uv is a pretty useful band-aid

Is there actually a name for the development model where you don’t have a single codebase for all your clients/device model/whatever but rather fork the codebase whenever a new client/device model/whatever comes along? You then continue your development in the new codebase and occasionally cherry pick some of the improvements for the older variants of your codebase (of which you eventually accumulate dozens if not hundreds).

Games That Weren't: How can you possibly squeeze a 32-bit PlayStation CD ROM game into a small Game Boy Color Cartridge? Well, HotGen would attempt to do just that with a conversion of Resident Evil in mid-1999 and to make it as close as possible with similar 3D perspectives using scaled sprites.

https://www.gamesthatwerent.com/2025/12/resident-evil/

#ResidentEvil #GameBoy #GameBoyColor

Is there a #logging library that provides nice interfaces (not N config variables) for both:

- "Reliable" logging, when you want to e.g. flush every message immediately because you are debugging
- "Performant" logging, when you don't want to waste time on I/O?

(what's the proper terminology here?)

There must be of course middle-ground, e.g. I imagine errors should always be recorded reliably in many situations, but I imagine that e.g. auto-tweaking performance on debug log level would be reasonable.

[RSS] Windows Exploitation Techniques: Winning Race Conditions with Path Lookups

https://projectzero.google/2025/12/windows-exploitation-techniques.html

[RSS] Thinking Outside The Box [dusted off draft from 2017]

https://projectzero.google/2025/12/thinking-outside-the-box.html

#VirtualBox

New Project Zero issue:

Adobe DNG SDK: areaSpec overlap miscalculation lead to integer overflow, leading to OOB read/write

https://project-zero.issues.chromium.org/issues/445575206

CVE-2025-64783

🚨 noyb has filed complaints against #TikTok and #Grindr. As it turns out, TikTok even tracks you while you're using other apps. For example, TikTok was able to track a person’s Grindr usage - which allows it to draw conclusions about his sexual orientation and sex life

👉 https://noyb.eu/en/tiktok-unlawfully-tracks-your-shopping-habits-and-your-use-dating-apps

Mitre has just published their top 25 most dangerous software vulnerabilities of 2025

How does #CHERIoT stack up against this list?

5, 7, 8, 11, 14, and 16 are deterministically mitigated with just a recompile.

13 will trap, but is recoverable on a per-compartment basis.

15 is trivial to mitigate with compartmentalisation. Phil Day wrote about this 18 months ago.

6 is mitigated by good capability-based filesystem APIs.

25 is mitigated by our software capability model in the RTOS.

1, 2, 3, 9, 10, 12, 22, and 23 and are not normally applicable on embedded platforms.

That leaves you with a lot more spare brainpower to think about avoiding the remaining seven (4, 17, 18, 19, 20, 21, and 24). The impact of many of these is limited in an environment where there is a programmer model that makes implementing the principles of least privilege and intentional use trivial.

Attempting Cross Translation Unit Taint Analysis for Firefox

https://attackanddefense.dev/2025/12/16/attempting-cross-translation-unit-static-analysis.html

I've never felt one with any other movie character like this. RIP, legend!

https://www.youtube.com/watch?v=VO4XYoB49Lg

[RSS] Don't judge an audiobook by its cover: taking over your Amazon account with a Kindle

https://blog.thalium.re/posts/dont-judge-an-audiobook-by-its-cover-taking-over-your-amazon-account-with-a-kindle/

[CVE-2025-14282] dropbear: privilege escalation via unix domain socket forwardings

https://github.com/turistu/odds-n-ends/blob/main/CVE-2025-14282.md

It's 2025, and I have to prompt an LLM no less than 5 times to figure out how to add a new keyboard layout to Windows Server 2025, becase 1) the UI turned absolutely shit 2) the built-in search is optimized for ads instead of discovering functionality.

Also, Disk Management is gone, and you get no meaningful results for "disk" in the Start Menu. But when you *right click* the Start icon it's there. Why would it be so hard to make this discoverable by search (or leaving a shortcut with the original name)??

Rust is is not a "silver bullet" that can solve all security problems, but it sure helps out a lot and will cut out huge swatches of Linux kernel vulnerabilities as it gets used more widely in our codebase.

That being said, we just assigned our first CVE for some Rust code in the kernel: https://lore.kernel.org/all/2025121614-CVE-2025-68260-558d@gregkh/ where the offending issue just causes a crash, not the ability to take advantage of the memory corruption, a much better thing overall.

Note the other 159 kernel CVEs issued today for fixes in the C portion of the codebase, so as always, everyone should be upgrading to newer kernels to remain secure overall.

With H2HC on hiatus this year, the security community stepped up to create the 307 Temporary Security Conference—and we were proud to be part of it!

We presented our research on vulnerabilities in the CAN BCM protocol in the Linux kernel.

Thank you to everyone who watched!

The slides and exploit demos are now available.

Slides
https://allelesecurity.com/wp-content/uploads/2025/12/Presentation_307.pdf

Demo 1: Exploit for UAF read (CAN BCM) to dump shadow file & MySQL root hash.
https://www.youtube.com/watch?v=znTLHc2mXIs

Demo 2: Exploit for UAF read in CAN BCM (CVE-2023-52922) that leaks encoded freelist pointer and slab object addresses
https://www.youtube.com/watch?v=XQ3QlXqn6pI

Memory bugs, such as use-after-free and buffer overflows, are the most exploited vulnerability class; however, AddressSanitizer's 2-4x performance overhead makes it unusable in production.

So, we recommend GWP-ASan, which uses sampling and guard pages to detect memory safety bugs at scale. Learn the technique and how to implement it in your C++ projects using LLVM's scudo allocator:
https://blog.trailofbits.com/2025/12/16/use-gwp-asan-to-detect-exploits-in-production-environments/

I want things that are above my reading level, that's how I get better at reading 🤔😁

@reading @bookstodon @books @humor@fedigroups.social @humor@lemmy.world @aiop

#ReadingMemes #Memes
#ReadAllTheBooks #Humor #Humour
#Reading #Readers #ReadersOfMastodon #ReadingCommunity
#Book #Books #Novel #Novels #Fiction
#Bookwyrm #Bookworm #Bookstodon #BookLove #FantasyBooks #ReadingLevel #Level

My second blog post regaling tales from my weekend of bugs:

https://wirepair.org/2025/12/16/netcode-bugs/

#gamedev

To the person who thought displaying questionnaires on first browser startup is a good idea:

You are dumb and literally everyone hates you.