"I'm interested in all kinds of astronomy."

We're happy to announce that the first recordings are now available at https://media.ccc.de/c/39c3!

^ta

Admirable reflection on past years fails (and successes) by @starlabs_sg :

https://starlabs.sg/blog/2025/12-2025-reflection/

#fail

TOCTOU in the AMD boot rom? Wow wow wow.


You! Yes, you, at ! Come to our self-organized-session-talk thing!

“FAFO: How we stopped worrying and bought an Electron Microscope”

SoS Stage H, at 00:01 on day 3 (so in ~34 hours after this was posted).

More details: https://events.ccc.de/congress/2025/hub/en/room/detail/sos-stage-h/


I've added the slides and the source code for the Sokoban game to the links for my presentation; it appears on the app, but seemingly not the website... For reference, they are:

Links
Source Code (wasm)
Source Code (web)
Slides
Sokoban Fuzzer

I'll be changing out the sokoban puzzle every 30 minutes from here on out :)


Not related to the latest MongoDB vulnerability (since it doesn't require authentication), but does anyone know of a good MongoDB honeypot? You know, one that masquerades as a real MongoDB database server and logs the login attempts while returning a "bad credentials" error? (It clearly won't be able to log the passwords because of SCRAM but anything else would be useful.)

All I could find was a logging proxy to a real MongoDB server or a MongoDB server running in a Docker image - but I don't want that.

Apparently on #Fediverse - where safety is so critical that you got burned at the stake when you dared to say that searching for things would actually be useful - when I block a user or mute a thread they still show up when my client is not in the mood for hiding them?

#Akkoma

Hey , Come see my lightning talk on a safe variant for `.innerHTML` that is built right into the browser. https://events.ccc.de/congress/2025/hub/event/detail/lightning-talks-tag-2 on Day 2.


Ah Saturday morning! What a great time to...

...write a 1-page article for Paged Out! zine!

Deadline is 4th Jan - just a week away.

CFP: https://pagedout.institute/?page=cfp.php

Edited: Wrong diagnosis, sry!

The documentation for this image processing library by @vruba is one of the most interesting things I've read in weeks:

https://github.com/celoyd/potato/blob/main/docs/personal.md
https://github.com/celoyd/potato/blob/main/README.md
https://github.com/celoyd/potato/blob/main/docs/concepts.md

Philosophical discussion of the nature of seeing and what an image is vs a map, fascinating technical details about how satellite imaging works and why it looks as bad as it often does, a lot of really thoughtful conversation about engineering and aesthetic process, and even an amusing unit of measurement — grams per terrapixel.

All I want for Xmas is sane documentation <3

Dropping a Xmas-sploit for CVE-2025-14847

I truly appreciate the work of those who keep an eye on threats during the holiday season, but:

- MongoDB has nothing to do with MySQL
- A memory disclosure is not an RCE (but you should probably prioritize similarly in this case)

CVE-2025-14847

hrbrmstr 🇺🇦 🇬🇱 🇨🇦

Oh. yay.

"mongobleed" — https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py

CVE-2025-14847

"Exploits zlib decompression bug to leak server memory via BSON field names."

"Technique: Craft BSON with inflated doc_len, server reads field names from leaked memory until null byte."


"What if Bitcoin was one big mining company?":

https://no01.substack.com/p/what-if-bitcoin-was-one-big-mining

You'd be insane buying its shares.


Do you or somebody you know have a Windows 10 that isn't fit for a Windows 11 upgrade? (e.g. no TPM)

  1. Get a Windows 11 25H2 ISO
  2. Run setup /product server

Enjoy your Windows 11 with no coerced Microsoft Account, TPM features, etc.


AFL++ 4.35c release! Complete hidden coverage gathering, GUIFuzz++ support, IJON for qemu, various fixes! https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.35c


c3nav is out!!! come hang out with your favorite has-beens and get lectured about the good old days at the console hackers retirement home! non-retired hackers also welcome we are here to support the new generation 🫡

Console Hackers Retirement Home
Assembly, F6, Hall 3, Level 0

https://39c3.c3nav.de/l/nintenbros/
