@gsuberland styropyro? :)

Sources of Deception

#webcomic #krita #miniFantasyTheater

@davidrevoy @eri that frog made my day <3 go frog!

Random realization: MS Teams is the Lotus Notes of web meetings.

@damieng archive.ph seems to have at least some of it: https://archive.ph/IIOAR

Oh dear the entire https://www.lyonlabs.org site is offline *and* excluded from archive.org.

It's a massive archive of vintage and modern GEOS and C64 material a lot of it seemingly not found elsewhere.

Indicators that your machine has been infected with a virus:

- The computer slows down.

- The computer beeps.

- The OS doesn't load.

- The BIOS logo changes. (WTF?!)

- The computer freezes, has BSODs, etc.

(I thought these were indicators that you're infected with CrowdStrike.)

Google research created a dataset with rainbow tables for NetNTLMv1 with the 1122334455667788 challenge.
https://research.google/resources/datasets/
Dataset is available for download at:
▪️https://console.cloud.google.com/storage/browser/net-ntlmv1-tables [Login required]
▪️gs://net-ntlmv1-tables

hmmmm idk about this verification method Discord is offering

It's the final Patch Tuesday of 2025! #Microsoft and #Adobe took it easy on us with a smaller release, but there's 1 0-day being exploited & an Exchange bug reported by the NSA. @dustin_childs fills you in on the details & where to focus your priorities. https://www.zerodayinitiative.com/blog/2025/12/9/the-december-2025-security-update-review

i finally gave in and started using uv to manage the dependencies for my Python scripts and it’s great https://jvns.ca/til/python-inline-dependencies/

I recently posted about looking for an artist and got a bunch of replies.

Problem is 1) there are many obvious bots 2) those who are likely not bots also seem to use LLM/templates to communicate, making them look like bots.

If you don't want to get reported, use your own voice!

#fedihire

Phrack #72 PUZZLE CHALLENGE >>> WALKTHROUGH <<< is OUT.

Everyone who did not find the hidden secrets in the hardcopy release: This is your chance.

♥️ Stay curious and live forever ♥️

http://phrack.org/dl/72/puzzle-challenge.pdf

We derestricted a number of vulnerabilities found by Big Sleep in JavaScriptCore today: https://issuetracker.google.com/issues?q=componentid:1836411%20title:JavascriptCore

All of them were fixed in the iOS 26.1 (and equivalent) update last month. Definitely some cool bugs in there!

V8 now has a (experimental) JS bytecode verifier!

IMO a good example for the benefits of the V8 Sandbox architecture:
- Hard: verify that bytecode is correct (no memory corruption)
- Easier: verify that it is secure (no out-of-sandbox memory corruption)

The sandbox basically separates correctness from security.

More details: https://docs.google.com/document/d/1UUooVKUvf1zDobG34VDVuLsjoKZd-CeSuhvBcLysc7U/edit?usp=sharing

Implementation: https://source.chromium.org/chromium/chromium/src/+/main:v8/src/sandbox/bytecode-verifier.cc

@buherator What are the best anti-scam resources I can link to? It's not the focus on Hacklore but I can make sure there is a smoother on ramp to good guidance.

@boblord That'd make sense, but unfortunately I don't know of any resources I could recommend (in part because of the reasons Hacklore exists...). I keep this in mind though and let you know if I find anything!

American IT software company Ivanti warned customers today to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely.

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-endpoint-manager-code-execution-flaw/

@boblord I agree with your post and also that scanning QRs is not the problem (as stated on Hacklore).

Now that I look more into it, I think I found what's been bugging me about this point. It seems that QR is the only part where Hacklore expects extra work from the user:

"which is mitigated by existing browser and OS protections, and by **being cautious** about the information you give"

... but the recommendations don't say anything about how to "be cautious", while scams initiated via untrustworthy channels are a very real problem.

I think this should deserve a recommendation bulletpoint with at least some rules of thumb. I'm thinking along the lines of:

"If you are contacted via $untrused_comms to give out $sensitive_data, reject the request and initiate the contact yourself via $known_good" (may be simple enough to work if phrased carefully?)

@boblord Wow that was quick, glad I could help!

I've been doing infosec for ~20 years but I only realized recently we communicate wrong after some relatives fell for QR-based scams and had to walk them through what happened.

I agree that determining risk is incredibly hard in this case and TBH I think "don't trust QRs" may be more effective than trying to teach everyone URLs, DNS and PKI...