Splitting water into hydrogen and oxygen takes more energy than it theoretically should, which is partly why it's not used on a large scale to generate hydrogen fuel.

Now scientists know why – and it's all down to a feat of nanoscale gymnastics.

https://physicsworld.com/a/splitting-water-takes-more-energy-than-theory-predicts-and-now-scientists-know-why/

#physics #chemistry #science

So, what happened with that whole crowdstrike debacle? Did companies like Delta get a huge payout or discount?

#crowdstrike

🔴 Our @reconmtl talk of last year has been published!

"Path of rev.ng-ance: from raw bytes to CodeQL on decompiled code"

Check it out: https://www.youtube.com/watch?v=0lrhCV14nVE

Ooh, Siemens had a couple criticals yesterday, including a perfect 10. 🥳

https://cert-portal.siemens.com/productcert/html/ssa-187636.html

sev:CRIT 10.0 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). Affected devices contain hardcoded credentials for remote access to the device operating system with root privileges. This could allow unauthenticated remote attackers to gain full access to a device, if they are in possession of these credentials and if the ssh service is enabled (e.g., by exploitation of CVE-2024-41793).

https://nvd.nist.gov/vuln/detail/CVE-2024-41794

https://cert-portal.siemens.com/productcert/html/ssa-819629.html

https://cert-portal.siemens.com/productcert/html/ssa-634640.html

sev:CRIT 9.8 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - arm64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - arm64 V1.21 (All versions < V1.21.1-1), Industrial Edge Device Kit - x86-64 V1.17 (All versions), Industrial Edge Device Kit - x86-64 V1.18 (All versions), Industrial Edge Device Kit - x86-64 V1.19 (All versions), Industrial Edge Device Kit - x86-64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - x86-64 V1.21 (All versions < V1.21.1-1), Industrial Edge Own Device (IEOD) (All versions < V1.21.1-1-a), Industrial Edge Virtual Device (All versions < V1.21.1-1-a), SCALANCE LPE9413 (6GK5998-3GS01-2AC2) (All versions), SIMATIC IPC BX-39A Industrial Edge Device (All versions < V3.0), SIMATIC IPC BX-59A Industrial Edge Device (All versions < V3.0), SIMATIC IPC127E Industrial Edge Device (All versions < V3.0), SIMATIC IPC227E Industrial Edge Device (All versions < V3.0), SIMATIC IPC427E Industrial Edge Device (All versions < V3.0), SIMATIC IPC847E Industrial Edge Device (All versions < V3.0). Affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that identity federation is currently or has previously been used and the attacker has learned the identity of a legitimate user.

https://nvd.nist.gov/vuln/detail/CVE-2024-54092

Rockwell with 11 sev:HIGH 8.5 CVEs this week too. Nice.

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1726.html

CVE-2025-2285
CVE-2025-2286
CVE-2025-2287
CVE-2025-2288
CVE-2025-2293
CVE-2025-2829
CVE-2025-3285
CVE-2025-3286
CVE-2025-3287
CVE-2025-3288
CVE-2025-3289

You know that whole analogy about putting on your own oxygen mask so you are able to help others, otherwise you won't be able to help anyone? Yeah, that's legit. Take care of yourselves.

On a related note: Defibrillators are not fun.

A call to memcpy() in a single binary that uses glibc may behave in 12 different ways depending on the features of the specific x86-64 CPU you run it on.

Here is a list of those impls in glibc:

https://github.com/bminor/glibc/blob/12a497c716f0a06be5946cabb8c3ec22a079771e/sysdeps/x86_64/multiarch/ifunc-impl-list.c#L1174-L1218

Fwiw this may matter a lot during binary exploitation. This was important in a challenge from PlaidCTF 2025. E.g. passing a negative (or: very huge) length allowed you to write past a buffer without a crash (the given implementation was not doing a wild copy).

#linux #binaryexploitation #ctf

Hardening the Firefox Frontend with Content Security Policies
https://attackanddefense.dev/2025/04/09/hardening-the-firefox-frontend-with-content-security-policies.html

This meeting could have been a nap.

Here’s the #Ghidriff output for CLFS.sys 10.0.20348.3328 vs. 10.0.20348.3453, likely corresponding to the CVE-2025-29824 use-after-free LPE:

https://gist.github.com/v-p-b/8c43fb8e0d72814dcd03764d478622ce

Announce: OpenSSH 10.0 released

https://www.openwall.com/lists/oss-security/2025/04/09/1

Oh is it time for another Fortinet crit again? Unauthenticated admin password change in FortiSwitch.

CVE-2024-48887, CVSSv3 9.3

https://fortiguard.fortinet.com/psirt/FG-IR-24-435

#CVE #ThreatIntel

@HalvarFlake one for you: Skyper / TESO on Where Warlocks Stay Up Late - Episode 4 "Eduart Steiner aka Skyper" https://www.youtube.com/watch?v=sQVLniT9CDY

“Seniors also recognize that understanding problems isn’t just coming up with an algorithm. It’s understanding who wants the problem solved, why they want it solved, who’s paying for the problem to be solved, what parts of the problem have already been solved, what different kinds of solutions are possible, whether those solutions can be scaled or extended—and much more.”

https://www.oreilly.com/radar/seniors-and-juniors/

Weaponizing DCOM for NTLM Authentication Coercions https://github.com/xforcered/RemoteMonologue

Debugging in the terminal isn't difficult anymore 🔥

🛠️ Meet **heretek** — A gdb TUI dashboard

🐛 Supports viewing stack, registers, instructions, hexdump & more!

🚀 Works with remote targets seamlessly (no gdbserver!)

🦀 Written in Rust & built with @ratatui_rs

⭐ GitHub: https://github.com/wcampbell0x2a/heretek

#rustlang #ratatui #tui #gdb #debugging #terminal #linux #commandline