GNU social JP
GNU social JP is a Japanese GNU social server.
Notices by buherator (buherator@infosec.place)

  1. buherator (buherator@infosec.place)'s status on Sunday, 03-May-2026 20:51:05 JST
    in reply to
    • scriptjunkie
    @sj chaotic alignment was lacking so I created a chart
    In conversation about 4 days ago from infosec.place

    Attachment: https://media.infosec.place/infosec-place/2e7d0a43e064eb7c593e1586c70d0411989d6082a2dbee8999b1af0908c04cab.jpg
  2. buherator (buherator@infosec.place)'s status on Thursday, 02-Apr-2026 04:25:29 JST
    AI company once again fails to understand how the Internet works

    RE: https://mastodon.cloud/@slashdot/116330548519902234
    In conversation about a month ago from infosec.place

    Attachment: Slashdot :verified: (@slashdot@mastodon.cloud)
      Anthropic Issues Copyright Takedown Requests To Remove 8,000 Copies of Claude Code Source Code https://developers.slashdot.org/story/26/04/01/158240/anthropic-issues-copyright-takedown-requests-to-remove-8000-copies-of-claude-code-source-code?utm_source=rss1.0mainlinkanon
  3. buherator (buherator@infosec.place)'s status on Wednesday, 04-Feb-2026 22:40:41 JST
    in reply to
    • daniel:// stenberg://
    @bagder People probably pay less attention than you think (this is a general rule of thumb of mine), they may still assume there is monetary reward even without H1. IMO you should give it some time.
    In conversation about 3 months ago from infosec.place
  4. buherator (buherator@infosec.place)'s status on Wednesday, 28-Jan-2026 00:49:46 JST
    RCECoaster, an exploit for Rollercoaster Tycoon 1999

    https://github.com/RickdeJager/RCECoaster
    In conversation about 3 months ago from infosec.place

    Attachment: GitHub - RickdeJager/RCECoaster
      Contribute to RickdeJager/RCECoaster development by creating an account on GitHub.
  5. buherator (buherator@infosec.place)'s status on Tuesday, 30-Dec-2025 19:35:56 JST
    [RSS] Blind trust: what is hidden behind the process of creating your PDF file?

    https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/
    In conversation about 4 months ago from infosec.place

    Attachment: Blind trust: what is hidden behind the process of creating your PDF file?
      from Vladimir Razov
      Every day, thousands of web services generate PDF (Portable Document Format) files—bills, contracts, reports. This step is often treated as a technical routine, “just convert the HTML,” but in practice it’s exactly where a trust boundary is crossed. The renderer parses HTML, downloads external resources, processes fonts, SVGs, and images, and sometimes has access to […]
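    The trust boundary the linked article describes, as an added example that is not code from the article or from the post: a pre-render check for HTML that is about to be handed to a server-side HTML-to-PDF renderer. It enumerates the resources such a renderer would fetch (stylesheets, fonts via CSS, images and srcset candidates, frames, SVG image/use references, inline style url()) and rejects any that is not an https URL on an allowlisted host, so user-controlled template content cannot turn the renderer into a request to internal services or a local file read. The allowlisted host and the sample document are constructed for the demo and are assumptions, not anything from the article.

```python
# Added example, not from the linked article or the post: a pre-render check
# for HTML destined for a server-side HTML-to-PDF renderer. It lists every
# resource the renderer would fetch and rejects all but https URLs on an
# allowlisted host. ALLOWED_HOSTS and SAMPLE are constructed for the demo.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"static.example.test"}  # hypothetical asset CDN

# tag -> attributes whose value makes the renderer fetch something
FETCHING = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "link": ("href",), "iframe": ("src",),
    "frame": ("src",), "object": ("data",), "embed": ("src",),
    "image": ("href", "xlink:href"), "use": ("href", "xlink:href"),
    "video": ("src", "poster"), "audio": ("src",),
}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""", re.I)
CSS_IMPORT = re.compile(r"""@import\s+['"]([^'"]+)""", re.I)


class ResourceCollector(HTMLParser):
    """Collects every URL the renderer would try to load, in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in FETCHING.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            if attr == "srcset":  # "url1 2x, url2 3x"
                self.urls += [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                self.urls.append(value.strip())
        if attrs.get("style"):  # inline style: background:url(...)
            self.urls += CSS_URL.findall(attrs["style"])
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # @font-face src, @import, background images
            self.urls += CSS_URL.findall(data) + CSS_IMPORT.findall(data)


def check_resources(html: str) -> list[str]:
    """Return the resource URLs that must not reach the renderer."""
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    bad = []
    for url in collector.urls:
        if url.lower().startswith("data:image/"):
            continue  # inline image, no fetch involved
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
            bad.append(url)
    return bad


# Constructed invoice template: benign CDN assets plus four hostile references
# (cloud metadata endpoint, local file, loopback service, private address).
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://static.example.test/invoice.css">
<style>@font-face { src: url(https://static.example.test/f.woff2); }
.hdr { background: url("http://169.254.169.254/latest/meta-data/") }</style>
</head><body>
<img src="https://static.example.test/logo.png" srcset="https://static.example.test/logo@2x.png 2x">
<img src="data:image/png;base64,iVBORw0KGgo=">
<iframe src="file:///etc/passwd"></iframe>
<svg><image href="http://127.0.0.1:6379/"/></svg>
<div style="background:url('http://10.0.0.5/x.png')">Total: 42.00</div>
</body></html>"""

if __name__ == "__main__":
    for url in check_resources(SAMPLE):
        print("blocked:", url)
```

    This check operates on URL strings only; redirects and DNS resolution happen after it, inside the renderer, so it belongs in front of a renderer that also runs with network egress restricted to the same allowlist, not instead of that restriction.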
  6. buherator (buherator@infosec.place)'s status on Saturday, 27-Dec-2025 02:37:28 JST
    in reply to
    • Kevin Beaumont
    @GossiTheDog Maybe you are confusing MariaDB with MongoDB in their relation to MySQL?
    In conversation about 4 months ago from infosec.place
  7. buherator (buherator@infosec.place)'s status on Sunday, 14-Dec-2025 21:48:14 JST
    This is beautiful. I've been looking at this for 5 hours now.
    In conversation about 5 months ago from infosec.place

    Attachment: https://media.infosec.place/infosec-place/56b6586ca18f3b7fb55f585fde4888b8992ad9f3a3f2cf08b20b8fe672423d6b.jpeg
  8. buherator (buherator@infosec.place)'s status on Monday, 24-Nov-2025 11:51:36 JST
    in reply to
    • Dmytro Oleksiuk
    @d_olex Good question, but I'd argue that bytecode solves existing problems, while in case of LLM/blockchain I mostly don't see that. Also, isn't JIT specifically a thing to improve performance, meaning less resource consumption? A related observation is that many use-cases for LLMs can probably be solved much cheaper, today. E.g.: better IDE features; more QA for web search results; better education so people can write and understand an email.
    In conversation about 5 months ago from infosec.place
  9. buherator (buherator@infosec.place)'s status on Thursday, 20-Nov-2025 21:53:55 JST
    [RSS] Remotely crashing the Spooler service

    https://incendium.rocks/posts/Remotely-crashing-spooler/
    In conversation about 6 months ago from infosec.place

    Attachment: Remotely crashing the Spooler service
      from Remco van der Meer
      Showcasing a vulnerability in Windows that causes the Spooler service to crash remotely.
  10. buherator (buherator@infosec.place)'s status on Monday, 22-Sep-2025 05:31:16 JST
    in reply to
    • Paul Cantrell
    • Tim Bray
    @inthehands @timbray my first thought too, but if electron is compromised obsidian would not be among our primary concerns (esp. because according to this policy they would likely not update before the incident is noticed). So I think electron is more of an attack surface problem than a supply chain one.
    In conversation about 8 months ago from infosec.place
  11. buherator (buherator@infosec.place)'s status on Monday, 08-Sep-2025 21:33:02 JST
    in reply to
    • Micah Lee
    • Hans-Martin Münch
    @h0ng10 @micahflee This is a fairly common mistake too and causes a lot of bullshit work for security teams. A banner string (*especially* in case of Apache HTTPd) doesn't mean anything, so unless you can demonstrate the presence of a vulnerability this is nothing (aka PoC||GTFO).

    (edited) In addition the cited CVE-2024-38476 requires a *malicious backend* to be exploitable:

    https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-en/
    In conversation about 8 months ago from infosec.place

    Attachment: Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! | DEVCORE 戴夫寇爾
      from d3vc0r3
      This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. The content includes, but is not limited to: 1. How a single ? can bypass Httpd's built-in access control and authentication. 2. How unsafe RewriteRules can escape the Web Root and access the entire filesystem. 3. How to leverage a piece of code from 1996 to transform an XSS into RCE.
  12. buherator (buherator@infosec.place)'s status on Tuesday, 02-Sep-2025 21:22:41 JST
    • Kevin Beaumont
    • Misuse Case
    @GossiTheDog @MisuseCase I mean CTXS stock
    In conversation about 8 months ago from gnusocial.jp
  13. buherator (buherator@infosec.place)'s status on Tuesday, 02-Sep-2025 20:47:58 JST
    • Kevin Beaumont
    • Misuse Case
    @GossiTheDog @MisuseCase Neat! It'd be cool to show threats drive down product use predictably! Stocks on the other hand seem pretty stable, so I still don't know what this all tells about the market...
    In conversation about 8 months ago from gnusocial.jp
  14. buherator (buherator@infosec.place)'s status on Tuesday, 02-Sep-2025 20:32:48 JST
    in reply to
    • Kevin Beaumont
    • Misuse Case
    @MisuseCase @GossiTheDog I also think this is the true cause of the decline, vulns probably just correlate (evidence: every other product with frequent ItW vulns)
    In conversation about 8 months ago from gnusocial.jp
  15. buherator (buherator@infosec.place)'s status on Tuesday, 19-Aug-2025 11:21:16 JST
    Can You Write A Web Server in PURE BASH?! (no socat, no netcat, no external tools) 🍿

    https://www.youtube.com/watch?v=L967hYylZuc
    In conversation about 9 months ago from infosec.place

    Attachment: Can You Write A Web Server in PURE BASH?! (no socat, no netcat, no external tools)
      from You Suck at Programming
      Support me on https://patreon.com/YouSuckatProgramming
      Final code → https://github.com/bahamas10/bash-web-server
      $ whoami: Yo what's up everyone my name's dave...
  16. buherator (buherator@infosec.place)'s status on Friday, 01-Aug-2025 02:43:59 JST
    in reply to
    • Jan Schaumann
    @jschauma maybe that's why furries are overrepresented in reliable IT projects?
    In conversation about 9 months ago from infosec.place
  17. buherator (buherator@infosec.place)'s status on Tuesday, 17-Jun-2025 02:51:22 JST
    [oss-security] CVE-2025-4748: Erlang/OTP 17.0–28.0.0 absolute-path traversal in zip:unzip/zip:extract

    https://www.openwall.com/lists/oss-security/2025/06/16/5

    Exquisite bug!
    In conversation about 11 months ago from infosec.place

    Attachment: https://media.infosec.place/infosec-place/58e6d9d2e2443572365c350fc73072580bfaeef31c4fd4d1359e84b736c9bdc2.gif
    Attachment: oss-security - CVE-2025-4748: Erlang/OTP 17.0–28.0.0 absolute-path traversal in zip:unzip/zip:extract
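    The bug class named in the advisory title above (archive member names that escape the extraction directory), as an added example that is not code from the post, from the oss-security thread or from Erlang/OTP, and that does not describe OTP's own fix: a Python extraction routine that rejects absolute paths, drive-letter paths and '..' segments before writing anything, and additionally checks that the resolved target stays under the destination. The archive contents are constructed for the demo. Note that Python's own zipfile.extract already strips such names; the point here is the explicit rejection list, which is what a practitioner wants to log and alert on rather than silently remapping.

```python
# Added example, not code from the original post or from Erlang/OTP: a zip
# extraction routine that refuses member names which would escape the
# destination directory. Archive contents below are constructed for the demo.
import io
import os
import zipfile


def is_safe_member(name: str) -> bool:
    """True only if a member name cannot leave the extraction directory.

    Rejects empty names, absolute paths (/etc/x, //host/share, \\x),
    drive-letter paths (C:\\x) and any '..' segment. Backslashes are
    treated as separators because Windows unzippers treat them that way.
    """
    if not name:
        return False
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False
    return ".." not in norm.split("/")


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract every safe member of `archive` under `dest`.

    Returns the names that were rejected. Two independent checks are
    applied: the lexical check above, and a realpath containment check on
    the would-be target, so that neither a crafted name nor a symlink
    already present under dest can redirect the write outside dest.
    """
    dest_real = os.path.realpath(dest)
    rejected = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            inside = os.path.commonpath([dest_real, target]) == dest_real
            if not is_safe_member(info.filename) or not inside:
                rejected.append(info.filename)
                continue
            zf.extract(info, dest_real)
    return rejected


def build_sample_archive() -> bytes:
    """Constructed archive: one benign member and three hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign\n")
        zf.writestr("/etc/cron.d/evil", "* * * * * root id\n")          # absolute path
        zf.writestr("../../.ssh/authorized_keys", "ssh-ed25519 AAAA\n")  # relative traversal
        zf.writestr("C:\\Windows\\win.ini", "[boot]\n")                   # drive letter
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for name in safe_extract(build_sample_archive(), d):
            print("rejected:", name)
```

    The lexical check alone is what the advisory title points at (an absolute member name); the realpath check is the second line of defence for the case where the archive is benign but the destination already contains a symlink planted by an earlier archive.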
  18. buherator (buherator@infosec.place)'s status on Wednesday, 28-May-2025 21:12:33 JST
    [RSS] Inside GitHub: How we hardened our SAML implementation

    https://github.blog/security/web-application-security/inside-github-how-we-hardened-our-saml-implementation/
    In conversation about a year ago from infosec.place

    Attachment: Inside GitHub: How we hardened our SAML implementation
      from Greg Ose
      See how we addressed the challenges of securing our SAML implementation with this behind-the-scenes look at building trust in our systems.
  19. buherator (buherator@infosec.place)'s status on Sunday, 18-May-2025 04:59:41 JST
    • Devine Lu Linvega
    This could be us but you vibe coding

    https://suberic.net/~dmm/projects/mystical/README.html

    h/t @neauoire
    In conversation about a year ago from infosec.place

    Attachment: https://media.infosec.place/infosec-place/88b499a5a769f70a10ea488539bd62a110eb59fd208a78b66c06ea7bfa21028b.png
    Attachment: Mystical
  20. buherator (buherator@infosec.place)'s status on Thursday, 15-May-2025 04:47:07 JST
    • buherator
    "Are Pinky and the Brain still trying to take over the world? Because at this point I'm willing to hear them out."
    In conversation about a year ago from infosec.place
User

    buherator
    A drunken debugger

    Tags: (None)
    Following 0, Followers 0, Groups 0

    Statistics
    User ID: 105742
    Member since: 9 Mar 2023
    Notices: 67
    Daily average: 0
GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.