Not related to the latest MongoDB vulnerability (since it doesn't require authentication), but does anyone know of a good MongoDB honeypot? You know, one that masquerades as a real MongoDB database server and logs the login attempts while returning a "bad credentials" error? (It clearly won't be able to log the passwords because of SCRAM but anything else would be useful.)

All I could find was a logging proxy to a real MongoDB server or a MongoDB server running in a Docker image - but I don't want that.

@pancake "Gentlemen don't argue about good taste" :) I don't think Ghidra is bad at all (API stability is a good indicator of this IMO), but I have very objective arguments against IDA...

Apparently on #Fediverse - where safety is so critical that you got burned at the stake when dared to say that searching for things would be actually useful - when I block a user or mute a thread they still show up when my client is not in the mood of hiding them?

#Akkoma

Hey #39c3, Come see my lightning talk on a safe variant for `.innerHTML ` that is built right into the browser. https://events.ccc.de/congress/2025/hub/event/detail/lightning-talks-tag-2 on Day 2.

Ah Saturday morning! What a great time to...

...write a 1-page article for Paged Out! zine!

Deadline is 4th Jan - just a week away.

CFP: https://pagedout.institute/?page=cfp.php

@pancake But I had a chance to choose the appropriate interface instead of blindly trying things in an environment you can't properly debug...

[RSS] Hunting CVE-2025-59287 in Memory Dumps

https://medium.com/@Debugger/hunting-cve-2025-59287-in-memory-dumps-b70afd7d2dcf?source=rss-3ba65b326b28------2

@tshirtman @cs @tmr232 @nieldk You are right and it even seems to be my code dammit! Thanks for your help!

@tmr232 @nieldk @cs @tshirtman Thanks for the responses, but my diagnosis was wrong - although I still don't quite get it: it turns out that the object I'm writing out (json.dump) contains a list that gets extended by the script (this sort of explains why I'm writing out more and more data), BUT the list is part of an object that I reinstantiate on every run, which should empty the list (I call super() with an empty list). Problem is the (super)class is generated code and I suspect the list is not in fact an object member but a static class variable that may cause this??

Edited: Wrong diagnosis, sry!

@Viss

The documentation for this image processing library by @vruba is one of the most interesting things I've read in weeks:

https://github.com/celoyd/potato/blob/main/docs/personal.md
https://github.com/celoyd/potato/blob/main/README.md
https://github.com/celoyd/potato/blob/main/docs/concepts.md

Philosophical discussion of the nature of seeing and what am image is vs a map, fascinating technical details about how satellite imaging works and why it looks as bad as it often does, a lot of really thoughtful conversation about engineering and aesthetic process, and even an amusing unit of measurement — grams per terrapixel.

All I want for Xmas is sane documentation <3

Dropping a Xmas-sploit for CVE-2025-14847

@GossiTheDog Maybe you are confusing MariaDB with MongoDB in their relation to MySQL?

I truly appreciate the work of those who keep an eye on threats during the holiday season, but:

- MongoDB has nothing to do with MySQL
- A memory disclosure is not an RCE (but you should probably prioritize similarly in this case)

CVE-2025-14847

Oh. yay.

"mongobleed" — https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py

CVE-2025-14847

"Exploits zlib decompression bug to leak server memory via BSON field names.”

"Technique: Craft BSON with inflated doc_len, server reads field names from leaked memory until null byte.”

"What if Bitcoin was one big mining company?":

https://no01.substack.com/p/what-if-bitcoin-was-one-big-mining

You'd be insane buying its shares.

Do you or somebody you know have a Windows 10 that isn't fit for a Windows 11 upgrade? (e.g. no TPM)

1. Get a Windows 11 25H2 ISO
2. Run setup /product server

Enjoy your Windows 11 with no coerced Microsoft Account, TPM features, etc.

AFL++ 4.35c release! Complete hidden coverage gathering, GUIFuzz++ support, IJON for qemu, various fixes! https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.35c #fuzzing #fuzzer