V8 now has a (experimental) JS bytecode verifier!

IMO a good example for the benefits of the V8 Sandbox architecture:
- Hard: verify that bytecode is correct (no memory corruption)
- Easier: verify that it is secure (no out-of-sandbox memory corruption)

The sandbox basically separates correctness from security.

More details: https://docs.google.com/document/d/1UUooVKUvf1zDobG34VDVuLsjoKZd-CeSuhvBcLysc7U/edit?usp=sharing

Implementation: https://source.chromium.org/chromium/chromium/src/+/main:v8/src/sandbox/bytecode-verifier.cc

@buherator What are the best anti-scam resources I can link to? It's not the focus on Hacklore but I can make sure there is a smoother on ramp to good guidance.

@boblord That'd make sense, but unfortunately I don't know of any resources I could recommend (in part because of the reasons Hacklore exists...). I keep this in mind though and let you know if I find anything!

American IT software company Ivanti warned customers today to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely.

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-endpoint-manager-code-execution-flaw/

@boblord I agree with your post and also that scanning QRs is not the problem (as stated on Hacklore).

Now that I look more into it, I think I found what's been bugging me about this point. It seems that QR is the only part where Hacklore expects extra work from the user:

"which is mitigated by existing browser and OS protections, and by **being cautious** about the information you give"

... but the recommendations don't say anything about how to "be cautious", while scams initiated via untrustworthy channels are a very real problem.

I think this should deserve a recommendation bulletpoint with at least some rules of thumb. I'm thinking along the lines of:

"If you are contacted via $untrused_comms to give out $sensitive_data, reject the request and initiate the contact yourself via $known_good" (may be simple enough to work if phrased carefully?)

@boblord Wow that was quick, glad I could help!

I've been doing infosec for ~20 years but I only realized recently we communicate wrong after some relatives fell for QR-based scams and had to walk them through what happened.

I agree that determining risk is incredibly hard in this case and TBH I think "don't trust QRs" may be more effective than trying to teach everyone URLs, DNS and PKI...

Gandi disabled my U2F keys without warning. This sort of incompetence is why I moved all my domains away from them earlier this year (to Namecheap; Porkbun was runner-up).

Day 9 of Advent of Compiler Optimisations!

Loop with `i * i` inside? Surely the compiler replaces that expensive multiply with clever addition tricks — like manually tracking an accumulator. But no! The compiler keeps the multiply because it enables something more valuable. Why is "more expensive per iteration" sometimes faster overall? The answer lies in how modern CPUs actually execute code.

Read more: https://xania.org/202512/09-induction-variables
Watch: https://youtu.be/vZk7Br6Vh1U

#AoCO2025

@boblord Great initiative, saved and shared!

One suggestion re: "QR codes are simply a way to open a URL" -> users have no clue what URLs are or how to interpret them. Even if you assume they can parse out the true domain (major if!), they don't know which domains are trustworthy. On top of this mobile browsers make it esp. hard to inspect URLs. We need to come up with better advice for site verification!

@blackhoodie will have its own assembly at 39c3 congress this year 🥰 https://events.ccc.de/congress/2025/hub/de/assembly/detail/blackhoodie

New Project Zero issue:

Windows: Administrator Protection UI Access Shared Profile EoP

https://project-zero.issues.chromium.org/issues/437868751

CVE-2025-60721

RE: https://infosec.exchange/@mnordhoff/115675202677067879

https://groups.google.com/a/list.nist.gov/g/internet-time-service/c/Zd7VaR-vqV4

On Saturday, 6 December 2025 at approximately 21:13 UTC, the atomic time source (a single cesium beam atomic clock) for all the internet time servers at the NIST Gaithersburg campus failed and exhibited a time step of approximately -10 ms.

Oh.

Does your cybersecurity awareness training contain any hacklore?

I’m collecting examples of hacklore in the wild. Whether it’s training slides, quiz questions, or instructions that focus on rare threats instead of the ones causing the most real-world harm, I want to see it all.

Post some screenshots or notes here, or email them to "info" at hacklore.org. Let’s help organizations replace stale guidance with advice that truly keeps people safe.

I updated the structure of the #Ghidra documentation that I host so now you can access the latest of both version 11.x and 12.x:

https://scrapco.de/ghidra_docs/

I'm still looking for the docs of the new features in 12. If you think something is missing from the web that is available in the source lmk!

Do I know anyone working on freedesktop.org / mesa? A security contact would be ideal :)

Edit: Resolved

GitHub Actions Has a Package Manager, and It Might Be the Worst

https://nesbitt.io/2025/12/06/github-actions-package-manager.html

@mttaggart No worries, SpaceX can put your telescopes to space cheaply so you can avoid Starlink satellites!

@alphaville @pancake as I understand it's not "function" register but "special function" register. RISC-V CSRs are provided as specific example:

https://book.rvemu.app/hardware-components/03-csrs.html

RE: https://mastodon.social/@FirewallDragons/115684533805754572

So excited to share this interview!

@zcutlip I pulled my hair a lot because of that pile of shit until I found this article and while the tech remained the same, at least I started to understand the idea behind it:

"makes perfect sense when you are in the business of breaking stuff so people have to pay you for fixing it."

https://dzone.com/articles/why-you-should-avoid-jsf