Original post on hachyderm.io
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item […]
26.02.2026 14:43
👍 33
🔁 254
💬 9
📌 8
Paged Out zine #8
pagedout.institute ->
19.02.2026 19:52
👍 1
🔁 2
💬 0
📌 0
You can grab the latest copy of our quarterly security research roundup at thinkst.com/ts ¹
For this issue, we selected work from over 1,370 talks & 1,200 blog posts.
Available as PDF, ePUB (or audio highlights)
__
¹ As always, completely free
16.02.2026 14:12
👍 2
🔁 4
💬 0
📌 0
What is happening in the United States is horrible. Half of the Americans are on the right side, and it is the side that can restore and make the country sane again. Act now (without getting killed), do what you can to fix this mess. Get back your country.
25.01.2026 16:20
👍 33
🔁 1
💬 2
📌 0
We have exciting news to share. Compass folks made the Alpine car infotainment system run arbitrary code and earned 10'000 USD. 🎉🎉🎉
21.01.2026 06:22
👍 8
🔁 4
💬 2
📌 0
Confirmed! Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) exploited one exposed dangerous method/function bug on the Alpine iLX-F511, winning Round 2 for $10,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
21.01.2026 04:16
👍 3
🔁 5
💬 0
📌 1
[RSS] wtf is NS_ERROR_INVALID_CONTENT_ENCODING? investigating shared dictionaries and ChatGPT breakage in Firefox
joshua.hu ->
16.01.2026 18:44
👍 0
🔁 1
💬 0
📌 0
America’s Strategic Alliance with Denmark and NATO
A statement by 14 former officials in Democratic and Republican Administrations—including four NATO Ambassadors, 3 Assistant Secretaries of State for Europe, and 3 NSC Senior Directors
Joint statement by 4 former officials in Democratic and Republican Administrations—including four NATO Ambassadors, 3 Assistant Secretaries of State for Europe, and 3 NSC Senior Directors.
Excellent opening in particular.
11.01.2026 18:09
👍 909
🔁 393
💬 44
📌 41
If Seatbelt Guidance Worked Like Cybersecurity Guidance
scribe.rip ->
11.01.2026 09:55
👍 1
🔁 1
💬 0
📌 0
Bloomberg's X account has more than 800k followers. Their most recent post was shared five times
It would basically come at close to zero cost for outlets like Bloomberg to delete their X accounts, and "We don't want to use a non-consensual deepfake abuse app as a comms platform" is a fine excuse
07.01.2026 07:18
👍 3159
🔁 824
💬 34
📌 24
I hope the Danes and the other European forces are training in guerrilla warfare as that always works against the USA, especially on hostile territory (cf. Greenland).
06.01.2026 10:05
👍 3
🔁 1
💬 0
📌 0
The European Cloud Situation at the end of 2025 - Bert Hubert
As the year draws to an end now is a good time to review where we are with Europe’s cloud situation, and what has been achieved. One thing is certain, a lot has happened, and also quite a lot has beco...
So, what did we achieve for 🇪🇺's cloud situation in 2025? It is now crystal clear our governments can't continue to run on 🇺🇸 clouds. Yet even now, neither buyers nor sellers of cloud tech in 🇪🇺 sense the urgency. Below I elaborate & discuss an unorthodox way out of this mess: berthub.eu/articles/pos...
23.12.2025 10:39
👍 56
🔁 29
💬 2
📌 1
Fuzzing and AFL++
YouTube video by Compass Security
In a new video, Nicolò @rationalpsyche.bsky.social walks through how to fuzz with AFL++, how to pick targets, avoid common pitfalls, and boost effectiveness. Find performance tips, fuzzing theory, and AFL++ internals.
Watch here: youtu.be/L5Tin7m5sbE?...
#security #fuzzing #AFLplusplus #appsec
16.12.2025 08:38
👍 3
🔁 2
💬 0
📌 0
Super interesting and highly recommended.
There's so much to unpack that I bookmarked it for a second read.
11.12.2025 22:08
👍 5
🔁 2
💬 1
📌 0
NTLM relay works against HTTPS if channel binding is missing. Our new blog post explains why, shows how tooling evolved, and highlights defensive measures.
blog.compass-security.com/2025/11/ntlm...
26.11.2025 09:53
👍 3
🔁 3
💬 0
📌 0
We still need to get from a situation where Russia pretends to negotiate to a situation where they need to negotiate.
Extract from my press remarks following today’s informal Foreign Affairs Council ↓
26.11.2025 14:54
👍 1839
🔁 548
💬 63
📌 50
#Finland will begin to #Russia-proof its rail network, integrate with EU train infrastructure.
