.

TRAMP mode is pretty cool :/
0
0
0
@joxean I bet >10% of tourists have the exact same reasoning.
1
0
1
repeated

As a reminder, I'm uploading hundreds (yes) of Flash games unavailable until now to the internet archive:

https://archive.org/details/@touloutoumou

2
2
0
repeated

Analysis of a Flaw in Microsoft's Patch for "copy2pwn" (CVE-2024-38213)
https://blog.0patch.com/2025/02/analysis-of-flaw-in-microsofts-patch.html

1
3
1
I'm still looking for that brain activity sensor that someone used to make a propeller hat that spins faster when you think harder.
1
0
4
Re: CVE-2025-0108

Can we agree that "X-Trust-Me-Bro: $boolean" headers set by reverse proxies are an anti-pattern?

If so, what is the best practice?
1
1
6
repeated

Microsoft: So you've disabled the advertisements for Microsoft products we put on the lock screen.

Me: Yes

Microsoft: And you've disabled the weather widget in the start bar.

Me: Yes.

Microsoft: So you don't want notices on the start screen OR weather.

Me: Correct

Microsoft: Well good news this is start screen AND weather. You never said you didn't want them TOGETHER.

Me: Can I disable it

Microsoft: Sure, if you can solve this Rubik's cube

6
3
0
[RSS] Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)

https://www.assetnote.io/resources/research/nginx-apache-path-confusion-to-auth-bypass-in-pan-os

Full analysis
0
2
3
Congrats to the IOActive marketing team for moving their blog to a platform with no RSS :P
0
1
5
[RSS] The Key to COMpromise - Downloading a SYSTEM shell, Part 3

https://neodyme.io/en/blog/com_hijacking_3/
0
0
1
repeated

I don't understand how Windows 10 is discontinued yet Microsoft still finds ways to add new types of advertisements to it

6
2
0
@cR0w @silverwizard PR has to show their worth, I'm pretty sure this wasn't composed by the offensive team
0
0
2
@silverwizard @cR0w To be fair, they could've pushed a silent patch...
0
0
2
@schrotthaufen That would mean there is an unrelated problem in the signing process that would deserve a separate CVE/advisory.
1
0
0