Okay, could someone explain something to me please?

Why did ANYONE ever think “guardrails” would work?

We all know that blocklisting is suboptimal because you can’t possibly enumerate all the badness (see also: antivirus). And anyone who has had to write a statement of work that includes application security requirements knows how impossible THAT is without adding a whole textbook as an appendix. (Or just writing “Don’t do stupid shit with the code,” which covers it pretty broadly.)

Don’t do that. Or that. Or that, either. And not like that. Oh, we didn’t know you could do that! Don’t do that.

Seriously, why??

#windows #graphics #design #ui

A bunch of GeoVision vulns just got published by @TalosSecurity

RE: https://infosec.place/objects/b8c930b2-f169-4211-98a5-a02661c15990

I have just published a new bug fixes minor release for #Diaphora, version 3.4.1.

https://github.com/joxeankoret/diaphora/releases/tag/3.4.1

UK government to make Mastodon compulsory for annoying children

The video of the Kernel-Hack-Drill Masterclass that I gave in Kuala Lumpur🌴

A lot of live demos of Linux kernel attacks and defenses🛠

https://www.youtube.com/watch?v=zXVqGaJY6iM

@pancake newspapers are media, so I think it does

Re: Social media bans

Does IRC count as social media?

Without the access I had to the internet I would be significantly lacking in terms of learning but also extremely isolated from any forms of socialisation outside of my immediate family. I cannot help but wonder what hope kids in my situation would fare like with this kind of policy in place.

2/2

As a teenager I was intensely isolated from my peers. I had been removed from education by a parent and, along with my siblings, spent all my time at home. I had little in the way of homeschooling.

The internet, and in particular social mediums, ended up giving me a lifeline. It was my connection to the outside world and gave me a way to socialise, as well as signpost me to subjects I could then look up and learn.

https://www.gov.uk/government/news/social-media-to-be-banned-for-under-16s-in-landmark-government-move-to-givekids-their-childhood-back

1/2

Last iOS27 optimizations are kind of a challenge for reversing tools. Thanks @codecolorist for the analysis. i'll do my best to handle all those new constructions in r2, if you have suggestions i'm all ears https://codecolor.ist/posts/2026-06-15-ios27-reworked-stub-islands/

Can't quotetoot the original but:

This is a VERY CLEAR attack on open source projects. Why would random people be registering domains en masse for popular open source projects that (currently) only redirect to the authoritative home?

Why? Because they're building search engine credibility. Once the attackers have gained enough credibility, they will pull the bait and swap to an attack payload at the domain.

Exercise EXTREME caution with your internet searches.

https://social.kernel.org/objects/bc6c59fe-a58c-47f7-9f1a-604d21b7f003

I am collecting material, sources on LLMs and vulns before and after the recent mythical moment in time.

The (searchable) list is here: https://tzafaar.codeberg.page/

Take a look and let me know if your favourite source, paper, blog post, repo is missing.

Would appreciate retoots

One thing I've noticed after tracking down so many cybercriminals is that it's super common for the person's first sales thread on a forum to include data stolen from an organization in the country where they live. This is more remarkable when the threat actor is outside the United States, because it very often tells you exactly which country they are from.

You might think that this would be a very dumb thing to do from a self-preservation perspective, but a lot of times they are eager to make a splash on the forums and the best data or access they have is their government's data or some company working with their country's govt. And if you consider that many young people get started in hacking by sticking it to the local authorities and trying to make them look like clowns, it makes a lot more sense.

See how a single race condition led to renderer RCE.

In our new article, we examine a high-severity TOCTOU bug between Blink and V8's WebAssembly compiler that allowed a benign module to pass validation while a malicious one was compiled. Because the Wasm JIT pipeline resides outside the V8 heap sandbox, this resulted in renderer RCE without requiring a V8 sandbox escape.
Read our full analysis: https://ssd-disclosure.com/readablestream-toctou-v8-sandbox-bypass-via-wasm-streaming/

strace(1) is cool btw

I usually take it for granted, but like, imagine how hard life would be if your OS didn't have a well-documented syscall layer, or if you couldn't snoop at it to see how a process interacts with the rest of the system.

I broke my Rust installation by deleting .cache (who stores anything important in .cache?!) and had to reinstall on a dirty FS.

Now I don’t know if it’s me, or it’s impossible to install @atuin from crates.io with rustc 1.85.0?

On the latest version the atuin-ai breaks - which I really don’t need in a shell history manager - this one worked:

cargo install atuin --no-default-features --features=client,check-update,daemon,pty-proxy

[RSS] The Click that shouldn't have worked: RCE via clickjacking in Internet Explorer

https://swarm.ptsecurity.com/the-click-that-shouldnt-have-worked-rce-via-clickjacking-in-internet-explorer/

[RSS] Hack the Elephant One Bite at a Time: JPEG-Related Memory-Safety Bugs in PHP

https://swarm.ptsecurity.com/hack-the-elephant-one-bite-at-a-time-jpeg-related-memory-safety-bugs-in-php/

Some of these should be merged into my tools for detecting memory disclosures, but I doubt I'll have the time to do that :(

https://blog.silentsignal.eu/2020/04/20/uninitialized-memory-disclosures-in-web-applications/

[RSS] Understanding the rationale behind a rule when trying to circumvent it

https://devblogs.microsoft.com/oldnewthing/20260611-00/?p=112415