Last year, I had a few weeks between jobs and decided to look at the infrastructure security of random Linux distributions with the good friends at Fenrisk.
We ended up getting code execution on the Fedora Git forge hosting all package sources and on the Open Build Service instance of openSUSE. Nothing technically fancy (the usual silly argument injection bugs), but we could have effectively backdoored all their packages :°)
We finally presented the details last week at @1ns0mn1h4ck: https://fenrisk.com/assets/media/Don't%20let%20Jia%20Tan%20have%20all%20the%20fun_%20hacking%20into%20Fedora%20and%20OpenSUSE.pdf.
Also now available on the blog:
- Our approach: https://fenrisk.com/supply-chain-attacks
- Pagure: https://fenrisk.com/pagure
- OBS: https://fenrisk.com/open-build-service
Big kudos to distro maintainers, this was one of the most efficient disclosures of my life!
(now let's do kernel.org?)
The EFF has shit the bed again. This is a stirring cry to encourage startups ... specifically, AI startups. This ain't it chief.
occasionally the EFF reminds us it was founded by a republican libertarian and funded by SV tech cos
“I’ve just closed the forum of a small classic car club because we don’t have the time or capacity to ensure compliance with only volunteers. Meta will benefit, because we will, reluctantly, move to using a Facebook page”
https://alecmuffett.com/article/112834
#OnlineSafetyAct #ofcom
This is great news, not least for our American friends where the weather service is being sabotaged. Weather models are oddly enough always global - you can't predict the weather in Berlin a week ahead without also predicting the weather in Austin, Texas. ECMWF has excellent hurricane forecasts also for the US for that reason, and these are already being used in the US. Wonderful stuff: https://www.ecmwf.int/en/about/media-centre/news/2025/ecmwf-achieve-fully-open-data-status-2025
I guess vulnerability research means job security now.
Also: none of this will happen.
“There is something deeply wrong when a law passed with cross-party consensus & endorsed by Britain’s most trusted charities has made it impossible to run an internet forum for hamster owners”
https://alecmuffett.com/article/112832
#OnlineSafetyAct #hamsters #ofcom
Massive result in Dutch parliament just now. They passed 10 separate motions to enhance digital resilience, run more of our own servers & reduce dependency on US cloud technology.
https://www.reuters.com/world/europe/dutch-parliament-calls-end-reliance-us-software-2025-03-18/
Today, March 18, in 1982, Seattle high schooler David Lightman teaches his friend Jennifer Mack about war dialing, hacking, phreaking, and the importance of infosec (WarGames, 1983)
#Movies #Film #Cinemastodon #Letterboxd #WarGames #TheOnlyWinningMoveIsNotToPlay
“Wired is going to stop paywalling articles that are primarily based on public records obtained through the Freedom of Information Act”
🥳The latest !exploitable is here! We're sharing all the joy that comes with exploiting an arbitrary file write in GitLab, while cruising the Mediterranean. 🚢 Everything from onerous configurations to spotty internet! Enjoy!
#doyensec #appsec #security
https://blog.doyensec.com/2025/03/18/exploitable-gitlab.html