We will not forget

https://truthout.org/articles/us-and-hungary-stand-alone-at-icj-in-favor-of-israels-blockade-on-gaza/

New aardwolf version 0.2.12 is out on Github and pip.
The frame decoder now has less imports and supports pyo3 with abi3 to keep it working on "all" python versions. This has the effect that 3.12 and above is now supported on Windows as well.
https://github.com/skelsec/aardwolf/releases/tag/0.2.12

The full webinar recording is out. 🔴
Watch time travel debugging in action: https://youtu.be/tEzumvwjUzo

#windows #crashanalysis #kernel

- There is no point using single letter identifiers in modern programming languages, make your names descriptive!
- `pe_mofs_to_fofs_ex`

(not sure which meme template would fit this one)

"Use TeleMessage, use Tor"

it's so fucking excruciating to watch everyone slowly get lobotomized by a dumb pile of linear algebra that burns forests to lie

[RSS] What are we on? A survey on substance use among cybersecurity professionals.

https://forms.gle/GdfVJDPnZHVz1jY67

On Google Forms of course /o\

How was it like to attend the exclusive #ZeroDayQuest event? How did a Unix #hacker even qualify in the first place? How can you become one of the #Microsoft MVRs?

Our technical director @raptor answers these and other questions in his latest article:

https://security.humanativaspa.it/my-zero-day-quest-bluehat-podcast

Happy birthday to Wolfenstein 3D, released on this day, 33 years ago on 5th May 1992!

The tech industry is a teenage industry. Rebelling against what it sees as old and uncool while desperately following fads and fashions as it tries to fit in with what everyone else is doing.

If you've ever struggled with trait/typeclass compiler errors, or if you're interested in better user interfaces for compiler diagnostics, check out our upcoming PLDI paper: "An Interactive Debugger for Rust Trait Errors"

Rust famously has good error messages. But we found that with the right interface, people become ~3x faster at identifying the root cause of a trait error. See our blog post, including a live demo in your browser:

https://cel.cs.brown.edu/blog/an-interactive-debugger-for-rust-trait-errors

“I started a spreadsheet, which is what middle-class professionals do when faced with systemic problems — we quantify things, as if converting human suffering into Excel cells might render it more manageable.” Via @gvwilson.

https://www.huffpost.com/entry/utah-school-lunch-debt-relief-free-student-meals_n_681258fbe4b03207b5ba49fa/amp

did you know that GDB includes a bytecode compiler? specifically, it has a private [edit: it's documented] bytecode format used between it and the GDB server, which the latter uses to implement conditional breakpoints with complex expressions and tracepoints

every time it hits a breakpoint/tracepoint it evaluates the bytecode, which has jumps and can read arbitrary target memory, and decides whether it really was hit or not

This thing works by generating fake vulnerability reports. Here are some of the qualities of the HackerOne report 3125832 sent to #curl:
- It looks convincing at a glance, especially if you're not a subject matter expert.
- It's vague about actual repro steps. It makes it impossible for the victim project to reproduce the issue. For example, it makes up fake patches against non-existent, imaginary code.
- It refers to functions and methods that do not exist (in case someone tries to look for them). When confronted, the attacker refer to some old or new versions of components, using non-existent commit hashes.
- The report makes up some convincing functionality or names that are novel, but don't really exist.

An expert’s look at the report shows the number of discrepancies, but finding them takes time and effort. It requires attention from a subject matter expert, with limited resources.

The real exploit here is that the attacker (evilginx) exploits the fact that the victims (the orgs who paid the attacker money) don't have the capacity to perform thorough analysis and rather just pay up. TL;DR: It's cheaper to pay the bug bounty than hire an expert to perform true analysis.

Why didn't it work against the #curl project? The attacker miscalculated badly. Curl project is not a company and has far greater capability in security response than your average org. Also they can smell #aislop miles away.

New post: Full Disclosure: Multiple Rundeck Job Command Injections https://insinuator.net/2025/05/full-disclosure-multiple-rundeck-job-command-injections/

@alecmuffett this makes the existence of EUV technology appear even more miraculous

ICYMI: “Every TWINSCAN EUV ships with ~45 million lines of code […] Bugfixes and features start out as *word documents* sent to a series of review boards…”
https://alecmuffett.com/article/113264
#SecurityByDesign #SoftwareEngineering #bugs

@foone PythonForWindows worked pretty well for me for ALPC based stuff: https://github.com/hakril/PythonForWindows