"I'm interested in all kinds of astronomy."
shellify allows generating shell.nix from ad-hoc #Nix environments:

https://github.com/danielrolls/shellify

Why isn't this a core feature??

We are testing Ghost's ActivityPub beta integration for 404 Media! We're really excited about the future of the decentralized internet, we're stoked that Ghost is leading the way, and we're proud to be one of its first adopters.

You can follow us @index

Right now things seem pretty buggy but it's obviously very early. Looking forward to messing around with it and making the product better. Eventually as it gets better that will probably become our main account but for now we'll crosspost


CEF Debugger Enabled in Google Web Designer | Google Bug Hunters https://bughunters.google.com/reports/vrp/qMhY4nw9i


I found 2 use-after-free bugs in libxslt with Jackalope, let's find more together! The harness is now included in examples (link below). This also serves as a demo for two not very commonly used modes in Jackalope: grammar mutational fuzzing and sanitizer coverage.
https://github.com/googleprojectzero/Jackalope/tree/main/examples/libxslt


Slides of my talk "Malware analysis with R2AI": https://filestore.fortinet.com/fortiguard/research/r2ai.pdf

Demo of string obfuscation on Linux/RudeDevil: https://asciinema.org/a/708621

Download and contribute to r2ai: https://github.com/radareorg/r2ai @radareorg


Emeritus Prof Christopher May

@patrickleavy has started a petition:

Behavioural metadata extraction underpins the 'surveillance business model'... We think it [enables] manipulation of individual voting at scale via social media microtargeting, spreading fake news, increasing big tech power, mistrust of govs, opinion polarisation, victimisation. RTB system data can be accessed by anyone, not just advertisers (as reported by ICCL)!

Might be a good one to add your name to? Let's get the numbers up!

https://petition.parliament.uk/petitions/713456

C++ macro for x64 programs that breaks the IDA Hex-Rays decompiler tool.

https://github.com/android1337/brkida

"This project exploits the fact that IDA decompiler fails when it encounters a stack access on a pointer that's too big."

#IDA #IDAPro #HexRays

Project Zero Bot

New Project Zero issue:

libxslt: use-after-free in xsltParseStylesheetProcess

https://project-zero.issues.chromium.org/issues/382015274

CVE-2024-55549

New assessment for topic: CVE-2025-24813

Topic description: "Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. ..."

"On March 10, 2025, the Apache Software Foundation [published](https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq) an advisory for [CVE-2025-24813](https://nvd.nist.gov/vuln/detail/CVE-2025-24813), an unauthenticated remote code execution vulnerability in Apache Tomcat’s “partial PUT” feature ..."

Link: https://attackerkb.com/assessments/1a24556d-24fb-4017-be67-e4ab39c76566

Some really impressive work from my old team here: https://forums.swift.org/t/the-future-of-serialization-deserialization-apis/78585

If you care about Codable and/or serialization in Swift in general, definitely check it out

[RSS] Dubious security vulnerability: A program does not run correctly if you run it the wrong way

https://devblogs.microsoft.com/oldnewthing/20250317-00/?p=110970

Exciting: The Ghost team has just released the beta version of its ActivityPub support for people using their hosted service

https://activitypub.ghost.org/social-web-beta/

Just spent ~an hour figuring out why a code path wasn't hit.

Turns out it was, only my log messages were configured to a level too low to appear...

#fail

Get your speaker submissions in TODAY for early consideration at this year's HOPE conference! @hopeconf https://www.2600.com/content/early-deadline-hope-talk-submissions-monday

I'm kinda getting used to Spacemacs but eshell quickly became my arch nemesis

Of all the memes I’ve seen, this one hits the hardest for me.

Validating Leaked Passwords with k-Anonymity - from #CloudFlare blog, 2018:

https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/

This is an important bit in the #Cloudflare post (emphasis mine):

"Our data analysis focuses on traffic from Internet properties on Cloudflare’s free plan, which *includes leaked credentials detection as a built-in feature.*"