The Tarlogic claim of backdoor functions in the ESP32 Bluetooth firmware seem overblown. The features they identified require privileged code execution and are helpful for improving open source software for these devices.
Useful resources:
- https://darkmentor.com/blog/esp32_non-backdoor/
- https://x.com/naehrdine/status/1898703255883886909
- https://esp32-open-mac.be/ (WiFi, not BT, but similar work)
Hanno Böck (of badkeys.info among other projects) posted an interesting article about OpenID Connect implementations that mix up their public and private keys: https://blog.hboeck.de/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html
It doesn't look like Chris Hadnagy's lawsuit against DEF CON is going well: https://www.reddit.com/r/Defcon/comments/1ivo7x0/hadnagy_vs_defcon_et_al_motion_for_summary
>Hadnagy complains that Def Con’s statements harmed his reputation. But a person earns their reputation, good or bad, through their actions.
Congratulations to Charles Blas for winning the runZero hacktop raffle at CruiseCon 2025! This is a GPD Pocket 3 running Ubuntu Mate, preloaded with a fully licensed, offline version of the runZero Platform. You can find pictures and Charle's take at: https://www.linkedin.com/posts/charlesblas_cruisecon2025-activity-7298351951610552320-TD4m/
The DeepSeek mobile app does some really silly things, like plain-text HTTP for the registration sequence. Great reverse-engineering and analysis by NowSecure! https://arstechnica.com/security/2025/02/deepseek-ios-app-sends-data-unencrypted-to-bytedance-controlled-servers/
This is still one of my favorite photos from DEF CON 9 (2001). It was taken with an actual film camera from behind the security desk (and about a foot from the staff) in the Imperial Palace. The "diskette" warning is about the Keno machine, the 3.5" floppy contained the random seed for the day. The alarm codes speak for themselves =D
The first episode of Where Warlocks Stay Up Late is out!
https://www.youtube.com/watch?v=7IHKRzGQeog
>Digital Jesus/o.0, aka Matt Harrigan, turned a telecommunication product release into a 0-day, tipped off drug dealers about government surveillance, and emerged as a cybersecurity founder and CEO.
Great update from Stefan Viehböck on VxWorks’ password hashing (and 6.x EoL): https://sec-consult.com/blog/detail/a-missed-opportunity-addressing-weak-password-hashing-in-vxworks/
Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel: https://samcurry.net/hacking-subaru (via @samwcyo )