New blog post: With Carrots & Sticks - Can the browser handle web security? https://frederikbraun.de/madweb-keynote-2025.html - This is the blog version of my keynote from MADWeb 2025 earlier this year. It's about how web security could become the browser's responsibility.

okay. if you ever want to get the previous version of a file that Windows Update has updated, do i have an utility for you https://github.com/whitequark/ApplyDeltaB

We've open-sourced another core Binary Ninja feature: SCC. If you're not familiar with it, the Shellcode Compiler has been built-in to BN from the beginning, allowing you to build small PIE shellcode in a variety of architectures right from the UI: https://scc.binary.ninja/ (Source: https://github.com/Vector35/scc)

Seriously, this HAS to be insider trading.

Come on! First you announce tariffs, every stock tanks, you play the hard to get dude and proclaim with a swollen chest that there will be no delays, everything tanks even more.

And now you delay everything by 90 days? In the mean time your buddies bought everything at a low and now the stock recovers.

Come the fuck on!

pleased to hear the penguins have won the trade bargains

#USpolitics #USpol

NEW: A recently published court document shows the locations of WhatsApp victims targeted with NSO Group's spyware.

The document lists 1,223 victims in 51 countries, including Mexico, India, Morocco, United Kingdom, United States, Spain, Hungary, Netherlands, etc.

This targeting was over a span of around two months in 2019, according to WhatsApp's lawsuit against NSO Group.

http://techcrunch.com/2025/04/09/court-document-reveals-locations-of-whatsapp-victims-targeted-by-nso-spyware/

Just saw it mentioned on LWN, handy site for checking which distros enable a certain config option: https://oracle.github.io/kconfigs/?config=UTS_RELEASE&... Just replace UTS_RELEASE with whatever config option name minus CONFIG_, for example: https://oracle.github.io/kconfigs/?config=CFI_CLANG&...

Splitting water into hydrogen and oxygen takes more energy than it theoretically should, which is partly why it's not used on a large scale to generate hydrogen fuel.

Now scientists know why – and it's all down to a feat of nanoscale gymnastics.

https://physicsworld.com/a/splitting-water-takes-more-energy-than-theory-predicts-and-now-scientists-know-why/

#physics #chemistry #science

🔴 Our @reconmtl talk of last year has been published!

"Path of rev.ng-ance: from raw bytes to CodeQL on decompiled code"

Check it out: https://www.youtube.com/watch?v=0lrhCV14nVE

A call to memcpy() in a single binary that uses glibc may behave in 12 different ways depending on the features of the specific x86-64 CPU you run it on.

Here is a list of those impls in glibc:

https://github.com/bminor/glibc/blob/12a497c716f0a06be5946cabb8c3ec22a079771e/sysdeps/x86_64/multiarch/ifunc-impl-list.c#L1174-L1218

Fwiw this may matter a lot during binary exploitation. This was important in a challenge from PlaidCTF 2025. E.g. passing a negative (or: very huge) length allowed you to write past a buffer without a crash (the given implementation was not doing a wild copy).

#linux #binaryexploitation #ctf

Hardening the Firefox Frontend with Content Security Policies
https://attackanddefense.dev/2025/04/09/hardening-the-firefox-frontend-with-content-security-policies.html

This meeting could have been a nap.

Here’s the #Ghidriff output for CLFS.sys 10.0.20348.3328 vs. 10.0.20348.3453, likely corresponding to the CVE-2025-29824 use-after-free LPE:

https://gist.github.com/v-p-b/8c43fb8e0d72814dcd03764d478622ce

Announce: OpenSSH 10.0 released

https://www.openwall.com/lists/oss-security/2025/04/09/1