In case anyone here has connections with the Python team: can you please tell them to update their docs on XML security? The way it is is quite misleading, and it's been annoying me for a while. I raised this a while ago in their issue tracker, but it got no reaction whatsoever. https://github.com/python/cpython/issues/127502 🧵
PHP just turned 30! 🎉 Did you create guestbooks for your website like the early users of the language? 📜 Do you remember technologies like PHP-Nuke, phpBB, or browsing vBulletin forums? 💻
The slides for @offensive_con talk "Hunting for overlooked cookies in Windows 11 KTM and baking exploits for them" by @saidelike and me are here:
https://docs.google.com/presentation/d/1M_ziQt6rZA01ghsv0qo7lhqyOLIZYNnV-qjHWun6A1g/edit?usp=sharing
another day, another binary file format with a badly designed magic number
not gonna call it out specifically but here are some RFC2113 MUSTs for magic number design:
MUST be the very first N bytes in the file
MUST be at least four bytes long, eight is better
MUST include at least one byte with the high bit set
MUST include a byte sequence that is invalid UTF-8
SHOULD include a zero byte, but you can usually get away with having that be part of the overall version number that immediately follows the magic number (did I mention that you really SHOULD put an overall version number right after the magic number, unless you know and have documented exactly why it's not necessary, e.g. PNG?)
good examples:
bad examples:
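A small checker for the rules listed in the post above, as an added example that is not part of the original post: it reports which MUSTs/SHOULDs a candidate magic number fails and shows the "first N bytes only" sniffing rule. The ASCII-only and rule-compliant magics are constructed here; only PNG's signature is a real one.

```python
from __future__ import annotations

MIN_LEN = 4        # post: "MUST be at least four bytes long"
BETTER_LEN = 8     # post: "eight is better"


def is_valid_utf8(data: bytes) -> bool:
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def audit_magic(magic: bytes) -> list[str]:
    """Return the post's rules that `magic` fails (empty list = passes all)."""
    problems = []
    if len(magic) < MIN_LEN:
        problems.append("MUST be at least four bytes long")
    elif len(magic) < BETTER_LEN:
        problems.append("eight bytes is better")
    if not any(b & 0x80 for b in magic):
        problems.append("MUST include a byte with the high bit set")
    # An ASCII-only magic is also a valid UTF-8 text prefix, so a content
    # sniffer can mistake the file for plain text (and vice versa).
    if is_valid_utf8(magic):
        problems.append("MUST include a byte sequence that is invalid UTF-8")
    if b"\x00" not in magic:
        problems.append("SHOULD include a zero byte")
    return problems


def sniff(data: bytes, magic: bytes) -> bool:
    """Rule: the magic MUST be the very first N bytes, so only look there;
    never scan further into the file for it."""
    return len(data) >= len(magic) and data[: len(magic)] == magic


# Sample inputs: PNG's real 8-byte signature; a hypothetical ASCII-only
# magic of the kind the post warns about; a constructed magic that follows
# every rule (8 bytes, high bit set, invalid UTF-8, contains a zero byte).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ASCII_MAGIC = b"MYFMT"                    # hypothetical, ASCII only
GOOD_MAGIC = b"\xff\x00MYF\xfe\x01\x00"   # constructed

if __name__ == "__main__":
    for name, m in [("PNG", PNG_MAGIC), ("ASCII", ASCII_MAGIC), ("GOOD", GOOD_MAGIC)]:
        print(name, m, audit_magic(m) or "ok")
    print(sniff(PNG_MAGIC + b"\x00\x00\x00\rIHDR", PNG_MAGIC))
```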
End of an era: our CVSweb service turned 21 today, and was promptly retired. Our anoncvs was similarly shut down at the age of 21 two years ago, quietly.
Just launched Code Auditor CTF — https://auditor.codes
A web platform to practice finding real-world C/C++ vulnerabilities
• 8000+ challenges
• Progress tracking + leaderboard
• Beginner-friendly
• Fully open source (beta): https://github.com/20urc3/auditor.codes
Alan Turing died by suicide on 7 June 1954. Turing was convicted of gross indecency in 1952 and given a choice between imprisonment and probation. His probation would be conditional on his agreement to undergo hormonal physical changes designed to reduce his libido. Turing's conviction led to the removal of his security clearance and barred him from continuing with his consultancy for GCHQ. He was denied entry into the United States after his conviction.
Standing by the printer holding a hammer just to make sure it does what it's told
Besides watermelon, there should be windmelon, firemelon and earthmelon - the four elemelons.
@matildalove @soatok
ISO: "We created global standards for everyone to follow"
Everyone: "Can we see them?"
ISO: "No"
The Tiny Awards are back, and so am I! After a year off, I'll be a judge helping to decide "the best of the small, poetic, creative, handmade web" made in the last 12 months. Nominations open until the end of June, submit anything you love! https://tinyawards.net/
So, my technical report on fuzzing CPython with fusil is almost done.
I'd really appreciate some help categorizing the found issues by relevance/severity/importance or any other name for impact.
Do you have the chops to help with that? And do you have time and interest? Please get in touch if so! And please boost if you can :)
A plot, some tables, links to the report and some discussion are available in this thread:
https://discuss.python.org/t/feedback-on-the-recent-fusil-fuzzing-campaign-of-cpython/91737
We sponsored and printed out copies of @PagedOut #6 for SecurityFest and as I’m reading through it I’m not even mad about the messed up font, I just miss good old paper fanzines. PDFs are great but just don’t soothe my old soul the same way.
Project: microsoft/typescript https://github.com/microsoft/typescript
File: src/compiler/program.ts:3242 https://github.com/microsoft/typescript/blob/81c951894e93bdc37c6916f18adcd80de76679bc/src/compiler/program.ts#L3242
function checkModifiers(modifiers: NodeArray<ModifierLike>, isConstValid: boolean)
SVG:
dark https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fmicrosoft%2Ftypescript%2Fblob%2F81c951894e93bdc37c6916f18adcd80de76679bc%2Fsrc%2Fcompiler%2Fprogram.ts%23L3242&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fmicrosoft%2Ftypescript%2Fblob%2F81c951894e93bdc37c6916f18adcd80de76679bc%2Fsrc%2Fcompiler%2Fprogram.ts%23L3242&colors=light
USMC AH-1Z Viper working the pattern at Pt. Mugu, July 2024 #USMC #choppa #rotor #Mugu #AH1Z #aviationphotography #planespotting #AvGeek #spotter #photography #Nikon #aircraft #nikonphotography