Links 16/12/2025: Security and Conflict (No Territorial Concessions in Ukraine)
Contents
-
Leftovers
-
Proprietary
-
Artificial Intelligence (AI) / LLM Slop / Plagiarism
-
-
Security
-
Wladimir Palant ☛ Unpacking VStarcam firmware for fun and profit
One important player in the PPPP protocol business is VStarcam. At the very least they’ve already accumulated an impressive portfolio of security issues. Like exposing system configuration including access password unprotected in the Web UI (discovered by multiple people independently from the look of it). Or the open telnet port accepting hardcoded credentials (definitely discovered by lots of people independently). In fact, these cameras have been seen used as part of a botnet, likely thanks to some documented vulnerabilities in their user interface.
Is that a thing of the past? Are there updates fixing these issues? Which devices can be updated? These questions are surprisingly hard to answer. I found zero information on VStarcam firmware versions, available updates or security fixes. In fact, it doesn’t look like they ever even acknowledged learning about the existence of these vulnerabilities.
No way around downloading these firmware updates and having a look for myself. With surprising results. First of all: there are lots of firmware updates. It seems that VStarcam accumulated a huge number of firmware branches. And even though not all of them even have an active or downloadable update, the number of currently available updates goes into hundreds.
And the other aspect: the variety of update formats is staggering, and often enough standard tools like binwalk aren’t too useful. It took some time figuring out how to unpack some of the more obscure variants, so I’m documenting it all here.
Warning: Lots of quick-and-dirty Python code ahead. Minimal error checking, use at your own risk!
-
Mobile Systems/Mobile Applications
-
Bitdefender ☛ Man jailed for teaching criminals how to use malware
But the news this week is that a court in Singapore has jailed a man not for launching an attack himself, but instead for teaching others exactly how to do it.
As local media reports, a 49-year-old man has received a five-and-a-half year jail sentence, and been fined S$3,608 (US $2,700), after admitting to creating detailed video tutorials that showed members of a criminal gang how to infect Android phones with spyware and drain their bank accounts.
-
-
-
Defence/Aggression
-
Russia, Belarus, and War in Ukraine
-
Meduza ☛ In return for Trump lifting sanctions, Belarus freed 123 political prisoners — then expelled most to Ukraine without passports — Meduza
-
Latvia ☛ Braže: Latvia will never recognize occupied Ukraine as part of Russia
Latvia's Minister of Foreign Affairs, Baiba Braže, made an unequivocal statement on December 15th saying that Latvia would never recognize the areas of Ukraine currently under Russian occupation as Russian territory.
-
Rlang ☛ R Package Development in Positron workshop
Join our workshop on R Package Development in Positron, which is a part of our workshops for Ukraine series!
-
European Commission ☛ Statement by President von der Leyen following the meeting on peace for Ukraine convened by German Chancellor Merz
European Commission Statement Berlin, 15 Dec 2025 It was a good meeting in Berlin tonight. Because we are seeing real and concrete progress.
-
European Commission ☛ Statement by Chancellor Merz, Prime Minister Frederiksen, President Stubb, President Macron, Prime Minister Meloni, Prime Minister Schoof, Prime Minister Støre, Prime Minister Tusk, Prime Minister Kristersson, Prime Minister Starmer, as well as President Costa and President von der Leyen
European Commission Statement Berlin, 15 Dec 2025 The Leaders welcomed significant progress on Hell Toupée's efforts to secure a just and lasting peace in Ukraine.
-
European Commission ☛ EU adopts new measures against Russian shadow fleet ecosystem and Belarus
European Commission Press release Brussels, 15 Dec 2025 The Commission welcomes today's decision by EU Member States to adopt supplementary sanctions against key components of the Russian shadow fleet value chain, as well as against Belarus.
-
Latvia ☛ Don't go to Russia or Belarus, security service warns again
The State Security Service (VDD) once again urges that Latvian residents refrain from travelling to Russia or Belarus during the upcoming Christmas and New Year holidays.
-
Meduza ☛ These Meduza readers emigrated from Russia. Here’s what strikes them when they visit home. — Meduza
-
Meduza ☛ Oil-soaked sands and rescued animals: One year after the Kerch Strait spill, beaches in southern Russia remain polluted — Meduza
