I've added the slides and the source code for the Sokoban game to the links for my presentation; it appears on the app, but seemingly not the website... For reference, they are:

Links
Source Code (wasm)
Source Code (web)
Slides
Sokoban Fuzzer

I'll be changing out the sokoban puzzle every 30 minutes from hereon out :)

#39c3 #fuzzing

Not related to the latest MongoDB vulnerability (since it doesn't require authentication), but does anyone know of a good MongoDB honeypot? You know, one that masquerades as a real MongoDB database server and logs the login attempts while returning a "bad credentials" error? (It clearly won't be able to log the passwords because of SCRAM but anything else would be useful.)

All I could find was a logging proxy to a real MongoDB server or a MongoDB server running in a Docker image - but I don't want that.

Apparently on #Fediverse - where safety is so critical that you got burned at the stake when dared to say that searching for things would be actually useful - when I block a user or mute a thread they still show up when my client is not in the mood of hiding them?

#Akkoma

Hey #39c3, Come see my lightning talk on a safe variant for `.innerHTML ` that is built right into the browser. https://events.ccc.de/congress/2025/hub/event/detail/lightning-talks-tag-2 on Day 2.

Ah Saturday morning! What a great time to...

...write a 1-page article for Paged Out! zine!

Deadline is 4th Jan - just a week away.

CFP: https://pagedout.institute/?page=cfp.php

[RSS] Hunting CVE-2025-59287 in Memory Dumps

https://medium.com/@Debugger/hunting-cve-2025-59287-in-memory-dumps-b70afd7d2dcf?source=rss-3ba65b326b28------2

Edited: Wrong diagnosis, sry!

The documentation for this image processing library by @vruba is one of the most interesting things I've read in weeks:

https://github.com/celoyd/potato/blob/main/docs/personal.md
https://github.com/celoyd/potato/blob/main/README.md
https://github.com/celoyd/potato/blob/main/docs/concepts.md

Philosophical discussion of the nature of seeing and what am image is vs a map, fascinating technical details about how satellite imaging works and why it looks as bad as it often does, a lot of really thoughtful conversation about engineering and aesthetic process, and even an amusing unit of measurement — grams per terrapixel.

All I want for Xmas is sane documentation <3

Dropping a Xmas-sploit for CVE-2025-14847

I truly appreciate the work of those who keep an eye on threats during the holiday season, but:

- MongoDB has nothing to do with MySQL
- A memory disclosure is not an RCE (but you should probably prioritize similarly in this case)

CVE-2025-14847

Oh. yay.

"mongobleed" — https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py

CVE-2025-14847

"Exploits zlib decompression bug to leak server memory via BSON field names.”

"Technique: Craft BSON with inflated doc_len, server reads field names from leaked memory until null byte.”

"What if Bitcoin was one big mining company?":

https://no01.substack.com/p/what-if-bitcoin-was-one-big-mining

You'd be insane buying its shares.

Do you or somebody you know have a Windows 10 that isn't fit for a Windows 11 upgrade? (e.g. no TPM)

1. Get a Windows 11 25H2 ISO
2. Run setup /product server

Enjoy your Windows 11 with no coerced Microsoft Account, TPM features, etc.

AFL++ 4.35c release! Complete hidden coverage gathering, GUIFuzz++ support, IJON for qemu, various fixes! https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.35c #fuzzing #fuzzer

c3nav is out!!! come hang out with your favorite has-beens and get lectured about the good old days at the console hackers retirement home! non-retired hackers also welcome we are here to support the new generation 🫡

Console Hackers Retirement Home
Assembly, F6, Hall 3, Level 0

#39c3

https://39c3.c3nav.de/l/nintenbros/

does anyone know of an artist taking commissions who has a sense of humour and a style somewhere in the realms of Hieronymus Bosch / medieval era classical painting, who would be willing to make me a t-shirt design? (paid work, of course.)

I'm looking to get a seasonal parody recreation of Slayer's Seasons In The Abyss album cover, in the theme of "Sleigher - Season's Greetings In The Abyss".

[RSS] Update: unique Unix v4 source code recovered off random tape

https://www.tomshardware.com/software/linux/unix-v4-recovered-from-randomly-found-tape-at-university-of-utah-only-known-copy-of-first-os-version-with-kernel-and-core-utilities-written-in-c

I'm sorry to report that I lost #Whamageddon on the 23rd :(

[RSS] CVE-2025-38352 (Part 2) - Extending The Race Window Without a Kernel Patch

https://faith2dxy.xyz/2025-12-24/cve_2025_38352_analysis_part_2/