infosex.exchange <3

You are probably looking for the infosec.exchange Mastodon instance

This host is mostly for my random stuff, and in little part acts like a well-intentioned placeholder for the typosquatted domain.

Discoverability and Archiving

Currently I'm using this host for saving the items from my own feeds to the Wayback Machine and providing in-links for search engines. I hate that I have to do this, but the nonsense ideology of Mastodon pretty much ruined the search feature for Fediverse as a whole, and this wasn't changed by the fact that they owned their mistake and implemented search eventually.

Yes, I (or anyone else) could do similar things with other people's published feeds, regardless of the tantrum. No, you can't defederate this, because the process doesn't rely on an instance.

Gluttony Section for Search Engines

Here's me face talking about low-level #IBMi security:

@recon 2024 - Control Flow Integrity on IBM i

https://www.youtube.com/watch?v=0uBbklP9BSE

The video also has some '90s VHS vibes to it, the writeup is still available here (minus the last temporal safety stuff):

https://silentsignal.github.io/BelowMI/

@haroonmeer It's not that strange if you consider they speak to the low-class workers. Again, a great summary: https://www.youtube.com/watch?v=1CP9Peipxzk (note that B4B is strictly against the alt-right, yet I think they capture the core problems that the current USgov successfully capitalized on)

Look at that warpaint (among other things) @joxeankoret! :D

https://ripplemusic.bandcamp.com/album/satanic-panic-attack

Perfect music for this #Saturday, and a strong contender for Album Cover of the Year!

pgAdmin 4 v9.2 fixes CVE-2025-2945 & CVE-2025-2946

https://www.openwall.com/lists/oss-security/2025/04/04/3

* Issue #8602 - Fixed an XSS vulnerability issue in the Query Tool and View/Edit Data (CVE-2025-2946).
* Issue #8603 - Fixed a remote code execution issue in the Query Tool and Cloud Deployment (CVE-2025-2945).

[RSS] We emulated iOS 14 in QEMU. Here's how we did it.

https://eshard.com/posts/emulating-ios-14-with-qemu

This is CVE-2025-22871 and Go issue

https://go.dev/issue/71988.

net/http: request smuggling through invalid chunked data

@Newk @mrclark I think you should not attack the problem from the angle of who is being targeted: it's pretty easy to see it's everyone. IME you can get to an actual victim with one handshake, maybe two if you don't work in infosec.

It's more important to make people realize that they have shit to lose: enumerate critical assets, create estimations of what damage can be done (which is what banks do as part of their compliance process). Many businesses (manufacturing is a typical example) don't realize how much they rely on IT these days.

@wdormann Yes, and this makes me think that bad guys had this exploit well before the patch:
1) APTx runs its dumbest fuzzer and writes an exploit
2) ???
3) Ivanti releases a patch
4) APTx notices their bug is burned
5) APTx goes for an aggressive campaign (or passes the exploit to low-end peers) to cash in on the patch gap.
6) Threat intel picks up ItW exploitation

With my previous comment I wanted to express my worry that we are probably in stage 2) with God knows how many Ivanti 0-days right this moment.

@mrclark @Newk This can be a reasonable risk assessment though: take a worst case scenario, if you can recover from that with acceptable loss, do nothing. I think the hard part is to get people to do the math properly, e.g. what if you have to do recovery two weeks in a row, what is the likelihood of that happening...