"I'm interested in all kinds of astronomy."

I had missed this discussion about

[RFC] Add a prctl to disable ".." traversal in path resolution

https://lore.kernel.org/linux-fsdevel/20241211142929.247692-1-mjg59@srcf.ucam.org/T/#u

Edited 13 days ago
I combined DEVCORE's CVE-2024-35250 with the CVE-2024-30084 double fetch bug and the Cloud Filter memory trap technique by @tiraniddo to achieve reliable LPE without device requirements on Win10 VMs.

https://scrapco.de/blog/its-a-trap-reliable-exploitation-of-cve-2024-30084.html
mutual aid request

I've been bedridden for nine months, and I'm only now getting a surgeon lined up to fix this.
If you could send a couple dollars, it'd really help. Time isn't on my side here, and waiting is very expensive.

https://ko-fi.com/fooneturing

Edited 18 days ago

checking whether the C compiler works... no

Understandable, have a nice weekend


The Register wrote a story about a single maintainer open source project, I think it's shameful and upsetting. So I wrote a blog post about it

An absolutely ridiculous amount of open source is one person projects. I have the data to prove it

https://opensourcesecurity.io/2025/08-oss-one-person/


Cisco Talos just disclosed vulnerabilities in Libbiosig, Tenda routers, SAIL image library, PDF-XChange, and Foxit Reader — all now patched by vendors: https://blog.talosintelligence.com/libbiosig-tenda-sail-pdf-xchange-foxit-vulnerabilities/


This page intentionally left blank

re: Mention of suicide
@schrotthaufen Most likely. It's the first time I saw the actual crap it produced (in the published court docs) and I'm outraged.
"Our safeguards work **more reliably** in **common**, **short** exchanges. We have learned over time that these safeguards can **sometimes** be **less reliable** in **long** interactions: as the back-and-forth grows, **parts** of the model’s safety training **may** degrade."
Look at the rate of weasel wording in OpenAI's not-really-apology:

https://openai.com/index/helping-people-when-they-need-it-most/

I'm sick and tired of people pretending they have ways to enforce LLM behavior, while all they do is weigh dice differently - they remain dice.

Trying to enforce security boundaries with a PRNG is one thing, but you definitely can't prevent reinforcing harmful behavior, because you can't even define what it is.

And this can cost lives, as we just witnessed.
Edited 14 days ago

The CEO of OpenAI should be tried for accessory to murder -- OpenAI responds to ChatGPT helping a teen commit suicide

What a load of goddamned CRAP:

https://openai.com/index/helping-people-when-they-need-it-most/


🇪🇺 Brussels speaks clearly. @EU_Commission confirmed to us: The is non-negotiable, not even as part of trade talks with Donald Trump.

💪 We welcome the EC’s reaffirmation of its commitment to neutral, robust, and evidence-based enforcement of the . But we call on the Commissioners to strengthen enforcement and make sure gatekeepers cannot get away with circumventing the law.

👉 Read the Commission’s reply: https://edri.org/wp-content/uploads/2025/08/European-Commission-response-on-US-influence-in-DMA-enforcement.pdf


@davidgerard We have a client with a working/useful computer vision product... and the word AI doesn't appear on their website because they presumably don't want to seem like grifters

Everything is backwards


"Will WebClient Start"

This awesome blog post by Steven Flores, with SpecterOps, tries to answer a question I had too: "Is it possible to start the WebClient service remotely as a low-priv user?"

Very interesting read. The article walks you through the entire thought process and tackles various Windows internals. And even if the result may seem underwhelming, it lays the ground for others to try and take on this challenge. 😉

👉 https://specterops.io/blog/2025/08/19/will-webclient-start/


SMAP is coming to Windows

[RSS] The One Where We Just Steal The Vulnerabilities (CrushFTP CVE-2025-54309) - watchTowr Labs

https://labs.watchtowr.com/the-one-where-we-just-steal-the-vulnerabilities-crushftp-cve-2025-54309