A politician investigating Pegasus spyware… had their phone hacked with Pegasus multiple times. The compromises came days ahead of key meetings of the spyware inquiry:
Apply all regulations to the last letter.
And after yesterday's post, here's one on the state of things in agentic identity: https://www.codon.org.uk/~mjg59/blog/p/securing-agentic-identity/
So. For the past few days I've been deep in a fun and very rewarding, but also extremely scary debugging saga. To cut a long git-bisecting story short:
Since Linux 6.9 (May 2024), the tool that locks the laptop's drive on suspend had been silently failing.
Like many of my friends, I use full-disk encryption (LUKS) to protect my data if my laptop is lost, seized or stolen. Highly recommended to everyone; in combination with tested and automated backups, it contributes greatly to peace of mind. (Under Windows, the canonical software to do that is VeraCrypt.)
Except that, for more than two years, the encryption key remained resident in memory across suspend, leaving it there for the taking by anyone who seized the still-powered laptop. (It still worked on a full shutdown, but a full shutdown is rare these days.)
There is something uniquely unsettling about trusting a security mechanism for years and learning it was never doing the thing. "A technical argument by a trusted author, which is hard to check and looks similar to arguments known to be correct, is hardly ever checked in detail." The same, it seems, is true for computer code.
The culprit was a sensible and useful refactoring, https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a28d893eb3270cf62c10dd8777af0d8452cdc072. But it had an unexpected long-range interaction with the encryption code. The fix is exactly one line long: https://lore.kernel.org/all/ajKwRtP8izwRsMmv@quasitopos/ And no, without formal proofs I cannot say whether my patch is correct and free of its own long-range interactions... At the very least, we now have an automated test to detect future regressions (https://github.com/NixOS/nixpkgs/pull/532499) and a patch to emit a warning instead of failing silently (https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/936).
This is so cool: 4 alternative Fields Medals for
Excellence in mathematics research by somebody who is currently over the age of 40.
Excellence in mathematics research with approaches that are not mathematically rigorous (construed broadly).
Excellence in leadership in the mathematics community (construed broadly).
Excellence in exposition of mathematics to a popular audience.
I found a device/bandwidth breakdown in some obscure page of the router's admin interface
the dishwasher's used 700+GB in the last howeverlong, my laptop using 43GB in the same time period
my partner got this dishwasher a few years ago after reading many reviews; I've never liked it much but I liked it even less after discovering you had to use the app – via the internet – to do a rinse cycle or a self-clean
I'm not sure how it could have become compromised; we keep all our stuff up-to-date, I don't let untrusted stuff on the network, and the only android device we have is an MP3 player / e-reader for the kid for which you can only install apps via sideloading APKs via miniSD
Then again, it's a dishwasher company writing software in the age of vibecoding, so who knows, maybe it self-compromised
If you run a peertube instance, you should have gotten an alert to update. Either way, it's time to update - there's a security fix out for a high severity vulnerability. Some operators got hit last time this happened. Don't let that happen to you. Patch your OS while you're at it. And drink some water. And then go for a walk. And call your mom.
Oh more #fedijobs at Mozilla
Senior Security Engineer (Add-ons) (https://www.mozilla.org/en-US/careers/position/gh/7583571/). This involves building code-review / malware detection pipelines for addons.mozilla.org - really cool team. The same team is also looking for an engineer to implement extension APIs within Firefox, a Senior Platform Engineer (https://www.mozilla.org/en-US/careers/position/gh/7921750/).
Reminder we're actively looking for candidates from diverse backgrounds and with perspectives different from our own. Questions? Just ask me :)
‘Why Is Meta Destroying Its Engineering Organization?’
https://daringfireball.net/linked/2026/07/02/orosz-meta-engineering-culture
wow imagine being exposed to radio waves how will they ever recover
Given the LLM rubbish I just read, TempleOS isn't looking so bad
RE: https://infosec.exchange/@trailofbits/116850092020510927
If your goal is to provoke an overreaction in policy circles and further restrictions on defenders, keep framing LLM advances from an attacker's perspective like this:
"The expertise barrier that kept bespoke fuzzing campaigns out of reach for most attackers is gone."
KERNSEAL makes the linear page cache overflow in https://cyberstan.co.uk/fuse-readdir-oob/ deterministically unexploitable. Serial log below 👇