"I'm interested in all kinds of astronomy."
[RSS] Windows Internals: Secure Calls - The Bridge Between NT and SK

https://connormcgarr.github.io/secure-calls-and-skbridge/
@VulpineAmethyst @h0ng10 @micahflee This is a totally different question (even assuming the server is not intentionally lying...), please don't go down this rabbit hole (I've been there a bunch of times and it doesn't lead anywhere).
@h0ng10 @micahflee This is a fairly common mistake too and causes a lot of bullshit work for security teams. A banner string (*especially* in case of Apache HTTPd) doesn't mean anything, so unless you can demonstrate the presence of a vulnerability this is nothing (aka PoC||GTFO).

(edited) In addition the cited CVE-2024-38476 requires a *malicious backend* to be exploitable:

https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-en/

Imagine that the first-ever commercial transistor computer fell into your laps (figuratively!). What would you do with it? Is it even practical to use?

Now you can answer these and many other questions, because I made a thing~

"My first transistorised computer: A Crash Course" is a short user manual for the simulator and the autocode/assembler of a computer highly inspired and mostly compatible with Metrovick 950, the first-ever commercially available transistor computer from 1956.

https://git.sr.ht/~nkali/mv950toy/tree/main/item/docs/crash_course.md


Also, the Trend Micro story about a billion Google accounts being breached is also bullshit - the story is written using GenAI. That one also went global.

We've reached the point where vendors are just throwing shit at customers and journalists are just single source running it, nothing matters basically.


As a follow up, The Register did the actual journalism on this and yes - the generative AI ransomware story which went worldwide was bullshit. https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/

The CVE-2025-7775 generative AI exploit story also worldwide right now is also bullshit, I don't have the energy to explain why (hint: several of the Netscaler versions shown in the CheckPoint write up aren't even vulnerable).


Keep an eye on my Medium blog posts. Will be doing more of these crash dump analysis and other troubleshooting related stuff.
https://bird.makeup/users/debugprivilege/statuses/1963541699247943917


If you've ever spent time around Wikipedians, you've doubtless heard its motto: "Wikipedia only works in practice. In theory, it's a mess." It's a delicious line, which is why I stole it for my 2017 novel *Walkaway*.

--

If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2025/09/05/be-the-first-person/#to-not-do-something-that-no-one-else-has-ever-thought-of-not-doing-before

1/


This long read in The Verge does a remarkable job of describing how Wikipedia's editing community works, the project's strengths and weaknesses, and the threats it faces.

https://www.theverge.com/cs/features/717322/wikipedia-attacks-neutrality-history-jimmy-wales

"In a time of misinformation, in a time of suppression, having this place where people can come and bring knowledge and share knowledge, that is a statement."

@gsuberland if this isn't the science result of the week I don't know what is!

Graham Sutherland 🎃 Polynomial

yesterday's weird discovery is that every regular sized carrot I have tested is almost exactly 100kΩ end to end with sharp probes stuck in it. a couple of them come out at 100.0k on the dot.

inb4 NIST carrot-based electrical resistance metrology reference


when I saw the @weirdunits post yesterday about carrots per ohm I spent about 30 seconds trying to decide whether or not to actually go measure a carrot for a laugh, and I'm glad I did because the results were actually way more interesting than I expected. so there's a lesson. always go do the silly thing.

https://chaos.social/@gsuberland/115149719242982295

@FritzAdalis @Sempf ok we'll just need 4 more quantum computers
@IngloGamesDev I just had a non-programmer friend telling me how he vibe coded a neat tool for himself and I wondered how ppl like him fit this picture.

Then I remembered an old saying about the difference between programming vs software dev is that the latter involves people and time (I'd appreciate if someone could point me to the original). So I guess there are many hidden, personal projects from ppl who don't even know GitHub exists.

Do I think this is worth the cost? No. But it's still a pretty remarkable thing!
I just realized that I have an order of magnitude more bookmarks tagged with "llm" than "llmnr".

(Not having to deal with LLMNR is a good thing!)

This is a fascinating article about AI-based productivity claims, with a ton of data to back up his claims. Definitely worth a read regardless of your stance on AI.

https://mikelovesrobots.substack.com/p/wheres-the-shovelware-why-ai-coding


It's time to take a sneak peek at the new Dynamic Xref Graph and Xref Tree. With these, you can now see function relationships and data flows more clearly, simplifying the task of mapping code paths in complex binaries.

https://hex-rays.com/blog/mapping-relationships-in-ida-9.2-dynamic-xref-graph-and-xref-tree


When the only tool you have is an LLM …
everything looks like a linguistic pattern problem…

Seems like people are jumping to LLMs to solve any task now, when simple ML models or linear regression just do the job at a fraction of the power cost and better precision.


PHRACK Ambassador @dugsong hand delivered a signed hardcopy and PHRACK-COIN to umich.edu Prof Peter Honeyman for his awesome article 🤟

https://phrack.org/issues/72/14_md#article

In 1983, Peter (+2 others) wrote a significant revision of UUCP (Unix2Unix Copy), part of System V Unix.
