"I'm interested in all kinds of astronomy."

yyzkevin.ca has been working on making the first emulator to work with the odd IBM AS/400 drive standard. Here's his AS/400 booting IPL'ing with a BlueSCSI!

Still a lot to do but now even AS/400 users can have a modern, fully open source, storage solution.

https://youtu.be/J8GztrUvox8?si=mpY88vrSCqVwUFvs&t=608

As they say, Hungarian Railways have 5 enemies: the four seasons and the passengers.

This summer started off esp. bad, while official online services allowing the tracking of delays suspiciously started to disappear.

Train enthusiasts however built an unofficial website that showed accurate info about the position and delays of the trains based on scraped data.

Then the Minister of Transportation accused these guys of phishing (he pbbly doesn't know what that means), DoS and of course conspiring with the opposition party, so the site was voluntarily taken down...

...but the code is open source, so now we have multiple sites with the same functionality :D

https://github.com/iben12/holavonat

#Hungary #StreisandEffect

Pre-auth RCE in CentOS Web Panel (CVE-2025-48703) found by the friends at Fenrisk. This is beyond madness that Shodan finds 200k of these exposed publicly.

(this post is sponsored by strace®, because no one cares about ionCube)

https://fenrisk.com/rce-centos-webpanel


Finally published today the second blog I'd promised for the 11.4.81 CBE release last month:
https://blogs.oracle.com/solaris/post/whats-new-in-the-solaris-modular-debugger-mdb-in-the-oracle-solaris-11481-cbe

A very deep dive into a narrow topic - what's changed in the Solaris Modular Debugger (mdb) since the previous CBE release in 2022. @cgerhard and others have put an impressive amount of work into making debugging easier and better for the users of this tool.


Hat tip to thegrugq for featuring this in his newsletter, a 1991 video of Italian hackers purporting to show them hacking a U.S. military system over x25. Has a real gonzo Max Headroom broadcast signal intrusion vibe with the masks & just general weird vibes, love it.
https://www.youtube.com/watch?v=43FyQlaA6YY


Dear Fedi,

For 3 years, I've been working with friends from the world as a team of freelancers and it's been great: we love what we do and our clients are happy and stay with us for years.

But the terrible state of the world has badly affected our clients financially, and we find ourselves suddenly in need of more

We focus on systems design, development, and administration. We offer SRE-level quality and processes for companies that cannot afford a whole team

Boosts welcomed

[RSS] You have to tell Get- and Set-Security-Info the object type, you can't make it guess

https://devblogs.microsoft.com/oldnewthing/20250618-00/?p=111281
The trick with making your morning coffee is that you have to manage to make your morning coffee before having your morning coffee

Misfile essential documents.

@InfoCon Is Off-by-One Conf on your radar already?

https://www.youtube.com/@offbyoneconf

Insecure defaults can lead to surprises. When creating FIFO sockets with systemd, be sure to note that SocketMode defaults to 0666 - that is, world readable and writable. That is: any local user can communicate with the FIFO. If your FIFO is used to perform privileged operations, you must either ensure that the FIFO file itself is located in a secured location or set SocketMode to a stricter value.

I spotted one such insecure use in cloud-init: the hotplug FIFO was world writable. This is CVE-2024-11584 and fixed in cloud-init 25.1.3.

The commit fixing this is in https://github.com/canonical/cloud-init/pull/6265
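
A check for the default described in the post above, as an added example that is not part of the original post or of cloud-init's code: it reads `.socket` unit text and reports every `ListenFIFO=` whose effective `SocketMode=` leaves the FIFO world-writable. The unit contents and the `/run/example/hook.fifo` path are constructed for illustration.

```python
DEFAULT_SOCKET_MODE = 0o666  # systemd's default when SocketMode= is absent

# Constructed sample units (hypothetical path, not taken from any real project).
WEAK_UNIT = """\
[Unit]
Description=Example privileged hook (constructed)

[Socket]
ListenFIFO=/run/example/hook.fifo
"""
HARDENED_UNIT = WEAK_UNIT + "SocketMode=0600\n"


def audit_socket_unit(unit_text):
    """Return (fifo_path, effective_mode, reason) for each world-writable FIFO.

    Only the mode is checked; placing the FIFO under a directory that other
    users cannot traverse is the other mitigation and is not evaluated here.
    """
    fifos, mode, explicit, section = [], DEFAULT_SOCKET_MODE, False, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Socket" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "ListenFIFO":
            fifos.append(value)  # a unit may declare several FIFOs
        elif key == "SocketMode":
            mode, explicit = int(value, 8), True  # octal; last assignment wins
    if not mode & 0o002:  # "other" write bit clear: nothing to report
        return []
    reason = ("SocketMode set world-writable" if explicit
              else "SocketMode unset, default 0666 applies")
    return [(path, format(mode, "04o"), reason) for path in fifos]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit_socket_unit(text))
```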

Released xer v0.0.4-alpha with support for signed byte values (hexadecimal and decimal) for people dealing with Java:

https://github.com/v-p-b/xer/releases/tag/v0.0.4-alpha

The libxml2 maintainer is no longer accepting embargoed security reports. They just get treated like regular issues.

This bit in a comment on the announcement really resonates with me:

> these companies make billions of profits and refuse to pay back their technical debt, either by switching to better solutions, developing their own or by trying to improve libxml2.

Too often a company will depend on some library, and then when there are issues with it, shame the maintainer into fixing them. "There's a problem with your project, it is your responsibility to fix it".

No.

You chose to build on top of this library, and with that took on all responsibility that comes with that choice. Any tech debt or bugs are now YOUR tech debt and bugs. What are you going to do about them?

https://gitlab.gnome.org/GNOME/libxml2/-/issues/913


PHRACK is coming to ! We're printing ~10,000 zines and giving an hour-long talk you won't want to miss! Stay tuned. 🔥
