@cR0w This one by @quarkslab may cover the details, although the CVE is not mentioned: https://blog.quarkslab.com/k7-antivirus-named-pipe-abuse-registry-manipulation-and-privilege-escalation.html

Did someone get you this air quality monitor as a gift? I wanted to have it log the data, but didn’t quite trust it with internet access. I dug around a bit, got a root shell and untethered it. Read the writeup: https://blog.29b.net/dispatches/cgs2_decloud/

@zwol @roseen new political compass just dropped

When the European Commission approached us about funding a bug bounty for BIND 9, we were impressed with the proposal. We have a policy against bug bounties (because we were frustrated with people wasting our time), but under this proposal, the YesWeHack team would do initial triage, and use their expertise to minimize the 'slop' reports. This is a game-changer for a small development team.

The bounty program is active, and we are looking for our first valid report.

https://yeswehack.com/programs/bind-bug-bounty-program

on a zoom call Chuck Moore the author of Forth announced that Windows updates have rendered his otherwise working colorForth system inoperable and unfixable. moving to another operating system would amount to a rewrite. as a result he said it's "time to move on" from Forth.

several people on the call thanked him for changing their lives with his language, for giving them a lifetime of joyful work and a powerful simple way of thinking about computing, to which he responded "I can only hope it was worthwhile"

Has someone here reverse engineered the USB configuration protocol between the #Logitech GHub software and #BlueYeti microphones?
Want to configure the hardware DSP on #Linux.

#ReverseEngineering

Day 22 of Advent of Compiler Optimisations!

Comparing a string_view against "ABCDEFG" should call memcmp, right? Watch what Clang actually generates — no function call at all, just a handful of inline instructions using some rather cunning tricks. How does it compare 7 bytes so efficiently when they don't fit in a single register?

Read more: https://xania.org/202512/22-memory-cunningness
Watch: https://youtu.be/kXmqwJoaapg

#AoCO2025

🚨 In 2026, Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) return to OffensiveCon with a training on "Hunting Zero-Days in Embedded Devices".

☝️This training equips you with skills to uncover zero-day vulnerabilities through in-depth study and practical exercises on various vulnerabilities across different CPU architectures. More details here🔗https://www.offensivecon.org/trainings/2026/hunting-zero-days-in-embedded-devices.html

🚀 Don't miss this chance to improve your skills!

For those looking for a covid/flu vaccine around #39c3 bcrt at the globetrotter(.de) shop in hamburg north gives out shots, about 20-30 per shot. I paid 49 for covid+flu, also for non-germans.

(They do ask for your details, no idcard or details needed)

[RSS] From UART to Root: Breaking Into the Xiaomi C200 via U-Boot

https://github.com/h3xDum/Xiaomi-C200-Firmware-Analysis

Pretty cool - it turns out that the way I write my blog posts is called 'BLUF': Bottom Line up Front, and it was standardized by the US Army in their information management guidelines: https://en.wikipedia.org/wiki/BLUF_(communication)

@swapgs Maybe LLM assisted? The vuln is pretty funny and IMO the "philosophical" question it discusses is valid.

CVE-2025-29970 Microsoft Brokering File System Elevation of Privilege Vulnerability writeup

https://www.pixiepointsecurity.com/blog/nday-cve-2025-29970/

[RSS] When OAuth Becomes a Weapon: Lessons from CVE-2025-6514

https://amlalabs.com/blog/oauth-cve-2025-6514/

[RSS] CVE-2025-38352 - In-the-wild Android Kernel Vulnerability Analysis + PoC

https://faith2dxy.xyz/2025-12-22/cve_2025_38352_analysis/

as promised, here is a repository that lets you quickly turn any random VPS into a Forgejo Actions runner in under 30 minutes, for use with Codeberg or your private forge! https://codeberg.org/whitequark/nixos-forgejo-actions-runner

it uses NixOS internally, but Nix knowledge is neither required nor assumed, and the README walks you through the entire process.

More good news for the shortest day

In July Helsinki marked an entire year without a single traffic death. The Finnish capital, which has a population of 690,000, achieved the feat through lower speed limits, improved street design and investing in pedestrian and cycling infrastructure. More than half of Helsinki’s streets have a speed limit of 30km/h (18-19mph) and roads have been narrowed with trees.

#RoadSafety #Helsinki #Finland #GoodNews

After several years of refusing to communicate on Meta's platforms I just managed to get my high school friends on Signal for an Xmas chat.

Can I now get my attaboy from @pluralistic?

@bert_hubert My similar rule is that I don’t get to say “just” unless I’m the person who has to “just” do it.

Vulnhalla: Picking the true vulnerabilities from the CodeQL haystack https://www.cyberark.com/resources/threat-research-blog/vulnhalla-picking-the-true-vulnerabilities-from-the-codeql-haystack