[RSS] STAR Labs Windows Exploitation Challenge 2025 Writeup

https://starlabs.sg/blog/2025/03-star-labs-windows-exploitation-challenge-2025-writeup/

Exciting: The Ghost team has just released the beta version of its ActivityPub support for people using their hosted service

https://activitypub.ghost.org/social-web-beta/

Just spent ~an hour figuring out why a code path wasn't hit.

Turns out it was, only my log messages were configured to a level too low to appear...

#fail

Get your speaker submissions in TODAY for early consideration at this year's HOPE conference! @hopeconf https://www.2600.com/content/early-deadline-hope-talk-submissions-monday

I'm kinda getting used to Space Emacs but eshell quickly became my arch nemesis

Project: mpengine-x64-pdb 1.1.24090.11
File: mpengine.dll
Address: 75a1eaec0

load_page

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fmpengine-x64-pdb%2F75a1eaec0.json&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fmpengine-x64-pdb%2F75a1eaec0.json&colors=light

Of all the #StarTrekProdigy memes I’ve seen, this one hits the hardest for me.

Validating Leaked Passwords with k-Anonymity - from #CloudFlare blog, 2018:

https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/

This is an important bit in the #Cloudflare post (emphasis mine):

"Our data analysis focuses on traffic from Internet properties on Cloudflare’s free plan, which *includes leaked credentials detection as a built-in feature.*"

We have released the files for the research that led to CVE-2024-36904. It contains the codes, the original kernel source, the patch and the modified kernel source that help to trigger the KASAN splat. If you want to play with the vulnerability, you can use the files.

https://github.com/alleleintel/research/tree/master/CVE-2024-36904/

There's another Office "intentional crash" detected by @expmon_ (background for the 1st one: https://www.linkedin.com/posts/haifeili_if-you-need-a-real-world-office-sample-triggering-activity-7304034115706597376-eVnM), it's a bit different (as I just quickly analyzed) but I'd like to leave it to anyone who is interested in investigating. :)

https://pub.expmon.com/analysis/254228/

So, Cloudflare analyzed passwords people are using to log in to sites they protect and discovered lots of re-use.

Let me put the important words in uppercase.

So, CLOUDFLARE ANALYZED PASSWORDS PEOPLE ARE USING to LOG IN to sites THEY PROTECT and DISCOVERED lots of re-use.

[Edit with H/T: https://benjojo.co.uk/u/benjojo/h/cR4dJWj3KZltPv3rqX]

https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/

#cloudflare #password #cybersecurity

Question to the Fediverse:

I'm looking for a mailing list / newsgroup solution (it can be SaaS or self hosted).

I need a couple things:
- Easy subscribe and unsubscribe functions
- Ability to send out mass emails to subscribers (basic functionality)

- Most important... and this is the weird part... I need all the subscribers to be able to "reply all" or to email the list as a whole, to also send messages to everyone. But I don't want them to be able to see everyone on the list.

I need an oldschool mailing list proper, where people can track the threads and replies, right.

All the marketing email lists are only top-down - the emailer mails all the recipients, but there is no allowing the recipients to email each other.

The best I have found is GNU MailMain: https://www.gnu.org/software/mailman/

Does anyone know any other examples?

Edit to add better nomenclature (my brain is not forming words right now):
- Allows for email discussion
- Allows for email threading
- Email Newsgroup - that's a good one

Editing to add answers to my own question:
- GNU Mailman: https://www.gnu.org/software/mailman/
- Gaggle Email: https://gaggle.email (cheers @zebbm)
- Groups io: https://groups.io (cheers @TNLNYC )
- Gray Duck Mail: https://grayduckmail.com
- mlmmj: https://mlmmj.org

I feel like the message of Sir Tim Berners-Lee's latest op-ed in the Financial Times may suffer from its medium.

But don't worry, you can read his pitch for Solid here:

https://archive.ph/4Vvms

Happy St Patrick’s Day! I hope you get lucky like the Irish. Or something.

qbasic (1992): opens with the option to view help or jump straight into programming.

qb64 (2025): opens with a warning that any program you make with it will be falsely flagged by your antivirus as malware.

We heard you needed some more time, so we wanted to let you cook.

We decided to push the Phrack 72 CFP deadline back until June 15th.

Stay tuned for upcoming Phrack events.

Print this flyer out and give it to someone IRL!!

🚨 LABScon Replay: Investigative journalist Kim Zetter interviews Microsoft VP David Weston on Windows security, AI, secure dev practices, and the company's reaction to the CrowdStrike outage. @kimzetter @dwizzzlemsft

https://youtu.be/7ne9e0YUrQI?si=w2qTa1NNakOJqadP

SAMLStorm: Critical Authentication Bypass in xml-crypto and Node.js libraries https://workos.com/blog/samlstorm

Just spent 6 hours in an ER (I'm fine) and witnessed, in no particular order:

A nurse bit by a patient

A patient screaming MURDERERS from an exam room

Two nurses patiently dressing and re-dessing an elderly man who kept stripping

Someone yelling at a student doctor about wait times

Urine being spilled on the floor

Someone yelling "the patient made a run for it!"

A patient trying to call the cops on doctors

Whatever we think hospital workers should be paid, it's not enough.

#HealthCare