A data breach that exposed the names of Afghans who helped the UK military during the Afghan war was far larger than previously thought.

The leak also exposed the personal data of UK spies and special forces.

The leak originated at the UK Special Forces headquarters.

https://www.bbc.com/news/live/c706jdlr934t

It has been a while but the latest edition of the Security Liberation Front is out!

https://slf.fish/

NEW: Security researchers and CISA warn that hackers are exploiting a flaw in the Signal clone TeleMessage, which could lead to them stealing "plaintext usernames, passwords, and other sensitive data."

@h0wdy, the researcher who analyzed it said they were "in disbelief at the simplicity of this exploit."

https://techcrunch.com/2025/07/17/hackers-are-trying-to-steal-passwords-and-sensitive-data-from-users-of-signal-clone/

Go hack more AI shit please. Now.

https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape

@bagder writes about his AI slop problem on H1: https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/

I like bug bounties and I put a fair amount of effort into bootstrapping the one at Google back in the day, but I think the problem runs deeper than AI.

First, most people who make a living doing bug bounties don't go after $10,000+ bugs. Very few researchers can crank out top-notch find month after month. A much better strategy on these platforms is to go after low-hanging fruit and rake in $500 to $1,000 bugs every day.

Companies respond accordingly! Because most of the traffic are low-value vulns from less skilled researchers, you don't want to throw your best analysts at this. It's increasingly common to outsource triage and bug-filing for bug bounty programs.

But if the person doing the triage isn't highly paid and familiar with the systems in question, there is a strong incentive to err on the side of caution. If you incorrectly close something serious as a non-issue, you risk the researcher making a stink. Conversely, if the triager files a non-issue with the product team, they'll probably fix it anyway, and the only cost is some wasted time.

The result is that in most programs, there's no penalty for slop. And researchers exploit this with spray-and-pray tactics. Why not?

I think one issue here are platforms that make it easy to window-browse for bug bounty programs. They have plenty of advantages, but it's a race to the bottom because the least diligent vendors set the bar for participation for all.

Unfortunately the reel-to-reel museum at Keszthely, #Hungary was closed, but the TV&radio&turntable museum was open. The traditional decorations on and around the items were especially cool!

(...) Thinking this way will teach you two things about computers: One, there's no magic, no matter how much it looks like there is. There's just work to make things look like magic. And two, it's crazy in there.

— Paul Ford

#computers

The Retro Museum in the city of Eger, Hungary 🇭🇺 is jam-packed with 20th century Hungarian and East-Bloc nostalgia, from prewar times to the late 90s.

It's small, but they have thousands and thousands of items on show, all setup with lots of love and care. Can highly recommend, it's great fun if you're into this kind of thing.

Of course it helps if you're Hungarian and recognize your childhood toys, and lots of other everyday items lost in time.

https://retromuzeumeger.hu

#retro #hungary

That's 5D-educational chess.

#FuckGenAI #ChatGPT #GenAIsucksCamelDong

disconnect3d from Trail of Bits presents Pwndbg at #EuroPython.
Pwndbg is a Python tool that makes low-level debugging actually enjoyable for security work.
Pwndbg provides:
→ Clear context displays for assembly analysis
→ Built-in heap and stack visualization
→ Streamlined commands for exploit development
→ Python extensibility for custom analysis
Today at 10:30 at Terrace 2A. Perfect for anyone doing systems security, malware analysis, or CTF challenges.
https://ep2025.europython.eu/session/pwndbg-low-level-debugging-and-exploit-development-with-python

Exciting! @vector35 's excellent #BinaryNinja ships with built-in BinExport in the latest dev version!
Here's how to use it with #BinDiff: https://dev-docs.binary.ninja/guide/binexport.html

Microsoft marketing: “Your data stays in Europe.”

Microsoft’s Legal Director (under oath, in French Parliament): “No, I cannot guarantee that.”

Still think Microsoft Teams is a sovereign solution?

Credit @ponceto91 for the meme

https://x.com/wire/status/1944851027381117019

#microsoft #DataPrivacy #DigitalSovereignty #europe

I have a friend that’s working on learning Rust, and looking for something more hands on / interactive. What’s the leading option these days?

Fuzzing Linux Kernel Modules, with Slava Moskvin

Stream by @slava_moskvin hosted by @steph3nsims about building a custom fuzzer to rediscover CVE-2025-0927 in the HFS+ filesystem implementation.

Slava started with a simple fuzzer implementation and then improved it step-by-step by adding coverage collection, proper seed generation, mutations, etc.

The source code of the fuzzer is public.

Stream: https://www.youtube.com/live/uCcsZrXyLyE
Fuzzer: https://github.com/sl4v/hfsplus-kernel-fuzzing-demo

Trail of Bits LibAFL Notes https://appsec.guide/docs/fuzzing/c-cpp/libafl/

I'm considering to learn PIC programming. Please send help!

Want to learn about Chrome exploitation and the role of WebAssembly in it?

In our new article, we'll break down the world of WASM, how it interacts with V8, and use CVE-2024-2887 as a case study to show how flaws in WASM can lead to remote code execution.

Read it here: https://ssd-disclosure.com/an-introduction-to-chrome-exploitation-webassembly-edition/

[RSS] ControlPlane Local Privilege Escalation Vulnerability on macOS

http://blog.quarkslab.com/controlplane_lpe_macos.html

[RSS] CVE-2025-4919: Corruption via Math Space in Mozilla Firefox

https://www.thezdi.com/blog/2025/7/14/cve-2025-4919-corruption-via-math-space-in-mozilla-firefox

"Exclusive: Meta won't tweak pay-or-consent model further despite risk of EU fines, sources say"

https://www.reuters.com/sustainability/boards-policy-regulation/meta-wont-tweak-pay-or-consent-model-further-despite-risk-eu-fines-sources-say-2025-07-11/

IMO pay-or-consent is a reasonable model for #adtech, but if Meta implements that *and* pays fines, that's good enough for me!