Would you like to join the #CMS Virtual Visit today? Go to the CMS Youtube Channel at 14:30PM CET and join the LIVE streaming!

https://www.youtube.com/@cmsexperiment

#CERN

Sam Altman’s Studio Ghibli memes are another distraction from OpenAI’s money troubles

https://pivot-to-ai.com/2025/03/27/sam-altmans-studio-ghibli-memes-are-another-distraction-from-openais-money-troubles/ -text
https://www.youtube.com/watch?v=38T84uF771U - video

The IP-law debate around #LLM's reminded me of this old joke:

A cute little girl walks up to the ice cream stand:
- Hello, how much is an empty cone?
- Oh, I can give you that for free - smiles the shop owner
- OK, then I'd like to have 5000 of them!

OpenAI is using Studio Ghibli-style memes as an ad hoc promotional campaign for its new image generator—despite Ghibli founder Hayao Miyazaki's famous hatred of AI. Sam Altman even made his X avatar a 'Ghiblified' portrait.

Disgracing Miyazaki is part of the point: It's more proof to the industry's biggest boosters that they have won—that they're free to use, appropriate, and commoditize art however they see fit.

https://www.bloodinthemachine.com/p/openais-studio-ghibli-meme-factory

The root cause of the Chrome 0-day logical vulnerability CVE-2025-2783, which we discovered used in attacks with sophisticated malware, also affects the Firefox! New CVE-2025-2857 has just been fixed in Firefox 136.0.4 https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/

AppSec Ezine - 580th https://pathonproject.com/zb/?94fef6e1d88cee84#fBDZtrz8GV61O1oJd+9JWBeCO0Kuzyeb3/rheyA/NLA= #AppSec #Security

CVE-2025-27407: Inside the Critical GraphQL-Ruby RCE Vulnerability https://cenobe.com/blog/cve-2025-27407/

[RSS] CrushFTP Authentication Bypass: Indicators of Compromise

https://www.horizon3.ai/attack-research/crushftp-authentication-bypass-indicators-of-compromise/

CVE-2025-2825

[RSS] MindshaRE: Using Binary Ninja API to Detect Potential Use-After-Free Vulnerabilities

https://www.thezdi.com/blog/2025/3/20/mindshare-using-binary-ninja-api-to-detect-potential-use-after-free-vulnerabilities

[RSS] The Evolution of Dirty COW (1)

https://u1f383.github.io/linux/2025/03/27/the-evolution-of-COW-1.html

After its legendary curator passed away a few years ago the reel-to-reel museum reopened in Keszthely:

https://www.youtube.com/watch?v=rySEk-eXFaY

#Hungary

wait3() system call as a side-channel in setuid programs (nvidia-modprobe CVE-2024-0149)

https://seclists.org/oss-sec/2025/q1/254

We have been aware of a bypass for that protection since May last year.

@stf The more I work in security the more I feel like being part of a large scheduling algorithm: we discover some information, associate some risk, then people will end up workin on some specific stuff. If we cause priority inversion, starvation, etc. then we are a bad scheduler.

In this case:
- The original recommendation ("uninstall it!") turned out to be totally unsubstantiated, we can by all means call it misinformation
- Secrecy about details added to the fear and also *actively misdirected efforts* both at level of security teams and at devs/researchers (see the confusion about #330 & people looking at new commits to find backdoors)

Since no significant new attack surface/vector was presented I don't even think the code will get that much of scrutiny as exploitability is pretty low (local with user interaction).

In the end, the cost-benefit analysis looks really bad to me.

Three bypasses of Ubuntu's unprivileged user namespace restrictions

https://www.openwall.com/lists/oss-security/2025/03/27/6

This weeks published vulnerability research is strong enough already, now Qualys enters the party.

Reading the latest BLASTPASS writeup I can only wonder how many engineer hours must have gone into this thing. Incredible stuff!

seems close

My small child BlogFlock (https://blogflock.com) is a social RSS feed reader - share the blogs you follow with friends and strangers!

BlogFlock will always be free to use and never show you ads.

But running a feed aggregator is expensive at scale.

On top of BlogFlock's pretty decent feature set (if I say so myself), what features or service guarantees would convince you to spend $25/year on a social feed reader?

"The designer of a new system must not only be the implementor and the first large-scale user; the designer should also write the first user manual. If I had not participated fully in all these activities, literally hundreds of improvements would never have been made, because I would never have thought of them or perceived why they were important."

-- Donald Knuth, “The Errors of TeX”

looks like the AI + MCP-assisted reverse engineering hype train is gaining steam! 🚂✨

in just the past few days, we've seen:
• @itszn13 integrating MCP into @vector35’s Binary Ninja (https://x.com/itszn13/status/1903227860648886701)
• @jh_pointer casually dropping his IDA MCP project, which I had to nerdsnipe myself into trying (https://github.com/MxIris-Reverse-Engineering/ida-mcp-server, https://x.com/bl4sty/status/1904631424663379973)
• @mrexodia rolling out a clean (judging by a quick code quality check) MCP implementation for IDA (https://github.com/mrexodia/ida-pro-mcp)
• @lauriewired dropping GhidraMCP for @nsagov’s Ghidra (https://github.com/LaurieWired/GhidraMCP)

these tools are early-stage but already hint at the potential for interactive RE software running on (semi) autopilot.

makes me wonder—should we formalize a set of MCP primitives across RE tools and unify them under one overarching framework? 🤔

of course, these aren’t silver bullets. but much like typical LLM usage, in the right hands, they could be powerful time-savers.

curious to see what comes next! might be time for hacking competitions focused on small/constrained binaries to start thinking about countermeasures against AI-assisted cheesing. 👀

https://bird.makeup/@itszn13/1903227860648886701