ivs (@ivansprundel)'s Twitter Profile
ivs

@ivansprundel

ID: 3483496339

07-09-2015 16:13:46

566 Tweets

342 Followers

519 Following

ivs (@ivansprundel):

If you take a moment and think about the TCB in linux/windows/osx you get lightheaded. How did we get here? Where did we go wrong?

CVE (@cvenew):

CVE-2020-8597 eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions. cve.mitre.org/cgi-bin/cvenam…

IOActive, Inc (@ioactive):

Mario Ballano, Gabriel Gonzalez, Josep Pi Rodríguez, and Simon Robin, Security Consultants at IOActive, disclosed multiple vulnerabilities to Verint PTZ Cameras on June 18, 2020. Read the advisory: ioac.tv/2Nbc40h

IOActive, Inc (@ioactive):

Mario Ballano, Gabriel Gonzalez, Josep Pi Rodríguez, and Simon Robin, Security Consultants at IOActive, disclosed multiple vulnerabilities to Moog EXO series Cameras on June 18, 2020. Read the advisory: ioac.tv/3hy1xu6

ivs (@ivansprundel):

Having a publicly documented security bug reporting process (e.g. email address) is a sign you care about security. If you don't have that, there's a good chance I won't report security bugs in your product (should I find one).

IOActive Labs (@ioalabs):

IOActive Labs: No buffers harmed: Rooting Sierra Wireless AirLink devices through logic bugs by Ruben Santamarta (reversemode) labs.ioactive.com/2020/09/no-buf…

ivs (@ivansprundel):

For those that keep shouting "gotos, harmful, dijkstra" anytime they see a goto error handler, I suggest you actually go read the paper :)

ivs (@ivansprundel):

In the 90s when I was an annoying teenager I've done my share of channel takeovers and the occasional server takeover, but in the end you always lose. What Andrews Lee has done is next next level. He took over the largest IRC network in the world and is expecting to keep it.

ivs (@ivansprundel):

so when I type in "download chrome" in a freshly installed windows VM, in edge, the actual result to download chrome is the 6th entry down. This doesn't feel like it's a coincidence...

ivs (@ivansprundel):

Unless you are in the exploit selling business, conservatively, you should assume all memory corruption bugs will be exploitable. No if's, no but's, just fix the bug! That is all.