I was away for a while, dropping my current side-project here.
Password cracking in your browser. Think of it as a mini-@hashcat it uses WebGPU to perform the cracking.
NT/LM/DCC/DCC2/MD5 currently implemented with bruteforce/mask/wordlist/hybrid attacks.
https://webcrack.octopwn.com/

RE: https://infosec.exchange/@zak/115793005915790340

This is a metaphor about cybersecurity products.

@pancake Yes, it's SWIG

@pancake it seems items that I reference from Python are overwritten while I go through a generator...

I think I found the magic sauce of if's, now I get Memory Error which I can debug even less than the previous errors

"The operation was successful, the patient died"

🔺This is the first talk I've given in 6 years – featuring formal verification of post-quantum cryptography, the evolution of the Secure Page Table Monitor, a view into Memory Integrity Enforcement, updates to Apple Security Bounty… and a personal note.
https://bird.makeup/users/hexacon_fr/statuses/2002020791865532704

I'm parsing the #IDA type info library and it turns out:

- Sometimes struct member names are not returned. Sometimes!
- The first struct member is at offset 94489263476241, but amazingly the second one is at 8.

Just in case you wonder why I drink...

Edit: that weird value is somewhat random too, so I suspect a memory leak

IT IS NO LONGER POSSIBLE TO STOP ME

At the https://gpg.fail talk and omg #39c3

You can just put a \0 in the Hash: header and then newlines and inject text in a cleartext message.

Won’t even blame PGP here. C is unsafe at any speed.

gpg has not fixed it yet.

Disobedience in Helsinki coming soon! #Disobey2026 https://disobey.fi/2026/

We're happy to announce that the first recordings are now available at https://media.ccc.de/c/39c3!

#39c3

^ta

Admirable reflection on past years fails (and successes) by @starlabs_sg :

https://starlabs.sg/blog/2025/12-2025-reflection/

#fail

TOCTOU in the AMD boot rom? Wow wow wow. #39c3

You! Yes, you, at #39C3 ! Come to our self-organized-session-talk thing!

“FAFO: How we stopped worrying and bought an Electron Microscope”

SoS Stage H, at 00:01 on day 3 (so in ~34 hours after this was posted).

More details: https://events.ccc.de/congress/2025/hub/en/room/detail/sos-stage-h/

I've added the slides and the source code for the Sokoban game to the links for my presentation; it appears on the app, but seemingly not the website... For reference, they are:

Links
Source Code (wasm)
Source Code (web)
Slides
Sokoban Fuzzer

I'll be changing out the sokoban puzzle every 30 minutes from hereon out :)

#39c3 #fuzzing

@pancake Aren't IDA scripts/plugins closely tied to (main) versions?

I'm all for self-explanatory API's, but you should keep in mind that you have a lot of context to build on in case of your own project that others may lack (as a general observation, I'm not familiar with r2's API).

Re: Ghidra I think it usually comes down to a Java vs. The World thing, and once you accept the fundamental paradigms the API is reasonable. I'm curious though about what you find overly "simplified" there?

Not related to the latest MongoDB vulnerability (since it doesn't require authentication), but does anyone know of a good MongoDB honeypot? You know, one that masquerades as a real MongoDB database server and logs the login attempts while returning a "bad credentials" error? (It clearly won't be able to log the passwords because of SCRAM but anything else would be useful.)

All I could find was a logging proxy to a real MongoDB server or a MongoDB server running in a Docker image - but I don't want that.

@pancake "Gentlemen don't argue about good taste" :) I don't think Ghidra is bad at all (API stability is a good indicator of this IMO), but I have very objective arguments against IDA...

Apparently on #Fediverse - where safety is so critical that you got burned at the stake when dared to say that searching for things would be actually useful - when I block a user or mute a thread they still show up when my client is not in the mood of hiding them?

#Akkoma

Hey #39c3, Come see my lightning talk on a safe variant for `.innerHTML ` that is built right into the browser. https://events.ccc.de/congress/2025/hub/event/detail/lightning-talks-tag-2 on Day 2.