I checked and it's been 2 years since my last blog post??? So anyway, here's a quick blog post about KDP pool - the latest KDP feature that will replace the secure pool in future Windows versions: https://windows-internals.com/goodbye-secure-pool-hello-kdp-pool/
Interesting links of the week:
Standards:
* https://github.com/OWASP/APTS - @owasp has a crack at defining autonomous testing standards
* https://cert.pl/en/posts/2026/04/annual-report-2025/ - .pl CERT gives us their annual update
* https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations - more on that Guardian story from a couple of weeks back about Russian hostmasters working for free
* https://arxiv.org/abs/2603.29545 - exploring how cyber crime's vibe will change
* https://gambit.security/blog-post/a-single-operator-two-ai-platforms-nine-government-agencies-the-full-technical-report - how .mx got popped
* https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a - .ir are planning a silent disco and all of US are invited
Threats:
* https://socket.dev/blog/bitwarden-cli-compromised - careful warden, I see you're managing a password
* https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/ - .de doxes head of REvil
* https://www.ic3.gov/PSA/2026/PSA260407 - .ru completes sticker collection of logos from every major law enforcement agency
* https://www.lumen.com/blog/en-us/frostarmada-forest-blizzard-dns-hijacking - .ru... in your modem, stealing your DNS requests
* https://dti.domaintools.com/research/dprk-malware-modularity-diversity-and-functional-specialization - .kp IT skills continue to develop
* https://pushsecurity.com/blog/device-code-phishing - phishermen continue to catch phish, news at 10
Bugs:
* https://www.jamf.com/blog/darksword-ios-exploit-kit-three-lessons-mobile-security/ - breaking out on Safari
* https://blog.calif.io/p/we-asked-claude-to-audit-sagredos - Claude vs qmail but FFS, it shouldn't have taken that much effort to spot that one
* https://heyitsas.im/posts/cups/ - printing a new 0day
Exploitation:
* https://vulnbench.ghostsecurity.com/ - testing LLM efficacy on the work bench
* https://agentic-threat-modeling.github.io/MAESTRO/ - how to make friends with agents and influence them
Hard hacks:
* https://gpubreach.ca/ - another hammer, another pixel dead...
Hardening:
* https://lore.kernel.org/lkml/20260404133746.80914-1-zybo1000@gmail.com/ - an interesting new kernel driver for Linux
Cryptography:
* https://www.openssh.org/pq.html - #OpenBSD takes a stance on PQC
Effective security measures are easier to implement and maintain than to bypass #showerthoughts
Hister v0.13.0 is out with quite a few new features. Update your instances.
https://github.com/asciimoo/hister/releases/tag/v0.13.0
Hister is a general purpose web search engine providing automatic full-text indexing for visited websites.
CVE-2026-33824: Remote Code Execution in Windows IKEv2 - the folks from TrendAI Research break down this wormable bug that was patched last week. They show the root cause and offer detection guidance. Read the details at https://www.zerodayinitiative.com/blog/2026/4/22/cve-2026-33824-remote-code-execution-in-windows-ikev2
A 4-star admiral told Congress the U.S. military runs a Bitcoin node to “secure networks” and endorsed Bitcoin as a “power projection” capability. The cryptographic primitives he cited, like proof of work, aren’t exactly earth-shattering in 2026. https://gooden.house.gov/2026/4/gooden-reveals-historic-u-s-military-use-of-bitcoin-node
Micropatches released for Windows Telephony Service Elevation of Privilege Vulnerability (CVE-2026-20931)
https://blog.0patch.com/2026/04/micropatches-released-for-windows.html
The Dungeon of Dark Patterns
Sources and bonus timelapse: https://www.peppercarrot.com/en/miniFantasyTheater/049.html
if the part before the main, is the "prequel" then why is the part after the main a "sequel" and not a "postquel"?
Today I learned a spell to TOAST A BAGEL. It is supposed to be a spell to REFORGE A RING but it does not check the ring’s MATERIAL, and if you cancel about a second into casting the bagel will NOT be DESTROYED.
#wizardposting #wizard
I typically recommend people do not pick a Firefox fork because keeping up with security patches is a lot of work and being downstream of our code typically implies a delay.
But if you feel like you really have to use a Firefox fork, I suggest you find one that has the means to ship an update within a day.
From those I looked at, most did not bring an update based on 150 yet. (Special shout out to the Tor Browser. You're awesome!)