jstnkndy
jstnkndy.bsky.social
Infosec professional, beverage snob, and fantasy book consumer. Vice President @ Atredis Partners. Forever terrified of Kithicor.
Reposted by jstnkndy
We took WPScan's one-liner #security advisory for CVE-2025-9501 affecting the W3 Total Cache plugin for #WordPress, analysed its cache parsing internals and built a pre-auth RCE exploit for it 😎

www.rcesecurity.com/2025/11/expl...

#infosec
Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress (CVE-2025-9501) | RCE Security
www.rcesecurity.com
November 19, 2025 at 5:33 PM
Reposted by jstnkndy
We sold out of our GA tickets in 15 seconds 🤯

For students: Thanks to our community sponsors, our DistrictCon Scholars' Program application is open!

For anyone else passionate about DisCo: Volunteer with us!

You can also join our waitlist on Eventbrite! All info here:

www.districtcon.org/tickets
DistrictCon Tickets — DistrictCon
www.districtcon.org
November 17, 2025 at 4:41 PM
Got mine! That was stressful 😅

Looking forward to seeing you all there!
November 16, 2025 at 5:03 PM
Reposted by jstnkndy
Looking for a good tutorial on debugging with Ghidra. I want to set breakpoints, change flow, and modify memory values.

Is that possible?
November 14, 2025 at 3:04 PM
Reposted by jstnkndy
Let's Hack Something Cute! A Reverse Engineering Journey into the Drawbot with Jessie www.atredis.com/blog/2025/9/...
Drawbot: Let’s Hack Something Cute! — Atredis Partners
The Target A few months ago I realized I was overdue for a fun, quirky hardware project. Every so often I like to see what new and interesting electronic children's toys are out there. When looking,…
www.atredis.com
November 13, 2025 at 8:40 PM
I've been following the @xbow.com stuff for a while now and have been really impressed by their blog posts and findings, so I'm extremely surprised/disappointed by the poor quality of their sample report on their new on-demand pentest offering at xbow.com/pentest for a lot of reasons.
Web Application Penetration Testing at AI Speed | XBOW
XBOW delivers web application penetration testing at AI speed; autonomous and validated with real exploit evidence in days.
xbow.com
November 13, 2025 at 6:25 PM
This whole system is fucked.
November 10, 2025 at 2:39 PM
Reposted by jstnkndy
every AI ad is like

“hey gemini, what would i have for lunch?”

and then the phone is like

“sandwich”

and the guy is like

“wow”
September 25, 2025 at 4:59 PM
Reposted by jstnkndy
I have a close friend who spent the last 15 years as an ETL developer and whose department was recently laid off (jobs were outsourced). If anyone has or knows of any openings, this guy is intelligent, personable, and overall a great person, and I'd love to put you in touch.

Reposts appreciated!
August 12, 2025 at 1:55 AM
Reposted by jstnkndy
Y'all fantastic news! Save the date, @blackhoodie.bsky.social will be at @districtcon.bsky.social this year 😱 the fantastic crew has offered to host us for a day of Malware Reverse Engineering! @synapticrewrite.bsky.social and myself will be hosting a training for women by women on January 23rd!!
October 26, 2025 at 7:37 PM
Reposted by jstnkndy
POLLS ARE NOW OPEN.

Find out where you early vote ⬇️ 🗳️
findmypollsite.vote.nyc
October 25, 2025 at 1:08 PM
Reposted by jstnkndy
Day 2 of #Pwn2Own Ireland is in the books. So far, we've awarded $792,750 for 56 unique 0-days. Tomorrow could be even better with more Samsung, a Meta Quest entry and that big WhatsApp entry still lingering. Here's the current Master of Pwn leader board. See you tomorrow!
October 22, 2025 at 6:31 PM
Reposted by jstnkndy
HTTP is supposed to be stateless, but sometimes... it isn't! Some servers create invisible vulnerabilities by only validating the first request on each TCP/TLS connection. I've just published a Custom Action to help you detect & exploit this - here's a narrated demo:
youtu.be/BAZ-z2fA8E4
HTTP is supposed to be stateless...
YouTube video by PortSwigger
youtu.be
October 22, 2025 at 2:06 PM
Pop a vendor website, replace their /.well-known/security.txt with your own rogue contact info, and wait for the bugs to roll in.
October 20, 2025 at 7:41 PM
Reposted by jstnkndy
Junkyard closes on Friday, Oct 24 at Midnight!!!
Submit here: www.districtcon.org/junkyard
October 20, 2025 at 2:26 PM
Reposted by jstnkndy
😍 Boston, you are beautiful. #NoKings
October 18, 2025 at 5:22 PM
Wow the Nexpose user interface is horrible these days, eh? Absolutely fucking terrible.
October 14, 2025 at 7:48 PM
Reposted by jstnkndy
y2038 progress retr0.id/stuff/2038/
October 13, 2025 at 11:12 PM
Reposted by jstnkndy
It has been about two decades since I last needed/used one, but is there any modern KVM switch that works with Macs properly? Lost faith in a wide screen Picture in Picture monitor, so hope the KVM world is better.
October 1, 2025 at 11:09 AM
Reposted by jstnkndy
Another day, another Remote Code Execution (and its 3 friends).

Pre-auth path traversal, hard-coded crypto key allowing cookie forgery, arbitrary file write, and PII disclosure in TRUfusion Enterprise (CVE-2025-27222 to CVE-2025-27225) #security

www.rcesecurity.com/2025/09/when...
When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise | RCE Security
www.rcesecurity.com
September 30, 2025 at 3:43 PM
Reposted by jstnkndy
I'd have jumped on this before my Echo Show started showing ads I couldn't disable. Hope the revenue was worth the customer trust.
Amazon unveils the $220 Echo Studio, its high-end speaker for audiophiles, 8" and 11" Echo Show for $180 and $220, and the $100 Echo Dot Max, all with Alexa+ (Mark Gurman/Bloomberg)
September 30, 2025 at 3:17 PM
I'm at the point where I've seen first hand production platforms running AI generated code and have found critical vulnerabilities in those platforms. We're getting to the point where the number of emojis in the code will be telling of the number of bugs.
September 30, 2025 at 11:33 AM
Reposted by jstnkndy
You've got less than 12 hrs to submit to our CFP, which closes at midnight TODAY ⏰

sessionize.com/districtcon
DistrictCon Year 1: Call for Sessions
Empowering Hackers Across Industries to do Cool Shit. DistrictCon is a DC hacker con, focusing on hacking together and exchanging ideas over typical t...
sessionize.com
September 28, 2025 at 4:38 PM
Reposted by jstnkndy
"we take your privacy. seriously."
September 25, 2025 at 7:27 PM