@troed I guess it's fine for ad-hoc tools, but I'm looking at code with many stars on GH rn. It works. Sometimes it freezes. Everything is redundant, identifiers don't describe actual purpose but something else, functions are prohibitively large. No one will be willing or able to maintain this shit for more than 6 months.

The general code quality of hacking tools has always been shit. Thanks to LLMs now it's somewhat worse.

There is a theory which states that if ever anyone discovers exactly what the Universe is for and why it is here, it will instantly disappear and be replaced by something even more bizarre and inexplicable.
There is another theory which states that this has already happened.

#HitchhikersGuide #DouglasAdams #quotes #quote #bot

POC2025 videos are up:

https://www.youtube.com/watch?v=_eem7AVAMpI&list=PLHu2EA4lxh3Yvaa5sr9TYM3ywzGFBbpR8

This is my every-once-in-awhile post since I’m thinking about it today: if you have a lead on install media, an image of a dev/test system, etc. for the Dynix ILS (from the 1980s/90s), please reach out. No, it’s not on Internet Archive despite some things saying it is.

Anna’s Archive Loses .Org Domain After Surprise Suspension https://torrentfreak.com/annas-archive-loses-org-domain-after-surprise-suspension/

[RSS] DRIVER_POWER_STATE_FAILURE (0x9F): Tracking a Stuck USB Power IRP to FocusriteUSB

https://medium.com/@Debugger/driver-power-state-failure-0x9f-tracking-a-stuck-usb-power-irp-to-focusriteusb-f82e93688a97?source=rss-3ba65b326b28------2

[RSS] CVE-2025-38352 (Part 3) - Uncovering Chronomaly

https://faith2dxy.xyz/2026-01-03/cve_2025_38352_analysis_part_3/

[RSS] RCE via ColdFusion ARchive (CAR) Deployment: One Example of an Authenticated Attack Path in CFAdmin (CVE-2025-61808)

https://www.hoyahaxa.com/2026/01/rce-via-coldfusion-archive-car.html

Trend in Number: Apple Kernel Space CVEs & Vulnerability Reporters
The blue line represents the number of kernel CVEs, and the green line represents the number of vulnerability reporters across the entire Apple platform. Starting in 2022, the number of vulnerability reporters has been increasing, while the number of kernel CVEs has been decreasing.

Do you have an idle cluster? Can you spare a couple core-years?

Help me bruteforce some test vectors for RSA key generation edge cases!

Here are the instructions, it's just a matter of running a single self-contained cross-compilable Go binary that will report the results autonomously.

https://gist.github.com/FiloSottile/19e7ceb1fdcdaa128f7d3319ad0939fa

A German hacker known as "Martha Root" dressed as a pink Power Ranger and deleted a white supremacist dating website live onstage

This happened during the recent CCC conference.

Martha had infiltrated the site, ran her own AI chatbot to extract as much information from users as possible, and downloaded every profile. She also uncovered the owner of the site. She has published all of the data.
#CCC
https://media.ccc.de/v/39c3-the-heartbreak-machine-nazis-in-the-echo-chamber
Leak data:
https://okstupid.lol/

@davidgerard this is a good intro with historical background: https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/

You can also ping @matthewdgreen on bsky

*sigh* several weeks ago, I tried to view something on Harvard University's rare manuscript site ("Curiosity Collections"), but the images were all broken. Digging into the javascript console, I found that the images are not missing from the server if you extract their URLs, but the json is being put together wrong and the viewer can't parse it.

I sent an email to the site's contact person with all the info I had. They were apologetic and said their maintainers were "aware" of the issue, but the vague reason they gave me (a VPN issue) doesn't make a lot of sense in the context that the images are all loadable if you know their URL and the viewer is crashing in a json parsing function. So I suspect someone told the contact person a plausible-sounding reason without investigating. At the very least, they don't seem to be trying at all to fix it.

So the rare manuscripts website of a world-major university has been languishing broken for several weeks at minimum, but who knows how long it'd been like that before I, personally, noticed. I guess this is a "state of American education" post.

shouts out to the nist cve api for having a query parameter in a format that absolutely no http library will emit, basically forcing you to hand-serialise a url

amazing how many talks at c3, defcon et al boil down to "we looked at the protocol format and it's as though nobody ever thought to do this before"

@hanno I'm afraid there is a general decline of index quality at all major providers (G,Bing,Yandex,???), while alternative engines mostly rely on those. I also noticed that verbatim search is basically dead as not all content is indexed in its original form so even if you know exactly what you are looking for, the index entry is just not there to find it.

@hanno @kagihq ?

@csepp I think @HalvarFlake had a presentation where he talked about hacking like an addiction where accessing more systems (and knowledge) leads you to even more systems, each giving a dopamine rush :)

My MongoDB honeypot is now open source:

https://gitlab.com/bontchev/mongopot

Visualization (not included in the repo):

https://pandora.nlcv.bas.bg/grafana/d/EysKAV4Dz/mongopot