CVE-2025-64669: Uncovering Local Privilege Escalation Vulnerability in Windows Admin Center https://cymulate.com/blog/cve-2025-64669-windows-admin-center/

Wrote down what I learned so far and open questions in this new doc: https://docs.google.com/document/d/16QNavHjds1OdkKsfqLYx6EF0ohA-Qh_dZc8OK9TFrQk/edit?tab=t.0#heading=h.z1r9lwho309s

…in case you are interested in seeing where I am and what are my next steps, and maybe have new ideas. Thanks in advance! The doc is free to comment, or you can always ping me here.

EDIT: Please do not tag/bother Tim Berners-Lee. Angle brackets happened many years before he started working on HTML.

#MarkupMonday

Bellingcat’s Kolina Koltai uncovers the Hungarian national behind two deepfake porn websites. The key figure rakes in profits and vacations in luxury hotels in Dubai and Bali, whilst website visitors create sexually explicit images and videos.
Find out how we uncovered the administrator behind the deepfakes by reading the full investigation here: https://www.bellingcat.com/news/2025/12/15/mark-resan-reface-deepfake-porn/?utm_source=mastodon

@WPalant Right, then Ghidra API sounds like a good choice indeed. Also note the Ghidra VersionTracker has several "atomic" matchers (like string matcher) which may also be useful, and _maybe_ they can be configured by creating a Ghidriff plugin?

@WPalant Not really grasping the situation but Pigaios by @joxeankoret may also be interesting?

https://github.com/joxeankoret/pigaios

@WPalant Why not Ghidriff/BinDiff/Diaphora?

For those of you who remember ScreamingGoat, they're currently looking for a new role. Ideally something in the threat Intelligence space and DC local. Y'all know how he is with emerging vulnerabilities. Let me know what you've got and I'll make sure it makes it to them.

just released liboprf-0.9.3

liboprf is a library implementing the OPRF from https://www.rfc-editor.org/rfc/rfc9497.html and in addition it also provides a threshold variant (tOPRF) and a distributed key generation (DKG) protocol for the tOPRF shared secret, as well as a key update protocol for the tOPRF shared secret. it comes with a high level python frontend that supports servers on TLS, USB and Bluetooth LE

see: https://github.com/stef/liboprf

We need to normalize declaring software as finished. Not everything needs continouos updates to function. In fact, a minority of software needs this. Most software works as it is written. The code does not run out of date. I want more projects that are actually just finished, without the need to be continuously mutated and complexified ad infinitum.

slip slop slap

https://hackerone.com/reports/3465094

Microsoft will pay bug bounties even for 3rd party components:

https://www.theregister.com/2025/12/12/microsoft_more_bug_payouts

Does anyone have a copy of the following paper:

https://doi.org/10.1016/0167-4048(82)90003-7

Robert H. Courtney, Jr., "A systematic approach to data security", in Computers & Security Volume 1, Issue 2, June 1982 (pgs. 99-112)

I have tried Sci-Hub and Anna's but no luck

(it is paywalled at https://www.sciencedirect.com/science/article/abs/pii/0167404882900037 for $30 which seems criminal)

The World Is Not A Desktop - Mark Weiser

https://dl.acm.org/doi/10.1145/174800.174801

make a programming language and then make a game in it.

https://itch.io/jam/langjamgamejam

https://langjamgamejam.com/
#langjam #gamejam #langjamgamejam

@warandpeas This is dark even by my standards! (love it)

@sassdawe What pisses me off is the bloody "reasoning" they provide, but it actually is a copy-paste saying nothing. This tells me the story of "Here's 10k of our customers, and now we will _pretend_ we care about them enough to write 5 sentences to a web page." #LEGO

@LinuxAndYarn @Taco_lad @cR0w @reverseics

[RSS] Is web3 security going great?

https://bfswa.substack.com/p/it-web3-security-going-great

@rodneylives We're on the WW fucking W, and this is a screenshot from X(?) that I got on Signal. Just go nuts with it!

Jeez this blew up! If you are reading this:

Learn how things work and write it down. We're accelerating to stupid.