"The selling point of generative A.I. is that these programs generate vastly more than you put into them, and that is precisely what prevents them from being effective tools for artists."

[RSS] Vulnerabilities in Open Source C2 Frameworks

https://blog.includesecurity.com/2024/09/vulnerabilities-in-open-source-c2-frameworks/

With Kagi, not only can you see how many ads/trackers a website has before clicking, but you can also personalize your search by ranking domains to tailor the experience to your specific needs👇

#AdFree #Search #Kagi

SAP Hash Cracking Techniques https://redrays.io/blog/sap-hash-cracking-techniques/

good news: I can now publish my work on "RTL debugger", an interactive tool that lets you single-step your hardware design and observe its state, currently integrated into VS Code as an extension but using an open protocol https://github.com/amaranth-lang/rtl-debugger

right now it's in a very early state and not all that useful, but this should change in the coming days

This looks amazing: THE JUNKYARD: An End-Of-Life Pwnathon (February 21-22, 2025) DistrictCon: https://www.districtcon.org/junkyard

new blogpost time!!

this one's a fun writeup on a vulnerability chain i found across multiple google services that earned me a $4133.70 bounty

lots of fun css as usual! i had to recreate a bunch of drive/docs/gmail/youtube UIs c:

have fun!

https://lyra.horse/blog/2024/09/using-youtube-to-steal-your-files/

OpenHCL: Evolving Azure’s virtualization model

https://techcommunity.microsoft.com/t5/windows-os-platform-blog/openhcl-evolving-azure-s-virtualization-model/ba-p/4248345?s=09

It's amazing some "experts" manage to bring up "AI" even in the context of the latest incidents in Lebanon, citing tech from 2010...

Thanks to gcc 14's stricter errors, today I learned that the getpwent_r/getspent_r/etc. interfaces on Linux & Solaris have basically opposite return values - on Solaris they return a non-NULL pointer on success, a NULL pointer on failure - while on Linux they return ints - 0 for success, -1 for failure - so checking for == 0 is inverted between the two. Hopefully not a lot of code uses these APIs, but I still wonder how much is broken. For instance, accountsservice gets this wrong on Solaris.

Rust on illumos

https://www.osnews.com/story/140727/rust-on-illumos/

#IllumOS #Rust

US Government 'Took Control' of a Botnet Run by Chinese Government Hackers, Says FBI Director https://news.slashdot.org/story/24/09/18/1728234/us-government-took-control-of-a-botnet-run-by-chinese-government-hackers-says-fbi-director?utm_source=rss1.0mainlinkanon

Lately my days of exploiting have been:

36 hours spent troubleshooting how broadcast/multicast traffic works on various operating systems

4 hours spent writing the actual exploit and pwning the thing

The unreasonable effectiveness of simple HTML
https://shkspr.mobi/blog/2021/01/the-unreasonable-effectiveness-of-simple-html/

I've told this story at conferences - but due to the general situation I thought I'd retell it here.

A few years ago I was doing policy research in a housing benefits office in London. They are singularly unlovely places. The walls are brightened up with posters offering helpful services for people fleeing domestic violence. The security guards on the door are cautiously indifferent to anyone walking in. The air is filled with tense conversations between partners - drowned out by the noise of screaming kids.

In the middle, a young woman sits on a hard plastic chair. She is surrounded by canvas-bags containing her worldly possessions. She doesn't look like she is in a great emotional place right now. Clutched in her hands is a games console - a PlayStation Portable. She stares at it intensely; blocking out the world with Candy Crush.

Or, at least, that's what I thought.

Walking behind her, I glance at her console and recognise the screen she's on. She's connected to the complementary WiFi and is browsing the GOV.UK pages on Housing Benefit. She's not slicing fruit; she's arming herself with knowledge.

The PSP's web browser is - charitably - pathetic. It is slow, frequently runs out of memory, and can only open 3 tabs at a time.

But the GOV.UK pages are written in simple HTML. They are designed to be lightweight and will work even on rubbish browsers. They have to. This is for everyone.

Not everyone has a big monitor, or a multi-core CPU burning through the teraflops, or a broadband connection.

The photographer Chase Jarvis coined the phrase "the best camera is the one that’s with you". He meant that having a crappy instamatic with you at an important moment is better than having the best camera in the world locked up in your car.

The same is true of web browsers. If you have a smart TV, it probably has a crappy browser.

My old car had a built-in crappy web browser.

Both are painful to use - but they work!

If your laptop and phone both got stolen - how easily could you conduct online life through the worst browser you have? If you have to file an insurance claim online - will you get sent a simple HTML form to fill in, or a DOCX which won't render?

What vital information or services are forbidden to you due to being trapped in PDFs or horrendously complicated web sites?

Are you developing public services? Or a system that people might access when they're in desperate need of help? Plain HTML works. A small bit of simple CSS will make look decent. JavaScript is probably unnecessary - but can be used to progressively enhance stuff. Add alt text to images so people paying per MB can understand what the images are for (and, you know, accessibility).

Go sit in an uncomfortable chair, in an uncomfortable location, and stare at an uncomfortably small screen with an uncomfortably outdated web browser. How easy is it to use the websites you've created?

I chatted briefly to the young woman afterwards. She'd been kicked out by her parents and her friends had given her the bus fare to the housing benefits office. She had nothing but praise for how helpful the staff had been. I asked about the PSP - a hand-me-down from an older brother - and the web browser. Her reply was "It's shit. But it worked."

I think that's all we can strive for.

---

Here are some stats on games consoles visiting GOV.UK

Matt Hobbs (@TheRealNooshu@hachyderm.io)

@TheRealNooshu

Replying to @TheRealNooshuInterestingly we have 3,574 users visiting GOV.UK on games consoles:
• Xbox - 2,062
• Playstation 4 - 1,457
• Playstation Vita - 25
• Nintendo WiiU - 14
• Nintendo 3DS - 16

20/22

---

❤️ 29💬 1♻️ 010:45 - Mon 01 February 2021

https://shkspr.mobi/blog/2021/01/the-unreasonable-effectiveness-of-simple-html/

#HTML5 #web #WeekNotes #work

New vulnerability report from Talos:

OpenPLC OpenPLC_v3 OpenPLC Runtime EtherNet/IP parser invalid pointer dereference vulnerabilities

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2016

CVE-2024-39589,CVE-2024-39590,CVE-2024-39589,CVE-2024-39590

New vulnerability report from Talos:

OpenPLC OpenPLC_v3 OpenPLC Runtime EtherNet/IP parser stack-based buffer overflow vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2005

CVE-2024-34026

New vulnerability report from Talos:

OpenPLC OpenPLC_v3 OpenPLC Runtime EtherNet/IP PCCC out-of-bounds read vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2004

CVE-2024-36981,CVE-2024-36980,CVE-2024-36980,CVE-2024-36981

I gave a keynote at the FUZZING24 workshop. The video is here: https://t.co/Q0tyqEiqv6

https://www.youtube.com/watch?v=Jd1hItbf52k&feature=youtu.be

The slides are here:
https://docs.google.com/presentation/d/1vw9lywrMnNojiOIu-xU5KXZz7WzE0MYNQF6V7n6vyY8/edit?usp=sharing

[RSS] It rather involved being on the other side of this airtight hatchway: Posting completions to somebody else's I/O completion port

https://devblogs.microsoft.com/oldnewthing/20240917-00/?p=110276

[RSS] PC Floppy Copy Protection: Electronic Arts Interlock

https://hackaday.com/2024/09/17/pc-floppy-copy-protection-electronic-arts-interlock/