This is another incredible #talk from @REverseConf 2025

Full-stack Reverse Engineering of the Original Microsoft #Xbox (Markus Gaasedelen @gaasedelen)

https://youtu.be/hGlIkgmhZvc

In a world where proper keyword #search is excommunicated and engines refuse to index content based on arbitrary criteria, grep.app at least allows us to find and look at the source code:

https://grep.app/

RE: https://furry.engineer/@soatok/116055556402436098

By the way, I'm not giving them 90 days this time.

Last time I did that, they didn't bother to actually fix anything, so they didn't actually need any of that time. So they lost that privilege.

Expect a public disclosure / write-up as soon as I feel like it.

From Winslop release notes: "I do not own or operate winslop[.]com and I'm not affiliated with whoever registered it.
Even if it currently redirects to this GitHub repo, a third-party domain can be changed at any time (phishing, fake releases, malware links)."

https://github.com/builtbybel/Winslop/discussions/22

#phishing #malware

wrote a short blog post about some toying around I did with using kprobes to get around a mitigation in order to disable SMEP/SMAP:
https://blog.zolutal.io/two-shot-kernel-shellcode/

libpng CVE-2026-25646: Heap buffer overflow in `png_set_quantize`

https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3

Pillow CVE 2021-25289: Fix OOB write with invalid tile extents

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Check Point Harmony Local Privilege Escalation (CVE-2025-9142)

https://blog.amberwolf.com/blog/2026/january/advisory---check-point-harmony-local-privilege-escalation-cve-2025-9142/

/via @badsectorlabs

Accelerator mode changed to: PROTON PHYSICS

Byte magazine artist Robert Tinney, who illustrated the birth of PCs, dies at 78
He became one of the first to visualize personal computing by painting vivid cover art.
https://arstechnica.com/gadgets/2026/02/byte-magazine-artist-robert-tinney-who-illustrated-the-birth-of-pcs-dies-at-78/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

On Discord Alternatives

Next month, Discord is going to start requiring age verification. The backlash from gamers everywhere has been predictable and justified. I guess their company name checks out. I've had a few people reach out to me because of my prior vulnerability disclosures and criticism of encrypted messaging apps. (Thanks, Toggart.) Unfortunately, asking a cryptography-focused security engineer for app recommendations is like asking a rocket scientist to…

http://soatok.blog/2026/02/11/on-discord-alternatives/

r2ghidra is ready for release. i'm waiting to cut r2-6.1 to trigger the ci. please help #radare2 to be tested as much as possible so we can make another stable release again!

Last year's shutdown of @glitchdotcom was a blow to my pedagogy. Glitch was ideal for creative coding classes and workshops. I looked around for alternatives. But there was nothing that was open, decentralized, and not at the mercy of VCs or Big Tech.

So I built my own. Here's Glitchlet.

Glitchlet runs on any shared hosting service (e.g., Reclaim Hosting). If you can run WordPress, you can run Glitchlet. Projects-in-progress are stored in the browser's local storage, but you can also one-click publish to make them public and remixable. Glitchlet is designed with educators in mind.

There's no single, primary Glitchlet that everyone uses. The idea is that every instructor installs their own Glitchlet and manages their own classes/workshops/projects. You can seed your instance with template files, or Glitchlet can easily import projects (including archived Glitch .tgz files).

Making something so easy to install and host has trade-offs, of course. No fancy pants Node or React projects, but Glitchlet works beautifully with HTML/JavaScript/CSS. No live collaboration, but you can still remix published projects.

Best of all—you're in control and not subject to the whims of some startup that suddenly decides to "sunset" a key pedagogical tool.

Glitchlet is alpha now, but its code will available to all very soon!

NEW: U.S. prosecutors say the hacking tools that Peter "Doogie" Williams stole from defense contractor L3Harris Trenchant could have been used against "millions of computers and devices" worldwide.

The prosecutors also confirmed that Williams "stood idly by while another employee of the company was essentially blamed" for his own actions, as we first reported last year.

Williams said he didn't know the tools could end up in the hands of Russia or other governments.

https://techcrunch.com/2026/02/11/doj-says-trenchant-boss-sold-exploits-to-russian-broker-capable-of-accessing-millions-of-computers-and-devices/

This is a phenomenal little blog post about Linux C++ binary analysis ❤️❤️❤️
https://oneraynyday.github.io/dev/2020/05/03/Analyzing-The-Simplest-C++-Program/

They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things lmao.

Apparently, the "innovation" of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system. Is nothing safe anymore? 😭

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841

#noai #microslop #microsoft #windows #programming #writing #windows11 #enshittification #cybersecurity #infosec #technology

Simple solution

#webcomic #krita #miniFantasyTheater

Micropatches released for Windows Telephony Service Elevation of Privilege Vulnerability (CVE-2024-43626)
https://blog.0patch.com/2026/02/micropatches-released-for-windows.html

"I'm very glad," said Piglet happily, "that I thought of giving you Something to put in a Useful Pot."

[RSS] Shellcode as 'XML'

https://tmpest.dev/shellcode_as_xml.html