The more I move to a thin-client model with my workstation (with projects/services moving to VM's) the more I see my dark future as an Emacs user.

TRAMP mode is pretty cool :/

As a reminder, I'm uploading hundreds (yes) of Flash games unavailable until now to the internet archive:

https://archive.org/details/@touloutoumou

Analysis of a Flaw in Microsoft's Patch for "copy2pwn" (CVE-2024-38213)
https://blog.0patch.com/2025/02/analysis-of-flaw-in-microsofts-patch.html

I'm still looking for that brain activity sensor that someone used to make a propeller hat that spins faster when you think harder.

Re: CVE-2025-0108

Can we agree that "X-Trust-Me-Bro: $boolean" headers set by reverse proxies are an anti-pattern?

If so, what is the best practice?

[RSS] Hack That Broken Zipper!

https://hackaday.com/2025/02/09/hack-that-broken-zipper/

[RSS] Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)

https://www.assetnote.io/resources/research/nginx-apache-path-confusion-to-auth-bypass-in-pan-os

Full analysis

Congrats to the IOActive marketing team for moving their blog to a platform with no RSS :P

[RSS] The Key to COMpromise - Downloading a SYSTEM shell, Part 3

https://neodyme.io/en/blog/com_hijacking_3/

I don't understand how Windows 10 is discontinued yet Microsoft still finds ways to add new types of advertisements to it

Letting me have image editing software was a mistake

Updates get MitM'd by middleboxes (using shitty certs) all the time. This is why update packages are digitally signed and why many vendors simply use plain HTTP for delivery.

Yet for some reason Crowd Strike marked this as high severity with a CVSS vector indicating MitM -> full system compromise...

CVE-2025-1146

OK I think this (via @cR0w) deserves some more attention ( #CrowdStrike CVE-2025-1146):

https://www.crowdstrike.com/security-advisories/cve-2025-1146/

In short, Crowd Strike agents on Linux can be MitM'd when they connect to their mothership (CS cloud).

My first Q is: what exactly is delivered to Falcon sensors from the CS cloud?

I present my second Q as a meme for higher reach:

An international team of scientists announced Wed the detection of an extraordinary, elusive #neutrino — a tiny, subatomic particle that flitted at close to the speed of light toward an undersea detector off the coast of Sicily carrying about 30k times the #energy generated by the largest particle accelerator on #earth.

The observation, unveiled in the journal #Nature, revealed the highest-energy neutrino ever detected.

#astrophysics #science #cool
https://www.nature.com/articles/s41586-024-08543-1

From Convenience to Contagion: The Half-Day Threat and Libarchive Vulnerabilities Lurking in Windows 11 https://devco.re/blog/2025/02/12/from-convenience-to-contagion-the-half-day-threat-and-libarchive-vulnerabilities-lurking-in-windows-11-en/

Here are the results of #ghidriff's VersionTrackingDiff ran on the latest patch of afd.sys (likely as the result of CVE-2025-21418):

https://gist.github.com/v-p-b/458475d0c7f8aaf6496b5168c04ea262

The change seems to affect a single but significant API (AfdAccept()), my initial guess is this was a locking issue.

#ExploitWednesday

As JD Vance delivered his speech about “European overregulation” and criticized “endless compliance costs imposed on the US companies by GDPR” I have seen some voices from Europe who said something to the effect “I don‘t know a single EU company happy about #GDPR either”.

Well, it’s kind of obvious companies aren’t happy because GDPR was not made to make companies happy but to protect the privacy of consumers 😄

This regulation is based on fundamental differences between US and EU legal systems. In EU, you own and control your personal data. In US it’s owned by whoever managed to extort it from you, and then aggregate, personalise and resell to any other entity anywhere.

For example, if you want to pay higher insurance premium because you have genetic tendencies to diabetes or obesity - well, that’s the US way of doing business, but it’s not the only one, nor it’s somehow axiomatically “better”. And yes, high insurance premiums also have the effect of increasing overall country’s GDP, just as a house burnt and rebuilt also does this magic, yet somehow few people celebrate it 😉

Then someone asked me if I really “feel that my data is better protected thanks to GDPR”. And yes, as a matter of fact the most invasive behavioural profiling aren’t being rolled out by companies like Twitter or Facebook to EU specifically because of GDPR, while in US they just roll them out without asking anyone.

Anyone… of course except for the states which have regulations very similar or even more restrictive than GDPR, such as California. Yet, because California is “their”, these companies and their CEOs with high media presence simply shut up and make their apps compliant with CCPA without all this barking about “how GDPR kills out business”.

It’s the same with EU VAT, about which Vance also whined, whereas US sales tax accounting rules are not even harmonized across states. But hey, you know what? An US business that has to emply a tax consulting company to get multi-state accounting right also increases overall GDP! 😄

So effectively what in US is perceived as each state’s fundamental right, sign of their diversity and key part of their autonomy, in the EU is portrayed as something equivalent to Soviet Union style central planning. And when they post all the memes about “bottle caps” in EU, they of course never mention a gazillion of state-level archaic or absurd regulations which are nonetheless binding, especially if someone likes to build a class lawsuit around them.

And now as Tesla opened a new factory in #China, I’ve never seen Musk make a single critical remark about the overregulation in China, even though it’s even more complex than EU and US taken together due to its vast geographic and administrative diversity.