Nice community contribution! James Downs built a Kagi News app for Pebble watches:

https://apps.rebble.io/en_US/application/692b3f0549be450009b545ce

#Kagi #News #Pebble

pov: your a nvidia board partner in 2026 frantically "sourcing" vram from playstation 5s
https://bird.makeup/users/falconryfinance/statuses/1994764207649427621

🎄 Missed last year’s #radare2 Advent Calendar? No worries — the challenges are still live and ready to hack! Share your progress in the fediverse! 💪✨ #ReverseEngineering #CTF #infosec #radare2
https://radare.org/advent/

@pancake he should be gradually introduced to the wonders of LSDJ

[RSS] The Importance of Diverse Knowledge in Vulnerability Research - The Transferability of Knowledge

https://allelesecurity.com/transferability-knowledge/

/by @allelesecurity

[RSS] K7 Antivirus: Named pipe abuse, registry manipulation and privilege escalation

http://blog.quarkslab.com/k7-antivirus-named-pipe-abuse-registry-manipulation-and-privilege-escalation.html

I so hate when a bug is like "here's an $API that does a thing", then you invoke $API and it doesn't do the thing.

Now I start searching for a solution, and all I can find is "oh you should just call $API!"

Microsoft Silently Patched CVE-2025-9491 - We Think Our Patch Provides More Security
https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html

I've recently stumbled upon an RCE "exploit" for the Serendipity blog software, which I happen to use and have contributed to in the past. From what I can tell, it does nothing interesting (it does not even work due to broken indents, if one fixes that it uploads a PHP shell given existing credentials, but that won't be executed unless you have a server config that executes .inc files). I'm 95% certain this is bogus. Yet... in case anyone wants to have a look: https://github.com/s9y/Serendipity/issues/940

Stealth died 😢 A member of Team-Teso, Phrack staff, and many other groups. A true hacker—perhaps as true as a hacker can ever be. WE MISS YOU. 🩷

More: https://thc.org/404

<stealth> we had joy we had fun we had a rootshell on a sun.

I wrote a blog post on CVE-2025-48593, an issue patched in Android's November Security Bulletin that only affected devices which act as Bluetooth headphones, such as smartwatches, smart glasses, and cars.

I examined the patch and wrote a proof-of-concept:
https://worthdoingbadly.com/bluetooth/

My proof-of-concept is available at https://github.com/zhuowei/blueshrimp; it gets "fault addr 0x4141414141414141" on the Android Automotive emulator... once you accept the pairing request.

When we started work on a network security book a couple of years ago, we reached out to friend and colleague Brad Karp, a professor at University College London who has taught system security and networking classes for many years. The book benefited greatly from his insights, and when we were done, we asked him to write a foreword. He kindly agreed, and he has crystallised what it means to take a systems view to security. Whereas it is common to focus on building blocks such as cryptographic algorithms, it is ultimately the assembly of parts to form a functioning system, and the making of tradeoffs among competing goals, that leads to more secure networks and end systems. So we have published the foreword in this week's newsletter and it makes a good case for why we needed to write this book. https://systemsapproach.org/2025/12/01/foreword-to-network-security-a-systems-approach/

Kernel fuzzing on Mac with syzkaller

Guide to build a VM, add a vulnerable driver and crash it using syzkaller from macOS.

https://slava-moskvin.medium.com/fuzzing-the-kernel-with-syzkaller-part-1-setting-up-on-mac-and-crashing-a-vulnerable-driver-b2a3949ea575

#fuzzing #kernel

https://www.theregister.com/2025/12/01/infosec_news_in_brief/?td=rt-3a

switzerland has chucked microsoft out the window now too

@mainframed767 @defcon https://video.infosec.exchange needs more <3

@R41N3RZUF477 the most concerning part of admin protection's design was just that UI Access seemed to not considered part of the boundary. Of the 9 bugs I reported, 5 were basically ways of getting control over a UI Access process and from there full admin. I think if you're going to break app compat anyway you might as well have done something more than UAC with bells on it.

I wasn't imagining things, Administrator Protection has indeed been pulled for now. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/administrator-protection/?tabs=intune#system-requirements

🌍Making #radare2 more portable and accessible to new audiences has been always a priority for us.

At #r2con2025, @AbhiTheModder created a web frontend for #radare2 using the webassembly builds to allow Chromebook students reverse engineer crackmes from the browser!

• Select version of r2
• Create multiple tabs
• Keyboard driven
• Analyze large binaries

This sandboxed environment is ideal for education as well as for malware analysis and the whole toolchain can be used from the commandline with wasmer.

• Try it online https://r2.revengi.in
• HTML radare2 Widget https://radareorg.github.io/r2wasm/index.html
• Source code https://github.com/radareorg/r2web
• Watch the presentation 👇

https://youtu.be/TblF4f91NnA

🎅🎁 Ho ho ho #Telco📡! 5GC Pentest Burp Suite ext under the tree! 🔐🎄 https://github.com/PentHertz/5GC_API_Pentest ✨🎉🚀 #5GSecurity