fuck you, 2024. I made it through \o/

Multiple vulnerabilities in CTFd versions <= 3.7.4 (CVE-2024-11716, CVE-2024-11717)

https://seclists.org/fulldisclosure/2024/Dec/21

Do these count as Cursed CTF tactics?

Looks like hyp3rlinx also got interested in #IBMi :)

https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_Server_Side_Request_Forgery_CVE-2024-51463.txt

https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt

(CVE-2024-51463, CVE-2024-51464)

[RSS] Security Bulletin: IBM PowerHA SystemMirror for #IBMi is vulnerable to multiple vulnerabilities in the PowerHA Web Interface [CVE-2024-55897, CVE-2024-55896]

https://www.ibm.com/support/pages/node/7180036?myns=swgother&mynp=OCSSPHQG&mynp=OCSWG60&mync=A&cm_sp=swgother-_-OCSSPHQG-OCSWG60-_-A

[RSS] Remote Memory Access in Linux

https://u1f383.github.io/linux/2024/12/28/remote-memory-access-in-linux.html

[RSS] The Feasibility of Using Hardware Breakpoints To Extend the Race Window

https://u1f383.github.io/linux/2024/12/29/the-feasibility-of-using-hardware-breakpoints-to-extend-the-race-window.html

[RSS] From Arbitrary File Write to RCE in Restricted Rails apps

https://blog.convisoappsec.com/en/from-arbitrary-file-write-to-rce-in-restricted-rails-apps/

[RSS] What does [it] mean to "Commit Params/Return"? #Ghidra

https://old.reddit.com/r/ghidra/comments/1hpom0c/what_does_mean_to_commit_paramsreturn/

Waymo (aka Google) admits that it trains its robotaxis to break the law. When WaPo reporter finds robotaxis fail to stop for pedestrians in marked crosswalk 70% of the time, Waymo says it follows "social norms" rather than laws.
Expert explains: When robotaxis obey law, they don't go fast enough to compete successfully with Uber, so Google execs ordered engineers to ignore laws.
https://wapo.st/3ZZDifm

Reminder: Tomorrow, @lavados, @lunkw1ll and I will give a talk at #38c3 about #Rowhammer at 12:00. If you want to check whether your computers are vulnerable to #Rowhammer, visit https://flippyr.am. Everything is open source! You can build our ISO and flash it onto your USB stick. If you're feeling lazy and trust us, come to Hall 3 by the palm tree and get a free USB stick with the ISO already flashed.

Can We Find Beauty in Tax Fraud? #38c3

https://streaming.media.ccc.de/38c3/relive/402

This looks fun!

'International Obfuscated C Code Contest' Will Relaunch, Celebrating 40th Anniversary https://developers.slashdot.org/story/24/12/29/1730224/international-obfuscated-c-code-contest-will-relaunch-celebrating-40th-anniversary?utm_source=rss1.0mainlinkanon

I have this PCB where circular solder points are perfect, while square ones ("negative legs") seem to have solder repellent fields around them.

Is this a known thing or my skill/material issue? If the former, how should I solder these things?

#soldering

Volkswagen's bad streak: They know where your car is, Chaos Computer Club says – and they don't know how to secure it properly. https://reynardsec.com/en/volkswagens-bad-streak-we-know-where-your-car-is/

In 10 mins: Dialing into the Past: RCE via the Fax Machine – Because Why Not?

https://events.ccc.de/congress/2024/hub/event/dialing-into-the-past-rce-via-the-fax-machine-because-why-not/

#38c3

I found the GitHub repo "A Compiler Writing Journey" and was glad to see the compiler building from the ground up - documented with each step in detail.

For any compiler enthusiast, these steps provide valuable insights worth sharing.

I'm making a memory-safe implementation of C/C++. It's called Fil-C. Currently working on making it fanatically compatible with C and C++ so that lots of programs can be made memory-safe with zero or minimal changes.

Learn more here: https://github.com/pizlonator/llvm-project-deluge/blob/deluge/Manifesto.md

Only 10 days left to submit your papers to #MADWeb and secure a spot to present your work in the sunny San Diego!

📅 Deadline: January 9, 2025 (AoE)
📜 Submit here: https://madweb25.hotcrp.com/
🔗 Website: https://madweb.work/

#CfP #websec #websecurity

i just discovered some really good software: SENinja https://github.com/borzacchiello/seninja

it lifts Binary Ninja's intermediate representation to a symbolic form and lifts it to an SMT2 representation, then feeds it to Z3

the user interface is like a debugger, except you get things like symbolic expression, or you can ask for which inputs will result in reaching a specific branch

this is so so so cool

https://doi.org/10.1016/j.softx.2022.101219

Part of our global dumbing down is the assumption no one wants to read anything anymore. This leads to ever briefer articles. Which sucks, since the world is too complicated to be understood through soundbites alone. However, if you invest time in decent writing & do the measurements, you find that tens of thousands of people DO read 3200 word posts straight through to the end: