@opencollective is following @bagder's "summer of bliss" initiative: we are pausing our security bounty program for the summer.

We are also considering adding a rule when we come back to limit the number of paid reports per researcher per week: we'll only pay for the first 3 reports. We hope this will encourage people to prioritize meaningful reports and cut down on the sloppy stuff.

First, cookie banners are not "perceived as excessive EU regulation", but as bad and unenforcable (unenforced?) regulation. There is a difference!

"the tracking industry is so terrified of consumers being able to simply say ‘no’ that, after a bit of lobbying, everyone gives in." -> if you expect the corporations to behave irrationally (i.e. not lobbying for their interests), you are going to have a bad time - as demonstrated by cookie banners. Why not put pressure on those in the EU who were bought by Google and Meta?

@noybeu

RE: https://mastodon.social/@noybeu/116798116428582650

I'm sorry.

With about $180 of off-the-shelf hardware, HotWire https://sickcell6000.github.io/HotWire/ steals charging billed to victims, and drains an EV's batteries until they won't start - demonstrated on production cars and live public charging networks.
Paper and presentation at WOOT'26.
Preprint: https://sickcell6000.github.io/HotWire/2026_WOOT_paper_HotWire.pdf

OpenAI shipped a telemetry system that logs more than the actual work being done. Codex burning through SSDs at a rate of ~640 TB/year – one user hit 37 TB written in 21 days. On a consumer SSD
that’s full drive death in under a year. https://github.com/openai/codex/issues/28224

Every iPhone with an A12 or A13 chip - XS/XR, 11, 2020 SE - has an unpatchable SecureROM exploit. The root bug is in Synopsys’s USB controller, and is exploitable. Requires physical access. Solution: buy a new iPhone. https://ps.tc/pages/blog-usbliter8.html

In the last years, I wrote up some of the advice I often found myself giving to other founders, and a general list of lessons I learnt doing two companies, zynamics and optimyze. The full article - still work-in-progress - is here:

https://thomasdullien.github.io/guides/entrepreneurship/

New Cisco RCE was fixed https://ssd-disclosure.com/cisco-unified-communications-manager-arbitrary-file-write-to-rce/

[RSS] Apple Container Internal[s]

https://u1f383.github.io/container/2026/06/23/Apple-Container-Internal.html

System/38 blog post

A nice write up by one of the club members, who also takes very nice pictures of computers:

https://crusty.computer/?p=89

[RSS] Out of Shift: How a Shared State Bug in V8's AsmJS Parser Broke the Ubercage

https://blog.exodusintel.com/2026/06/22/out-of-shift-how-a-shared-state-bug-in-v8s-asmjs-parser-broke-the-ubercage/

I read a story about how Hungary's first semiconductor plant burned down, and how lucky the city population was as the dangerous chemicals (SiH2Cl2 was mentioned) were blown by the wind toward uninhibited areas.

https://telex.hu/g7/vallalat/2026/05/24/katasztrofa-tanulsagok-mikroelektronikai-vallalat-felvezetogyarto-uzem-40-ev

Completely unrelated to recent events I wonder if such chemicals are still in use in similar plants?

It's not a bug, it's a feature flag

About to put together a version of this for the 70s.
https://realhackhistory.org/2023/03/16/hackers-as-portrayed-in-80s-news-print-media/

This incredible illustration accompanied an article in The Columbus Ledge on November 19th, 1978 which discussed whether colleges and universities were helping to create computer criminals by giving students access to computers. Bit of a bizarre moral panic.

“free” bsd

look inside

jail

At REcon this year, I noticed that quite a few talks and workshops had signs of AI-generated content. It was especially concerning that some of the workshops with signs of AI-generated content did not seem to have been fully tested or rehearsed by the instructors, especially around the specific portions of the material that were AI-generated.

To be clear, I am not talking about fully hallucinated content - these were still instructors with a track record and with qualifications to deliver the content. And with workshops at conferences, you always get a mixed bag and sometimes unprepared instructors. But it felt to me like some experienced, qualified, and skilled instructors were much looser than they would normally would have been, trusted the AI more than they should have, and thereby caused the quality of the material to slip.

I killed time on my flight by playing "Hold 'Em Poker ©2008 Global Eagle" on the in-flight entertainment system. They start you with ¤5,000 in chips.

Eventually I figured out that I could set the tournament mode to increase the blinds (eventually adding antes) every 60 seconds, and then just raise aggressively and steal the pot ~90% of hands without having to show my hole cards.

Oddly, the AI players are much more prone to bluffing at lower stakes, so this game actually gets easier as it progresses.

I had about ¤15M when the system shut down.

Uploaded the slides of my talk "Ticket Please" in EuskalHack (it was a 101) https://github.com/X-C3LL/congresos-slides/blob/master/Ticket%20Please-EuskalHack2026.pdf