From my (admittedly niche) point of view, 24.04 LTS is the latest good version of #ubuntu. I’m a neophile so it’s only natural that I installed the new 26.04 LTS, but it’s barely usable for me. Wayland/Sway is kinda broken on Arm and setup is annoying. In addition, all the upcoming AI stuff […]

GitHub Actions have consequences

Contrary to the implications of the (poor) vuln announcement and PoC, systems without suid binaries are NOT immune to https://copy.fail/ The vuln allows modifying anything in page cache, so an attacker can just modify the .text of any existing program running with privileges they shouldn't have.

Fun with Citrix: https://shittrix.moksha.dk/ #threatintel, #citrix

#bugs #rust Won't Catch https://corrode.dev/blog/bugs-rust-wont-catch/

Not world-shattering, but interesting nevertheless... #Anthropic secretly installs #spyware when you install #Claude Desktop https://www.thatprivacyguy.com/blog/anthropic-spyware/

#hacking the #meteo for fun and profit 🤣 https://xcancel.com/aaronjmars/status/2047017251270734309

We're already seeing a spike in AI-generated PRs making the ecosystem much more secure. Words cannot describe how grateful we are for all the contributions.

💚 #phrack

RE: https://ec.social-network.europa.eu/@EUCommission/116408720976324749 Doesn't work without a Google/Apple-tied device btw. There is absolutely no story for how this would work on a desktop, anything without a Google/Apple account, or open source OS at all either.

From the same author as BlueHammer we now have RedSun. This works 100% reliably to go from unprivileged user to `SYSTEM` against Windows 11 and Windows Server with April 2026 updates, as well as Windows 10.

pfsync(4) Packet Header Field Renamed to Avoid AI Bug Report Noise https://www.undeadly.org/cgi?action=article;sid=20260413055845 #openbsd #pfsync #networking #redundancy #carp #pf #packetfilter #development #libresoftware #freesoftware

Thank you to the company that owns the drivers license embedded into my cybernetic companion animal for emailing me on an address I haven't used since she was born to remind me that access to her identity chip has been sold to an insurance company and any […] [Original post on neuromatch.social]

OTD 1989: #sunmicrosystems announces the SPARCstation 1, aka Sun 4/60, aka "Campus". Also first use of SBus. https://theretroweb.com/motherboards/s/sun-sparcstation-1

This morning we got one of our pending #curl security flaws reported a **4th** time. Everyone is using (the same) AI tools now.

lol https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/

Getting e-mail to work shouldn't be rocket science...

If all you do in your tech career is: 1. When something is slow, you look carefully at the output of a profiler or a query plan & make measured suggestions about what to improve; 2. When something breaks badly, you gently but insistently ask what & why until you truly know, then the next time […]

I'd never seen this closing keynote by @haroonmeer and @sawaba from #VB2019 before: https://www.youtube.com/watch?v=GHuQC1qLnJ4 Its well worth your time, will probably be relevant forever and its along the lines of Haroon's old 'a market of lemons' blog post.

Iceland Air is running a search for the worst photographers in the world so they can fly them to Iceland to take photos of Iceland. https://reallybadphotographer.com

Good morning and a very happy Thatcher Day to you all! It's been 13 years today and she's still dead. 🎉

@badsectorlabs hey! Re: https://blog.badsectorlabs.com/taking-a-break-2026-04-06.html I just wanted to thank you for your precious work all these years. I’ve really enjoyed your weekly feed. Best of luck with Ludus! 🥂

https://www.openwall.com/lists/oss-security/2026/04/06/1 if you want to play along at home...

Warning to open source maintainers: the Axios supply chain attack started with some very sophisticated social engineering targeted at one of their developers https://simonwillison.net/2026/Apr/3/supply-chain-social-engineering/

Does anyone have a contact at pwn.ai? We would kinda like to have a conversation with them...

