hmmmm idk about this verification method Discord is offering

It's the final Patch Tuesday of 2025! #Microsoft and #Adobe took it easy on us with a smaller release, but there's 1 0-day being exploited & an Exchange bug reported by the NSA. @dustin_childs fills you in on the details & where to focus your priorities. https://www.zerodayinitiative.com/blog/2025/12/9/the-december-2025-security-update-review

i finally gave in and started using uv to manage the dependencies for my Python scripts and it’s great https://jvns.ca/til/python-inline-dependencies/

I recently posted about looking for an artist and got a bunch of replies.

Problem is 1) there are many obvious bots 2) those who are likely not bots also seem to use LLM/templates to communicate, making them look like bots.

If you don't want to get reported, use your own voice!

#fedihire

MS advisories are live. Looks like two publicly disclosed and one EITW.

https://msrc.microsoft.com/update-guide/vulnerability

Phrack #72 PUZZLE CHALLENGE >>> WALKTHROUGH <<< is OUT.

Everyone who did not find the hidden secrets in the hardcopy release: This is your chance.

♥️ Stay curious and live forever ♥️

http://phrack.org/dl/72/puzzle-challenge.pdf

We derestricted a number of vulnerabilities found by Big Sleep in JavaScriptCore today: https://issuetracker.google.com/issues?q=componentid:1836411%20title:JavascriptCore

All of them were fixed in the iOS 26.1 (and equivalent) update last month. Definitely some cool bugs in there!

V8 now has a (experimental) JS bytecode verifier!

IMO a good example for the benefits of the V8 Sandbox architecture:
- Hard: verify that bytecode is correct (no memory corruption)
- Easier: verify that it is secure (no out-of-sandbox memory corruption)

The sandbox basically separates correctness from security.

More details: https://docs.google.com/document/d/1UUooVKUvf1zDobG34VDVuLsjoKZd-CeSuhvBcLysc7U/edit?usp=sharing

Implementation: https://source.chromium.org/chromium/chromium/src/+/main:v8/src/sandbox/bytecode-verifier.cc

@buherator What are the best anti-scam resources I can link to? It's not the focus on Hacklore but I can make sure there is a smoother on ramp to good guidance.

@boblord That'd make sense, but unfortunately I don't know of any resources I could recommend (in part because of the reasons Hacklore exists...). I keep this in mind though and let you know if I find anything!

American IT software company Ivanti warned customers today to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely.

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-endpoint-manager-code-execution-flaw/

@boblord I agree with your post and also that scanning QRs is not the problem (as stated on Hacklore).

Now that I look more into it, I think I found what's been bugging me about this point. It seems that QR is the only part where Hacklore expects extra work from the user:

"which is mitigated by existing browser and OS protections, and by **being cautious** about the information you give"

... but the recommendations don't say anything about how to "be cautious", while scams initiated via untrustworthy channels are a very real problem.

I think this should deserve a recommendation bulletpoint with at least some rules of thumb. I'm thinking along the lines of:

"If you are contacted via $untrused_comms to give out $sensitive_data, reject the request and initiate the contact yourself via $known_good" (may be simple enough to work if phrased carefully?)

@boblord Wow that was quick, glad I could help!

I've been doing infosec for ~20 years but I only realized recently we communicate wrong after some relatives fell for QR-based scams and had to walk them through what happened.

I agree that determining risk is incredibly hard in this case and TBH I think "don't trust QRs" may be more effective than trying to teach everyone URLs, DNS and PKI...

Gandi disabled my U2F keys without warning. This sort of incompetence is why I moved all my domains away from them earlier this year (to Namecheap; Porkbun was runner-up).

Day 9 of Advent of Compiler Optimisations!

Loop with `i * i` inside? Surely the compiler replaces that expensive multiply with clever addition tricks — like manually tracking an accumulator. But no! The compiler keeps the multiply because it enables something more valuable. Why is "more expensive per iteration" sometimes faster overall? The answer lies in how modern CPUs actually execute code.

Read more: https://xania.org/202512/09-induction-variables
Watch: https://youtu.be/vZk7Br6Vh1U

#AoCO2025

@boblord Great initiative, saved and shared!

One suggestion re: "QR codes are simply a way to open a URL" -> users have no clue what URLs are or how to interpret them. Even if you assume they can parse out the true domain (major if!), they don't know which domains are trustworthy. On top of this mobile browsers make it esp. hard to inspect URLs. We need to come up with better advice for site verification!

@blackhoodie will have its own assembly at 39c3 congress this year 🥰 https://events.ccc.de/congress/2025/hub/de/assembly/detail/blackhoodie

New Project Zero issue:

Windows: Administrator Protection UI Access Shared Profile EoP

https://project-zero.issues.chromium.org/issues/437868751

CVE-2025-60721

RE: https://infosec.exchange/@mnordhoff/115675202677067879

https://groups.google.com/a/list.nist.gov/g/internet-time-service/c/Zd7VaR-vqV4

On Saturday, 6 December 2025 at approximately 21:13 UTC, the atomic time source (a single cesium beam atomic clock) for all the internet time servers at the NIST Gaithersburg campus failed and exhibited a time step of approximately -10 ms.

Oh.

Does your cybersecurity awareness training contain any hacklore?

I’m collecting examples of hacklore in the wild. Whether it’s training slides, quiz questions, or instructions that focus on rare threats instead of the ones causing the most real-world harm, I want to see it all.

Post some screenshots or notes here, or email them to "info" at hacklore.org. Let’s help organizations replace stale guidance with advice that truly keeps people safe.