Posts
2426
Following
584
Followers
1295
A drunken debugger

Heretek of Silent Signal
repeated

I love how this looks like they’re having a conversation.

0
1
1
repeated

Stop thinking of Twitter, TikTok, IG, (et al) as social media sites.

They are **Content Refineries.**

Like processed food manufacturers they take user content & extract the most addicting/engaging content. Brains eat it up but in an unhealthy “devour the whole bag of chips” way.

They make hyper-processed social media junk food.

Mastodon is more like a potluck. We're all bringing dishes. It's a mess. Kids are running all over. But we are, at least, real people sharing real things.

0
14
0
repeated
repeated

Finally achieved empty tcpdump starting Firefox. Had to find and clear location.services.mozilla.com and push.services.mozilla.com from show-all in about:config. Then there were the following that are hard-coded, not appearing in about:config, for which /etc/hosts needed to be invoked:

firefox.settings.services.mozilla.com
content-signature-2.cdn.mozilla.net
prod.remote-settings.prod.webservices.mozgcp.net
content-signature-chains.prod.autograph.services.mozaws.net

FFS do better.

1
4
0
repeated

New Update to the Security Archives: Hacktivity 2023 has been added to the https://infocon.org/cons/Hacktivity/ collection, and missing English captions have been generated.

"The IT Security Festival in Central and Eastern Europe since 2004"

You can D/L, Torrent or watch in your browser. @hacktivityconf

0
2
0
repeated

"While conducting a postmortem review of the Asnarök attack, [Sophos] built a specialized kernel implant to deploy to devices that Sophos had high confidence were controlled by groups conducting malicious exploit research. The tool allowed for remote file and log collection without any visible userland artifacts."
https://t.co/xUXifo4ZQV

0
2
0
repeated

reminder that the bcrypt hash function ignores input above a certain length! so if you do bcrypt(username || password) for some reason, a sufficiently long username will make it accept any password. to fix this you can sha256 the input first.

https://bird.makeup/@kmcquade3/1852475962715246869

0
4
0
repeated

Tony Arcieri 🌹🦀

Pretty much all versions of bcrypt are vulnerable to second preimage attacks because they truncate the input to the first 72 bytes, meaning the hashes for messages longer than that will collide.

This resulted in a login bypass against Okta.

https://www.theverge.com/2024/11/1/24285874/okta-52-character-login-password-authentication-bypass

3
10
0
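Added example (not code from either post above) putting the bcrypt(username || password) construction the two posts warn about beside the SHA-256 pre-hashing fix; bcrypt's 72-byte cut is modelled by `effective_bcrypt_input` so the block runs offline without the bcrypt library, and `password_bytes_seen` / `accepts_any_password` are hypothetical helper names.

```python
import base64
import hashlib

# bcrypt hashes only the first 72 bytes of its input (and stops at a NUL byte);
# anything beyond that is silently ignored. BCRYPT_MAX_INPUT and the model
# function below stand in for the real bcrypt call so the block runs offline.
BCRYPT_MAX_INPUT = 72


def effective_bcrypt_input(data: bytes) -> bytes:
    """Model of what bcrypt actually consumes: cut at the first NUL and at 72 bytes."""
    return data.split(b"\x00", 1)[0][:BCRYPT_MAX_INPUT]


def naive_material(username: str, password: str) -> bytes:
    """The risky construction from the posts: bcrypt(username || password)."""
    return (username + password).encode("utf-8")


def prehashed_material(username: str, password: str) -> bytes:
    """Hardened construction: SHA-256 first, then base64-encode the digest.

    The 32-byte digest becomes 44 printable bytes, so it always fits under the
    72-byte limit and never contains a NUL that would stop bcrypt early. The
    separator keeps ("ab", "c") and ("a", "bc") from hashing identically.
    With a real library this output is what you would pass to bcrypt.hashpw.
    """
    data = username.encode("utf-8") + b"\x1f" + password.encode("utf-8")
    return base64.b64encode(hashlib.sha256(data).digest())


def password_bytes_seen(username: str) -> int:
    """Defender's check for the naive scheme: how many password bytes survive truncation."""
    return max(0, BCRYPT_MAX_INPUT - len(username.encode("utf-8")))


def accepts_any_password(material_fn, username: str) -> bool:
    """True if two unrelated passwords make bcrypt hash identical input (the collision)."""
    seen_a = effective_bcrypt_input(material_fn(username, "correct horse battery"))
    seen_b = effective_bcrypt_input(material_fn(username, "wrong"))
    return seen_a == seen_b


if __name__ == "__main__":
    long_user = "x" * 72  # constructed: a username that alone fills bcrypt's input window
    print("naive, long username     ->", accepts_any_password(naive_material, long_user))      # True
    print("prehashed, long username ->", accepts_any_password(prehashed_material, long_user))  # False
    print("password bytes seen:", password_bytes_seen(long_user))                              # 0
```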
#OffensiveCon2025 dates (from the other site):

Conference: 16-17 May
Trainings: 12-15 May
0
0
1
repeated

🌪️Heads up speakers: Our 2025 Call for Papers is now open!
Be part of the best all-offensive security conference in Asia!
Submit your talk today at: https://typhooncon.com/call-for-papers-2025/

0
2
0
repeated

hikari 🌟 (falling into the sky)

oh my god you literally can't log into DigitalOcean if fonts.googleapis.com is down or (in my case) null-routed. the site literally won't load. they have made the font CSS part of the critical path with no fallback. this is horrendous

1
5
0
repeated

This paper looks promising: "SIGMADIFF: Semantics-Aware Deep Graph Matching for Pseudocode Diffing".

https://ink.library.smu.edu.sg/cgi/viewcontent.cgi?article=9671&context=sis_research

1
1
0
Is there a word for when people with no medical background discuss each other's medication for long periods of time?
2
0
1
repeated

~25M lines of code in the Linux kernel drivers/ directory. O_O

~15M LoC for everything else.

1
3
0
repeated

Hello everyone, fun fact, UAC bypasses = bounty money when Administrator Protection is enabled. We checked many but we fully expect we missed some. You could simply dig up old research, try it and if it works make some cash. This feature is in an early stage, help us improve it.

https://bird.makeup/@decoder_it/1846282808785846502

0
4
0
[RSS] From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code

https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.html

"we want to reiterate that these are highly experimental results. The position of the Big Sleep team is that at present, it's likely that a target-specific fuzzer would be at least as effective (at finding vulnerabilities)." (still wow!)
0
0
0
repeated

https://netboot.xyz/ is really cool, just used it to install Debian for a relative. neofox_uwu
cc

0
2
0
repeated