How to craft a raw TCP socket without Winsock? https://leftarcode.com/posts/afd-reverse-engineering-part1/
From a CBS news segment from July of 1985 discussing the busting of various #hackers and BBS operators in New Jersey.
Ouch, but also đ
Will be uploading the entire segment to Internet Archive later today.
Another day, another conversation with the press team where I explain that I did not give the quote in that story and the whole thing is AI slop. This happens once every few weeks now.
In 1983, Philips produced the first FM radio receiver on a chip, leading to products such as the FM radio wristwatch. Let's look at the tiny silicon die inside this chip and see how it works. 1/N
New episode is up!
We talked with Nathan Emerick about the Spotify CarThing and its journey to becoming the DeskThing :D
https://unnamedre.com/episode/75
blue cheese (the blue is Cherenkov radiation)
This is super interesting and isn't a type of research I've seen a lot of before. Great write-up from @albinolobster and team on attacker infrastructure longevity: https://www.vulncheck.com/blog/stillup-stillevil
Any technical solution that is supposed to block teenagers from anything is not going to work very well, because you are facing an opponent that:
* is smarter than you,
* is very dedicated,
* has a lot of free time,
* has an extensive network of friends,
* faces no serious consequences if caught,
* outnumbers you,
* considers you an immoral crook.
You really, *really* want to have them on your side. That means education rather than control.
"If you only praise last-minute saves, you'll keep getting last-minute problems. Make sure to recognize the engineer who reduced incidents, the PM who saw the risk a month out, the designer who caught the complexity before it shipped. Make that kind of foresight just as visible and valuable as triage and repair."
- @timcheadle from https://www.timcheadle.com/dont-let-crisis-become-a-compass/
Related: If you want to tell me you've jailbroken the AI, you better be prepared to tell me how you reverse engineered the ETL, data model and guard rails, not how you clicked on the shiny, shiny and got a shell prompt.
We released our Fuzzilli-based V8 Sandbox fuzzer: https://github.com/googleprojectzero/fuzzilli/commit/675eccd6b6d0c35ea6c7df24a0a1e513cce45bb3
It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!
Reverse engineering Microsoft's SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket's mssqlclient.py. Storytime from Aurelien (@defte_), including instructions for reproducing the test environment yourself.
https://sensepost.com/blog/2025/a-journey-implementing-channel-binding-on-mssqlclient.py/
Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure. 🤦
What I found:
- Email disclosure via XMPP (username→email)
- Auth bypass (email→account takeover, no password)
History of ignoring researchers:
- 2017: First recorded case of someone reporting XMPP email leak.
- 2022: Someone else reports XMPP email leak, ignored
- Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350
- 2024: Another person reports XMPP email leak AND Account Takeover vuln, offered 2 free sex toys (accepted for the meme)
- March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)
- Told me fix for email vuln needs 14 months because "legacy support" > user security (had 1-month fix ready)
- July 28: I go public
- July 30: Both fixed in 48 hours
Same bugs, different treatment. They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.
News covered it but my blog has the full technical details:
https://bobdahacker.com/blog/lovense-still-leaking-user-emails/
#InfoSec #BugBounty #ResponsibleDisclosure #Security #Vulnerability #IoT #cybersecurity