Give Me Liberty or Linux, Badge Hacking Interview – Bryce Owen – PSW #901
In the security news:
- Cloudflare was down, it was not good
- Logitech breached
- The largest data breach in history?
- Fortinet Fortiweb - the saga continues
- Hacking Linux through your malware scanner, oh the irony
- I never stopped hating systemd
- The ASUS exploit that never existed
- If iRobot fails, can we deploy our own hacker bot army?
- Threat actors deploy Claude Code
- Remembering the Viasat hack and why we can't have nice things
- Hacking re-entry sensors
- Sending signals in the wrong direction
- A File Format Uncracked for 20 Years
- And 2026 is the year of the Linux desktop!
Then, high school junior Bryce Owen joins us to discuss how he created the "Space Badge"!
Bryce is a high school junior with impressive experience in cybersecurity and hardware hacking. He is the creator of the SpaceBadge from DefCon 33, which has been celebrated at multiple cyber conferences across the country. He also serves as president of his school’s CyberPatriot club and captain of their national team, placing 8th in the country at the March 2025 CyberPatriot 17 finals in Washington, DC.
Bryce isn’t just competing in cybersecurity; he’s earning certifications too! He has already earned his GIAC GFACT, CompTIA ITF+ and CompTIA Network+ certifications, with Security+ slated for the end of this school year.
When he isn’t doing cybersecurity, you’ll find him soldering hardware, developing traditional and VR games, programming in multiple languages, or prepping a 3D printer to create something new.
Paul Asadoorian
- Why I Stopped Hating Systemd
"The author describes an initial resistance to systemd, driven by concerns over loss of control, simplicity, and adherence to Unix philosophy, but ultimately comes to appreciate its ability to manage complexity on modern Linux systems." - I still hate systemd, but maybe I need to give it another shot...
- ASUS warns of critical auth bypass flaw in DSL series routers
Digging into this one, there are indicators that an exploit exists, e.g. CISA Vulnrichment lists a PoC available; however, when I track it down, all I got was this: "Bypass: Use alternate auth path (details in ASUS advisory)" - There are no details in the ASUS advisory, which is an understatement. Time to patch diff and find the actual vulnerability! It is interesting that CISA indicates a PoC exists, but in their enrichment data, they do not provide any evidence. Are we just supposed to trust them?
- If IRobot Falls, Hackers Are Ready To Wrangle Roombas
"In short, folks like us have little to fear should the Roomba Apocalypse come to pass. Between the years of existing projects demonstrating how the older bots can be modified, and the current — and future — software being developed to control the newer Internet-aware Roombas over the local network, we’ve got pretty much all the bases covered." - Great guide to hacking the Roomba devices, sharing concerns that the company may fold and leave all of the devices in a state where they cannot connect to the cloud. This may spawn even more hacking of the devices, which makes me wonder how we can modify these devices to do more than just vacuum or mop the floor. What type of security-related projects could you think of for these devices? Have it run around the house and provide telemetry on Wifi and Bluetooth signals and devices? Wander around and look for Wifi or BT attacks?
- Reverse Engineering Yaesu FT-70D Firmware Encryption
Reversing firmware is hard. Reversing firmware that is embedded into a Windows installer binary can also be challenging. To make matters worse, the firmware was encrypted. Fortunately the author was able to get it sorted and distribute the code to decrypt the firmware on Github. I love it when security researchers win and share their findings, great article on reversing.
- Critical Imunify360 Vulnerability Exposes Millions of Linux-Hosted Sites to RCE Attacks
To answer your first question: "Imunify360 AV is a malware scanning system designed specifically for Linux web servers, widely used by web hosting providers and server administrators to detect and remove malware from servers. It serves as a security layer for server environments that host websites, providing automated malware detection, scanning, and reporting, and is commonly integrated into popular server control panels like cPanel, Plesk, and DirectAdmin." - Next, there was no CVE issued and the company quietly made a post about it on the support forum, not good. This is also not good: "When processing malicious files, the deobfuscator can invoke dangerous PHP functions, including system(), exec(), shell_exec(), passthru(), and eval(), enabling arbitrary command execution and a complete compromise of the hosting environment. Attackers can embed specially crafted obfuscated PHP code that triggers Imunify360 AV’s deobfuscation signatures." I have more bad news: "By default, the scanner runs as a service with root privileges". More details here: https://patchstack.com/articles/remote-code-execution-vulnerability-found-in-imunify360/
- Researchers question Anthropic claim that AI-assisted attack was 90% autonomous
Hey look how awesome Claude is, attackers used it to be 90% autonomous. After detecting a security event, this is the wrong time to market your company and products. Just stop that.
- Viasat and the terrible, horrible, no good, very bad day
This was a bad day: "on Feb. 24, 2022, just hours before Russia’s invasion of Ukraine, a cyber attack targeted Viasat’s KA-SAT satellite network. The attackers exploited a vulnerability in a VPN appliance, gaining access to the network’s management systems. They then deployed a wiper malware called AcidRain, which was designed to erase data on modems and routers across Europe. Satellite communications were disrupted for thousands of users in Ukraine, but surprisingly, beyond Ukraine’s borders, approximately 5,800 Enercon wind turbines in Germany lost connectivity for remote monitoring and control." - What is still frustrating with this security event, and so many others, is this: "I keep discovering that there are always gaps in the story. I didn’t get all my questions answered because companies guard details, official statements leave out key information, and sometimes, even years later, we’re still piecing things together. Being okay with that is a tall order for people who scour logs looking for a needle in a stack of needles. But when attacks are raining down, customers aren’t asking you to send a flawless analysis. They want to know what you're doing to keep them safe." - Yes, very frustrating.
- $2000 Bug Bounty to Whoever Fixes the Lenovo Legion Pro 7 16IAX10H’s Speakers on Linux
This is great, I love how bug bounties are being used today: "We are a bunch of Linux users with the Lenovo Legion Pro 7 (16IAX10H) and we are sick and tired of our speakers not working properly. We also suck at writing Linux kernel audio drivers, especially when weird things like "Awinic smart amplifiers" are involved. If you help us make sure that Linux has support for audio on our laptops, we will send you a lot of money." - What else can we crowdsource to gain some more freedoms?
- Microsoft’s Windows Reckoning: AI Backlash Fuels Linux Exodus
2026 will be the year of the Linux desktop. I am not joking this time either, here's why:
- People want privacy - They don't want data being sent to Microsoft
- People don't want AI features - It hurts performance, and the features are awful
- People don't want forced upgrades - Upgrading hardware because the OS no longer supports it is a page right out of Apple's playbook
- People don't want Ads, crapware, and a host of other features and software that come bundled with Windows
- Gaming on Linux, thanks to Valve and Proton, is really awesome today
- Apple Mac Pro computers are likely no more - Apple is all in on the Mac Studio, with no plans to refresh the Mac Pro line. People hated the trash can, but if you want the latest workstation-class hardware, don't look to Apple.
Folks are already turning to Linux, for freedom, liberty, privacy, security, performance, and no links to giant corporations that make decisions based on profit, not user experience or health.
- HackStar – An RP2040 or ESP32-S3-based USB hacking cable/dongle (Crowdfunding) – CNX Software
"We’re told the HackStar will be 100% open-source and auditable with the firmware source code, libraries, STL file, and example code to be made available after completion of the campaign. It’s also a subscription-free device family without hidden fees. The description specifically mentions support for C, C++, Python, MicroPython…" - Pretty neat, bet we could build one ourselves.
- Noooooooooo Touch!
"how inexpensive "no touch" exit sensors, commonly used for access control systems, can be easily bypassed using an infrared (IR) LED device, allowing unauthorized entry. The author describes reverse-engineering these sensors, which use IR to detect hand movements and trigger door releases, and building a portable attack tool disguised as an IR flashlight. By replicating the IR signal pattern expected by the sensor—using bursts of IR modulated at the right frequency—a determined attacker can reliably trigger the exit mechanism from outside, sometimes even at several meters away, provided they can line up the IR beam or bounce it off a nearby surface."
- Critics scoff after Microsoft warns AI feature can infect machines and pilfer data
We're too far behind on LLM security to do this: "Microsoft’s recent warning about a new AI feature integrated into Windows, known as Copilot Actions or agentic AI, has drawn strong criticism from security experts who say the company is downplaying major security risks linked to this technology. The concern centers around the ability of these AI agents to autonomously perform actions on behalf of users, which could potentially lead to the installation of malware, exfiltration of sensitive data, and novel attack vectors—particularly through prompt injection or manipulation attacks"
- 3.5B WhatsApp users’ info scooped through enumeration flaw
- By exploiting WhatsApp's phone number lookup feature and using phone numbers generated with Google's libphonenumber, researchers confirmed 3.5 billion numbers were registered on WhatsApp, well above the official user count.
- The process operated at a rate of over 100 million accounts per hour and did not trigger any blocking or meaningful rate limiting by WhatsApp at the time of testing.
- Scraped info included phone numbers, names, and, when set, profile images and text. More than 57% of accounts had a profile picture, most included detectable human faces, and 29% had text in their profile.
Jeff Man
- HOPE CONFERENCE BANNED BY ST. JOHN’S UNIVERSITY
"We've received some disturbing news from the venue of our Hackers On Planet Earth conference. We have been told that "materials and messaging" at our most recent conference "were not in alignment with the mission, values, and reputation of St. John's University" and that we would no longer be able to host our events there."
- Logitech confirms data breach
One of several companies apparently recently compromised by the Cl0p cyber extortion gang and also apparently stemming back to the Oracle E-Business Suite (EBS) vulnerabilities reported last August.
- Washington Post confirms data on nearly 10,000 people stolen from its Oracle environment
The newspaper said a “bad actor” contacted the company in late September, prompting an investigation that nearly a month later confirmed the extent of compromise.
- DoorDash Confirms Data Breach After Hackers Access Users’ Personal Data
DoorDash claims a single employee fell for a social engineering attack which led to the compromise of other personal information which might lead to other social engineering attacks.
- Princeton University Hit by Data Breach Affecting Donor Records
Princeton University has confirmed a cybersecurity incident that compromised part of its Advancement database containing details about alums, donors, and other members of the university community. The attack was detected by internal monitoring which noticed abnormal activity on the advancement database. Good job.
- Everest Ransomware Group Allegedly Exposes 343 GB of Sensitive Data in Under Armour Breach
The stolen records reportedly include customer transaction histories, user identification details, email addresses, physical addresses, phone numbers, passport information, gender data, and both professional and personal email contacts from employees across multiple countries. What is sensitive about sportswear? Transaction history? Maybe it's a PCI incident...
- 10.5M records exposed: Conduent faces massive litigation over the 8th largest healthcare data breach in U.S. history
Conduent is facing a growing wave of federal class action lawsuits after a massive data breach exposed the personal and health information of more than 10.5 million insurance customers — an incident that court filings say ranks as the eighth-largest healthcare data breach ever recorded.
- Social media ban
I learned about this from my son-in-law's sister who lives in Australia. She was talking online about how her kids and their friends are preparing to communicate with each other once the ban is in effect.
- Cloudflare outage on November 18, 2025
From the horse's mouth... "The issue was not caused, directly or indirectly, by a cyber attack or malicious activity of any kind. Instead, it was triggered by a change to one of our database systems' permissions which caused the database to output multiple entries into a “feature file” used by our Bot Management system. That feature file, in turn, doubled in size. The larger-than-expected feature file was then propagated to all the machines that make up our network."
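The failure chain Cloudflare describes (duplicate rows, a feature file that doubles in size, then fleet-wide propagation) is the kind of thing a pre-propagation gate catches. This is an added example, not Cloudflare's code; the 'name=weight' file format, the capacity of 200 features and the 50% growth threshold are assumptions chosen for illustration.

```python
# Added example (not Cloudflare's code): a gate that validates a generated
# feature file before it is pushed to the fleet. The file format is constructed:
# one 'name=weight' entry per line. The gate catches the two failure modes from
# the post-mortem: duplicate entries, and a file that has outgrown its consumer.

MAX_FEATURES = 200        # assumed fixed capacity of the consuming module
MAX_GROWTH_RATIO = 1.5    # assumed: refuse a file that grows >50% in one run


class FeatureFileError(ValueError):
    """Raised when a generated feature file must not be propagated."""


def parse_feature_file(text):
    """Parse 'name=weight' lines into a dict, rejecting duplicates and junk."""
    features = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, weight = line.partition("=")
        name = name.strip()
        if not sep or not name:
            raise FeatureFileError(f"line {lineno}: malformed entry {raw!r}")
        if name in features:
            # The symptom of a query that started returning each row more
            # than once: the same feature shows up again further down.
            raise FeatureFileError(f"line {lineno}: duplicate feature {name!r}")
        try:
            features[name] = float(weight)
        except ValueError:
            raise FeatureFileError(f"line {lineno}: bad weight for {name!r}") from None
    return features


def validate_for_propagation(new_text, previous_text=None):
    """Return parsed features if the new file is safe to push fleet-wide.

    Checks, in order: the file parses without duplicates, it fits the
    consumer's fixed capacity, and its entry count has not jumped relative
    to the last known-good file (an abrupt size change is a signal).
    """
    new = parse_feature_file(new_text)
    if len(new) > MAX_FEATURES:
        raise FeatureFileError(
            f"{len(new)} features exceeds consumer capacity of {MAX_FEATURES}")
    if previous_text is not None:
        old = parse_feature_file(previous_text)
        if old and len(new) > len(old) * MAX_GROWTH_RATIO:
            raise FeatureFileError(
                f"feature count jumped from {len(old)} to {len(new)}")
    return new


def gate(new_text, previous_text=None):
    """Wrap validation into a verdict a deploy pipeline can act on."""
    try:
        features = validate_for_propagation(new_text, previous_text)
    except FeatureFileError as exc:
        return {"propagate": False, "reason": str(exc)}
    return {"propagate": True, "count": len(features)}


def duplicate_rows(text):
    """Constructed failure: emulate a query that now returns every row twice."""
    rows = [line for line in text.splitlines() if line.strip()]
    return "\n".join(rows + rows)


# Constructed known-good file from the previous generation (120 features).
KNOWN_GOOD = "\n".join(f"feat_{i}=0.{i:02d}" for i in range(120))


if __name__ == "__main__":
    print("known-good:", gate(KNOWN_GOOD))
    print("doubled file:", gate(duplicate_rows(KNOWN_GOOD), KNOWN_GOOD))
```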
Larry Pesce
- A File Format Uncracked for 20 Years
- US spy satellites built by SpaceX send signals in the “wrong direction”
- BleepingComputer on X: “Microsoft says the Aisuru botnet hit its Azure network with a 15.72 terabits per second (Tbps) DDoS attack, launched from over 500,000 IP addresses. https://t.co/4NQvUDu1a6”
- Cloudflare outage on November 18, 2025
- New Pixel update means your RCS messages might be visible to your boss
Lee Neely
- Logitech confirms data breach
Logitech has disclosed a cybersecurity incident that resulted in the exfiltration of data. In a filing with the US Securities and Exchange Commission (SEC) as well as an ad hoc announcement as required by law in Switzerland, the Lausanne, Switzerland-based company writes that it "believes that the unauthorized third party used a zero-day vulnerability in a third-party software platform and copied certain data from the internal IT system. The zero-day vulnerability was patched by Logitech following its release by the software platform vendor." The compromised data likely include employee, customer, and supplier information. While Logitech has not identified the third-party platform it says was breached, ransomware threat actors included Logitech on a list of organizations compromised through vulnerabilities in Oracle E-Business Suite.
ERP exploits, whether Oracle EBS, SAP, or otherwise, are becoming popular. I know that your business units which rely on these systems are risk averse, as these systems keep the wheels turning; your challenge is to find a way to keep them updated. You're going to have to not only understand their regression testing requirements, but also their business cycles. This can also be used to leverage the importance of other hygiene initiatives, MFA, WAF, monitoring, etc. But, you're going to have to build a track record and (trust) relationship with them first.
- Amazon Inspector detects over 150,000 malicious packages linked to token farming campaign
Amazon Inspector security researchers have identified and reported over 150,000 packages linked to a coordinated tea.xyz token farming campaign in the npm registry. This is one of the largest package flooding incidents in open source registry history, and represents a defining moment in supply chain security, far surpassing the initial 15,000 packages reported by Sonatype researchers in April 2024.
So rather than adding malicious content, as was done in prior NPM campaigns, the attackers were exploiting the systems which reward developers for their contribution to Open Source packages. Attackers also took advantage of the package.json file, which is used to install dependencies, to install added unneeded packages, resulting in scoring for those packages as well. Grab the Amazon Inspector to detect packages tied to this campaign, and audit your existing NPM packages, removing those which don't belong or are unused.
- Ingress NGINX Retirement: What You Need to Know
To prioritize the safety and security of the ecosystem, Kubernetes SIG Network and the Security Response Committee are announcing the upcoming retirement of Ingress NGINX. Best-effort maintenance will continue until March 2026. Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered.
While Ingress NGINX is not going to be deliberately broken, the maintenance stops in March 2026 and the project is retired. That means no more bug fixes, releases or updates after that. You really need to start work to migrate to Gateway API, or another alternative from your vendors, now so you have time for testing/roll-back - I always forget we lose a few weeks due to November, December and January holidays - surprisingly, many people actually take that time off.
- CISA updates Akira Ransomware advisory
Akira ransomware is the subject of an updated advisory published jointly by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Crime Center (DC3), the Department of Health and Human Services, Europol's European Cybercrime Centre (EC3), and partnered cybercrime and security authorities in France, Germany, and the Netherlands. The advisory details up-to-date indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) to equip threat hunters against newly observed attack methods. Akira is known for targeting small and medium-sized businesses, but has also attacked larger organizations across manufacturing, education, IT, healthcare, financial services, and food and agriculture. Get the updated IoCs to your threat hunters, note the added CVEs which are being used for initial access - these are flaws in VMware, Windows, Veeam backup and SonicOS - which are from 2023 and 2024, verify patching those was ancient history and that these haven't been re-introduced.
- Google, researchers see signs that Lighthouse text scammers disrupted after lawsuit
The phishing kit Lighthouse, which has aided text scams like those soliciting victims to pay unpaid road tolls, appears to have been hampered shortly after Google filed a lawsuit aimed at its creators. Google said on Thursday that Lighthouse had been shut down.
This was an unexpectedly rapid response to the lawsuit. It's nice to see consequences from TOS violations. Even so, remain vigilant, while the domains aren't resolving and telegram channels are gone, don't assume that these guys, also known as Smishing Triad, aren't looking for a new venue to launch from.
- When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb Auth. Bypass CVE-2025-64446)
Fortinet has fixed a critical (CVSS 9.8) path traversal vulnerability (CVE-2025-64446) in multiple versions of Fortinet FortiWeb web application firewall. The flaw could be exploited "to execute administrative commands on the system via crafted HTTP or HTTPS requests." There have been reports of an actively exploited FortiWeb path traversal flaw for a month. Fortinet has now acknowledged observing active exploits of the vulnerability in the wild; the issue has been fixed in FortiWeb 8.0.2.
The flaw is being actively exploited and is in the KEV with a due date of 11/21.
WatchTowr Labs has published a detection artifact generator you can use to see if your device is vulnerable to this authentication bypass flaw. It tries to create a known user, which you then have to remove if successful.
- Eurofiber admits crooks swiped data from French unit
Eurofiber is a B2B telco, e.g., private 5G, network infrastructure, orchestration and analysis, rather than a consumer facing service. Unlike the recent DDoS attack on B2B service provider ICUK, this attack focused on systems with customer data. Note that Eurofiber has already notified affected customers, fixed the vulnerable system and implemented enhanced security measures, which is pretty impressive as the attack occurred November 13th.
- Rust Adoption Drives Android Memory Safety Bugs Below 20% for First Time
Google has disclosed that the company's continued adoption of the Rust programming language in Android has resulted in the number of memory safety vulnerabilities falling below 20% for the first time. "We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android's C and C++ code. But the biggest surprise was Rust's impact on software delivery. With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one."
Google announced the move to Rust about a year ago. They now have measurably shortened release times, increased stability and security which reinforce the value of using Rust for Android. Google is now moving to roll out the kernel, first-party applications and firmware implemented in Rust. Kernel 6.12 is the first version with Rust support, and Google is collaborating with Arm on Rusted Firmware-A. First-party apps such as MLS implementing RCS messaging in Rust and Chromium improvements are due out soon. Google Blog: https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html
Sam Bowne
- Researchers find hole in AI guardrails by using strings like =coffee
This attack targets model guardrails, which tend to be machine learning models deployed to protect other LLMs. Add enough unsafe LLMs together and you get more of the same. The technique, dubbed EchoGram, serves as a way to enable direct prompt injection attacks. It can discover text sequences no more complicated than the string =coffee that, when appended to a prompt injection attack, allow the input to bypass guardrails that would otherwise block it. EchoGram sends a list of benign and malicious words to the LLM, and scores sequences in the wordlist to determine when the model "flips"--misclassifying the words.
- A Chinese firm bought an insurer for CIA agents – part of Beijing’s trillion dollar spending spree
In 2015, the insurer, Wright USA, had been quietly purchased by Fosun Group, a private company believed to have very close connections with China's leadership. US concerns became immediately clear: Wright USA was privy to the personal details of many of America's top secret service agents and intelligence officials. No one in the US knew who might have access to that information now the insurer and its parent, Ironshore, were Chinese-owned.
- 3.5B WhatsApp users’ info scooped through enumeration flaw
The messaging platform allows users to look up others' details by inputting their phone numbers. But there's no rate-limiting, so researchers gathered user details at a rate of over 100 million accounts per hour. "To our surprise, neither our IP address nor our accounts have been blocked by WhatsApp. Moreover, we did not experience any prohibitive rate-limiting." After more than a year of nagging, Meta has apparently patched this flaw.
- New ‘IndonesianFoods’ worm floods npm with 100,000 packages
A self-spreading package published on npm spams the registry by spawning new packages every seven seconds, creating large volumes of junk. “Amazon Inspector is flagging these packages through OSV advisories, triggering a massive wave of vulnerability reports. Sonatype’s database alone saw 72,000 new advisories in a single day.” The researcher commented that IndonesianFoods does not appear to focus on infiltrating developer machines, but rather to stress the ecosystem and disrupt the world’s largest software supply chain.
- Windows 11 now supports 3rd-party apps for native passkey management
Passwordless authentication is now easier on Windows 11 through native support for third-party passkey managers, the first ones supported being 1Password and Bitwarden.
- Federal agencies not fully patching vulnerable Cisco devices amid ‘active exploitation,’ CISA warns
Federal civilian agencies are not patching vulnerable Cisco devices sufficiently to protect themselves from an exploitation campaign that began in September, the Cybersecurity and Infrastructure Security Agency (CISA) warned Wednesday. Unit 42 attributed the targeting of Cisco ASA devices to Storm-1849 — a China-based threat group that Cisco previously said has been attacking the tools since 2024.
- RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk.
The ImunifyAV malware scanner for Linux servers, used by tens of millions of websites, is vulnerable to a remote code execution vulnerability that could be exploited to compromise the hosting environment. The root cause of the flaw is AI-bolit's deobfuscation logic, which executes attacker-controlled function names and data extracted from obfuscated PHP files when trying to unpack malware for scanning it. Patched versions are available.
- All of My Employees Are AI Agents, and So Are My Executives
As a test, he made a Potemkin company. The agents made up stories about taking hikes, fabricated technical details and tests, and argued among themselves. Ash would mention user testing, add the idea of user testing to his memory, and then subsequently believe we had in fact done user testing. Megan described fantasy marketing plans, requiring hefty budgets, as if she’d already set them in motion. Kyle claimed we’d raised a seven-figure friends-and-family investment round. If only, Kyle.
- Power Companies Are Using AI To Build Nuclear Power Plants
Microsoft and nuclear power company Westinghouse Nuclear want to use AI to speed up preparation of nuclear licensing documents, from "months to minutes." This could lead to disaster, since the documents will simply be written without anyone actually reasoning and understanding safety issues.
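The Imunify360/ImunifyAV bug covered in both Paul's and Sam's notes above comes down to a deobfuscator that dispatches to function names taken from the file it is scanning. This added example (not Imunify360's or AI-bolit's code) shows the hardened shape of that step in a constructed Python deobfuscator: the eval(func('literal')) layer format, the decoder allowlist and the layer bound are assumptions for illustration.

```python
# Added example (not Imunify360's or AI-bolit's code): a constructed
# deobfuscator that peels eval(<func>('<literal>')) layers from scanned
# PHP-like text. It never resolves <func> dynamically; it dispatches only to a
# fixed allowlist of side-effect-free decoders and reports anything else as a
# finding, which is the verdict a scanner should record rather than a call.
import base64
import binascii
import codecs
import re
import zlib

# Allowlisted decoders: pure transforms of the literal, nothing touching the OS.
SAFE_DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "str_rot13": lambda s: codecs.decode(s, "rot_13"),
    "hex2bin": lambda s: binascii.unhexlify(s).decode("latin-1"),
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "strrev": lambda s: s[::-1],
}

# One wrapping layer: eval(func('literal')), literal may contain escaped quotes.
LAYER_RE = re.compile(
    r"eval\(\s*([A-Za-z_][A-Za-z0-9_]*)\(\s*'((?:[^'\\]|\\.)*)'\s*\)\s*\)")

MAX_LAYERS = 16  # assumed bound on the unwrapping work a file can demand


class UnsafeCallable(Exception):
    """The file asks the scanner to run something that is not a decoder."""


def unwrap(src):
    """Return (final_payload, functions_seen) after peeling decoder layers.

    Raises UnsafeCallable when a layer names a function outside SAFE_DECODERS
    and ValueError when a decoder fails or the layer bound is exceeded.
    """
    seen = []
    current = src
    for _ in range(MAX_LAYERS):
        m = LAYER_RE.search(current)
        if not m:
            return current, seen
        func, literal = m.group(1), m.group(2)
        seen.append(func)
        decoder = SAFE_DECODERS.get(func)
        if decoder is None:
            raise UnsafeCallable(f"refusing to dispatch to {func}()")
        try:
            current = decoder(literal)
        except (ValueError, binascii.Error, zlib.error) as exc:
            raise ValueError(f"{func}() failed on layer {len(seen)}: {exc}") from None
    raise ValueError(f"more than {MAX_LAYERS} layers; treating as hostile")


def scan(src):
    """Classify a file the way a scanner would: decoded payload or a finding."""
    try:
        payload, seen = unwrap(src)
    except UnsafeCallable as exc:
        return {"verdict": "suspicious", "reason": str(exc)}
    except ValueError as exc:
        return {"verdict": "malformed", "reason": str(exc)}
    return {"verdict": "decoded", "payload": payload, "layers": seen}


# Constructed samples (not real malware): a benign two-layer wrapper, and one
# naming a shell-executing function, the shape the advisory warns about.
INNER = "echo 'hi';"
LAYER1 = "eval(base64_decode('" + base64.b64encode(INNER.encode()).decode() + "'))"
BENIGN = "<?php eval(hex2bin('" + LAYER1.encode().hex() + "')); ?>"
HOSTILE = "<?php eval(system('id')); ?>"

if __name__ == "__main__":
    print(scan(BENIGN))
    print(scan(HOSTILE))
```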