In case I know anyone here who's familiar with the finer details of DNS and particularly DNS amplification attacks and their mitigations, I have some questions.
Somehow landed on the NetBSD manpage of sleep(1) and they seem to have a rather unique take on what is considered a bug.
🚨Alleged Sale of Fortinet 0-Day RCE Exploit
• Industry: N/A
• Threat Actor: WISDOM
• Network: Clearnet, Dark Web
• Price: 0.5 BTC
• Details: A threat actor claims to be selling a 0-day remote code execution (RCE) exploit affecting FortiOS VPN versions 7.4 to 7.6. The listing includes a proof of concept (PoC) available to serious buyers with deposit or established reputation.
I edited my Cross-Site Request Forgery countermeasures research into a stand-alone article, including recommendations reusable by other projects.
tl;dr: no need for tokens or keys, modern browsers tell you if a request is cross-origin!
"Orion Browser for Linux Gets Exciting Progress Update" 👇
https://www.omgubuntu.co.uk/2025/08/orion-browser-linux-milestone-2-webkit-alternative-chromium
Here's the full writeup of CVE-2025-53773 - Visual Studio & Copilot – Wormable Command Execution via Prompt Injection: https://www.persistent-security.net/post/part-iii-vscode-copilot-wormable-command-execution-via-prompt-injection
Patch now!
I had a great time at the most excellent #why2025 camp! Here's a write-up of my own #DNA talks (with links to video & annotated slides), some observations on the tremendously terrible state of security & regulation, and what we could do about it, plus some nice photos!
https://berthub.eu/articles/posts/dna-talks-and-why2025/
this is uh.
something.
perplexity is offering twice its valuation to buy chrome off google?
strong "run the fuck away" vibes
https://arstechnica.com/gadgets/2025/08/perplexity-offers-more-than-twice-its-total-valuation-to-buy-chrome-from-google/
Proud moment. The 40th anniversary @phrack release was a full success. We gave away 12,000 full color 150pg printed zines for free across three different conferences and did the final main stage talk before closing. I covered the history of phrack and did some panel questions.