Posts 3368 | Following 712 | Followers 1580
"I'm interested in all kinds of astronomy."
[RSS] tar-fs Link Directory Traversal Vulnerability

https://github.com/google/security-research/security/advisories/GHSA-xrg4-qp5w-2c3w

CVE-2025-48387
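Added example, not code from tar-fs or from the linked advisory: a small Python extractor that defends against the vulnerability class named in the title, link-based directory traversal during tar extraction. It builds a constructed archive in which a symlink entry points two levels above the extraction root and a later regular-file entry would be written through that link, plus a classic dot-dot entry for comparison. The check shown is to resolve every destination path with realpath before writing (so a link that was already extracted is followed and caught) and to reject symlink and hardlink targets that resolve outside the destination. The entry names, link targets and rejection reasons are assumptions made for illustration.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed sample archive (not a real-world payload):
    1. a symlink 'safe_dir' pointing two levels above the extraction root,
    2. a regular file 'safe_dir/payload.txt' that a naive extractor would
       write through the symlink, i.e. outside the destination,
    3. a classic '../escape.txt' dot-dot entry for comparison."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("safe_dir")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)

        data = b"owned\n"
        payload = tarfile.TarInfo("safe_dir/payload.txt")
        payload.size = len(data)
        tf.addfile(payload, io.BytesIO(data))

        esc = tarfile.TarInfo("../escape.txt")
        esc.size = len(data)
        tf.addfile(esc, io.BytesIO(data))
    return buf.getvalue()


def _inside(root: str, path: str) -> bool:
    """True if `path`, with every symlink on it resolved, is `root` or below it."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)


def _write_member(tf: tarfile.TarFile, m: tarfile.TarInfo, dest: str, target: str) -> None:
    """Materialise one already-vetted entry; only dirs, files and links are supported."""
    os.makedirs(os.path.dirname(target) if not m.isdir() else target, exist_ok=True)
    if m.isfile():
        with open(target, "wb") as out:
            out.write(tf.extractfile(m).read())
    elif m.issym():
        os.symlink(m.linkname, target)
    elif m.islnk():
        os.link(os.path.join(dest, m.linkname), target)


def safe_extract(tar_bytes: bytes, dest: str):
    """Extract only entries that stay inside `dest`.
    Returns (accepted names, [(name, reason), ...]) so refusals can be logged."""
    accepted, rejected = [], []
    dest = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for m in tf:
            target = os.path.join(dest, m.name)
            # realpath follows any symlink extracted earlier in this archive; this
            # is the link-traversal vector: 'safe_dir/x' would resolve to
            # '../../outside/x' once 'safe_dir' exists as a link.
            if not _inside(dest, target):
                rejected.append((m.name, "path escapes destination"))
                continue
            if m.issym():
                link_target = os.path.join(os.path.dirname(target), m.linkname)
                if os.path.isabs(m.linkname) or not _inside(dest, link_target):
                    rejected.append((m.name, "symlink escapes destination"))
                    continue
            elif m.islnk():
                if not _inside(dest, os.path.join(dest, m.linkname)):
                    rejected.append((m.name, "hardlink escapes destination"))
                    continue
            elif not (m.isfile() or m.isdir()):
                rejected.append((m.name, "unsupported entry type"))
                continue
            _write_member(tf, m, dest, target)
            accepted.append(m.name)
    return accepted, rejected


def run_demo() -> dict:
    """Extract the constructed archive into a fresh temp tree and report what
    happened, including whether anything landed outside the destination."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract", "here")
        os.makedirs(dest)
        accepted, rejected = safe_extract(build_malicious_tar(), dest)
        with open(os.path.join(dest, "safe_dir", "payload.txt"), "rb") as f:
            payload = f.read()
        escaped = (os.path.exists(os.path.join(tmp, "outside"))
                   or os.path.exists(os.path.join(tmp, "extract", "escape.txt")))
        return {"accepted": accepted, "rejected": rejected,
                "escaped": escaped, "payload": payload}


if __name__ == "__main__":
    print(run_demo())
```

The order of the checks matters: the realpath test on the destination path runs for every entry, not just for links, because the dangerous write is the ordinary file that follows a link entry. Python 3.12 and later ship an equivalent built-in guard as `tarfile.extractall(..., filter="data")`; the hand-written version above is only there to make the check visible.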
Hi, I'm your favorite security vendor, welcome to...
"printer on fire" thread by @lauriewired unrolled from the other site:

https://threadreaderapp.com/thread/1956498902443827574.html

lp0 is a Linux error code that means “printer on fire.”

It’s not a joke. In the 50s, computerized printing was an experimental field.

At LLNL (yes, the nuclear testing site), cathode ray tubes created a xerographic printer.

...it would occasionally catch fire.

Fun fact: the #Ghidra API is quite consistent in naming methods according to the data types they accept/return, but HighVariables are returned from Varnodes via getHigh()

hashcat v7.1.0 released!

This update includes important bug fixes, new features, and support for new hash-modes, including KeePass with Argon2.

Read the full write-up here: https://hashcat.net/forum/thread-13353.html


A sad day indeed - the original Rick Roll video has finally been taken down from YouTube from a copyright claim.
https://www.youtube.com/watch?v=dQw4w9WgXcQ

On a related note: is there a window manager/theme/config/??? that is optimized for #eInk screens?

I guess high a contrast theme, minimal animation/tiling would be essential, but I expect many little problems to solve along the way.

#Linux #OSS
Can't read LED screens on the beach so I spent some time hacking on @albinowax's old Perl script and made single-file e-books of all Phrack issues, ICYMI:

https://scrapco.de/dataslate/phrack/

(Will probably update when 72 comes out)

I wish watchTwr Labs was on mastodon, their blog posts are always amazing.
Today's about a Fortinet vulnerability:
https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-all-wrong-fortinet-fortisiem-pre-auth-command-injection-cve-2025-25256/


squirrels always act and look like its their first day being a squirrel


finally got around to writing up my windows exploit from pwn2own vancouver 2024! (plus some notes about using it on xbox) https://exploits.forsale/pwn2own-2024/


Following the method demonstrated by @yarden_shafir in "Your Mitigations Are My Opportunities", this implementation automates adding a driver to the HvciDisallowedImages registry entry, ensuring it will be blocked from loading after the next reboot.

https://github.com/unkvolism/Solemn


Yo all, it is Friday now where I am, so might as well get the thing going.

Today's guest is the famous NES PPU chip, RP2C07A by Ricoh. What's interesting about this particular sample is that it's very very dead. Many thanks to @root42 for supplying it!

As always, a short thread follows. Why not give this one a boost while you're here? :D

SiPron page for those hi-res maps we all love: https://siliconpr0n.org/archive/doku.php?id=infosecdj:ricoh:rp2c07a

Note the die is oriented the same way Visual 2C02 has it: https://www.nesdev.org/wiki/Visual_2C02


For all the marketing advice LinkedIn MBAs come up with, a surprising number of people forget one of the most basic steps: The Middle Schooler Test.

The process is simple:

1) Place a sample of your brochure, website, etc. in front of a recently calibrated 12-year-old boy.

2) If they start giggling uncontrollably, identify and correct the source of their amusement. Return to step 1.

3) If they aren't particularly amused, move on with the campaign.


David Chisnall (*Now with 50% more sarcasm!*)

I keep reading ‘AI isn’t going away’, but I don’t think the people saying it have thought through the economics.

An LLM is, roughly speaking, two parts. One defines the structure of the model: the kinds of layers, their arrangement, and the connections between them. The other is the weights. The first part is quite similar to any other software artefact. Once you have a copy of it, it keeps working. This is the cheap bit to build, but the tricky bit to design.

The weights are the result of training. You need to throw a lot of data and a lot of compute at a system to create the weights. Once you have done this, you can use them indefinitely. The problem is that the weights include all of the data that is embedded into a model.

If you train a model today to use for programming, it will embed almost nothing about C++26, for example. If you train it on news, it will not be able to answer any questions about things that happened after today. Weights from today quickly become outdated.

This is one of the big costs for LLM vendors. Just as a snapshot of Google or Bing’s index rapidly decays in value and needs constantly updating, so do LLM weights.

Training these things costs a lot of money (DeepSeek claims only a few tens of millions, but it’s not clear the extent to which that was an accounting trick: how many millions did they spend training models that didn’t work?). For ‘AI’ companies, this cost is a feature. It’s a barrier to entry in the market. You need to have a load of data (almost all of which appears to have been used without consent) and a huge pile of very expensive GPUs to do the training. All of this is predicated on the idea that you can then sell access to the models and recoup the training costs (something that isn’t really working, because the inference costs are also high and no one is willing to pay even the break-even price for these things).

So if the companies building these things speculatively can’t make money, what happens? Eventually, they burn through the capital that they have available. Some weights are published (e.g. LLaMA), but those will become increasingly stale. Who do you expect to spend real money (and legal liability) training LLMs for no projected return?

If you’re a publicly traded company and are building anything around LLMs, you probably had a legal duty to disclose these risks to your shareholders.
