Not sure why Google's kCTF isn't more widely known (other than by all the researchers making money from it). 44 unique successful exploits in a year against Linux kernels even running Google's out-of-tree "hardening" is a big story I'd say...

@aparrish Every single time I hear the sentiment "like it or not, ______ is here to stay", I like to take a moment to reflect on the overwhelming majority of "things we were told would be permanent" that now, *shockingly*, no longer exist.😮🫢🤗🙄

@caspicat @ryanc No, the other way around: the proxy would generate a token based on a secret, so the value passed back to the app server can't be forged by the attacker.

But again: this would be in all likelihood a **BAD SOLUTION** because authn decision still would be made by a component that has incomplete information about exactly what should be authn'd and how! If you think about previous examples the rev proxy would generate a valid JWT just as it generated a True value because it interpreted the URL's differently than the app server.

CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv()

https://seclists.org/oss-sec/2025/q1/127

POV: kernel-level anti-cheat /s

https://infosec.exchange/@lorenzofb/113997653014436378

Accelerating The Adoption of Post-Quantum Cryptography with PHP

https://paragonie.com/blog/2025/02/accelerating-adoption-post-quantum-cryptography

#PHP #crypto #cryptography #HPKE #KEMs #MLKEM #MLDSA #SLHDSA #postquantum #programming #webdev #MLS #rfc9180 #rfc9420

New court documents shed light on what a 25-year-old DOGE worker named Marko Elez did inside Treasury payment systems, including which systems he accessed, security measures Treasury IT staff took to limit his access and activity, and whether he really did have the ability to change source code on production systems as previously reported. The new documents, signed affidavits filed in court by career executives at the Treasury department not political appointees, suggest that the situation inside the Treasury department is more nuanced than previously reported. Here's my story. If you find the piece valuable, please consider becoming a paid subscriber to my Zero Day publication, which is reader supported. https://www.zetter-zeroday.com/court-documents-shed-new-light-on-doge-access-and-activity-at-treasury-department/

CVE-2024-12356 was patched in December 2024, and the patch successfully neutralized what we believe to be the original exploit chain (including CVE-2025-1094). So neither CVE-2024-12356 nor CVE-2025-1094 was exploitable in BeyondTrust RS post-patch.

The BeyondTrust patch for CVE-2024-12356 did not address the root cause of CVE-2025-1094 in PostgreSQL psql, however — so CVE-2025-1094 remained a zero-day vulnerability until it was reported to the PostgreSQL dev group and remediated in today's release. https://www.postgresql.org/support/security/CVE-2025-1094/

New #Rapid7 vuln disclosure c/o
@stephenfewer: CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting — 🧵on its relation to BeyondTrust exploitation https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/

@ryanc X-Trust-Me-Bro: {"alg":"nOnE"...} vulns would be pretty funny actually :) let's hope we'll never get there though...

@revng Would you consider uploading to the video.infosec.exchange PeerTube instance too?

We just opened our YouTube channel! 📹

First video is out: An introduction to LLVM IR 🐲
Check it out: https://www.youtube.com/watch?v=CDKuH7SIgdM
Let us know what you think 🙃

@ryanc I was actually thinking whether some (not so) fancy crypto could be used to pass some instead of a bool that the attacker can't forge, then realized reverse proxy configs are not exactly designed to implement such transformations in the first place :)

Nonetheless, this is an illustrative example that unless we point to some robust solution ppl *will* come up with complex but insecure solutions (see also Schneier's Law).

bring back forums

you aren't supposed to have a single identity online

communities shouldn't demand you let a vc-funded company have your mobile phone number

you don't have to pay $100/yr [or whatever it is] for features that every forum had for years, or if it didn't it's for a reason

your group of friends or multiple-thousand-people community won't disappear because of the failure of the aforementioned vc-funded company

even if the group dissolves you will still be able to find the useful tips you used to share

@krypt3ia @Viss They already are, controlling us from the shadows

The more I move to a thin-client model with my workstation (with projects/services moving to VM's) the more I see my dark future as an Emacs user.

TRAMP mode is pretty cool :/

@joxean I bet >10% of tourists have the exact same reasoning.

@touloutoumou You're doing God's work!

As a reminder, I'm uploading hundreds (yes) of Flash games unavailable until now to the internet archive:

https://archive.org/details/@touloutoumou

Analysis of a Flaw in Microsoft's Patch for "copy2pwn" (CVE-2024-38213)
https://blog.0patch.com/2025/02/analysis-of-flaw-in-microsofts-patch.html