FR/EN
Account dedicated to #Offsec/#Infosec/digital stuff
Involved in
#UnifiedPush #MollyIm
| Github | https://github.com/p1gp1g |
| Codeberg | https://codeberg.org/s1m/ |
| Liberapay | https://liberapay.com/S1m/ |
| Blog | https://s1m.fr |
In today's episode of "Can It Run Doom": DNS fucking TXT records.
Some absolute madlad (cough Adam Rice cough) compressed the entire shareware DOOM WAD, split it into around 1,964 chunks, shoved them into Cloudflare TXT records, and wrote a PowerShell script that reassembles and runs the whole goddamn game from DNS queries alone. Nothing touches disk. The DLLs are in DNS. THE FUCKING DLLS ARE IN DNS.
RFC 1035 was written in 1987. Those engineers are spinning in their graves fast enough to generate municipal power.
Bonus: this is a fully functional globally-distributed covert data exfil channel that your NGFW will never fucking see if you're not doing deep DNS inspection. Sleep well.
blog: https://blog.rice.is/post/doom-over-dns/
repo: https://github.com/resumex/doom-over-dns
Also lmao @ every blue team that has never once looked at their DNS query volume. How's that DLP policy working out for you.
It was always DNS.
Apps should only resort to this if they're forced to do it. Root-based attestation provides minimal security and is easy to bypass. It's inherently insecure due to trusting the weakest security systems. A leaked key from the TEE/SE on any device can be used to spoof attestations for any device.
Play Integrity permits a device with years of missing security patches. It isn't a legitimate security feature. It checks for a device in compliance with Google's Android business model, not security.
🎉 The critical amendment 34 (rejecting automated assessment of unknown photos and texts) PASSED by ONE vote, paving the way for the extension of Chat Control 1.0 to be overwhelmingly REJECTED!
Initial analysis by @echo_pbreyer : https://www.patrick-breyer.de/en/end-of-chat-control-eu-parliament-stops-mass-surveillance-in-voting-thriller-paving-the-way-for-genuine-child-protection/
You did it! 🥳
European Parliament just decided that Chat Control 1.0 must stop.
This means on April 6, 2026, Gmail, LinkedIn, Microsoft and other Big Techs must stop scanning your private messages in the EU. #PrivacyWins 💪
#Microsoft sent an email to everyone saying they're listening to people now and they will definitely not pushing AI to everything anymore.
Also Microsoft enabled #github to collect all your "inputs, outputs and associated context to train and improve AI models". This new tickbox is enabled by default, even if you explicitly disabled Copilot before.
Actions speak louder than words.
You can disable the option at https://github.com/settings/copilot/features
We are now officially using @forgejo! The Fedora Forge is ready for contributors to start migrating to. Cutoff for switching from Pagure is by Flock to Fedora 2026.
New chapter :)
➡️ https://communityblog.fedoraproject.org/the-forge-is-our-new-home/
Day 4. A response, finally. The usual clown message: Review failed. Well, the "clown message" is the one in the attached graphic: They don't know themselves. Something something link, but they don't know which. Or, in other words: "These URLs host malware or unwanted software downloads: None". 🤦♂️
If that's how reliable their services are, maybe they should NOT hold the keys to the entire Internet (and app stores)? 🤔
Team KeePassXC
k3ym𖺀
GrapheneOS
Fight Chat Control
Tuta
Harry Sintonen
Fedora Project
Izzy
LWN.net