* Claude code source "leaks" in a mapfile * people immediately use the code laundering machines to code launder the code laundering frontend * now open source knockoff in python and rust What's anthropic going to do, sue them? Insist in court that LLM recreating copyrighted code is a […]

Anyone knows anything more about this #tunnelblick #vulnerability? "CVE-2026-31893 describes a serious Tunnelblick vulnerability. This vulnerability is present in all versions of all Tunnelblick versions 3.3beta26 through 9.0beta01. Tunnelblick 8.0.1 and 9.0beta02 contain fixes for the […]

Finally got around to uploading my slides for Reflections on trusting Zero Trust (or why I have zero trust in Zero Trust) from BSides London 2021 […]

My original paper from 2013: https://labs.portcullis.co.uk/download/MSAOSVSM.pdf

In which I get shout outs from the grsec crew: https://x.com/spendergrsec/status/2037295088225636706 This piece of work remains one of my high water marks for security research. For all the bugs etc, doing something worthy of a grsec enhancement gives me a big smile. Cheers @grsecurity folks.

Physical security and cryptography can learn from each other, part 11367: Hotels wisely don't put the room number on guest keycards so if someone finds your card, they'd have to exhaustively search the hotel to find the room it opens. Some hotels now have elevators programmed to only let you […]

You can get a cheap Wi-Fi enabled camera intended for sticking in your ear for less than $5. You know what else it's good for? Reading tiny print on tiny chips. Here's a comparison of this device vs. an iPhone 16. You're welcome.

RE: https://infosec.exchange/@deepfield/116284754769568339 The operator built triple-layer crypto, fast-flux DNS across 30+ ASes, biweekly C2 rotation — then shipped an unstripped debug build on port 8090, a couple of ports over from production. 300+ symbols, project name, internal module names […]

RIP one of our favorite techniques to bypass #paloalto #cortex #xdr 🤷 https://labs.infoguard.ch/posts/decrypting-and-abusing_paloalto-cortex-xdr_behavioral-rules_biocs/

just learned that my colleagues rotate VS Code by 1 degree when you leave your laptop unattended

Fun find: with glibc, using the _GNU_SOURCE feature test macro now causes C23-style const-correctness macros to replace strchr, memchr, etc. even if you're using an older C standard profile (-std=gnu11 or even plain -std=c11). This looks like an oversight: their features.h has _GNU_SOURCE imply […]

7daed65802db525b55330bf80f6181cc305476bcdc02b842efc89f99b8b38546

For my #Rust projects, I’ve finally migrated from #RustRover to @zed. RR is a great IDE, but it feels much too bloated for me. #Zed, on the other hand, is a pleasure to use. So smooth! Here’s my current config including a beautiful theme based on […] [Original post on infosec.exchange]

RE: https://infosec.exchange/@quarkslab/116217078264534554 True OG hacker spirit here. Reverse engineering something just for the sake of undestanding how it works. No bounty, no cyberz, no monetization, just ask yourself "WTF?" and let your curiosity drive. This and the previous one it […]

Spread the word! @phrack.org CFP with demoscene cracktro is live. Turn up the volume and enjoy the awesome stylings of @PiotrBania with some hopefully inspiring text from phrack staff :) phrack.org

“Hacking is figuring it out yourself. It’s learning on your own.” — MB Absolutely fantastic video #interview by #wwsul https://youtu.be/PN2RQ_O2Cq0

Today is the perfect day to listen to some #undefinedbehavior #psytrance #music ht @buherator#undefinedbehavior#psytrance#musicttps://soundcloud.com/burninnoise/undefined-behavior-vs-altruism-perception-box

The perfect headline doesn’t exi… https://www.engadget.com/big-tech/google-pledges-roughly-three-hours-of-its-annual-profit-to-fight-climate-change-164808010.html

I have just updated this old #ida Plugin of mine: IDA Magic Strings. https://github.com/joxeankoret/idamagicstrings It now supports installation using hcli (https://hcli.docs.hex-rays.com/getting-started/installation/) #idamagicstrings

A few years ago I designed a way to detect bit-flips in Firefox crash reports and last year we deployed an actual memory tester that runs on user machines after the browser crashes. Today I was looking at the data that comes out of these tests and now I'm 100% positive that the heuristic is […]

[meta] I participated in under the legal age use of SunOS...

OTD 1986 (40 years!): #sunmicrosystems goes public. Scan of Red Herring with lots of facts and figures: https://drive.google.com/file/d/1MXh04jhmrqIO8hbCs7pRxlEZ-ql59s7R/view?usp=sharing

RE: https://infosec.exchange/@HexRaysSA/116166602065236744 Some promising tidbits here…

RIP FX - You are a legend

In the #Future All Food Will Be Cooked in a Microwave, and if You Can’t Deal With That Then You Need to Get Out of the Kitchen by @colincornaby#future[…]