[RSS] On the Original Punched Cards

https://hackaday.com/2025/02/12/on-the-original-punched-cards/

[RSS] [Vulnerability] Unauthenticated Remote Code Execution via Known View State Secret in FieldPie

https://code-white.com/public-vulnerability-list/#unauthenticated-remote-code-execution-via-known-view-state-secret-in-fieldpie

This may be one of those leaked secrets MS warned about? No details unfortunately...

[RSS] Patch-Gapping the Google Container-Optimized OS for $0

https://h0mbre.github.io/Patch_Gapping_Google_COS/

Scoop: The databases powering doge. gov are insecure, and people outside the government have already pushed their own updates to the site to prove it:

https://www.404media.co/anyone-can-push-updates-to-the-doge-gov-website-2/

Not sure why Google's kCTF isn't more widely known (other than by all the researchers making money from it). 44 unique successful exploits in a year against Linux kernels even running Google's out-of-tree "hardening" is a big story I'd say...

CVE-2025-26519: musl libc: input-controlled out-of-bounds write primitive in iconv()

https://seclists.org/oss-sec/2025/q1/127

POV: kernel-level anti-cheat /s

https://infosec.exchange/@lorenzofb/113997653014436378

Accelerating The Adoption of Post-Quantum Cryptography with PHP

https://paragonie.com/blog/2025/02/accelerating-adoption-post-quantum-cryptography

#PHP #crypto #cryptography #HPKE #KEMs #MLKEM #MLDSA #SLHDSA #postquantum #programming #webdev #MLS #rfc9180 #rfc9420

New court documents shed light on what a 25-year-old DOGE worker named Marko Elez did inside Treasury payment systems, including which systems he accessed, security measures Treasury IT staff took to limit his access and activity, and whether he really did have the ability to change source code on production systems as previously reported. The new documents, signed affidavits filed in court by career executives at the Treasury department not political appointees, suggest that the situation inside the Treasury department is more nuanced than previously reported. Here's my story. If you find the piece valuable, please consider becoming a paid subscriber to my Zero Day publication, which is reader supported. https://www.zetter-zeroday.com/court-documents-shed-new-light-on-doge-access-and-activity-at-treasury-department/

New #Rapid7 vuln disclosure c/o
@stephenfewer: CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting — 🧵on its relation to BeyondTrust exploitation https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/

We just opened our YouTube channel! 📹

First video is out: An introduction to LLVM IR 🐲
Check it out: https://www.youtube.com/watch?v=CDKuH7SIgdM
Let us know what you think 🙃

bring back forums

you aren't supposed to have a single identity online

communities shouldn't demand you let a vc-funded company have your mobile phone number

you don't have to pay $100/yr [or whatever it is] for features that every forum had for years, or if it didn't it's for a reason

your group of friends or multiple-thousand-people community won't disappear because of the failure of the aforementioned vc-funded company

even if the group dissolves you will still be able to find the useful tips you used to share

The more I move to a thin-client model with my workstation (with projects/services moving to VM's) the more I see my dark future as an Emacs user.

TRAMP mode is pretty cool :/

As a reminder, I'm uploading hundreds (yes) of Flash games unavailable until now to the internet archive:

https://archive.org/details/@touloutoumou

Analysis of a Flaw in Microsoft's Patch for "copy2pwn" (CVE-2024-38213)
https://blog.0patch.com/2025/02/analysis-of-flaw-in-microsofts-patch.html

I'm still looking for that brain activity sensor that someone used to make a propeller hat that spins faster when you think harder.

Re: CVE-2025-0108

Can we agree that "X-Trust-Me-Bro: $boolean" headers set by reverse proxies are an anti-pattern?

If so, what is the best practice?

[RSS] Hack That Broken Zipper!

https://hackaday.com/2025/02/09/hack-that-broken-zipper/

[RSS] Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)

https://www.assetnote.io/resources/research/nginx-apache-path-confusion-to-auth-bypass-in-pan-os

Full analysis

Congrats to the IOActive marketing team for moving their blog to a platform with no RSS :P