Julian Horoszkiewicz

Finally, it is published 😁 Making Vulnerable Drivers Exploitable Without Hardware - my latest research on driver vulnerability hardware-gating, explaining the concept of hardware-dependent code and diving deep into creative deployment techniques - software-emulated phantom devices, driver restacking, and forced driver replacement — all explored through the lens of Bring Your Own Vulnerable Driver (BYOVD) attacks: atos.net/wp-content/upl…

My new article is out - Anatomy of Access: Windows Device Objects from a Security Perspective atos.net/en/lp/cybershi… I wish I had this resource 5 months ago 😉

I find it frustrating that none of these "guardians" of Linux and open source have reacted to the OS-level age verification law: - Linux Foundation - Open Source Initiative - Free Software Foundation - Software Freedom Conservancy

Two more kernel-mode CVEs: CVE-2025-15037, CVE-2025-15038 (ASUS Business System Control Interface) 😉 asus.com/security-advis…

We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps. uattest.net

Important: We have revised our license to include additional jurisdictions implementing the age verification laws. Residents of Brazil are no longer authorized to use MidnightBSD. We will not implement ID checks as Brazil requires. (not just attesting age)

My second public acknowledgement for a kernel-mode vulnerability: nvidia.com/en-us/security… 😉 This one is for a pool overflow in NVIDIA Install Helper Service (NVI2SystemService64.sys). Because at the time I had discovered and reported the issue the product had already reached EOL, the vendor will not assign a CVE number to it. In other words, this vulnerability did not make it to CVE because it stayed unreported for too long. This policy approach to EOL products is quite common among vendors and exemplifies one of numerous scenarios for which CVE as a tool for vulnerability and risk management is not sufficient. For anyone interested in such scenarios, I recommend reading my article dedicated to this subject: hackingiscool.pl/slipping-throu….

My first public acknowledgement for a kernel-mode vulnerability 😉 CVE pending. #hof" target="_blank" rel="nofollow noopener">asus.com/security-advis…

The entire world is moving to criminalize privacy. We can't let them do that. Privacy is the foundation of a free society. Privacy is protection against powerful people. Privacy is normal.

Do you want to be de-banked over digital ID rules? Vietnam is terminating bank accounts without a linked digital ID. We are not exaggerating when we say this is what could happen in the UK. It is already happening elsewhere. The people must remain in control, we must reject Digital ID.

OSCP is no job experience, it does not even teach actual pentesting and its passing criteria are based on collecting the flags, not on "how pretty the report is". Also, the part about no sleep and no food is BS. Seeing a trend of non-technical juniors without actual passion for infosec believing that OSCP makes one a "senior".

I would argue that the massive flood of new people trying to “break in” as juniors has actually raised the bar for juniors. Every day, hundreds of people wake up and decide they want to become a 5up3r l33t penetration tester or hax0r. And that’s awesome. There’s two problems though: 1) there just aren’t that many penetration testing roles available and 2) employers want to hire the best of the best. We might not like it, but when there’s a major surplus of candidates (and there is), employers can afford to be picky. And they will be. Can you blame them? That’s just supply and demand at work. When the market shifts and there’s a shortage of qualified talent for these roles, requirements loosen. But right now? The market’s flooded, the bar’s getting higher, and the competition is fierce. Plan and adjust accordingly.

The UK is rolling out a national digital ID, the “Brit Card," despite 2.7M+ signatures against it. Tied to borders, benefits, and public services, it’s the spine of a new surveillance state. Combined with the Online Safety Act, identity verification is becoming mandatory to live, work, and speak.

Isn’t she the person who proposed chat control? Seems like a weird behavior for someone who proposed the regulation. It’s not so fun when you are the one getting your messages analyzed is it now? Hypocrite.

🚨 Denmark keeps pushing for Chat Control - but we keep pushing back! Join us in our fight for #privacy ✊ Check why #Germany is the deciding factor 🇩🇪 and learn how to stop #Chatcontrol (including email addresses of German politicians): 👉 tuta.com/blog/chat-cont…

Americans have absolutely no idea how bad things are in Europe They are going into a totalitarian dictatorship the likes of which Orwell thought were too insane to come up with

ChatControl will allow the EU to use keyword filters to probe into what every private citizen says to friends and family about private topics, using AI and machine learning models to create heatmaps of dissidents. Combined with hate speech laws, it’s a recipe for utter disaster.

🇪🇺 My fellow Europeans You have to fight ChatControl 💪 Don't let @vonderleyen read your chats! metalhearf.fr/posts/chatcont…

CVE-2025-20074 - Local Privilege Escalation in Intel® Connectivity Performance Suite. intel.com/content/www/us… #CVE #windows #EoP #privilegeescalation

CVE-2025-49797 - Local Privilege Escalation in Brother software (Windows). support.brother.com/g/b/faqend.asp… Here is the full list of 1077 affected device models: support.brother.com/g/s/id/securit…

As long as vendors can hide vulnerabilities by bullying researchers and their own clients with NDAs and SLAPP, it doesn't really matter what system we use to exchange information about issues. Also, there's many other scenarios in which this just doesn't work as it should: hackingiscool.pl/slipping-throu…

CVE has always been garbage. Researchers have been treating it like a trophy collection for years and the descriptions usually contain minimal to no details about the bug itself. We need something new and useful imo