"I'm interested in all kinds of astronomy."
@acsawdey it's complicated... if you squint, pointing out bugs is a form of help, but the P0 disclosure process (designed to incentivize other large corps) doesn't seem to work with highly popular, but underfunded OSS.

I don't know the solution, but shitting on individual developers' code is probably not it.
"Last week the @FFmpeg account began taunting security researchers. Foolish thing to do, as it ignores the asymmetry of their attack surface vs ours.

So as an exercise I found a stack-based buffer overflow on software that he wrote." - @ortegaalfredo

https://threadreaderapp.com/thread/1991974275532636263.html

Normally I'm all for these stunts, but this one...
@Viss That memory probably also comes from the mushroom colony that is consuming you right now.
@Viss Wasn't that X-Files and a large underground mushroom colony?
@freddy But seriously, I just added a comment to my query and I swear it got slower...
@freddy Is that even a requirement these days?
on the back of the envelope, counting with an avg. yearly salary of $75k for a teacher in the US, the projected $4.8 trillion AI market by 2033 would equal ~7M years of teacher salary every year.

#weirdunits
@d_olex Yeah, I get that. My point is (but I'm unsure about history here) that when Java or the first browser JS engines were shipped, inefficient solutions were probably necessary, and now we try to reduce that debt, while in the case of your modern examples we probably have cheaper solutions that work better, but burning GPUs is sexier.
@d_olex Good question, but I'd argue that bytecode solves existing problems, while in the case of LLM/blockchain I mostly don't see that. Also, isn't JIT specifically a thing to improve performance, meaning less resource consumption? A related observation is that many use cases for LLMs can probably be solved much cheaper, today. E.g.: better IDE features; more QA for web search results; better education so people can write and understand an email.
#select goes brrrr....

EBury SSHD backdoor?? on 400,000 hosts?

Let's fuck around and find out. (Why +s on the .so file???)

Dissect, understand & ridicule. Join the group effort at https://thc.org/ops or SSH straight into the server and check ~/ebury:

ssh -o "SetEnv SECRET=lYQkdQHIuQyTJngVtIskqRLx" root@adm.segfault.net (password is 'segfault')


Calling for the help of the fediverse!
Help spread the word of our browser extension Consent-O-Matic that helps automate answering those ever-present cookie consent pop-ups.

It's developed by researchers at Aarhus University in Denmark and free to use for Chrome/Edge, Firefox and Safari including for iOS.

Also, it's open source, so if you have a bit of technical skill, you can help us improve the rule set for greater coverage.

https://consentomatic.au.dk


🚀 radare2-6.0.6 is out! (codename 'siesso')

That's the first release after which comes with tons of awemazing bug fixes and all the new features presented during the conference!

🔗 https://github.com/radareorg/radare2/releases/tag/6.0.6

See details below 👇

@kagihq "I don't think I need to list the large number of tasks where LLMs can save humans time" - I naively thought this would be the whole point of the post? It'd also be important to back up that "large number of tasks" with data (e.g. time to result with/without LLM).

BINGO TIME! With CVE-2025-58034, Fortinet secures the crown in my Insecurity Appliance Bingo. This is technically a "high" severity vuln, but since it's being actively exploited and has landed a spot on CISA KEV, I'm admitting it.

https://cku.gt/appbingo25

Reaching a bingo took longer than expected, with Fortinet and Ivanti sitting at 5/6 vulns since about July. But now, there is a well-deserved winner.

I'm now taking new vuln class and vendor suggestions for next year's edition.

@tmr232 So you didn't see the highlight either? Took me a while to realize that it's the _text color_ that changes, and once I knew that I started seeing it! But since I expected the background to change I basically went color blind!
every time I take a selfie I admire influencers a bit more - this shit ain't easy!