Just when you think CVEs cannot get more ridiculous... 🤣

I would like this comic I drew in 2017 to stop being relevant pleeeaaaaase

Telegram: not an encrypted messaging app ;) blog.cryptographyengineering.com/2024/08/25/t...

Want to support security researchers from Dragon Sector in covering legal costs piling up after they went public with logic bombs in train firmware? IBAN for donations is available here: www.ccc.de/en/updates/2... Talks for context media.ccc.de/v/37c3-12142... streaming.media.ccc.de/38c3/relive/...

TIL about Chersterton's Fence fs.blog/chestertons-... - it puts a nice label to an intuition that I find very useful to apply in practice - from refactoring code, through process engineering. Understand first why the mess exists, in that form, before attempting to clean it up and revolutionize.

I don't often post about my work but bughunters.google.com/blog/6355265... is actually super cool thing my team is doing. These short term redteams focused on just stealing our passwords were always amazing to highlight how severely broken complex systems are. The internal writeups are so, so fun!

Pro tip for if you have XSS but you can only use upper case: aem1k.com/transliterat... transliterate.js by @aemkei.bsky.social works great!

There's no such thing as a "9.2" or "9.8" vulnerability. There's more science in Pitchfork's 0.0-10.0 album rating scale than in CVSS. I am completely serious. Pitchfork reviewers actually put their reviews in context with previous reviews by the artist. That's how bad CVSS is: worse than Pitchfork.

Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices is always opt-in and finally how YOU can get increased security controls.

Not sure how I missed that, but we now actually have Ken Thompson's C compiler backdoor code from the classic "Reflections on Trusting Trust". An excellent writeup by @swtch.com - research.swtch.com/nih.

Custom lists are super cool! I enjoy reading social posts, but want to make sure I never miss a quality writeup or technique. To achieve this, I'm building a 'high signal web security' list of topic-focused accounts, which you can pin next to 'Following' if you want :) bsky.app/profile/jame...

1..2..3 testing testing. Does BlueSky support UltraHDR images?

We're doing a cool online talk tomorrow btw – hexarcana.ch/workshops/cv...

This hit close to home.

Read this! Beautiful blog post, and so much to learn from it mizu.re/post/explori...

Time to make some smart introductory websec post here, no? I guess all I have is: Hello world, good bye XSS?

I'm in the process of creating a *web security* starter pack and need your help finding more webbies here. Please share and recommend folks passionate about web security in comments below so we can get this community started here 🙂 go.bsky.app/Uf8dZhz

Photos from a stroll through Atarazanas Food Market in #malaga - it turned out to be an extremely vibrant, colorful, lively place. #photography

If you're into web security take a look at my LocoMocoSec keynote slides from this summer about "Google's Recipe for Scaling (Web) Security": speakerdeck.com/lweichselbau...