The Finnish government has announced the conversion of its rail network from Russian gauge (1,524 mm) to European standard (1,435 mm).
www.trenvista.net/en/news/flas...
23.11.2025 16:11
👍 383
🔁 51
💬 14
📌 32
Burp’s command palette
Burp now has a command palette (similar to the one in VS Code) 🥳
portswigger.net/cms/images/4...
14.11.2025 13:07
👍 3
🔁 2
💬 1
📌 0
I Want You to Understand Chicago
Politics Chicago
2025-11-08
I want you to understand what it is like to live in Chicago during this time.
Every day my phone buzzes. It is a neighborhood group: four people were kidnapped at the corner drugstore. A friend a mile away sends a Slack message: she was at the scene when masked men assaulted and abducted two people on the street. A plumber working on my pipes is distraught, and I find out that two of his employees were kidnapped that morning. A week later it happens again.
An email arrives. Agents with guns have chased a teacher into the school where she works. They did not have a warrant. They dragged her away, ignoring her and her colleagues’ pleas to show proof of her documentation. That evening I stand a few feet from the parents of Rayito de Sol and listen to them describe, with anguish, how good Ms. Diana was to their children. What it is like to have strangers with guns traumatize your kids. For a teacher to hide a three-year-old child for fear they might be killed. How their relatives will no longer leave the house. I hear the pain and fury in their voices, and I wonder who will be next.
Understand what it is to pray in Chicago. On September 19th, Reverend David Black, lead pastor at First Presbyterian Church of Chicago, was praying outside the ICE detention center in Broadview when a DHS agent shot him in the head with pepper balls. Pepper balls are never supposed to be fired at the head because they can seriously injure, or even kill. “We could hear them laughing as they were shooting us from the roof,” Black recalled. He is not the only member of the clergy ICE has assaulted. Methodist pastor Hannah Kardon was violently arrested on October 17th, and Baptist pastor Michael Woolf was shot with pepper balls on November 1st.
Understand what it is to sleep in Chicago. On the night of September 30th, federal agents rappelled from a Black Hawk helicopter to execute a raid on an apartment building on the South Sho…
Kyle Kingsbury is not a journalist. He is not an op-ed writer.
He is a computer safety researcher.
And he has written one of the most compelling, comprehensive accounts of the ongoing hell in Chicago that you could possibly imagine.
In under 1600 words.
aphyr.com/posts/397-i-...
09.11.2025 20:49
👍 10354
🔁 5680
💬 119
📌 338
How My Reporting on the Columbia Protests Led to My Deportation
As an Australian who wrote about the demonstrations while on campus, I gave my phone a superficial clean before flying to the U.S. I underestimated what I was up against.
It's important for Europeans, and others from visa-waiver countries, to understand they don't have freedom of speech rights when visiting the United States.
The Trump regime is still deporting visitors for critical comments made online, because they can.
05.11.2025 08:05
👍 46
🔁 20
💬 1
📌 0
Update to our Terms and data use | LinkedIn Help
Starting Monday LinkedIn will begin using data from your profiles/posts to train AI. If you live in EU/EEA/Switzerland/Canada/Hong Kong your data is subject to being used this way, but you can opt out. Go to Settings/Privacy/Data for Generative AI Improvement and toggle the switch to off
30.10.2025 16:13
👍 23
🔁 24
💬 1
📌 1
Day to day: the user experience of getting a direct answer for simple things compared to scrolling a bloated blog post, with ads and cookie banners. It would be better to solve the state of the web but hey, it's a workaround.
30.10.2025 22:41
👍 0
🔁 0
💬 0
📌 0
Great work guys!!
22.10.2025 18:55
👍 1
🔁 0
💬 0
📌 0
#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...
21.10.2025 11:38
👍 7
🔁 3
💬 0
📌 0
pagedout.institute ← we've just released Paged Out! zine Issue #7
pagedout.institute/download/Pag... ← direct link
lulu.com/search?page=... ← prints for zine collectors
pagedout.institute/download/Pag... ← issue wallpaper
Enjoy!
Please please please share to spread the news - thank you!
04.10.2025 10:40
👍 19
🔁 17
💬 1
📌 3
Study of the European Commission: Survey on the Governance and Sustainability of Critical Open Source Software
The @EUCommission would like to hear your views on the governance and sustainability of critical open source software. The survey closes October 5th.
https://ec.europa.eu/eusurvey/runner/FOSSEPS_Governance_and_Sustainability_Survey
#OpenSource #Governance #Sustainability
30.09.2025 14:23
👍 1
🔁 22
💬 0
📌 0