Memory bugs, such as use-after-free and buffer overflows, are the most exploited vulnerability class; however, AddressSanitizer's 2-4x performance overhead makes it unusable in production.

So, we recommend GWP-ASan, which uses sampling and guard pages to detect memory safety bugs at scale. Learn the technique and how to implement it in your C++ projects using LLVM's scudo allocator:
https://blog.trailofbits.com/2025/12/16/use-gwp-asan-to-detect-exploits-in-production-environments/


My second blog post regaling tales from my weekend of bugs:

https://wirepair.org/2025/12/16/netcode-bugs/

To the person who thought displaying questionnaires on first browser startup is a good idea:

You are dumb and literally everyone hates you.

The Cryptax Award H2 2025 is out! (lol)

Best talks, papers, CTF challenges, tools I encountered in the second half of 2025:

https://cryptax.github.io/nomination-2025-h2/

It's a difficult selection, as always, and it is a very personal opinion!

Congratulations to those who are listed, and kudos to others :)

@pancake @UYBHYS @rootme_org


The Hacker's Choice

THC Release 💥: The world's largest IP<>Domain database: https://ip.thc.org

All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free.

Updated monthly.

Try: curl https://ip.thc.org/1.1.1.1

Raw data: https://ip.thc.org/docs/bulk-data-access

(The fine work of messede 👌)

What does everyone think? Need feedback before release tomorrow :)


If you need to get your mood down a few notches, there are some new slop entries to torment yourself with here:

https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd


Training Ticket Shop for is now open.

The content of our 2026 trainings is unique and exclusive to OffensiveCon, so don’t miss out.

🔥 New this year: Get your training + conference ticket bundle - you have the opportunity to secure a conference ticket before the conference ticket shop opens!
You can also get a training ticket only...

Training tickets: https://www.offensivecon.org/register.html

And the conference ticket shop? Oh, it'll open… sometime in the next 5 months. Stay tuned. 👀


There's another researcher, Zhengyu Liu, who's been finding CPython crashes (mostly use-after-free) at breakneck speed (19 in 5 days!): https://github.com/python/cpython/issues?q=is%3Aissue%20author%3Ajackfromeast

Not sure about what technique they're using, but their site states that they favor "leveraging program analysis approaches to detect/exploit/patch vulnerabilities in real-world complex applications and systems".

Their reports are comprehensive, with great presentation and details.

https://jackfromeast.github.io/


There's a researcher, Jiang Yuancheng, who's doing great work finding CPython crashes and memory leaks: https://github.com/python/cpython/issues?q=is%3Aissue%20author%3AYuanchengJiang

They've come up with a very clever idea for a new way of fuzzing, made a fine tool out of it, and are reaping great results.

Fuzzing can be a diminishing-returns endeavor: you only have so many bugs to find. Their approach has shown itself to cover different areas and kinds of issues well, as shown by their track record.


now at @link@js.meowingwo.men


CVE-2025-64669: Uncovering Local Privilege Escalation Vulnerability in Windows Admin Center https://cymulate.com/blog/cve-2025-64669-windows-admin-center/


Bellingcat’s Kolina Koltai uncovers the Hungarian national behind two deepfake porn websites. The key figure rakes in profits and vacations in luxury hotels in Dubai and Bali, whilst website visitors create sexually explicit images and videos.
Find out how we uncovered the administrator behind the deepfakes by reading the full investigation here: https://www.bellingcat.com/news/2025/12/15/mark-resan-reface-deepfake-porn/?utm_source=mastodon


just released liboprf-0.9.3

liboprf is a library implementing the OPRF from https://www.rfc-editor.org/rfc/rfc9497.html and in addition it also provides a threshold variant (tOPRF) and a distributed key generation (DKG) protocol for the tOPRF shared secret, as well as a key update protocol for the tOPRF shared secret. It comes with a high-level Python frontend that supports servers on TLS, USB and Bluetooth LE.

see: https://github.com/stef/liboprf


We need to normalize declaring software as finished. Not everything needs continuous updates to function. In fact, a minority of software needs this. Most software works as it is written. The code does not run out of date. I want more projects that are actually just finished, without the need to be continuously mutated and complexified ad infinitum.


Microsoft will pay bug bounties even for 3rd party components:

https://www.theregister.com/2025/12/12/microsoft_more_bug_payouts


Does anyone have a copy of the following paper:

https://doi.org/10.1016/0167-4048(82)90003-7

Robert H. Courtney, Jr., "A systematic approach to data security", in Computers & Security Volume 1, Issue 2, June 1982 (pgs. 99-112)

I have tried Sci-Hub and Anna's but no luck.

(it is paywalled at https://www.sciencedirect.com/science/article/abs/pii/0167404882900037 for $30 which seems criminal)


The World Is Not A Desktop - Mark Weiser

https://dl.acm.org/doi/10.1145/174800.174801
