Mildly cursed factoid about UNC paths:
- UNC Paths can contain IP addresses such as \\192.168.1.1\share
- IPv6 addresses are supported as well
- IPv6 addresses contain colons
- can't have colons in Windows paths since colons are reserved for drive letters
So Microsoft came up with the the ipv6-literal.net domain that's special-cased by Windows so you can to write IPv6 addresses in UNC paths as 2a0e-3c0--21.ipv6-literal.net without it hitting any resolvers.
China's APT cyberspies are some of the best in the business. But how did the hackers get their start? Turns out many were "Honkers" - patriotic hackers in their teens and 20s who, in the late 90s, launched nationalistic cyberattacks against countries they deemed disrespectful to China. But as the Honkers developed their skills over time, the PLA and MSS came calling. In recent years they have been tied to prolific APT groups responsible for hundreds of intrusions in the US and around the world; and some have been indicted. Some of them also launched companies, like i-Soon, that have played an integral role in China's state hacking operations. Here's my story, based on great research from Eugenio Benincasa and Adam Kozy.
https://www.wired.com/story/china-honkers-elite-cyber-spies/
It is a mistake to think you can solve any major problems just with potatoes.
Has anyone had/decided-not-to-have an intern specifically in a vuln research team? We're debating it at work but some people are skeptical WRT the amount of work we'd be putting in mentoring (we aren't prepared to half-ass it), vs the amount of business value we'd get out. Candidates are strong (having CVEs for example) but it's a big ask to put them on a fortigate (for example) and expect results - and at the same time, it's not fair to give an intern a hard project which is likely going to give them a confidence hit. How did you / how could I manage this? Ideally I don't want to give interns non-research work (like the usual 'set up a lab'), I know they want to be finding bugs. Plus we've got the university sponsoring it wanting clear projects and targets, which can be really difficult in a research team. Any tips? If it helps, our team looks at 0day/nday and our usual output is blogposts and fingerprinting scripts (usually fingerprinting via exploitation - we'd much rather exploit a vuln and detect that than rely on stuff like banners).
CVE-2025-4674: Go: cmd/go: unexpected command execution in untrusted VCS repositories https://www.openwall.com/lists/oss-security/2025/07/08/5
Using the Go toolchain in directories fetched using VCS tools (such as cloning Git or Mercurial repositories) can execute unexpected commands. Fixed in 1.24.5 & 1.23.11.
Project: openssl-static-gcc-dwarf 3.4.0
File: openssl
Address: 005c87c0
evp_kem_from_algorithm
SVG:
dark https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fopenssl-static-gcc-dwarf%2F005c87c0.json&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fopenssl-static-gcc-dwarf%2F005c87c0.json&colors=light
I want someone to make a video series where they exceed cable lengths and show what happens.
what happens if you have a 2km USB cable? what works and what breaks?
If you are enabling an AI feature scanning all your emails, consider this will also scan the emails people have sent you. This information could include personal or otherwise legally protected information.
If this data leaks later (as it regularly happens with these systems), this could mean severe legal consequences for you down the road.
YOU are responsible for protecting the data of others under your custody.
This includes the messages and emails others send to you.