Pwning Supercomputers - A 20yo vulnerability in Munge https://blog.lexfo.fr/munge-heap-buffer-overflow.html
The war waged by the tech authoritarian oligarchy against the media has reached a new level:
#Palantir is suing us. Us, the Republik Magazin.
A small Swiss media company, funded by readers, founded in 2018 and free of advertising. I am not aware of any other media company globally that Palantir is currently targeting so aggressively.
What is this about? Together with my wonderful colleagues at the WAV research collective Jenny Steiner, Lorenz Naegeli, Marguerite Meyer, and Balz Oertli, we published a two-part series on Palantir's activities in Switzerland on December 8 and 9.
Using an extensive corpus of documents – which we obtained thanks to the Freedom of Information Act – we were able to trace a sales campaign over a period of seven years. Palantir tried to get in with many federal authorities – and was rejected everywhere.
And we also found out that the Swiss Army Staff evaluated the software and came to the conclusion that the army should refrain from using Palantir products.
Among other risks, they feared that data would be passed on to the US authorities.
Palantir is not just any company. ICE uses its products to hunt down migrants in the US. The Israeli army IDF uses the software in its Gaza offensive. The British health authority NHS has made itself dependent on the products for data analysis during the pandemic. And CEO #AlexKarp displays inhuman and aggressive rhetoric towards Europe, while the company itself advertises the “optimization of the kill chain.”
These are all facts, repeatedly verified and published by renowned media outlets. Our research relating to Switzerland and Zurich is based on this.
In addition to analyzing documents, we also spoke to various sources – including Palantir executives here in Zurich. The quotes used were presented to them and approved. Of course, we always adhered to the high standards of journalistic work. We conducted a thorough fact check before publication.
But the company doesn't want us to write the truth.
After the US company owned by right-wing tech billionaire #PeterThiel dedicated an absurd blog post to us, claiming some misinformation (such as that they had not participated in official tenders with the federal administration, a point we never claimed. On the contrary: we spoke from the outset of attempts to establish contact, sales talks, informal meetings, business as usual), after the Global Director of Privacy & Civil Liberties (PCL) Engineering and contact person for Swiss media Courtney Bowman launched personal attacks against us in LinkedIn comments between Christmas and New Year (“partisan fear-mongering”), Palantir's Swiss lawyers demanded a counterstatement on December 29.
We rejected this in its entirety.
In January, they demanded the same thing again. We rejected it again.
And now we see each other in court.
But why all this?
Our research on the Swiss army report caused a huge international media response. The Guardian and the Austrian newspaper Der Standard reported on the Swiss army's rejection. Numerous financial portals and stock market magazines picked up our news (which could have consequences for the overvalued stock market company Palantir).
And Chaos Computer Club spokesperson Constanze Kurz presented our research to a huge audience at the renowned IT conference Chaos Communication Congress in Hamburg at the end of December.
All of this is making Palantir nervous.
We have now submitted a comprehensive defense brief. We can substantiate all of our findings with several documents and publicly available media reports.
We trust in the rule of law and freedom of the press in this country.
In keeping with yesterday's event “Zurich, little Big Tech City” at the Gessnerallee, where we first announced this news exclusively to the audience on site:
World politics will soon be negotiated in Zurich: freedom of the press, the facts about ICE, Trump, Israel, Karp, tech authoritarianism.
The truth.
All this at the Zurich Commercial Court.
We will not be intimidated. And we will keep you informed.
this is going to be vague, but I don't know how to offer details without explaining everything, which would take a lot more words than I have available on a platform like this. in short though: Open Book Touch is going to blow your freaking mind straight out the back of your head. Even if you know to expect it, I promise: you may think you're ready, but you're not.
Watch this space. https://www.crowdsupply.com/oddly-specific-objects/open-book-touch
Matplotlib maintainer Scott Shambaugh has blogged about the AI agent blog shaming experience now.
https://theshamblog.com/an-ai-agent-published-a-hit-piece-on-me/
This is another incredible #talk from @REverseConf 2025
Full-stack Reverse Engineering of the Original Microsoft #Xbox (Markus Gaasedelen @gaasedelen)
RE: https://furry.engineer/@soatok/116055556402436098
By the way, I'm not giving them 90 days this time.
Last time I did that, they didn't bother to actually fix anything, so they didn't actually need any of that time. So they lost that privilege.
Expect a public disclosure / write-up as soon as I feel like it.
wrote a short blog post about some toying around I did with using kprobes to get around a mitigation in order to disable SMEP/SMAP:
https://blog.zolutal.io/two-shot-kernel-shellcode/
Byte magazine artist Robert Tinney, who illustrated the birth of PCs, dies at 78
He became one of the first to visualize personal computing by painting vivid cover art.
https://arstechnica.com/gadgets/2026/02/byte-magazine-artist-robert-tinney-who-illustrated-the-birth-of-pcs-dies-at-78/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social
On Discord Alternatives
Next month, Discord is going to start requiring age verification. The backlash from gamers everywhere has been predictable and justified. I guess their company name checks out. I've had a few people reach out to me because of my prior vulnerability disclosures and criticism of encrypted messaging apps. (Thanks, Toggart.) Unfortunately, asking a cryptography-focused security engineer for app recommendations is like asking a rocket scientist to…
r2ghidra is ready for release. i'm waiting to cut r2-6.1 to trigger the ci. please help #radare2 to be tested as much as possible so we can make another stable release again!
Last year's shutdown of @glitchdotcom was a blow to my pedagogy. Glitch was ideal for creative coding classes and workshops. I looked around for alternatives. But there was nothing that was open, decentralized, and not at the mercy of VCs or Big Tech.
So I built my own. Here's Glitchlet.
Glitchlet runs on any shared hosting service (e.g., Reclaim Hosting). If you can run WordPress, you can run Glitchlet. Projects-in-progress are stored in the browser's local storage, but you can also one-click publish to make them public and remixable. Glitchlet is designed with educators in mind.
There's no single, primary Glitchlet that everyone uses. The idea is that every instructor installs their own Glitchlet and manages their own classes/workshops/projects. You can seed your instance with template files, or Glitchlet can easily import projects (including archived Glitch .tgz files).
Making something so easy to install and host has trade-offs, of course. No fancy pants Node or React projects, but Glitchlet works beautifully with HTML/JavaScript/CSS. No live collaboration, but you can still remix published projects.
Best of all—you're in control and not subject to the whims of some startup that suddenly decides to "sunset" a key pedagogical tool.
Glitchlet is alpha now, but its code will be available to all very soon!
NEW: U.S. prosecutors say the hacking tools that Peter "Doogie" Williams stole from defense contractor L3Harris Trenchant could have been used against "millions of computers and devices" worldwide.
The prosecutors also confirmed that Williams "stood idly by while another employee of the company was essentially blamed" for his own actions, as we first reported last year.
Williams said he didn't know the tools could end up in the hands of Russia or other governments.
This is a phenomenal little blog post about Linux C++ binary analysis ❤️❤️❤️
https://oneraynyday.github.io/dev/2020/05/03/Analyzing-The-Simplest-C++-Program/
They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things lmao.
Apparently, the "innovation" of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system. Is nothing safe anymore? 😭
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
#noai #microslop #microsoft #windows #programming #writing #windows11 #enshittification #cybersecurity #infosec #technology