I used to run trainings classes teaching people how to find exploitable bugs in disassembles. The quality of a lot of proprietary software is astonishingly low.

the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore.. 1/n

I've built a brand new version of my fuzzing tool Shazzer🚀 shazzer.co.uk - Easy fuzz browser behaviour - Find bugs - Share the results with the world

Anche Mediobanca premier (ex CheBanca!) completamente down da ieri

Anyone hiring? I might need a new job 🙁

David is a huge talented professional and a wonderful human. Hire him!

europol.europa.eu/media-press/ne…

Unpopular opinion: companies doing an about-face to focus only on AI while abandoning existing products will regret that decision.

I was reviewing this patch because the function is named `safe_extract` and is now used in many open-source projects, and I think it is still vulnerable to path traversal via symlink. PoC github.com/luigigubello/t… It reminded me of the Snyk zipslip patch and LiveOverflow 🔴 video

this is not a vulnerability, this is just a shitty workload for security engineers that are forced to triage and kindly reply to you

🚨Alert🚨CVE-2024-4367/34342: JavaScript Flaws Threaten Millions of PDF.js and React-PDF Users ⚠Designated as CVE-2024-4367 in PDF.js and CVE-2024-34342 in React-PDF, this flaw leads to the execution of unrestricted JavaScript under the hosting domain’s context. 📊50K+ Services

I looked for a similar vulnerability for years :((

Added generic PoC for CVE-2024-4367 (credits: Thomas Rinsma). In addition, someone assigned CVE-2024-4327 for Apryse PDF WebViewer (former PDFTron) using payload1.pdf as PoC. github.com/luigigubello/P…

If you wish to help a PhD student with their research, this questionnaire requires only a few minutes of your time: forms.office.com/e/asnQ074vHJ

Bot che rilanciano disinformazione russa, target Italia. Il sito redirige all'URL repubblica[.]in, dominio riattivato ad aprile 2024 (non sicuro di questo). Tecnica usata per amplificare: repost tramite account privati. Twitter è spazzatura ormai. x.com/search?q=agenc…

📣Official statement: the new EU chat controls proposal for mass scanning is the same old surveillance with new branding. Whether you call it a backdoor, a front door, or “upload moderation” it undermines encryption & creates significant vulnerabilities signal.org/blog/pdfs/uplo…

qui solo per l'ironia: il sito piracyshield[.]app - di proprietà di AGCOM - è indicizzato su Google per redirigere a un sito porno di dubbia affidabilità, nonché già segnalato da Brazzers a Google per violazione di copyright, per un plugin vulnerabile deprecato nel 2010. LOL

Giulia Pastorella Non servono nuove norme (e anzi quelle recentemente riscritte hanno più problemi che altro). Servono investimenti e competenze corrette nei punti corretti.