Posts
4080
Following
730
Followers
1618
"I'm interested in all kinds of astronomy."
repeated

Critical vulnerabilities in Ivanti Sentry (CERT-EU Security Advisory 2026-008)

On 9 June 2026, Ivanti released a security advisory addressing two critical vulnerabilities in their Sentry products[1]. An attacker could exploit those flaws to achieve unauthenticated remote code execution on the vulnerable device.

https://www.cert.europa.eu/publications/security-advisories/2026-008/

0
2
0
repeated

Holy collisions batman:

0
1
0
@thezdi @TheDustinChilds What does the new XI column indicate in the MS patch table?
0
0
0
repeated

@harrysintonen
> any competing AI assistant would have to be granted the same deep system reach as Siri AI, including the ability to read and send messages, make purchases and act across apps.

wouldn't it be great to have that kind of API accessible from a scripting language, or from some GUI "connect the blocks" automation engine?

0
1
0
repeated

Typed `id` on a stock Ubuntu Server. Default user already in the `lxd` group, which is root-equivalent.

Host root on every LTS from 20.04 to 26.04, sudo never entered. Bonus: a free AppArmor hardening downgrade for the whole box.

Vendor: won't-fix.

https://starlabs.sg/blog/2026/06-old-wine-in-a-new-bottle-a-decade-old-lxd-group-root-re-armed/

0
6
0
repeated

Our intern Tevel Sho and his mentor @cursered spent some time poking at Cisco ISE. 40+ bugs reported. 4 dupes. This dupe is RCE as root:
https://starlabs.sg/advisories/26/26-20147/

0
3
0
@christopherkunz Ah thanks, I completely missed that! I think this disqualifies the bug from avpwn, will correct this soon!
1
0
0
@christopherkunz Thanks, that sounds relevant! Do you have a link to an attribution source that I could include?
1
0
0
repeated

David Chisnall (*Now with 50% more sarcasm!*)

I employ a two-pronged defence against phishing:

First, I am so behind on reading my email that, by the time a phishing message actually gets read, the original scammers have probably had their site taken down, or maybe died of old age.

Second, I don’t know any of my passwords and, if your domain doesn’t match, my password manager won’t fill them, and I’m much too lazy to fill them manually, so will probably just close the window. If it looks important, I’ll flag the email and come back to it eventually. Maybe.

2
5
0
[RSS] Regarding July 14th

https://deadeclipse666.blogspot.com/2026/06/regarding-july-14th.html

"I will be unable to mass disclose zerodays in July 14th"
0
0
0
repeated

I'm really curious what the CVE graphs will look like once companies have to start paying to secure their own software. I find it hard to believe that companies with 10-20 people looking for 0day will spend $1M+/mo on Claude once they stop getting low hanging fruit?

0
1
0
repeated

Like I kinda thought Mythos was gonna include a suite of tools to help find security bugs, and the model would be to sell that tooling + mythos to companies? But instead it's just another chat bot lmao. People are going to get wildly different results based on their tooling

1
1
0
Added some new entries to avpwn, including the CVE-2026-41091 Defender LPE from this Patch Tuesday:

https://github.com/v-p-b/avpwn
1
1
0
repeated

So here's the other thing that bothers me about all this. Regardless of the eventual results, this thing they're doing is *incredibly* resource intensive. They routinely spend billions of dollars on training these models, and billions more on operating them. It's not simple to parse out what fraction of that is directly attributable to the massive scale vuln finder/fabricator. But for the sake of argument lets just pick a plausible number, and call it 50-100 million dollars.

What could we have gotten for 50-100 million dollars of sponsorship for security audits? Prior to this, the largest single investment into FOSS security I'm aware of was the 2015 audit of openssl, after the heartbleed incident. It's hard to find precise costs for that, but I found a few sources estimating 1.2 million dollars, and that is arguably the most security critical piece of software in the world.

But suddenly there's 100x more resources available to do this work, now that producing the artifact can be done with stolen labor? Now that they can externalize the cost of false positives onto the already mostly unpaid maintainers of these projects? Even if their claims are true, which we have no reason to believe and very good reason not to, it's still a travesty

1
8
0
repeated

algernon the exhausted, first of his name

German ruling declares Google liable for false answers in AI Overviews

"AI" news are rarely good news, this one is. I hope this becomes an EU-wide thing eventually.

World-wide would be nicer, but I have no hope for the current US admin.

#algernonReviewsHackerNews

0
1
0
repeated

Nightmare Eclipse has released a new exploit: RoguePlanet

It's reportedly not 100% reliable, but it worked on the first attempt for me.

1
4
0
repeated

https://starlabs.sg/blog/2026/06-old-wine-in-a-new-bottle-a-decade-old-lxd-group-root-re-armed/ reminds me of the time I pointed out that /usr/local/* was writable by the staff group on Debian. Privesc by design.

0
3
0
[RSS] Ghost-Sender - Universal Email Spoofing against Exchange Online

https://labs.infoguard.ch/posts/ghost-sender/
0
0
1
[RSS] Extending LLVM's BOLT-based Binary Analyser to Validate Stack Variable Initialisation

http://blog.quarkslab.com/extending-llvms-bolt-based-binary-analyser-to-validate-stack-variable-initialisation.html
0
1
0
Show older