"I'm interested in all kinds of astronomy."

Connect with us on Friday 2/20 @ 3pm for some advanced exploitation! Brandon (teaching Firmware RE at RE//verse) has a spicy meshtastic bug from class for us to preview, then we'll continue with more advanced C++ reversing! https://www.youtube.com/watch?v=k0s7W3Wuipg

So the apparent concurrency bug I've been chasing for the last couple of days turned out to be:

- a thread panic!ing
- because it couldn't allocate a trivial amount of memory
- probably related to the fact that when I passed a struct to a library, the library apparently decided that the passed fields are not important and made up new ones

The best part was that I saw no indication of the panic until I carefully yanked out half of the code (using a different library), some of which apparently swallowed all panics.

Yes, I work with weird shit.

#Rust

LLMs can generate 'secure' passwords that are actually just predictable garbage. Because, you know, predicting is what LLMs do best.

https://www.irregular.com/publications/vibe-password-generation


Why does nobody ever mention that the company providing ID verification in the UK is ultimately owned by Thiel and, therefore, Palantir?

This is dragnet making XKEYSCORE an amateur system.

https://mastodon.online/@mullvadnet/116087059413472819


Pwndbg 2026.02.18 is out! Enhance your GDB or LLDB experience!

We visualize branches in nearpc, synchronize your decompiler (IDA/Binja/Ghidra) via decomp2dbg, annotate stack variables from debug info or decompiler, support new Linux kernel debugging commands - for tracing SLUB allocs/frees or dumping tasks information.

See what's changed in: https://github.com/pwndbg/pwndbg/releases/tag/2026.02.18

Want Pwndbg to keep moving fast, or, having us give a talk about it? Sponsor us: https://github.com/sponsors/pwndbg/


Open source has an open slop problem.

And I think the solution is one that would've been perfectly obvious to a thirteenth-century Florentine weaver...

https://www.joanwestenberg.com/the-case-for-gatekeeping-or-why-medieval-guilds-had-it-figured-out/


Mistodon: when you wanna go oldschool, you can't beat the green glow of a P1 phosphor terminal. This embryonic screen, 'Born Digital', was drawn by @mavenmob and included in the MIST0223 artpack collection released three years ago this month.


bert hubert 🇺🇦🇪🇺🇺🇦

Microsoft loves to play word games stating that *they* did not evict the chief International Criminal Court prosecutor from the cloud. But this is exactly what they did, and now they are trying to correct the UK parliamentary record, where they had tried to spin this (incorrectly): https://www.theregister.com/2026/02/18/microsoft_asks_uk_parliament_to_correct_record/


Talos Vulnerability Reports

New vulnerability report from Talos:

OpenCFD OpenFOAM Code Stream directive arbitrary code execution vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2292

CVE-2025-61982

So I spent way too much time debugging today and this beer made me sentimental so here's a software success story:

I use motibro.com to sign up for trainings and I think they became SW Buddha (or whatever):

- The webapp just works
- AFAIK there is no mobile app, but mobile view just works
- The copyright info is stuck in 2022, no one cares ofc
- They send notifications with the right info, at the right time, no spam
- I can't recall any feature or design updates, I can basically manage my classes blind
- I hear no complaints about the software from any of its users

We need more software like Motibro!

How have I lived to the Year of our Lord 2026 without having seen this meme before now?

This is me, arguing with rustc about various ways of setting one bit in memory:

https://www.youtube.com/watch?v=Hz1JWzyvv8A

so this password manager paper: https://eprint.iacr.org/2026/058 starts with:

> We examine the extent to which security against a fully malicious server holds true for three leading vendors who make the Zero Knowledge Encryption claim: Bitwarden, LastPass and Dashlane

with https://sphinx.pm, we consider it - half-jokingly, with some caveats - normal, the server being fully malicious and it's fine to have it hosted by the nsa/u8200/gru/prc

1/n

@alphastrata The root of the issue is that the library I'm using is not originally in/for Rust, so such best practices simply don't exist in their world...

Alice Averlong🏳️‍⚧️

I've seen a lot of people asking for an option for "are" in the marshdeer xkcd-2501 generator... so I made one! Yay open source.

https://foone.github.io/xkcd2501-generator/

(pull request about to be in progress, but this is my fork of my changes)

@addison Thanks, that's in line with @alphastrata's suggestion and the advice I got afk.

I'm quite new to Rust and it's strange that something as simple as moving a couple of lines of code into a function (I'm still considering a macro actually) can require this much consideration, but I guess this is the price we pay for stability.

@addison Thanks, that makes sense, but I can't touch Session as it comes from a dependency. There is definitely a lifetime issue here too (esp. because the actual tree of objects goes ~5 levels deep).

I think the root of my Q is if there is a way to create a "will" for Rust functions/scopes that would say "after my death my caller will inherit all that I own (so please don't free shit up)"?

@kstrlworks Oh sry, I'm on 25.7<whatever is the latest patch>. I simply use two bridged interfaces on Proxmox. Based on my above observations I think this is more of a design issue of moving around files during the upgrade process, and *maybe* something you can mitigate with some ZFS magic (I'm on UFS).

@addison From a different branch of this convo:

"Imagine that initialization is more complex and I want to provide a library that hides that complexity, exposing something like setup_widget() and deinit_all()."

https://infosec.place/notice/B3RIRrdtPQog3eUc2y