@zcutlip That "security" is sometimes "job security": no one in their right mind would use JSF (that produces the exact behavior you describe) unless they can bill by the hour after they locked in the bank with their software built on a (brain)dead framework.

okay so like a month ago @trashpanda sent me one of those 'spycam finder' doodads that you see going for like 80-100 dollars online that supposedly 'find spy cameras and gps trackers'. I've always been curious if they actually work or whats inside. So I just tore the thing open and this is what I found:

"The benefit of having an actual memory space for special function registers is they can be seen, named, references created to them, data types applied at the location, as well as default values supplied for a given binary sample. We plan to do the same for other processors such as the PowerPC."

I hope this is the reason why my PPC-AS pull request is open for more than a year now :)

That was quick: #Ghidra 12.0 is out! Here's what's new:

https://github.com/NationalSecurityAgency/ghidra/blob/Ghidra_12.0_build/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.md

New blog post: Why the Sanitizer API is just `setHTML()` - https://frederikbraun.de/why-sethtml.html

@bontchev @adamshostack My favorite example: programmers are taught to use prepared statements, so at first it seems their app doesn't have any SQLi's. Until they add a feature where the user controls result set ordering: you can't use bound variables for field names, so there's a vuln 90% of the time (IME, with wildly different dev teams).

@pancake That's terrible and unfortunately far from unique. Sorry for your mom :(

Zuckerberg has blown 77 billion – enough money to revitalize entire countries – on an idea so overwhelmingly, obviously stupid that I have never once heard anyone, from the Thanksgiving avuncular table to the most wretched depths of social media, say they liked it or even tried it. He was so sure that it would revolutionize the world that he renamed his extremely famous company after it. And now he's on to the next thing that he's so very, very sure about.

The world needs direction from sober people who aim to improve the human condition, not the whims of a handful of billionaire princelings who absolutely, positively cannot be dissuaded from failing at unprecedented scale while chasing their own vainglory off the edge of a cliff.

Punchcards weren't only used for code. These Department of Defense punchcards from 1966 have a microfilm window used for technical drawings — in this case, a rotary telephone switch, and a font!

Portugal has modified its cybercrime law to establish a legal safe harbor for good-faith security research and to make hacking non-punishable under certain strict conditions.

https://www.bleepingcomputer.com/news/security/portugal-updates-cybercrime-law-to-exempt-security-researchers/

Fuck cancer (and bureaucrats) :(

https://bontchev.nlcv.bas.bg/bye.html

Get yourself checked!

I look at the impact of AI on future election campaigns. We're in for a wild run. Who deploys it first, wins. https://techletters.substack.com/p/techletters-insights-weaponising

@LukaszOlejnik they are already using it in Hungary (elections next April), I can collect some articles if interested. But I think you are overestimating the sophistication: we just see the dumbest made up lies, not any form of political argument.

@stf red team approves!

New blog post. Something off-topic to feed the search engine. A bug in Lego Star Wars: The Complete Saga (2007). https://frederikbraun.de/lego-star-wars-complete-saga-c3po-bug.html

Linus Torvalds calls a spade a spade

@Leander This sparks joy.

A cool new project by a friend

Zynk - Move anything
Between everything

Send folders, photos, and multi‑gig archives across phones, laptops, TVs, and servers. End‑to‑end encrypted, resumable, no size limits.

https://zynk.it/

Two blog posts just dropped - one with the details on the bloatware pwning shenanigans I was up to earlier in the year, and another on pipetap, a new Windows named pipe proxy/tool.

https://sensepost.com/blog/2025/pwning-asus-driverhub-msi-center-acer-control-centre-and-razer-synapse-4/

https://sensepost.com/blog/2025/pipetap-a-windows-named-pipe-proxy-tool/

Day 7 of Advent of Compiler Optimisations!

Converting numbers to ASCII requires dividing by 10 repeatedly. But division is slow, so what does the compiler actually generate? Turns out: no division instructions at all! Instead, a mysterious constant (0xcccccccd) appears along with multiply and shift operations. How does this produce exact results for all inputs?

Read more: https://xania.org/202512/07-division-again
Watch: https://youtu.be/V9Pvv1tkocM

#AoCO2025