HackerTrans
TopNewTrendsCommentsPastAskShowJobs

gquere

no profile record

Submissions

VulnLLM-R: Specialized Reasoning LLM with Agent Scaffold for Vuln Detection

arxiv.org
1 points·by gquere·6 เดือนที่ผ่านมา·1 comments

[untitled]

1 points·by gquere·2 ปีที่แล้ว·0 comments

Breaking Down Multipart Parsers: File upload validation bypass

blog.sicuranext.com
1 points·by gquere·2 ปีที่แล้ว·0 comments

A case of missing bytes: bruteforcing your way through Jenkins' CVE-2024-23897

errno.fr
1 points·by gquere·2 ปีที่แล้ว·0 comments

comments

gquere
·4 เดือนที่ผ่านมา·discuss
RDP2 has been cracked by glitching. You first need to downgrade RDP2 to RDP1 then do the RDP1 bootloader glitch. It's not exactly easy but it's well documented and can be done given enough time. Though the STM32F4 targets do have a high chance of bricking during this attack.
gquere
·4 เดือนที่ผ่านมา·discuss
First I'd like to point out that "Decryptor" is an ill-chosen term: there's no encryption mechanism here, RDP is a software lock based on an internal flash state.

This dongle is very likely to be this original attack https://github.com/JohannesObermaier/f103-analysis/tree/mast... but now packaged. If you want to read more this repo has the best doc: https://github.com/CTXz/stm32f1-picopwner. It's a multi-step attack where a payload is executed from persisted SRAM (RDP1 means you can read/write to it) after a quick reset. The fact that they mention freezing the chip heavily weighs in that direction since it's needed for higher clock chips.
gquere
·6 เดือนที่ผ่านมา·discuss
I've tried this locally on a known-vulnerable piece of software using the hugginface Q8 model + llama. It did find the vuln when given the entrypoint in the lib and user-controlled buffer. Otherwise it produced false positives.
gquere
·9 เดือนที่ผ่านมา·discuss
AFAIK you don't need a credit card linked to the account, you can get in-store credit from selling the guaranteed drop items from playing a few matches, this is enough to get you started trading.
gquere
·9 เดือนที่ผ่านมา·discuss
Read up on the story, look at the influencers promoting it and the ecosystem that grew around it. Valve is willfully running a casino for underage and have bypassed local laws that protect against this using technicalities. It's frightening.
gquere
·9 เดือนที่ผ่านมา·discuss
I didn't downvote you (my account is low reputation) but your argument is weak: that some skins go for absurd amount of money says nothing of the rest of the ecosystem. There can both be children and drug dealers (ab)using the same "gaming" mechanics.
gquere
·9 เดือนที่ผ่านมา·discuss
They're running an online casino directed at children and have made specific adaptations to bypass legal regulations in several countries.
gquere
·9 เดือนที่ผ่านมา·discuss
They did this to take a bigger cut of the market because most trades happened off-platform. This new update ensures that they will sell more of their new items through their shop (contract cases) because it's going to be the only way to get the red items to fuses into "valuable" knives. They're rotten to the core.
gquere
·9 เดือนที่ผ่านมา·discuss
Look at the "meta-"game mechanics: you play a few games, you get a guaranteed case drop. This circa $3 case could contain anything, a $0.2 skin or a rare $2500 knife. When you open it a casino-like wheel goes over all the items and selects one randomly. There are hundreds of YT/twitch channels that open cases all day long and their target audience is children. It's gambling, and it's gambling for children.
gquere
·9 เดือนที่ผ่านมา·discuss
I doubt it's going to change anything, this manipulated market will adapt and continue to extract money from kids. The cynic in me could even say that this change was pushed by Valve to take a bigger cut of the skin market (most trades are supervised by 3d parties). Coffeezilla investigated one of the many casino sites, there's a lot more to it.
gquere
·9 เดือนที่ผ่านมา·discuss
It doesn't "feel" like gambling, it's straight 100% the exact same thing but it's designed in a way that bypasses the legal words.
gquere
·2 ปีที่แล้ว·discuss
On company laptops this isn't always true, for instance here's the spec sheet of the ThinkPad T14 (this seems to be true for all ThinkPad models): https://www.lenovo.com/fr/fr/p/laptops/thinkpad/thinkpadt/th...

Where it states: Module dTPM 2.0 (Discrete Trusted Platform Module)

Same for HP EliteBook and ProBooks: https://h20195.www2.hp.com/v2/GetPDF.aspx/c08049273.pdf
gquere
·2 ปีที่แล้ว·discuss
Technically bcrypt isn't a KDF.
gquere
·2 ปีที่แล้ว·discuss
There are already a bunch of studies showing that the ozempic causes massive muscle loss and lessens bone density. And before anyone remarks "just do resistance training", I doubt the people that take the easy solution will do it in conjunction.
gquere
·2 ปีที่แล้ว·discuss
On RHEL it's installed but it's not enabled by default.
gquere
·2 ปีที่แล้ว·discuss
The article advocates for even more market fragmentation? Even though that isn't the issue at all?
gquere
·2 ปีที่แล้ว·discuss
There's supposedly a fix being deployed (https://x.com/George_Kurtz/status/1814235001745027317). Since it's a channel update I'm assuming that it would be downloaded automatically? Has anyone received it yet? Does the garbage driver disappear or is it replaced?

Edit: got in touch with an admin:

C-00000291-00000000-00000029.sys SHA256 1A30..4B60 is the bad file (timestamp 0409 UTC)

C-00000291-00000000-00000030.sys SHA256 E693..6FAE is the fix (timestamp >= 0527 UTC)

Do not rely on the hashes too much as these might vary from org to org I've read.
gquere
·2 ปีที่แล้ว·discuss
Was there a way to not enable these channel updates? If so, would you still check all the mandatory security measures when being audited?
gquere
·2 ปีที่แล้ว·discuss
There totally is authenticated RCE, for instance a PHP page that contains a RCE but needs a prior authentication to access the resource.

All RCEs are classified in either unauthenticated or authenticated, the former being the worst (or best if you're a researcher/hacker).
gquere
·2 ปีที่แล้ว·discuss
This will never be accepted by the community.