Help, I need a code signing certificate that won't bankrupt me.
Three years ago, I paid $100 for a three-year code signing certificate. I've signed all my open-source projects' releases with it. Now that it's renewal time, Certera (SignMyCode.com) wants almost $700 for the same three-year certificate (excluding the mandatory HSM purchase, which I am totally on board with).
I write silly C and PowerShell code, and I timestamp my signatures so that they're perpetually valid. My PowerShell Gallery stuff, as well as binaries of aprs-weather-submit on Windows and macOS, are all signed and hashed (but not notarized by Apple, because that's another $99 a year for something that feels done unless Bob Bruninga's followers are thinking about APRS 2.0).
If I can't find a solution, anything I write or update in the future will have to be released as unsigned unless I half-ass something (like the Notepad++ developer using self-signed certs -- semi-dangerously clever). $100 every three years, fine. $700 every three years, and I'll do it if my three fans click my Buy Me A Coffee link over and over.
Is there any CA out there that will offer open-source, not-for-profit developers like me a chance to get globally-trusted code signing certificates? I don't think Sigstore ever took off (sadly), and even if it did, I don't think it's part of the Microsoft Authenticode program.
#CodeSigning #SSL #TLS #certificates #Certera #SoftwareDevelopment #C #PowerShell #PowerShellGallery #AmateurRadio #HamRadio #APRS #APRS-Weather-Submit #GitHub #security #developer #Windows #macOS #Linux #Authenticode #DevSecOps #DevOps
SALLY STRUTHERS: Do you use floats? Sure. We all do. But did you know a + b + c ≠ c + b + a with many floats? No. Well, neither did I, but with this one PDF you can become a fount of floating-point foibles to impress and depress your colleagues around the water cooler. Isn't this fun?
at this point anybody still using SolarWinds should just be considered a huge security risk
https://www.theregister.com/2025/09/23/solarwinds_patches_rce/
RE: https://infosec.exchange/@quarkslab/115254681302340584
Hard to believe that arbitrary RW to physical pages and arbitrary RW of LSTAR MSR are just bugs and not backdoors, but I've seen too many of those things to by default attribute it to malice
New video: Inside Windows Sessions
https://trainsec.net/library/windows-internals/inside-windows-sessions/
With all this discourse about "AI art" I think we've lost sight of the simple joy of generating terrible nonsense via Markov Chains
UXLINK exploited for around $28 million, then hacker gets phished
September 22, 2025
https://www.web3isgoinggreat.com/?id=uxlink-exploit