FR/EN
Account dedicated to #Offsec/#Infosec/digital stuff
Involved in
#UnifiedPush #MollyIm
| Github | https://github.com/p1gp1g |
| Codeberg | https://codeberg.org/s1m/ |
| Liberapay | https://liberapay.com/S1m/ |
| Blog | https://s1m.fr |
In today's episode of "Can It Run Doom": DNS fucking TXT records.
Some absolute madlad (cough Adam Rice cough) compressed the entire shareware DOOM WAD, split it into around 1,964 chunks, shoved them into Cloudflare TXT records, and wrote a PowerShell script that reassembles and runs the whole goddamn game from DNS queries alone. Nothing touches disk. The DLLs are in DNS. THE FUCKING DLLS ARE IN DNS.
RFC 1035 was written in 1987. Those engineers are spinning in their graves fast enough to generate municipal power.
Bonus: this is a fully functional globally-distributed covert data exfil channel that your NGFW will never fucking see if you're not doing deep DNS inspection. Sleep well.
blog: https://blog.rice.is/post/doom-over-dns/
repo: https://github.com/resumex/doom-over-dns
Also lmao @ every blue team that has never once looked at their DNS query volume. How's that DLP policy working out for you.
It was always DNS.
Apps should only resort to this if they're forced to do it. Root-based attestation provides minimal security and is easy to bypass. It's inherently insecure due to trusting the weakest security systems. A leaked key from the TEE/SE on any device can be used to spoof attestations for any device.
Play Integrity permits a device with years of missing security patches. It isn't a legitimate security feature. It checks for a device in compliance with Google's Android business model, not security.
馃帀 The critical amendment 34 (rejecting automated assessment of unknown photos and texts) PASSED by ONE vote, paving the way for the extension of Chat Control 1.0 to be overwhelmingly REJECTED!
Initial analysis by @echo_pbreyer : https://www.patrick-breyer.de/en/end-of-chat-control-eu-parliament-stops-mass-surveillance-in-voting-thriller-paving-the-way-for-genuine-child-protection/
You did it! 馃コ
European Parliament just decided that Chat Control 1.0 must stop.
This means on April 6, 2026, Gmail, LinkedIn, Microsoft and other Big Techs must stop scanning your private messages in the EU. #PrivacyWins 馃挭
#Microsoft sent an email to everyone saying they're listening to people now and they will definitely not pushing AI to everything anymore.
Also Microsoft enabled #github to collect all your "inputs, outputs and associated context to train and improve AI models". This new tickbox is enabled by default, even if you explicitly disabled Copilot before.
Actions speak louder than words.
You can disable the option at https://github.com/settings/copilot/features
C'est pourquoi il y a aussi des permissions par site web. Si on en a besoin, c'est bien de pouvoir le faire m锚me sur un OS libre des services Google. Mais rien n'oblige 脿 utiliser bien sur! Par exemple, je dev UnifiedPush mais d茅sactive souvent certaines notifs sur des applis
C'est possible que l'absence de param猫tre est l'origine du bug, l'option serait activ茅e par d茅faut m锚me si on n'a pas de service push
Team KeePassXC
k3ym饢簚
GrapheneOS
Fight Chat Control
Tuta
Harry Sintonen