#Linux eBPF vulnerabilities incoming (unprivileged eBPF required) + disclosure troubles:

https://www.openwall.com/lists/oss-security/2025/08/03/1

a 2661 byte program I wrote just won the "Sur Prize" at the International Obfuscated C Code Competition. You can probably guess what it is once I mention that @foone might enjoy it

https://www.youtube.com/watch?v=d2ulsnSTbUQ

[RSS] Exploring possible solutions to the inconsistency in how Windows searches case-insensitively for named resources

https://devblogs.microsoft.com/oldnewthing/20250723-00/?p=111403

Some fun anti-reverse possibilities here :)

How to craft a raw TCP socket without Winsock? https://leftarcode.com/posts/afd-reverse-engineering-part1/

From a CBS news segment from July of 1985 discussing the busting of various #hackers and BBS operators in New Jersey.

Ouch, but also 💀

Will be uploading the entire segment to Internet Archive later today.

Another day, another conversation with the press team where I explain that I did not give the quote in that story and the whole thing is AI slop. This happens once every few weeks now.

Why does [ #WinDbg ] show me the wrong function?

https://devblogs.microsoft.com/oldnewthing/20050322-00/?p=36113

TIL about COMDAT folding #compiler optimization!

[RSS] Exploit development for vulnerabilities in Windows over MS-RPC

https://incendium.rocks/posts/Exploit-Development-For-MSRPC/

New vulnerability report from Talos:

Eclipse ThreadX FileX RAM disk driver buffer overflow vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2088

[RSS] MaterialX and OpenEXR Security Audit

https://www.shielder.com/blog/2025/07/materialx-and-openexr-security-audit/

[RSS] Characterizing the Raspberry Pico 2 FI countermeasures - Part 1

https://www.ioactive.com/characterizing-the-raspberry-pico-2-fi-countermeasures-part-1/

In 1983, Philips produced the first FM radio receiver on a chip, leading to products such as the FM radio wristwatch. Let's look at the tiny silicon die inside this chip and see how it works. 1/N

New episode is up!
We talked with Nathan Emerick about the Spotify CarThing and it's journey to becoming the DeskThing :D
https://unnamedre.com/episode/75

Wow, after 25 years of #Unix / #linux experience, I learned that you can filter output in #less.

Press ampersand (&) and enter a regex to show only lines matching the regex.

Press ampersand (&) and then exclamation mark (!) to apply an inverse filter.

#Ghidra 11.4.1 released

https://github.com/NationalSecurityAgency/ghidra/releases/tag/Ghidra_11.4.1_build

What's New:
https://github.com/NationalSecurityAgency/ghidra/blob/Ghidra_11.4.1_build/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.md

Change History:
https://github.com/NationalSecurityAgency/ghidra/blob/Ghidra_11.4.1_build/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.md

blue cheese (the blue is Cherenkov radiation)

This is super interesting and isn’t a type of research I’ve seen a lot of before. Great write-up from @albinolobster and team on attacker infrastructure longevity: https://www.vulncheck.com/blog/stillup-stillevil

"If you only praise last-minute saves, you’ll keep getting last-minute problems. Make sure to recognize the engineer who reduced incidents, the PM who saw the risk a month out, the designer who caught the complexity before it shipped. Make that kind of foresight just as visible and valuable as triage and repair."

— @timcheadle from https://www.timcheadle.com/dont-let-crisis-become-a-compass/

Related: If you want to tell me you've jailbroken the AI, you better be prepared to tell me how you reverse engineered the ETL, data model and guard rails, not how you clicked on the shiny, shiny and got a shell prompt.

We released our Fuzzilli-based V8 Sandbox fuzzer: https://github.com/googleprojectzero/fuzzilli/commit/675eccd6b6d0c35ea6c7df24a0a1e513cce45bb3
It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!