Yes, we're beating a dead horse. But that horse still runs in corporate networks - and quietly gives attackers the keys to the kingdom. We're publishing what’s long been exploitable. Time to talk about it. #DSM #Ivanti https://code-white.com/blog/ivanti-desktop-and-server-management/

I just realized that @ is a lower case anarchy symbol.

One of my co-founders went into a paid engagement yesterday and was noodling through a piece on how to prevent upstream teams from making changes to application database schemas that would break analytics pipelines.

They got the attention of the room and then said "one solution is a baseball bat".

There was a moment of uncomprehending silence and then they said "solve at the human layer".

[RSS] Open-source toolset of an Ivanti CSA attacker

https://www.synacktiv.com/en/publications/open-source-toolset-of-an-ivanti-csa-attacker

[oss-security] Dropbear SSH 2025.88 fixes CVE-2025-47203

https://seclists.org/oss-sec/2025/q2/116

"Don't allow dbclient hostname arguments to be interpreted by the shell."

Sounds like fun on many embedded devices :) Original announcement:

https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q2/002385.html

[RSS] Dubious security vulnerability: A program does not run correctly if you run it the wrong way, redux

https://devblogs.microsoft.com/oldnewthing/20250512-00/?p=111174

Lulz...

"Impact: Muting the microphone during a FaceTime call may not result in audio being silenced"

@ https://support.apple.com/en-us/122404

When I was at L3Harris/Trenchant they tried to buy NSO, much to all of our disgust. I believe the deal was killed by the Biden administration

Wonder if they're feeling like they dodged a bullet rn

(although as I understand it, the main people driving the deal at the time have since moved on to do other things) https://infosec.exchange/@lorenzofb/114495270756306678

CVE ID: CVE-2025-47729
Vendor: TeleMessage
Product: TM SGNL
Date Added: 2025-05-12
Vulnerability: TeleMessage TM SGNL Hidden Functionality Vulnerability
Notes: Apply mitigations per vendor instructions. Absent mitigating instructions from the vendor, discontinue use of the product. ; https://nvd.nist.gov/vuln/detail/CVE-2025-47729
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-47729

The ICAO Council has ruled that Russia is responsible for downing flight MH17, violating the Chicago Convention by using weapons against a civilian aircraft. 298 innocent lives were lost.

https://www.rijksoverheid.nl/ministeries/ministerie-van-buitenlandse-zaken/nieuws/2025/05/12/icao-raad-russische-federatie-verantwoordelijk-voor-neerhalen-van-vlucht-mh17

It's fruit update time.
https://support.apple.com/en-us/100100

This was a fun one :)

https://github.com/Binary-Gecko/ekoparty2024_challenge

There was a short period of time in history when people would unironically say "why are you asking me, go ahead and google it."
(See also: LMFGTFY)

And now we are going back to "for the love of god don't google it, ask an expert instead."

#AI #internet #DumbestTimeline

10 Burp extensions I actually use... BUT none of them are in the top 30 most popular in the BApp Store!

I get tired of seeing the same extensions come up in "top 10" lists. Here are some hidden gems you might not have tried... yet. In no particular order.

🧵👇

In this behind the scenes look at #Pwn2Own Berlin, Zed and Dustin have run into an interesting problem - no gear! https://youtube.com/shorts/Xj9Du8iuXCw?feature=share

We have a CI job to spot unwanted utf8 letters in #curl PRs as we have noticed that GitHub will gladly show the for example (identical) Cyrillic version of a letter next to the Latin version in a diff and it is yes, entirely impossible for a human to spot the diff. I mean the diff is shown, but the significance of it is not.

Changing just a single letter like that in a URL hostname opens up for a world of grief.

my bank, deutsche bank, is serving a *revoked* tls certificate on their website db.com.

the mind reels at this level of incompetence.

https://www.ssllabs.com/ssltest/analyze.html?d=db.com

Soundcloud claims the right to train AI on your songs — but swears it hasn’t yet, honest

https://pivot-to-ai.com/2025/05/11/soundcloud-claims-the-right-to-train-ai-on-your-uploaded-music-but-swears-it-hasnt-yet-honest/ - text
https://www.youtube.com/watch?v=Cwg2TiF2Arg&list=UU9rJrMVgcXTfa8xuMnbhAEA - video

so i wrote another program for the IBM 1401 computer this past week. i wrote what it does on the card, but can you figure out how it works? the program is

,008015,022029,036043,048056,061066,070074U%U2MM%U2070WU%U2BB048B.048DATA⯒

that last little character is special!

You noticed how google search became unusably shit a few years ago?
Turns out that was on purpose