"I'm interested in all kinds of astronomy."

One of my favorite things is asking LLMs "what's wrong with <this>?" when nothing is wrong with <this>. Works with code, circuit schematics, and so on.

You usually get a wall of *really* convincing text, and I imagine myself in the shoes of some poor student trying to make sense of this.


Last year I asked a question about the state of tracing JITs, and it led to a wonderful exchange. @cfbolz has written a terrific summary that captures a lot of folk knowledge that would otherwise be lost. Thanks!
https://pypy.org/posts/2025/01/musings-tracing.html


Electronic Frontier Foundation

Real-time bidding, which powers nearly every ad you see online, might be the most privacy-invasive surveillance system that you’ve never heard of. Learn how it works and how to protect yourself. https://www.eff.org/deeplinks/2025/01/online-behavioral-ads-fuel-surveillance-industry-heres-how


- You have to understand that back in my day, it was possible to make a career out of sending a lot of AAAAAAs to computer programs

- Sure grandpa, let's get you to bed


Now that it's actually 2025, you may want to give this a gander.

https://taggart-tech.com/20241212-2025-jobs-guide/


New version of Function-Graph-Overview is out for both VSCode and JetBrains IDEs.

This version is a bugfix release, solving some edge-cases that led to infinite loops in rendering, and improving performance in some cases too. Thanks @buherator for the fix!

JetBrains: https://plugins.jetbrains.com/plugin/25676-function-graph-overview
VSCode: https://marketplace.visualstudio.com/items?itemName=tamir-bahar.function-graph-overview


I will stream tonight (9PM CET) about the basics of PDF file format tricks - the road to funky PDF, polyglots and hash collisions! See you there!
https://www.youtube.com/live/8g6G96nn7Mo?si=0IByzWDDNDtrnPPk


Interesting links of the week:

Strategy:

* https://jericho.blog/2024/12/28/mitres-phoning-in-new-cnas/ - a critique of the training for new CNA from @attritionorg

Standards:

* https://www.misp-standard.org/blog/Naming-Threat-Actor/ - @misp proposes a standard for naming threat actors

Threats:

* https://www.vodafone.com/sustainable-business/maintaining-trust/law-enforcement-assistance - Vodafone's yearly account of law enforcement interactions
* https://www.propublica.org/article/ap3-oath-keepers-militia-mole - moles in right wing infrastructure
* https://community.emergingthreats.net/t/the-many-cves-of-d-link-hnap-command-injection/2314 - attacking HNAP for CLI injection
* https://www.flux.utah.edu/paper/singh-nsdi24 - analysing the prevalence and scope of ITW SSH brute force attacks

Detection:

* https://www.usenix.org/conference/usenixsecurity24/presentation/badva - paper on threat hunting, full disclosure: participant P18 is me :)

Bugs:

* https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113/ - AD LDAP sadness
* https://social.circl.lu/@vulnerability_lookup/113761006476621066 - fediverse reporting on the same bugs by @vulnerability_lookup
* https://thesecmaster.com/blog/how-to-protect-your-four-faith-industrial-routers-from-cve-2024-12856-a-critical - hacking the factory
* https://seclists.org/fulldisclosure/2024/Dec/21 - when the CTF platform itself supplies the bugs...
* https://seclists.org/fulldisclosure/2024/Dec/19 - iSay, iSay, shell me a midtier, sir!

Exploitation:

* https://people.kernel.org/kees/colliding-with-the-sha-prefix-of-linuxs-initial-git-commit - @kees collides Linux
* https://www.hvs-consulting.de/en/nfs-security-identifying-and-exploiting-misconfigurations/ - holes in NFS, surely not?
* https://blog.slowerzs.net/posts/thievingfox/ - stealing passwords for red team glory

Hard hacks:

* https://aleksandr.rogozin.us/blog/2021/8/13/hacking-philips-wiz-lights-via-command-line - hacking Philips WiZ

Hardening:

* https://www.cisa.gov/sites/default/files/2024-01/SbD-Alert-Security-Design-Improvements-for-SOHO-Device-Manufacturers.pdf - CISA advice on SOHO networks.. not wildly blown away but I suppose they have to start somewhere...

Nerd:

* https://github.com/markqvist/Reticulum/discussions/231 - an interesting approach to non-TCP/IP federated networks as shared by @sqshr...
* https://www.jmeiners.com/lc3-vm/ - write your own VM... kinda remember doing this at uni
* https://tickets.why2025.org/ - have you ordered your tickets for @why2025camp


at @rdjgr did a pretty good job at explaining the lore of how they scammed me before we ultimately joined forces. make sure to check out the full talk ("Dialing into the Past: RCE via the Fax Machine – Because Why Not?"), great stuff!

[RSS] Reliable system call interception [with seccomp user notify]

https://blog.mggross.com/intercepting-syscalls/

prompt: Isometric art.

It's game of life. History goes down. I've seen a visualization like this last year and wanted to recreate it.

Made with :
https://ambv.pyscriptapps.com/genuary-prompt-5/latest/

I have this favorite story about "the first 3D shopping mall" on the Hungarian Internet: it was of course a massive failure, because the minds behind it didn't realize that people are not going to the mall to use escalators (which was precisely modeled in VRML along with corridors, benches, etc).

I think the recent enthusiasm about GenAI-driven voice/video recognition is similar in this aspect: in many cases people would prefer a system *not* involving human(-like) interaction (or using an escalator), it's just we currently don't have better solutions for many tasks. Assuming a speech/video interface is always better than e.g. a bar code reader results in faster horses, not cars.

appears to be standing up to UK forensics, in this painful and "unprecedented" case which could see a UK journalist go to jail for not relinquishing the passphrase to his devices. Not only is withholding his basic human right, but he does it to protect his sources, and as ratified in the European Court of Human Rights.

https://www.ilfattoquotidiano.it/in-edicola/articoli/2025/01/02/british-journalist-could-face-years-in-prison-for-refusing-to-hand-over-his-passwords-to-the-police/7822432/


Oh hey. Just wanted to let you know today that I am open to hobby/public IC decapping and imaging projects. Boosts and other sharing are always appreciated!

More info here: https://siliconpr0n.org/archive/doku.php?id=infosecdj:start#commissioning_work


Arrrgh does anyone have a recommendation for a hugo theme that is very very simple (no sass or npm etc), text-centric, responsive, and accessible? I am trying to move off Wordpress for this site:

https://frameshiftconsulting.com/


Following my live stream yesterday to introduce the basics of the PDF file format, I will stream live in 7 hours on the risks of information leaks in PDF documents, based on in-the-wild examples and hand-written PoCs.
The pace was nice and chill - see you there! https://www.youtube.com/live/hncHOnppwl8?si=yfWEeTbiXgoHbp-D
