infosex.exchange <3

You are probably looking for the infosec.exchange Mastodon instance

This host is mostly for my random stuff, and in little part acts like a well-intentioned placeholder for the typosquatted domain.

Discoverability and Archiving

Currently I'm using this host for saving the items from my own feeds to the Wayback Machine and provide in-links for search engines. I hate that I have to do this, but the non-sense ideology of Mastodon pretty much ruined the search feature for Fediverse as a whole, and this wasn't changed by the fact that they owned their mistake and implemented search eventually.

Yes, I (or anyone else) could do similar things with other peoples published feeds, regardless of the tantrum. No, you can't defederate this, because the process doesn't rely on an instance.

Gluttony Section for Search Engines

The IP-law debate around #LLM's reminded me of this old joke:

A cute little girl walks up to the ice cream stand:
- Hello, how much is an empty cone?
- Oh, I can give you that for free - smiles the shop owner
- OK, then I'd like to have 5000 of them!
this post | permalink
[RSS] CrushFTP Authentication Bypass: Indicators of Compromise

https://www.horizon3.ai/attack-research/crushftp-authentication-bypass-indicators-of-compromise/

CVE-2025-2825
this post | permalink
[RSS] MindshaRE: Using Binary Ninja API to Detect Potential Use-After-Free Vulnerabilities

https://www.thezdi.com/blog/2025/3/20/mindshare-using-binary-ninja-api-to-detect-potential-use-after-free-vulnerabilities
this post | permalink
[RSS] The Evolution of Dirty COW (1)

https://u1f383.github.io/linux/2025/03/27/the-evolution-of-COW-1.html
this post | permalink
After its legendary curator passed away a few years ago the reel-to-reel museum reopened in Keszthely:

https://www.youtube.com/watch?v=rySEk-eXFaY

#Hungary
this post | permalink
@stf The more I work in security the more I feel like being part of a large scheduling algorithm: we discover some information, associate some risk, then people will end up workin on some specific stuff. If we cause priority inversion, starvation, etc. then we are a bad scheduler.

In this case:
- The original recommendation ("uninstall it!") turned out to be totally unsubstantiated, we can by all means call it misinformation
- Secrecy about details added to the fear and also *actively misdirected efforts* both at level of security teams and at devs/researchers (see the confusion about #330 & people looking at new commits to find backdoors)

Since no significant new attack surface/vector was presented I don't even think the code will get that much of scrutiny as exploitability is pretty low (local with user interaction).

In the end, the cost-benefit analysis looks really bad to me.
this post | permalink
Three bypasses of Ubuntu's unprivileged user namespace restrictions

https://www.openwall.com/lists/oss-security/2025/03/27/6

This weeks published vulnerability research is strong enough already, now Qualys enters the party.
this post | permalink
Reading the latest BLASTPASS writeup I can only wonder how many engineer hours must have gone into this thing. Incredible stuff!
this post | permalink
@osxreverser Nah, they'll just wait until someone adds them to the group :P
this post | permalink
Napalm Death is like fine wine, but with napalm.
this post | permalink
Next Page