"I'm interested in all kinds of astronomy."

@Blackhoodie_RE X @hexacon_fr happening again! This time it’s my turn to give back 🥹
Use the registration link below to sign up to 4 days of free training given by Sonia, @naehrdine and myself!

https://forms.gle/CwxFJFTGd6VdffJY7


That NodeJS supply chain hack incident is amazing because the threat actor(tm) got RCE access to like a billion devices and ran the world’s shittiest Ethereum dumper.

Imagine if they had done reverse shells instead, or automated lateral movement to ransomware deployment NotPetya style.

The thing that saved companies here was the threat actor was incompetent crypto boy, nothing more.

[RSS] FFmpeg - Heap-buffer-overflow write in jpeg2000dec

https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg

CVE-2025-9951

All 54 lost clickwheel iPod games have now been preserved for posterity
Finding working copies of the last few titles was an "especially cursed" journey.
https://arstechnica.com/gaming/2025/09/all-54-lost-clickwheel-ipod-games-have-now-been-preserved-for-posterity/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

[RSS] unpacking Dell's iDRAC schtuff

https://trouble.org/?p=1383

Modern programming languages should have logos like this


2nd of tonight's fixes. A 139 year old electrotherapy machine.

Three problems, a brush wasn't contacting the rotor (bent back into shape). The handles were suffering from corrosion (cleaned), and the horseshoe magnet had lost most of its power (see 2nd image).

Works well now... no wonder they were nervous :)


📣 IDA 9.2 is here!

➥ Smarter Go decompilation
➥ New Dynamic Xref Graph & Xref Tree
➥ Debugger & UI upgrades
➥ Expanded processor support (ARM, RISC-V)
➥ And more...

Explore the full release here: https://hex-rays.com/blog/ida-9.2-release

[RSS] Running code in a PAX Credit Card Payment Machine (part1) | Lets Hack It

https://lucasteske.dev/2025/09/running-code-in-pax-machines

[RSS] Windows Internals: Secure Calls - The Bridge Between NT and SK

https://connormcgarr.github.io/secure-calls-and-skbridge/

@VulpineAmethyst @h0ng10 @micahflee This is a totally different question (even assuming the server is not intentionally lying...), please don't go down this rabbit hole (I've been there a bunch of times and it doesn't lead anywhere).

@h0ng10 @micahflee This is a fairly common mistake too and causes a lot of bullshit work for security teams. A banner string (*especially* in case of Apache HTTPd) doesn't mean anything, so unless you can demonstrate the presence of a vulnerability this is nothing (aka PoC||GTFO).

(edited) In addition the cited CVE-2024-38476 requires a *malicious backend* to be exploitable:

https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-en/

Imagine that the first-ever commercial transistor computer fell into your laps (figuratively!). What would you do with it? Is it even practical to use?

Now you can answer these and many other questions, because I made a thing~

"My first transistorised computer: A Crash Course" is a short user manual for the simulator and the autocode/assembler of a computer highly inspired and mostly compatible with Metrovick 950, the first-ever commercially available transistor computer from 1956.

https://git.sr.ht/~nkali/mv950toy/tree/main/item/docs/crash_course.md


Also, the Trend Micro story about a billion Google accounts being breached is also bullshit - the story is written using GenAI. That one also went global.

We've reached the point where vendors are just throwing shit at customers and journalists are just single source running it, nothing matters basically.


As a follow up, The Register did the actual journalism on this and yes - the generative AI ransomware story which went worldwide was bullshit. https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/

The CVE-2025-7775 generative AI exploit story also worldwide right now is also bullshit, I don't have the energy to explain why (hint: several of the Netscaler versions shown in the CheckPoint write up aren't even vulnerable).


Keep an eye on my Medium blog posts. Will be doing more of these crash dump analysis and other troubleshooting related stuff.
https://bird.makeup/users/debugprivilege/statuses/1963541699247943917


If you've ever spent time around Wikipedians, you've doubtless heard its motto: "Wikipedia only works in practice. In theory, it's a mess." It's a delicious line, which is why I stole it for my 2017 novel *Walkaway*.

--

If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2025/09/05/be-the-first-person/#to-not-do-something-that-no-one-else-has-ever-thought-of-not-doing-before

1/
