I think people often forget (or maybe never knew) that the CVSS scores provided by the NIST NVD are base scores and can be modified by organizations to better reflect their own situation.
For example, take a vulnerability with a network attack vector and high impact to availability. Base score could be 9.3 (critical). But in your environment, let's say that system is not open to the Internet and would require access from an adjacent system. That could drop it to an 8.5 (high).
It's not a perfect system, but I think a lot of people start and end at the base scores.
Do the “unfashionable” thing: use pen and paper. https://medium.com/@rehmanmomin/the-unfashionable-art-of-actually-learning-things-0cc7359dbb88
🆕 PrivescCheck important change!
I killed PrivescCheck.ps1, well..., sort of...
Starting from now, the file is no longer available in the repository. Instead, it is now provided as a release file (more information in the README).
As you may already know, the file "PrivescCheck.ps1" is generated using a custom build script. This allows me to separate the code into multiple files and then gather and compress everything into a single one.
For a while now, I've been manually executing this script every time I wanted to push new features. This was nonsensical. So, I finally took the time to implement an automated workflow on GitHub so that release files are created automatically. Hopefully, this will save me some time in the long run. Also, it will serve as the base for an important feature I plan to implement. 😉
Pentagon ends Microsoft's use of China-based support staff for DoD cloud
'It blows my mind,' says SecDef
The Pentagon has formally kiboshed Microsoft's use of China-based employees to support Azure cloud services deployed by US government agencies, and it's demanding Microsoft do more of its own digging to determine whether any sensitive data was compromised. …
#theregister #IT
https://go.theregister.com/feed/www.theregister.com/2025/08/29/pentagon_ends_microsofts_use_of/
Meta says it patched a zero-click exploit (CVE-2025-55177) that appears to have been used together with a recent iOS zero-day (CVE-2025-43300)
r2frida-6.0.2 is out! Shipping small fixes for breakpoints and remote filesystem access and removing the build dependency with NodeJS https://github.com/nowsecure/r2frida/releases/tag/6.0.2
New blog post:
In which I demo two PoCs for SQL injection vulnerabilities fixed in SQL Server 2022 CU20 GDR KB5063814.
https://vladdba.com/2025/08/29/poc-sql-injection-sql-server-2022-cu20-gdr-kb5063814/
#sqlserver #sqldba #microsoftsqlserver #mssqlserver #mssql #mssqldba #sql #security #sqli #sqlinjection
A quick reminder: dueling URL parsers is a path to pain and sorrow.
(blogged two years ago)
https://daniel.haxx.se/blog/2022/01/10/dont-mix-url-parsers/
Making Minecraft Spherical https://www.bowerbyte.com/posts/blocky-planet/
Police are investigating a murder-suicide in what appears to be the first documented murder involving someone who engaged extensively with an AI chatbot (Wall Street Journal)
https://www.wsj.com/tech/ai/chatgpt-ai-stein-erik-soelberg-murder-suicide-6b67dbfb?st=Hp4Ajw&reflink=desktopwebshare_permalink
http://www.techmeme.com/250829/p3#a250829p3
The public data torrent server has been running reliably for days now, distributing data worldwide that was deleted by the orange clown regime.
Learn more: https://lydie.cc/data.html
RESIST!!!!
Serious question regarding LLMs.
I have been trying to train a model specifically for one thing: helping me with #OpenBSD PF¹ configurations.
Using a Jolla Mind2², which uses llama, I have uploaded the PDF of "The Book of PF (3rd Edition)" (by @pitrh) and the PDFs of the various presentations given on PF.
Then I tried asking some questions and, well, the bit which I find incredibly puzzling is that it gets the answer right (for some basic configurations) but the notation is wrong! As some presentations / book pages use, for example, the -> character, then the LLM uses that for direction in a PF rule so you get
pass on egress from any -> egress:0 port 80
which is really puzzling.
Note that, in my little mind, having constrained the data set to what I imagine was the best data available, I was expecting pretty impressive results but.. no.
Anyone willing to spend a little time to explain why to me? I am really not ranting, I don't want to vibe PF, I just want something to help me have better insights or improve my rules by making suggestions based on good data (i.e. not just searching for it).
__
¹ https://www.openbsd.org/faq/pf/
² https://www.jollamind2.com
³ https://nostarch.com/book-of-pf-4th-edition