Bonus

216 posts

@BonusPlay3

programming & hardware & security 🦆 Pretending I know what I'm doing at @stm_cyber. Playing CTFs for @p4_team.

Poland · Joined May 2012
520 Following · 442 Followers
Bonus@BonusPlay3·
@FrankOverF1ow SELinux adds access control limiting access to objects even if you change your user, but not your context. If you want to test your PoC against something that could prevent it, give @lkrg_org a try.
Bonus@BonusPlay3·
@layle_ctf Cool. What are the advantages over sleigh (other than usable build via cargo)?
Layle@layle_ctf·
I made a DSL to generate instruction decoders and disassemblers in a declarative way! At compile-time it translates the DSL into Rust code, exposing a "decode" function. Transformations like sign extensions are automatically pre-applied. It also implements the Display trait!
Bonus@BonusPlay3·
I've sailed for the uncharted lands, and I'm slowly losing sanity...
Bonus retweeted
CERT Polska@CERT_Polska_en·
‼️At the end of last year, there was a series of coordinated attacks in Polish cyberspace. 📌Today, our team is publishing a report describing the technical analysis of these events. We show the scheme of operation and the tools used by the attackers. ➡️cert.pl/uploads/docs/C…
Bonus@BonusPlay3·
@i2cjak What do you use for generating via stitching in KiCad?
i2cjak@i2cjak·
do i have enough stitching vias
Marco Bonelli@mebeim·
@awawawhoami Wow CCC FOMO hitting harder and harder, chose the wrong year not to attend 😭
Bonus@BonusPlay3·
@matiasgoldberg @telxius They just ignore some of your ICMP requests. Even if there are 5 more hops that don't respond, what's important is that the last hop (target) responds and gets all the packets. You have 0 packet loss to the target, so that's not the reason for your issues.
Matías N. Goldberg@matiasgoldberg·
Why is 90% packet loss coming from an IP owned by @telxius ? I want to play Genshin Impact but I keep getting huge issues.
Ange@angealbertini·
Magika 1.0 is released, available in Rust, TypeScript and Python, and supporting more than 200 file types.
Bonus@BonusPlay3·
@gynvael @S1r1u5_ Sure, but my point is that transparency has a cost. Not everyone is famous enough to get Google to pay for their lawyers. The threat of big company lawsuit removes "90 day disclosure" from the table as they can dictate the terms.
Gynvael Coldwind@gynvael·
@BonusPlay3 @S1r1u5_ And vendors can have very flawed models of distributing patches — updates are a complex problem and raise costs. Even if that's the case, it's still not a reason to keep users/clients/potential clients in the dark about the product defect for a long (e.g. a year) period of time.
s1r1us (mohan)@S1r1u5_·
so it seems everyone who is mocking Google’s 90 day disclosure policy has never reported any bugs to vendors and never gone through pain and threats for reporting a bug?
Bonus@BonusPlay3·
@gynvael @S1r1u5_ Expanding a little bit more, the core of the problem lies in "one policy doesn't fit all sizes". While it might fit heavily updated firmware with good update procedures (e.g. mobile or web apps), it's unusable to others like embedded deployments.
Bonus@BonusPlay3·
@gynvael @S1r1u5_ It would be nice to get them fixed+deployed in a year. But honestly I don't feel like I can demand anything from the vendor. I just do security audits for my clients so that they can do risk modeling. Would you prefer if the vendor made faulty patches during 90 days to satisfy clients?
Bonus@BonusPlay3·
@gynvael @S1r1u5_ Yes, they are aware, but as there are no patches they can't do much. Also, once you buy devices, you have little to no leverage over the vendor, as the worst you can do is not buy more, which you probably will do anyway, since you've already integrated your systems into their environment.
Bonus@BonusPlay3·
@S1r1u5_ I have vulnerabilities that were disclosed 2 years ago and are still not patched, because most attackers try to blow up/pull out an ATM instead of hacking into it. In that case, screaming "90 days" and going public doesn't help anyone (vendor, clients), except researchers' ego.
Bonus@BonusPlay3·
@S1r1u5_ It all depends on the threat model. If it's a public facing web app? Sure, try to get vendor to patch ASAP. But for example, ATM/POS solution could require manual intervention in thousands of deployed units to get them patched. 90 days isn't realistic in that case.
Rue Mohr🇨🇦@RueNahcMohr·
@BonusPlay3 One does not just install an FPGA program and start playing. I'm looking for the software to do a *particular* series of chip, the cyclone v1. Nobody, it seems, who does FPGA stuff, ever talks about which FPGA chips things are for, it's like it's implied it's universal. It's not.
Rue Mohr🇨🇦@RueNahcMohr·
I would love to know how to use the cyclone and cyclone II chips I have, but I don't seem to be able to catch the attention of anyone who knows :( (on Linux, without the 10G IDE)
Bonus@BonusPlay3·
@RueNahcMohr Huh? What about: intel.com/content/www/us…
Rue Mohr🇨🇦@RueNahcMohr·
@BonusPlay3 part of the immediate issue is "what version supports the chip I have" which generally tends to not be published :/
Bonus@BonusPlay3·
@travisgoodspeed Consider purchasing a dedicated capacitor discharging device for safety reasons.
Travis Goodspeed@travisgoodspeed·
A USB device that I'm reverse engineering has no watchdog timer, while(1) as a crash handler, and no reboot button. It also carries large batteries and dangerously high voltage capacitors. Every time I crash it, I need to risk electrocution or wait days for it to discharge!
Bonus@BonusPlay3·
Thanks for creating a great bucket list :D