Zuckerberg has blown 77 billion – enough money to revitalize entire countries – on an idea so overwhelmingly, obviously stupid that I have never once heard anyone, from the Thanksgiving avuncular table to the most wretched depths of social media, say they liked it or even tried it. He was so sure that it would revolutionize the world that he renamed his extremely famous company after it. And now he's on to the next thing that he's so very, very sure about.

The world needs direction from sober people who aim to improve the human condition, not the whims of a handful of billionaire princelings who absolutely, positively cannot be dissuaded from failing at unprecedented scale while chasing their own vainglory off the edge of a cliff.

Punchcards weren't only used for code. These Department of Defense punchcards from 1966 have a microfilm window used for technical drawings — in this case, a rotary telephone switch, and a font!

Portugal has modified its cybercrime law to establish a legal safe harbor for good-faith security research and to make hacking non-punishable under certain strict conditions.

https://www.bleepingcomputer.com/news/security/portugal-updates-cybercrime-law-to-exempt-security-researchers/

Fuck cancer (and bureaucrats) :(

https://bontchev.nlcv.bas.bg/bye.html

Get yourself checked!

I look at the impact of AI on future election campaigns. We're in for a wild run. Who deploys it first, wins. https://techletters.substack.com/p/techletters-insights-weaponising

@LukaszOlejnik they are already using it in Hungary (elections next April), I can collect some articles if interested. But I think you are overestimating the sophistication: we just see the dumbest made up lies, not any form of political argument.

@stf red team approves!

New blog post. Something off-topic to feed the search engine. A bug in Lego Star Wars: The Complete Saga (2007). https://frederikbraun.de/lego-star-wars-complete-saga-c3po-bug.html

Linus Torvalds calls a spade a spade

@Leander This sparks joy.

A cool new project by a friend

Zynk - Move anything
Between everything

Send folders, photos, and multi‑gig archives across phones, laptops, TVs, and servers. End‑to‑end encrypted, resumable, no size limits.

https://zynk.it/

Two blog posts just dropped - one with the details on the bloatware pwning shenanigans I was up to earlier in the year, and another on pipetap, a new Windows named pipe proxy/tool.

https://sensepost.com/blog/2025/pwning-asus-driverhub-msi-center-acer-control-centre-and-razer-synapse-4/

https://sensepost.com/blog/2025/pipetap-a-windows-named-pipe-proxy-tool/

Day 7 of Advent of Compiler Optimisations!

Converting numbers to ASCII requires dividing by 10 repeatedly. But division is slow, so what does the compiler actually generate? Turns out: no division instructions at all! Instead, a mysterious constant (0xcccccccd) appears along with multiply and shift operations. How does this produce exact results for all inputs?

Read more: https://xania.org/202512/07-division-again
Watch: https://youtu.be/V9Pvv1tkocM

#AoCO2025

Reverse-engineering a custom USB HID protocol, bypassing microcontroller readout protection, and hacking firmware with a hex editor:

See my latest blog post at https://stefan-gloor.ch/pulseoximeter-hack

Best description of my introversion

Day 6 of Advent of Compiler Optimisations!

Divide by 512—that's just a shift right by 9, right? But look at the generated code: extra instructions appear! The compiler seems to be doing unnecessary work. Or is it? Turns out there's a subtle difference between what you asked for and what you probably meant. One keyword fixes everything.

