
Chelsea486MHz, la Kubomancienne
@Chelsea486MHz
DevSecOps and swiss-army knife of cybersecurity for hire. Too deep into aquariums and post-rock music. 🐡🐠🐟🐳🐋🦪🪼🐙🦑🦀🦞🐧🦭🐬🪸🦈
Mo'orea, Society Islands · Joined September 2025
74 Following · 36 Followers
Pinned Tweet

I have a blog now.
chelsea486mhz.fr/blog
Chelsea486MHz, la Kubomancienne retweeted

31[.]56[.]27[.]97 blasting cryptominer software at TPLink devices using CVE-2021-44228
gist.github.com/Chelsea486MHz/…

@IceSolst yet there are 10 wannabe pentesters for every devsecops/soc
Chelsea486MHz, la Kubomancienne retweeted

i end up reversing malware with my ex every couple months.
we don’t plan it. it just… happens.
2am. both online. a new APT sample drops. They open the repo. or i do. neither of us acknowledges who pulled it first.
the call is 90 percent silence. no “how’ve you been.” no “you seeing anyone?” just technical murmurs and disassembly.
“figured out the priv esc.”
“kernel module just unhooked itself.”
“beautiful obfuscation.”
that’s the whole conversation.
here’s the thing though.
our analysis chemistry is still perfect.
They know when i’m about to dive into a code path before my cursor even hovers.
i know their heuristics better than the last six reversers i’ve tried to sync with.
we don’t communicate because we don’t need to.
2500 hours in IDA together doesn’t give a fuck about relationship status.
we’ll unravel an APT loader chain in one night. maybe crack the C2 protocol too if we’re lucky.
then it’s “sample done” and we vanish for another 2 months.
no follow up. no “we should collab more.” nothing.
because we both know what this is.
it’s not friendship.
it’s not rekindling.
it’s not even nostalgia.
it’s that neither of us has found better analytical synergy.
and that’s the uncomfortable truth about APT reverse-engineering duos.
you can end a relationship and still be stuck sharing a debugger window with someone who reads your mind in assembly.
you can hate someone’s guts and still flawlessly unwind a four-stage dropper with them.
you can move on emotionally and still be hardstuck trying to replace that one person whose brain clicked with yours in virtual machine bytecode.
some people have exes they still sleep with.
i have an ex i still reverse APT malware with.
honestly not sure which is worse.
study the UwU way.

Chelsea486MHz, la Kubomancienne retweeted

Ethical hacking is the most overrated ‘tech flex’ of this generation not because it’s useless, but because most people chasing it don’t actually want to secure anything.
They just want the ‘hacker’ aesthetic. The truth is, 80% of real security problems aren’t solved by clever exploits… they’re solved by boring things like patching, logs, access control, policies, and people doing what they’re supposed to do. But nobody wants to hear that because it’s not flashy.
Ethical hacking gets all the hype, but in real life, it’s the least impactful part of cybersecurity.
The End 🌚
Elorm Daniel@elormkdaniel
I know y’all will disagree with me but I’ll definitely say it 😌

Initially when I made vx-underground it was super edgy, and serious, with dark art (satanic and spooky). 45,000,000 malwares, 3 books, 90,000 papers, and 6.5 years later, I'm spamming silly kitty cat pictures and babbling like an idiot.
I feel like some sort of deranged malware monk, shackled away on top of a mountain. I've been detached from reality for so long my mind is corrupted at a fundamental level

@DCaussinus @_Nidouille_ The vibecoders have discovered their existence

Damn, I open X and I feel like I've traveled back in time with all these posts about VPSes, like they just came out???? 🤣🤣🤣 @_Nidouille_ what's going on????

@IceSolst It looks like you badly needed this Friday to end and enjoy the weekend

What happens if Pinocchio says “my nose will now grow.”?
If it doesn’t, he’s lying, so it should.
If it does, he isn’t lying, so it shouldn’t.
A statement that isn’t provable nor disprovable within the system itself. Aren’t self-reference paradoxes what led Gödel to his incompleteness theorem?
Set aside the semantics of intent and distinction between prediction and statement, I believe Pinocchio’s nose would enter a state of rapid oscillation, frequency high enough it would encounter significant air resistance, causing compression waves like diesel engines igniting fuel.
Two scenarios once his nose ignites:
- A: if unconsciousness disconnects his nose’s activity, it would act as a circuit breaker, he is left with a charred face.
- B: if nose activity is not tied to consciousness, the situation is dire. Apocalyptic even:
The oscillation frequency increases exponentially. Hertz become kilohertz. Kilohertz become megahertz. The nose is now vibrating faster than any physical material should tolerate.
The heat output becomes enormous. The nose vaporizes, but the logical location where the nose should be keeps oscillating. We’re no longer in matter territory. We’re in pure energy.
At around 10^47 joules concentrated in a Planck-scale region, spacetime gives up. The energy density crosses the Schwarzschild threshold for that volume.
A black hole forms.
It’s tiny at first, smaller than a proton, but it’s right where Pinocchio’s face used to be. The workshop, Geppetto, the cat, the fish, the whole village… consumed in microseconds. The black hole is small enough that Hawking radiation would normally evaporate it quickly, but the paradox keeps feeding it. The magic is still trying to resolve.
The black hole grows. Earth is gone in an hour. The solar system follows.
Eventually, one of two things happens:
- The black hole grows large enough that the original location of the paradox is stretched across the event horizon in a way that somehow breaks the self-reference, and it stops.
- It doesn’t stop, and the observable universe slowly falls into a singularity born from one puppet’s linguistic hubris.
Chelsea486MHz, la Kubomancienne retweeted

⚠️ React Server Components vulnerability
@CERT_FR has published a security alert regarding the vulnerability CVE-2025-55182 affecting React Server Components.
➡ Information and recommendations on the CERT-FR website: cert.ssi.gouv.fr/alerte/CERTFR-…

Chelsea486MHz, la Kubomancienne retweeted

- $15 billion dollar company
- ships entire browser with their application cause "native GUI too hard bro"
- javascript so devs don't have to reason about memory
- leaks memory anyway
- "let's just restart the application when we go above 4 GB"
this is a new rock bottom
Wumpus Central@WumpusCentral
🧹 Discord is finally "fixing" memory leaks! /s The client is testing a feature that monitors its own RAM usage and performs an intentional restart to clear resources if it reaches 4 GB while you're AFK. No restarts occur if you're currently in a call.

@IceSolst We use UTC for everything. Surprisingly, no one complains.
Chelsea486MHz, la Kubomancienne retweeted

Since I started to analyze CVE-2025-55182 (React, NextJS RCE) at work today, I decided to publish my analysis findings so far, given all the fuzz about the vulnerability: github.com/msanft/CVE-202…
Feel free to contribute to the search for a proper RCE sink!





