"I'm interested in all kinds of astronomy."

[RSS] Dubious security vulnerability: Tricking a program into running non-elevated

https://devblogs.microsoft.com/oldnewthing/20250609-00/?p=111258

This essay by @baldur on why individual experiments on the usefulness of "AI" (or similar stuff) don't teach us anything useful and might actually harm us is brilliant.

Go read it. Too many insights to pull a quote TBH: https://www.baldurbjarnason.com/2025/trusting-your-own-judgement-on-ai/


I asked the old punk
how we will get through this,
and he replied:
we will get through this
by taking care of each other.

So I told the old punk
that isn’t very specific,
and he replied:
taking care of each other
isn’t about doing something specific,
it’s about doing something.

[RSS] Bruteforcing the phone number of any Google user

https://brutecat.com/articles/leaking-google-phones

Michał "rysiek" Woźniak · 🇺🇦

Remarkable investigation into Telegram by IStories (in Russian):
https://www.istories.media/stories/2025/06/10/kak-telegram-svyazan-s-fsb/

English version by OCCRP:
http://www.occrp.org/en/investigation/telegram-the-fsb-and-the-man-in-the-middle

tl;dr:

👉 Telegram uses a single company with ties to the Russian FSB as their sole infrastructure provider, globally.

👉 Combined with a cleartext device identifier Telegram's protocol requires to be prepended to all encrypted messages, this allows for global surveillance of Telegram users.

I am quoted in this story.


We’ll trace what really happens inside Telegram when you send or receive a message. 📨

Learn how to capture clean execution traces for Time Travel Analysis, step by step. Register here: https://eshard.eventbrite.fr/ 👈

#music #influencing #youtube
chill mix with Japanese grandpa at a stationery shop

https://www.youtube.com/watch?v=pJ8EyNFg9Dk

IIRC this is the content YouTube was invented for

A Cult AI Computer’s Boom and Bust

https://www.youtube.com/watch?v=sV7C6Ezl35A

Asianometry about Lisp machines!

"Vibe coding has no place in Linux kernel maintenance. The vulnerability inserted into 5 LTS kernels at once apparently without any review is yet another instance of AUTOSEL fallout, here with the 'new' LLM-powered version."

Thread by @spendergrsec on Thread Reader App

https://threadreaderapp.com/thread/1932079435571671137.html

Trusting your own judgement on 'AI' is a huge risk: https://www.baldurbjarnason.com/2025/trusting-your-own-judgement-on-ai/

I think this will be the day when we'll have The Talk with kiddo...

I'm only thinking about basic Git commands for linear version tracking, he'll learn about branching and merging as he gains some experience.

#parenting

LinkedIn upped their cookie banner game so much I literally can't use the site anymore. This is probably the most useful feature update they did in the last 10 years!

Just set some of my recursors to DNS4EU, let's see how it performs!

https://www.joindns4.eu/for-public#resolver-options

We wrote a blog post about a Linux kernel vulnerability we reported to Red Hat in July 2024. The vulnerability had been fixed upstream a year before, but Red Hat and derivative distributions didn't backport the patch. It was assigned CVE-2023-52922 after we reported it.

The vulnerability is a use-after-free read. We could abuse it to leak the encoded freelist pointer of an object. This allows an attacker to craft an encoded freelist pointer that decodes to an arbitrary address.

It also allows an attacker to leak the addresses of objects from the kernel heap, defeating physmap/heap address randomization. These primitives facilitate exploitation of the system by providing the attacker with useful primitives.

Additionally, we highlighted a typical pattern in the subsystem, as two similar vulnerabilities had been discovered. However, before publishing the blog post, we noticed that the patch for this vulnerability doesn't fix it. We could still trigger the use-after-free issue.

This finding confirms the point raised by the blog post. Furthermore, we discovered another vulnerability in the subsystem. An out-of-bounds read. We've reported them, and these two new vulnerabilities were already patched. A new blog post about them will be written.

Use-after-free vulnerability in CAN BCM subsystem leading to information disclosure (CVE-2023-52922)

https://allelesecurity.com/use-after-free-vulnerability-in-can-bcm-subsystem-leading-to-information-disclosure-cve-2023-52922/


I don’t know who to credit for this, but it’s beautiful


A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects.

— Robert A. Heinlein
