"I'm interested in all kinds of astronomy."

CALL FOR PAPERS PERIODIC REMINDER

You have an offensive, defensive, audit research or dev mixing Security and FLOSS or open protocol/format?

Go ahead and submit your proposal!

👉 https://cfp.pass-the-salt.org/pts2025/cfp

A question, doubt? Our support team is listening to you: speaker-support@pass-the-salt.org

📅 The deadline is March 30, 2025!
D-40

Boost REALLY appreciated 🙏


Reminder for those using the iOS Patreon app to support their creators: Apple is now taking a 30% cut for new donations through the app, plus whatever Patreon takes. Consider alternate donation methods (including direct to the Patreon website rather than the Apple mobile app).

I’ve found, btw, that ko-fi has the best deal for creators - for a $72 annual fee, they do not take any cut of donations.


Open Source Security mailing list

libxml2 vulnerabilities https://www.openwall.com/lists/oss-security/2025/02/18/2
Fixed in 2.12.10, 2.13.6 and upcoming 2.14.0.
CVE-2024-56171: Use-after-free in xmlSchemaIDCFillNodeTables
CVE-2025-24928: Stack-buffer-overflow in xmlSnprintfElements
Null-deref in xmlPatMatch


Breaking: Apple pulls end-to-end encrypted storage option from UK after secret order for a back door. https://www.washingtonpost.com/technology/2025/02/21/apple-yanks-encrypted-storage-uk-instead-allowing-backdoor-access/


@Toasterson Seems someone has never seen German C-PASCAL?

So, the story goes back to @q3k and my old reverse engineering project, where we created a keygen for Toshiba Portégé BIOS password backdoor [1]. At one point, q3k was tasked with dumping the Embedded Controller firmware, but he fucked up and mistakenly desoldered a wrong chip, which we then started analyzing thinking it was the EC. It was TLCS-870/C1 (??) and we weren't able to find a disassembler for it, but... there was an open-source assembler! [2]

Written in German C-PASCAL 😬
All thanks to a totally normal #include "pascstyle.h" at the beginning.

[1] https://youtu.be/JyuVFa2X7AU
[2] http://john.ccac.rwth-aachen.de:8000/as/


Microsoft is paywalling features in Notepad and Paint

There’s some bad news for Windows users who want to use all of the built-in features of the operating system and its integrated apps. Going forward, Microsoft is restricting features in two iconic apps, which you’ll need to unlock with a paid subscription.

The two apps in question? Notepad and Paint. [...]

Windows Insiders

https://www.osnews.com/story/141773/microsoft-is-paywalling-features-in-notepad-and-paint/


📢Call for beta testers!📢
The beta for "Fuzzing 1001: Introductory Fuzzing" will start ~ March 7th. It will take ~6 hours to complete. If you're interested in participating, please sign up below.
https://forms.gle/fxCM9Y1CprUJgQi59


Lesser known tricks, quirks and features of

https://jorenar.com/blog/less-known-c


CP/M-86 for Newbies is a starter kit for CP/M-86 with everything ready to unpack and run. It bundles the PCe PC emulator (Windows only), preconfigured PCe environments for running different CP/M-86 versions including Concurrent CP/M-86 and Concurrent DOS, and other software such as the Pirx Commander file manager.

https://github.com/MarekStarobrat/Pirx.Commander/tree/main/Releases/CPM-86


Our latest issue of ThinkstScapes is now available for download.

For this issue (covering the last quarter of 2024) we tracked over 1400 talks and scoured content from almost 1100 blog posts.

As always, PDF, ePUB and an audio summary are available free (with no reg-wall) at https://thinkst.com/ts


We've issued our first short-lived (6 day) certificate! https://letsencrypt.org/2025/02/20/first-short-lived-cert-issued/


Lorenzo Franceschi-Bicchierai

Updates on Paragon scandal in Italy via Guardian:

-Journalist union filed criminal complaint due to Meloni's government not answering Qs.

  • President of 🇮🇹 parliament invoked rule to not respond Qs claiming all unclassified info has been made public.

-Italy's foreign intelligence agency AISE confirmed it is a customer of Paragon in Parliament, and that the contract is suspended.

Still lots of unanswered questions.

https://www.theguardian.com/world/2025/feb/19/journalists-launch-legal-action-against-italian-government-over-spyware-claims


thanks "security researchers" !

https://github.com/curl/curl.dev/pull/6


After what feels like a century of delays.. Apple's new C1 baseband aka 'Sinope' aka 'INITIUM' etc. looks pretty interesting; PAC, ASLR & repurposed iBoot on the bb with some very familiar Synopsys licensed IP blocks + EM4 ARCv2 cores ;) good luck doing exdev on this platform lol


Obsidian is now free for work.

Starting today, the Commercial license is optional. Anyone can use Obsidian for work, for free. Explore the organizations that support Obsidian on our site.

https://obsidian.md/blog/free-for-work/


New Parallels "victim"-assisted LPE 0day dropped due to ZDI not playing well with the reporter:
https://jhftss.github.io/Parallels-0-day/

I've confirmed that it works fine on Intel. Though ARM may require some retooling (if it's vulnerable)


ICYMI: I am now selling print books directly from my store. Buy print, get the ebook free.

Only Run Your Own Mail Server and Dear Abyss right now, but it's a start!

https://mwl.io/archives/23992
