Everyone who is able to come back to #WHY2025, we are short-staffed on teardown volunteers, so *please* show up to help, either today (during daylight) or tomorrow. Given the shortage, even if this toot was a couple of hours ago by the time you read it, it will probably still be necessary, so please show up!

20 years in between these Phrack releases 😊 Got the small one at WTH2005 and the larger one at #why2025 😄

If someone wants to commit to buying the answer, locking it in a safe deposit box and throwing away the key, I'll throw $50 at the effort.

https://www.washingtonpost.com/entertainment/art/2025/08/14/kryptos-code-k4-solution-jim-sanborn-auction/

The plaintext of Kryptos, the mysterious statue at the heart of CIA headquarters, is for up for sale to the highest bidder. Here's my story: https://www.nytimes.com/2025/08/14/science/kryptos-sculpture-cia-solution-auction.html?unlocked_article_code=1.eE8.m90H.Onsi2at1i2_U&smid=url-share

How The Widget Revolutionized Canned Beer

https://hackaday.com/2025/08/14/how-the-widget-revolutionized-canned-beer/

Our Windows CTF is coming to Nullcon in Berlin, Sept 4-5 🎯 https://github.com/eshard/TTA-CTF

Play for a chance to win a Binary Ninja license or a Flipper Zero.

#CTF #FlipperZero #windows #reverseengineering

There is a new short domain name for #PuTTY!

https://putty.software/

At present, this is just a "landing page": a nice short name to remember, which will redirect you to the full PuTTY website at the same longer URL where it's always been.

But unlike putty.org or other third-party landing pages, this one is run by us, the actual PuTTY team, and it doesn't have a weird separate agenda of its own.

I intend to move the main PuTTY site over to that domain in the future, and leave just a redirector at the old location. But first I want to get the word out, so that people know which site to trust.

If anyone is still linking to putty.org, here's a place to link to instead. Please spread the word!

“Head, shoulders, knees and toes.”

Went from being a fun little kids song to a list of things that hurt.

In case I know anyone here who's familiar with the finer details of DNS and particularly DNS amplification attacks and their mitigations, I have some questions.

Somehow landed on the NetBSD manpage of sleep(1) and they seem to have a rather unique take on what is considered a bug.

#netbsd

🚨Alleged Sale of Fortinet 0-Day RCE Exploit

• Industry: N/A
• Threat Actor: WISDOM
• Network: Clearnet, Dark Web
• Price: 0.5 BTC

• Details: A threat actor claims to be selling a 0-day remote code execution (RCE) exploit affecting FortiOS VPN versions 7.4 to 7.6. The listing includes a proof of concept (PoC) available to serious buyers with deposit or established reputation.

I edited my Cross-Site Request Forgery countermeasures research into a stand-alone article, including recommendations reusable by other projects.

tl;dr: no need for tokens or keys, modern browsers tell you if a request is cross-origin!

https://words.filippo.io/csrf?source=Mastodon

"Orion Browser for Linux Gets Exciting Progress Update" 👇

https://www.omgubuntu.co.uk/2025/08/orion-browser-linux-milestone-2-webkit-alternative-chromium

#Kagi #Orion #Browser #Linux

WTAF????? https://www.bleepingcomputer.com/news/microsoft/microsoft-asks-users-to-ignore-certificate-enrollment-errors/

Here's the full writeup of CVE-2025-53773 - Visual Studio & Copilot – Wormable Command Execution via Prompt Injection: https://www.persistent-security.net/post/part-iii-vscode-copilot-wormable-command-execution-via-prompt-injection

Patch now!