"I'm interested in all kinds of astronomy."

🚨 New advisory was just published! 🚨

A critical Remote Code Execution (RCE) vulnerability has been discovered in Calix. This vulnerability arises due to improper sanitation of user input in a CWMP (CPE WAN Management Protocol) service. Exploiting this flaw allows an attacker to execute arbitrary system commands with root privileges, leading to full system compromise: https://ssd-disclosure.com/ssd-advisory-calix-pre-auth-rce/


I just published a post on my blog about the IBM i 7.6 announcement - enjoy!

https://www.ibmi4ever.com/posts/20250409-ibmi-76-has-been-announced/


Static Analysis via Lifted PHP (Zend) Bytecode | Eptalights https://eptalights.com/blog/04-php-support

[RSS] One Bug Wasn't Enough: Escalating Twice Through SAP's Setuid Landscape

https://www.anvilsecure.com/blog/one-bug-wasnt-enough-escalating-twice-through-saps-setuid-landscape.html

Our new Testing Handbook section on snapshot fuzzing helps security engineers test software that's traditionally difficult to analyze, such as kernel components and antivirus, where a single crash can take down the entire system.

Snapshot fuzzing captures memory and register states at critical execution points, allowing security engineers to:

- Test thousands of code paths without time-consuming system restarts
- Ensure fully deterministic testing where the same input always produces the same result
- Eliminate unreproducible crashes by starting each test from identical states
- Easily track code coverage and detect failures in emulated environments

In this section, we provide step-by-step instructions for building custom harnesses, fuzz campaigns, and more using What the Fuzz (wtf), an open-source snapshot-based fuzzer.

https://blog.trailofbits.com/2025/04/09/introducing-a-new-section-on-snapshot-fuzzing-for-kernel-level-testing-in-the-testing-handbook/


New blog post: With Carrots & Sticks - Can the browser handle web security? https://frederikbraun.de/madweb-keynote-2025.html - This is the blog version of my keynote from MADWeb 2025 earlier this year. It's about how web security could become the browser's responsibility.

[RSS] CVE-2025-27590 - Oxidized Web: Local File Overwrite to Remote Code Execution

https://www.netspi.com/blog/technical-blog/web-application-pentesting/cve-2025-27590-oxidized-web-rce/

OK, I stand corrected. There are European CNAs that you can report to which accept "not in another CNA’s scope"-vulnerabilities.

I was fooled (multiple times!) by this page in the past: https://www.cve.org/ReportRequest/ReportRequestForNonCNAs
It first tells you to "find the CNA partner whose scope includes the product affected by the vulnerability".
It does not really tell you that there are CNAs that accept everything that is not explicitly in scope by any other CNA.
If you fail to find a CNA due to that, there are two links to the CNA-LRs that should "direct you to the appropriate CNA". But those links are the CVE request forms of the CNA-LRs, they don't direct you anywhere.

The more you know!


✧✦Catherine✦✧

okay. if you ever want to get the previous version of a file that Windows Update has updated, do i have a utility for you https://github.com/whitequark/ApplyDeltaB


We've open-sourced another core Binary Ninja feature: SCC. If you're not familiar with it, the Shellcode Compiler has been built-in to BN from the beginning, allowing you to build small PIE shellcode in a variety of architectures right from the UI: https://scc.binary.ninja/ (Source: https://github.com/Vector35/scc)


Seriously, this HAS to be insider trading.

Come on! First you announce tariffs, every stock tanks, you play the hard to get dude and proclaim with a swollen chest that there will be no delays, everything tanks even more.

And now you delay everything by 90 days? In the meantime your buddies bought everything at a low and now the stock recovers.

Come the fuck on!


pleased to hear the penguins have won the trade bargains


Lorenzo Franceschi-Bicchierai

Edited 19 days ago

NEW: A recently published court document shows the locations of WhatsApp victims targeted with NSO Group's spyware.

The document lists 1,223 victims in 51 countries, including Mexico, India, Morocco, United Kingdom, United States, Spain, Hungary, Netherlands, etc.

This targeting was over a span of around two months in 2019, according to WhatsApp's lawsuit against NSO Group.

http://techcrunch.com/2025/04/09/court-document-reveals-locations-of-whatsapp-victims-targeted-by-nso-spyware/


Just saw it mentioned on LWN, handy site for checking which distros enable a certain config option: https://oracle.github.io/kconfigs/?config=UTS_RELEASE&... Just replace UTS_RELEASE with whatever config option name minus CONFIG_, for example: https://oracle.github.io/kconfigs/?config=CFI_CLANG&...


Splitting water into hydrogen and oxygen takes more energy than it theoretically should, which is partly why it's not used on a large scale to generate hydrogen fuel.

Now scientists know why – and it's all down to a feat of nanoscale gymnastics.

https://physicsworld.com/a/splitting-water-takes-more-energy-than-theory-predicts-and-now-scientists-know-why/

@wdormann "defenders think in lists, attackers think in graphs" vibes

So, what happened with that whole crowdstrike debacle? Did companies like Delta get a huge payout or discount?


🔴 Our @reconmtl talk of last year has been published!

"Path of rev.ng-ance: from raw bytes to CodeQL on decompiled code"

Check it out: https://www.youtube.com/watch?v=0lrhCV14nVE
