I've added the slides and the source code for the Sokoban game to the links for my presentation; it appears on the app, but seemingly not the website... For reference, they are:

Links
Source Code (wasm)
Source Code (web)
Slides
Sokoban Fuzzer

I'll be changing out the sokoban puzzle every 30 minutes from hereon out :)

#39c3 #fuzzing

@pancake Aren't IDA scripts/plugins closely tied to (main) versions?

I'm all for self-explanatory API's, but you should keep in mind that you have a lot of context to build on in case of your own project that others may lack (as a general observation, I'm not familiar with r2's API).

Re: Ghidra I think it usually comes down to a Java vs. The World thing, and once you accept the fundamental paradigms the API is reasonable. I'm curious though about what you find overly "simplified" there?

Not related to the latest MongoDB vulnerability (since it doesn't require authentication), but does anyone know of a good MongoDB honeypot? You know, one that masquerades as a real MongoDB database server and logs the login attempts while returning a "bad credentials" error? (It clearly won't be able to log the passwords because of SCRAM but anything else would be useful.)

All I could find was a logging proxy to a real MongoDB server or a MongoDB server running in a Docker image - but I don't want that.

@pancake "Gentlemen don't argue about good taste" :) I don't think Ghidra is bad at all (API stability is a good indicator of this IMO), but I have very objective arguments against IDA...

Apparently on #Fediverse - where safety is so critical that you got burned at the stake when dared to say that searching for things would be actually useful - when I block a user or mute a thread they still show up when my client is not in the mood of hiding them?

#Akkoma

Hey #39c3, Come see my lightning talk on a safe variant for `.innerHTML ` that is built right into the browser. https://events.ccc.de/congress/2025/hub/event/detail/lightning-talks-tag-2 on Day 2.

Ah Saturday morning! What a great time to...

...write a 1-page article for Paged Out! zine!

Deadline is 4th Jan - just a week away.

CFP: https://pagedout.institute/?page=cfp.php

@pancake But I had a chance to choose the appropriate interface instead of blindly trying things in an environment you can't properly debug...

[RSS] Hunting CVE-2025-59287 in Memory Dumps

https://medium.com/@Debugger/hunting-cve-2025-59287-in-memory-dumps-b70afd7d2dcf?source=rss-3ba65b326b28------2

@tshirtman @cs @tmr232 @nieldk You are right and it even seems to be my code dammit! Thanks for your help!

@tmr232 @nieldk @cs @tshirtman Thanks for the responses, but my diagnosis was wrong - although I still don't quite get it: it turns out that the object I'm writing out (json.dump) contains a list that gets extended by the script (this sort of explains why I'm writing out more and more data), BUT the list is part of an object that I reinstantiate on every run, which should empty the list (I call super() with an empty list). Problem is the (super)class is generated code and I suspect the list is not in fact an object member but a static class variable that may cause this??

Edited: Wrong diagnosis, sry!

@Viss

The documentation for this image processing library by @vruba is one of the most interesting things I've read in weeks:

https://github.com/celoyd/potato/blob/main/docs/personal.md
https://github.com/celoyd/potato/blob/main/README.md
https://github.com/celoyd/potato/blob/main/docs/concepts.md

Philosophical discussion of the nature of seeing and what am image is vs a map, fascinating technical details about how satellite imaging works and why it looks as bad as it often does, a lot of really thoughtful conversation about engineering and aesthetic process, and even an amusing unit of measurement — grams per terrapixel.

All I want for Xmas is sane documentation <3

Dropping a Xmas-sploit for CVE-2025-14847

@GossiTheDog Maybe you are confusing MariaDB with MongoDB in their relation to MySQL?

I truly appreciate the work of those who keep an eye on threats during the holiday season, but:

- MongoDB has nothing to do with MySQL
- A memory disclosure is not an RCE (but you should probably prioritize similarly in this case)

CVE-2025-14847

Oh. yay.

"mongobleed" — https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py

CVE-2025-14847

"Exploits zlib decompression bug to leak server memory via BSON field names.”

"Technique: Craft BSON with inflated doc_len, server reads field names from leaked memory until null byte.”

"What if Bitcoin was one big mining company?":

https://no01.substack.com/p/what-if-bitcoin-was-one-big-mining

You'd be insane buying its shares.