Our #CTF continues its world tour: we're heading to @ph0wn 🚩

Come time travel debug our challenge for a chance to win cool prizes 😉

TIL Leif Svalgaard passed away last year:

https://solarnews.aas.org/2025/obituary-leif-svalgaard-1942-2025/

A true #AS400 (lately #IBMi ) hacker legend:

https://svalgaard.leif.org/as400/

https://www.itjungle.com/2004/08/16/fast400-founder-sues-big-blue/

R.I.P.

We've invented service accounts all over again. MCP servers are quietly becoming the same overprivileged, under-monitored access brokers that have haunted enterprise security for years. Except this time, we're stacking them on top of the old ones.

https://go.aembit.io/s/mcp-servers-and-the-return-of-the-service-account-problem-25746

[RSS] Challenges in Decompilation and Reverse Engineering of CUDA-based Kernels

https://nicolo.dev/files/pdf/reverse26-cuda-kernels.pdf

[RSS] AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks

https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf

Tired of guessing inputs? Let the computer do the work! Learn about symbolic execution from @barbie in "Reverse Engineering 3201" https://ost2.fyi/RE3201 and use SMT solvers to find the exact inputs to reach vulnerable code. Stop guessing, start solving! 

I already knew that we use nonsense measurement systems here in the US. But only recently did I realize that a US gallon is different than a UK gallon.

RE: https://infosec.exchange/@mr_phrazer/116166155203519881

I also published my Ghidra Headless MCP that follows similar design principles: https://github.com/mrphrazer/ghidra-headless-mcp

@pleia2 Except there is at least one fundamental difference between the X->Prompt abstraction and everything else he brings up (based on the slides):

https://blog.trailofbits.com/2025/12/19/can-chatbots-craft-correct-code/

New blog post: Perfect types with `setHTML()` - https://frederikbraun.de/perfect-types-with-sethtml.html - TLDR: Use require-trusted-types-for 'script'; trusted-types 'none'; in your CSP and nothing besides setHTML() works, essentially removing all DOM-XSS risks....

Composing Sanitizer configurations (https://frederikbraun.de/composable-sanitizers.html): The HTML Sanitizer API allows multiple ways to customize the default allow list and this blog post aims to describe a few variations and tricks we came up with while writing the specification.

Building a Super-Compact Cistercian Numerals Clock

https://hackaday.com/2026/03/08/building-a-super-compact-cistercian-numerals-clock/

@Sempf I used this model for years, but somehow the keyboard became terrible (didn't register presses or registered double-triple) after a while and it was even worse in brand new phones. How's yours doing?

Darknet Diaries 170: Phrack

"Phrack is legendary. It is the oldest, and arguably the most prestigious, underground hacking magazine in the world..."

🔗 https://darknetdiaries.com/episode/170/

#Phrack #Hacking #CyberSecurity

Watching pro developers discussing how stupid some of the exploits of widely used software are is pretty entertaining:

https://www.youtube.com/watch?v=OgfdyH4iaps

Good to see the "other side" gets it!

I wrote a not very serious thing about #3Dprinter and #warhammer

https://matduggan.com/the-year-of-the-3d-printed-miniature-and-other-lies-we-tell-ourselves/

@algernon Hearing this from someone who produces non-trivial Rust software restores my self-esteem a tiny bit

Phrack 73 CFP

https://phrack.org/

With a demo!

The perfect headline doesn’t exi…

https://www.engadget.com/big-tech/google-pledges-roughly-three-hours-of-its-annual-profit-to-fight-climate-change-164808010.html

[RSS] Reverse-engineered the WiFi transfer protocol for HeyCyan smart glasses (BLE + USR-W630 WiFi module) -- first iOS implementation

https://alexschar.dev/HeyCyanCaseStudy