"I'm interested in all kinds of astronomy."
@greg @G33KatWork if-let is a prime example of how Clever often beats Readable in Rust Land IMO

(I just wrestled with some code that I swear to God was optimized for the minimal number of semicolons...)

🎯 THIS SATURDAY: DFIR Labs CTF 🎯
⏰ June 7 | 1630–2030 UTC
🔗 Register Now → https://dfirlabs.thedfirreport.com/ctf

🚀 DFIR Labs CTF is back!
💥 Only $9.99 to join
💥 Choose Elastic or Splunk
💥 Access a brand-new, unreleased case
💥 Top 5 get invited to join The DFIR Report team!

📣 Hear from past participants:
⭐ “Real case makes it different!”
🚀 “Great hands-on learning experience”
💯 “Excellent CTF, super responsive and realistic”

Don’t miss your chance to level up with real-world incident response challenges.


Both and used obfuscation techniques to hide that the traffic occurred and/or that the apps were listening to these requests:

➡️ Meta traffic was using , which does not show up in the browser's developer tools
➡️ Yandex traffic looked non-local
➡️ Yandex apps started listening only after several days

BTW: Apparently, Meta stopped doing this yesterday. But they probably still have the mapping DB.
All the details by the researchers here.
https://localmess.github.io/

"Paprika Csapat" (Team Paprika) ransomed the Hungarian Ministry of Home Affairs (education doesn't deserve a dedicated ministry around here) after dumped a database related to high school final exams (article in HU):

https://telex.hu/techtud/2025/06/03/hekkertamadas-paprika-csoport-erettsegi-adatbazis-masolas-oktatasi-hivatal

Wonder if perpetrators are in fact Hungarian (as the name suggests), or just using some LLM translator?

Every project should have a "cursed"-page like that: 😆

"Cursed knowledge we have learned as a result of building that we wish we never knew."
https://immich.app/cursed-knowledge/

🤓


https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html

Some cool things to note though: (1) the bug was mitigated via finch kill switch (https://developer.chrome.com/docs/web-platform/chrome-finch) one day after the report from TAG (2) we also fixed the V8 Sandbox bypass within 7 days even though it's not yet considered a security boundary.

And I've also updated our V8 Exploit Tracker sheet now: https://docs.google.com/document/d/1njn2dd5_6PB7oZGTmkmoihYnVcJEgRwEFxhHnGoptLk/edit?usp=sharing (see the 2025 tab) :)


Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.
https://arstechnica.com/security/2025/06/headline-to-come/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social


How to build a high-performance network fuzzer with LibAFL and libdesock https://lolcads.github.io/posts/2025/05/high_performance_network_fuzzing/

Stats: I collected ~2600 bookmarks during ~30 months, archiving all of them takes about 2 GB of disk space (with #Readeck)

If you wanna automatically produce shit code and spend your time babysitting the lying machine then that's a you problem. I'm sure you'll make a consultant who bills out at $150/hour very happy some day. But your character flaws have nothing to do with me so keep that shit to yourself


Honestly I think there's a disconnect between LLM proponents when it comes to code and the rest of us. They see code as a purely mechanical thing, and so ripe for automation. To them claims of artistry and craft are something to roll your eyes at, arrogance from senior engineers who think too highly of themselves

Meanwhile said senior engineers have the decades of experience to know how much of programming relies on artistry and craft, how much of it is fundamentally a creative endeavor


shot, chaser

@jt_rebelo @0xabad1dea Yes, the system works this way fortunately. But talk to Average Joe and ask him who paid for his tax refund.
@0xabad1dea Yet too many Europeans can't tell the difference between the government and the state...
New assessment for topic: CVE-2025-48734

Topic description: "Improper Access Control vulnerability in Apache Commons. ..."

"On May 28 2025, Apache posted an [advisory](https://www.openwall.com/lists/oss-security/2025/05/28/6) to the OSS Security mailing list warning that Apache Commons BeanUtils versions 1.x before 1.11.0 and 2.x before 2.0.0-M2 were vulnerable to insecure access to the Java Classloader via exposed enum properties, namely the `declaredClass` property ..."

Link: https://attackerkb.com/assessments/1d98f952-f6f1-475a-8646-74062d040247