Read more: https://xania.org/202512/06-dividing-to-conquer
Watch: https://youtu.be/7Rtk0qOX9zs

#AoCO2025

Interesting links of the week:

In honour of stealth:

* https://www.thc.org/404/stealth/eulogy.txt

Threats:

* https://www.hacklore.org/letter - re-evaluating security myth
* https://disclosing.observer/2025/11/24/bulletproof-hoster-anatomy-data-driven-reconstruction.html - how bullet proof hosting works

Detection:

* https://www.greynoise.io/blog/your-ip-address-might-be-someone-elses-problem - @greynoise discuss what happens if 127.0.0.1 gets popped
* https://blogs.cisco.com/security/cisco-talos-incident-response-threat-hunting-at-govware-2025 - threat hunting at GovWare from one of my old team at @TalosSecurity
* https://mikecybersec.notion.site/ESXi-IR-Guide-0ffbcec7272244d6b10dba4f4d16a7c8 - doing IR on ESXi
* https://rosesecurity.dev/2024/08/28/homegrown-honeypots.html - mm, honey

Bugs:

* https://blog.quarkslab.com/k7-antivirus-named-pipe-abuse-registry-manipulation-and-privilege-escalation.html - AV oopsies, don't you just love them... this time from @quarkslab
* https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/ - explanation of the React bug

Exploitation:

* https://jhalon.github.io/reverse-engineering-protocols/ - reverse engineering protocols
* https://lyra.horse/blog/2025/12/svg-clickjacking/ - draw me the attack path
* https://ayaa101.medium.com/how-i-discovered-1-400-users-pii-through-a-graphql-query-and-uncovered-5-more-bugs-using-the-389d8e7d8deb - turns out adversaries also think in graphs
* https://blog.mantrainfosec.com/blog/18/prepared-statements-prepared-to-be-vulnerable - SQLi into prepared statements
* https://phishing.club/blog/covert-red-team-phishing-with-phishing-club/ - the first rule of phishing.club is there are no rules (that can't be bypassed)
* https://afine.com/desktop-application-security-standard-introducing-dasvs/ - content with fixing all web and mobile vulnerabilities, binary desktop apps enter the spotlight
* https://xbz0n.sh/blog/living-off-the-land-windows - avoiding falling out of Windows
* https://ipurple.team/2025/12/01/bind-link-edr-tampering/ - a new/old way to avoiding endpoint detection

Hard hacks:

* https://troopers.de/downloads/troopers25/TR25_SBOMs-The-right-way_CBLHDX.pdf - da SBOM from the @securefirmware gang
* https://xairy.io/articles/pixel-kgdb - debugging a Pixel with gdb
* https://stefan-gloor.ch/pulseoximeter-hack - @stgl patches consumer-grade pulse oximeters

Hardening:

* https://lwn.net/SubscriberLink/1046841/5bbf1fc049a18947/ - making Debian Rusty

Nerd:

* https://lolwifi.network/journey - how much do you trust wifi?
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f076ef44a44d02ed91543f820c14c2c7dff53716 - are you sure that's the right time?
* https://mathstodon.xyz/@dougmerritt/115596707083538102 - the wrong history of languages courtesy of @dougmerritt
* https://obr.uk/docs/dlm_uploads/01122025-Investigation-into-November-2025-EFO-publication-error.pdf - release early, release predictably... UK OBR goes agile
* https://monthlyreview.org/articles/why-socialism/ - Einstein, not just a pretty face
* https://netpol.org/2025/11/28/government-plans-new-powers-to-label-dissenting-movements-as-subversion/ - kinda wonder what happens if you dissent?
* https://replaceyourboss.ai/ - replace your boss, slopify your strategy

#security, #research

Some weekend updates to my homepage:

Added a little guide to debug recursive #CodeQL predicates:

https://scrapco.de/codeql-cheat-sheet/debugging/debugging-recursion/

#Ghidra documentation now reflects the state of 11.4.3:

https://scrapco.de/ghidra_docs/

The next time someone says "Privacy doesn't matter to me, I've got nothing to hide", show them this video.

CUDA de Grâce

Talk by @chompie1337 and Samuel Lovejoy about exploiting a race condition that leads to a double-free in the NVIDIA GPU driver to escape a container created with NVIDIA Container Toolkit.

Video: https://www.youtube.com/watch?v=Lvz2_ZHj3lo
Slides: https://docs.google.com/presentation/d/1FgfURpMyHhnflGWtxeq8ClPPaB5ZDCzT/edit?usp=sharing