Bad idea: build a captcha library that embeds DOSBox so it can make you beat levels/puzzles from DOS games to continue.
Prove you're a human! Beat Lifewater Oasis from Commander Keen 4! Defeat the Yeti in King's Quest 5! Make sure 15 lemmings survive! Get the sword in Prince of Persia!
I discovered a certificate using a "public private key", in this case a key that is part of OpenSSL's test suite. This would not necessarily be a particularly interesting event. It happens every now and then that people use private keys they find on the Internet, likely due to a lack of understanding of public key cryptography. I usually report them for revocation, and move on. However, this one is a bit more unusual. It has been issued by the CA Digicert - for a domain owned by Digicert. https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/d21mtDJ7YXQ
Eighth article of the series "Extending Burp Suite for fun and profit - The Montoya way" is out!
Topic: BChecks - A quick way to extend Burp Suite Active and Passive Scanner!
https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-8/
Since it's almost been a year and OBTSv7 is around the corner, I published the long overdue writeup for badmalloc:
https://gergelykalman.com/badmalloc-CVE-2023-32428-a-macos-lpe.html
Slides & video from our @grehackconf talk "Attacking Hypervisors - A Practical Case" are online! Learn how we exploited vulnerabilities to escape VirtualBox during Pwn2Own Vancouver 2024: https://www.reversetactics.com/publications/2024_conf_grehack_virtualbox/
Reversing virtualized binaries is no easy task. Our intern Jack took on exploring automated devirtualization techniques, and presents in our latest blog post an efficient, modular, taint-based approach that leverages LLVM IR: https://blog.thalium.re/posts/llvm-powered-devirtualization/
Channeling @Viss
"Go to the cloud, it'll be great"
Microsoft has been reporting an issue since 8:54pm yesterday. The basic summary of the issue is "Teams, Exchange, Purview, SharePoint, and Universal Print are all broken". So you know - everything you need to use in Office365 to operate on a day to day basis in a Microsoft world.
Copilot is also broken apparently, but we don't like that anyway, right?!
A lot of people don’t know this one weird trick — much like JavaScript, C also lets you perform arithmetic with mixed types:
Dear everyone who owns domains that are *not used for e-mail*, particularly ones that are potential targets for phishing (banks, high-profile names): Could you please configure SPF+DMARC, ideally with p=reject? You may wonder: Why should I configure anything email for a host that isn't used for email? Well... it helps others to identify spam sent with your domain as the sender.
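An added example, not part of the original post: an offline check that a domain which sends no mail publishes a null SPF policy and a DMARC record with p=reject, as the post above asks. The null policy `v=spf1 -all`, the extra `sp`/`pct` checks, the function names and the `example.com` sample records are assumptions of this example.

```python
# Audit the SPF and DMARC TXT records of a domain that sends no mail (offline).

def parse_tags(record):
    """Split a DMARC record 'k=v; k=v' into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_parked_domain(apex_txt, dmarc_txt):
    """Return a list of findings; an empty list means the domain is locked down.

    apex_txt:  TXT strings published at example.com
    dmarc_txt: TXT strings published at _dmarc.example.com
    """
    findings = []
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()[1:]
        # Assumption: a non-mail domain authorizes no sender and hard-fails all.
        if terms != ["-all"]:
            findings.append(f"SPF is not the null policy 'v=spf1 -all': {spf[0]!r}")

    dmarc = [r for r in dmarc_txt if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"expected exactly one DMARC record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC p={policy or 'missing'}, want p=reject")
        # sp= overrides p= for subdomains; if present it must also be reject.
        if tags.get("sp", "reject").lower() != "reject":
            findings.append(f"DMARC sp={tags['sp']} weakens subdomain policy")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC pct={tags['pct']} covers only part of the mail")
    return findings

# Constructed sample records for the placeholder domain example.com
GOOD = (["v=spf1 -all"], ["v=DMARC1; p=reject; sp=reject"])
WEAK = (["v=spf1 include:_spf.example.net ~all"], ["v=DMARC1; p=none; pct=50"])

if __name__ == "__main__":
    for name, (apex, dmarc) in {"GOOD": GOOD, "WEAK": WEAK}.items():
        print(name, audit_parked_domain(apex, dmarc) or "ok")
```

To audit a live domain, feed the function the TXT answers for the apex and for `_dmarc.<domain>` from any resolver.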
Good news: The Dell firmware update utility definitely checks whether update executables are signed.
Bad news: Dell is posting unsigned update executables to their website labeled “critical” which then fail to install due to the good news
bsky.app/profile/mrme.bsky.social/post/3lbql2z2uas2f
Trust me, the Chinese hack Spring apps harder than you: https://juejin.cn/post/6972564484720328718
Revisiting unresolved JetBrains TeamCity issues: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=teamcity
I may be a hater but I'm not lying to my customers and hiding security issues.
social media platform users are going to link offsite. the only question is how obnoxious the platform will make it for them and everyone else.
(For context: Instagram prohibits links in post text. This, plus the incentive to inflate comments, has led to the proliferation of tools where creators instruct their followers to comment with a specific word to receive a link in their DMs— in this case, to a pie crust recipe)