Napalm Death, Throes Of Joy In The Jaws Of Defeatism (2020).

https://www.youtube.com/playlist?list=OLAK5uy_kWcUQiY1m-s4mdg2Tbu1ZFykF20UkVbG4

#Grindcore #Metal

I published a correction to my slides/blogposts regarding rename(). I have incorrectly stated that rename("./a", "./b") was racy. It is not.
For most situations this is not a huge deal, but I still feel bad that I misled you all, so beers are on me.

https://gergelykalman.com/corrections-regarding-rename.html

Micropatches Released for SCF File NTLM Hash Disclosure Vulnerability (No CVE) https://blog.0patch.com/2025/03/micropatches-released-for-scf-file-ntlm.html

I have too many reasons to worry about this but that’s not really the point. The thing I’m worried about is that, as the only encrypted messenger people seem to *really* trust, Signal is going to end up being a target for too many people.

Signal was designed to be a consumer-grade messaging app. It’s really, really good for that purpose. And obviously “excellent consumer grade” has a lot of intersection with military-grade cryptography just because that’s how the world works. But it is being asked to do a lot!

Right now a single technical organization is being asked to defend (at least) one side in a major regional war, the political communications of the entire US administration, the comms of anyone opposed to them globally, big piles of NGOs, and millions of “ordinary” folks to boot.

(There is no such thing as “ordinary user” cryptography BTW. Those ordinary users include CEOs, military folks, people doing many-million-dollar crypto trades through the app, etc. It’s a lot to put on one app and one non-profit.)

On top of this, it’s only a matter of time until governments (maybe in the US or Europe) start putting pressure on the infrastructure that Signal uses — which is mostly operated by US companies. I’m not sure how this will go down but it’s inevitable.

If you are at the Microsoft MVP Summit this week, and in the Windows Server space, please add your voice for the release of eval ISOs of Windows Server on ARM. We need these for *local* testing, training, and development.

Trigon: developing a deterministic kernel exploit for iOS by @alfiecg_dev

https://alfiecg.uk/2025/03/01/Trigon.html

PRE-RELEASE: I wrote a Linux Binary Runtime Crypter - in BASH 😅. Would love you fine people to TEST it _BEFORE_ release: https://github.com/hackerschoice/bincrypter

The first round of the CFP for Recon Montreal will end this Friday March 28, during that phase we preselect a few talk. The CFP end on April 25. #reverseengineering #cybersecurity #offensivesecurity https://recon.cx/2025/cfp.html

“The real problem with sharing Top Secret data over Signal is not the security of the app, it’s the security of the phone. And mobile phones are not secure against state level threat actor” | @thegrugq is correct, BUT…
https://alecmuffett.com/article/113007
#EndToEndEncryption #signal #trump

Frida 16.7.0 is out w/ brand new APIs for observing the lifecycles of threads and modules, a profiler, multiple samplers for measuring cycles/time/etc., MemoryAccessMonitor providing access to thread ID and registers, and more 🎉 https://frida.re/news/2025/03/13/frida-16-7-0-released/

A code generation tool that gets you 80-90% of the way there is like a boat that gets you 80-90% of the way.

You'll need to be a strong swimmer.

The Practical Limitations of End-to-End Encryption

Internet discussions about end-to-end encryption are plagued by misunderstandings, misinformation, and some people totally missing the point. Of course, people being wrong on the Internet isn't exactly news. XKCD: Duty Calls "What do you want me to do? LEAVE? Then they'll keep being wrong!" Yesterday, a story in The Atlantic alleged that the Trump Administration accidentally added their editor, Jeffrey Goldberg, to a…

http://soatok.blog/2025/03/25/the-practical-limitations-of-end-to-end-encryption/

When Signal was designed, our threat model was protecting the communications of civil society, journalists, just regular citizens ...

The threat model of military operations & sharing your hate of Europeans was not what Signal was designed for. Ephemeral messages and cryptographic deniability are not fit for communications that require accountability.
But I appreciate their effort to make government more efficient by adding journalists to the chat instead of requiring to go through FOIA.

It finally happened - I got phished. Impact is limited to the Mailchimp mailing list for my blog, brief blog post with details here and more to come later: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

When you get invited to the NatSec group chat....

Today, Wiz (Woogle?) released an advisory detailing an attack chain they’ve dubbed IngressNightmare, which, if left exposed and unpatched, can be exploited to achieve remote code execution by unauthenticated attackers. The advisory, covering five separate vulnerabilities, was published after a brief embargo period, once the Kubernetes folks got their patches together.

You can find a brief writeup and search queries for runZero at: https://www.runzero.com/blog/ingress-nightmare/