"I'm interested in all kinds of astronomy."

i finally gave in and started using uv to manage the dependencies for my Python scripts and it’s great https://jvns.ca/til/python-inline-dependencies/

Edited 6 months ago
I recently posted about looking for an artist and got a bunch of replies.

Problem is 1) there are many obvious bots 2) those who are likely not bots also seem to use LLM/templates to communicate, making them look like bots.

If you don't want to get reported, use your own voice!

#fedihire

Phrack #72 PUZZLE CHALLENGE >>> WALKTHROUGH <<< is OUT.

Everyone who did not find the hidden secrets in the hardcopy release: This is your chance.

♥️ Stay curious and live forever ♥️

http://phrack.org/dl/72/puzzle-challenge.pdf


We derestricted a number of vulnerabilities found by Big Sleep in JavaScriptCore today: https://issuetracker.google.com/issues?q=componentid:1836411%20title:JavascriptCore

All of them were fixed in the iOS 26.1 (and equivalent) update last month. Definitely some cool bugs in there!


V8 now has an (experimental) JS bytecode verifier!

IMO a good example for the benefits of the V8 Sandbox architecture:
- Hard: verify that bytecode is correct (no memory corruption)
- Easier: verify that it is secure (no out-of-sandbox memory corruption)

The sandbox basically separates correctness from security.

More details: https://docs.google.com/document/d/1UUooVKUvf1zDobG34VDVuLsjoKZd-CeSuhvBcLysc7U/edit?usp=sharing

Implementation: https://source.chromium.org/chromium/chromium/src/+/main:v8/src/sandbox/bytecode-verifier.cc


American IT software company Ivanti warned customers today to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely.

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-endpoint-manager-code-execution-flaw/


Gandi disabled my U2F keys without warning. This sort of incompetence is why I moved all my domains away from them earlier this year (to Namecheap; Porkbun was runner-up).


Day 9 of Advent of Compiler Optimisations!

Loop with `i * i` inside? Surely the compiler replaces that expensive multiply with clever addition tricks — like manually tracking an accumulator. But no! The compiler keeps the multiply because it enables something more valuable. Why is "more expensive per iteration" sometimes faster overall? The answer lies in how modern CPUs actually execute code.

Read more: https://xania.org/202512/09-induction-variables
Watch: https://youtu.be/vZk7Br6Vh1U


Project Zero Bot

New Project Zero issue:

Windows: Administrator Protection UI Access Shared Profile EoP

https://project-zero.issues.chromium.org/issues/437868751

CVE-2025-60721

Does your cybersecurity awareness training contain any hacklore?

I’m collecting examples of hacklore in the wild. Whether it’s training slides, quiz questions, or instructions that focus on rare threats instead of the ones causing the most real-world harm, I want to see it all.

Post some screenshots or notes here, or email them to "info" at hacklore.org. Let’s help organizations replace stale guidance with advice that truly keeps people safe.

I updated the structure of the #Ghidra documentation that I host so now you can access the latest of both version 11.x and 12.x:

https://scrapco.de/ghidra_docs/

I'm still looking for the docs of the new features in 12. If you think something is missing from the web that is available in the source lmk!
Edited 6 months ago

Do I know anyone working on freedesktop.org / mesa? A security contact would be ideal :)

Edit: Resolved

GitHub Actions Has a Package Manager, and It Might Be the Worst

https://nesbitt.io/2025/12/06/github-actions-package-manager.html

okay so like a month ago @trashpanda sent me one of those 'spycam finder' doodads that you see going for like 80-100 dollars online that supposedly 'find spy cameras and gps trackers'. I've always been curious if they actually work or what's inside. So I just tore the thing open and this is what I found:


New blog post: Why the Sanitizer API is just `setHTML()` - https://frederikbraun.de/why-sethtml.html


Zuckerberg has blown 77 billion – enough money to revitalize entire countries – on an idea so overwhelmingly, obviously stupid that I have never once heard anyone, from the Thanksgiving avuncular table to the most wretched depths of social media, say they liked it or even tried it. He was so sure that it would revolutionize the world that he renamed his extremely famous company after it. And now he's on to the next thing that he's so very, very sure about.

The world needs direction from sober people who aim to improve the human condition, not the whims of a handful of billionaire princelings who absolutely, positively cannot be dissuaded from failing at unprecedented scale while chasing their own vainglory off the edge of a cliff.


Punchcards weren't only used for code. These Department of Defense punchcards from 1966 have a microfilm window used for technical drawings — in this case, a rotary telephone switch, and a font!
