#pope #meta #spotOn

@cynicalsecurity TBH I first learned about SSH certs from Facebook of all things:

https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/

@jpmens

Hungarian opposition leader Peter Magyar has accused the ruling government of using the Candiru spyware against his TISZA party

https://x.com/magyarpeterMP/status/2037113263238840702

@cynicalsecurity @jpmens My former company still uses SSH certs. From top of my head:

- auditable root access without su/sudo
- expiration (no left over access)
- user restrictions bound to certs (instead of server config)

+ human user priv keys were HW bound

https://github.com/silentsignal/zsca

Vibe Security Radar: Real CVEs where AI-generated code introduced the vulnerability.

https://vibe-radar-ten.vercel.app/

EDIT: forget that, it's slop:

> If the primary model fails, a Claude Agent SDK fallback with independent repository access retries the investigation.

sigh

We analyzed the Coruna exploit kit and found intriguing code overlaps with Operation Triangulation https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/

📱 1-click RCE in the YTDLnis Android app!

On Android, turning file writes into RCE is usually quite hard, but here the app had a nice gadget for us. Check out the details in our latest blog post:

https://www.sonarsource.com/blog/ytdlnis-argument-injection-rce?utm_medium=social&utm_source=mastodon&utm_campaign=research&utm_content=social-ytdlnis-rce-260324-&utm_term=---&s_category=Organic&s_source=Social%20Media&s_origin=social

#appsec #security #vulnerability

Sometimes I wonder… I come from two Milanese industrialist families who worked hard to keep their factories going (and failed in one case due to, literally, natural causes aka a dam disaster) and, reading the responses to my LinkedIn post about salary dumping in Ticino, I cannot reconcile it with anything I have ever heard from my parents or grandparents.

This bizarre concept that it is the workers and the international treaties which somehow "force" the companies to use cheap labour is spectacular.

Of course my families tried to run a profit but, in one case, literally financed one of the most skilled workers to set up their own shop and become a supplier with a guaranteed 5-yr 100% purchase cover before they could work alone (their family is still in business!), the other spent literally almost all their fortune to provide for the worker families hit by the disaster.

I should add that my grandfather's idea of "owner luxury" was going on holiday in Rimini for two weeks, having a large apartment in a new development towards Milan Linate airport, and driving an Alfa Romeo Alfetta, not "two yachts, three Ferrari, five villas." That might explain things...

Having said this I was brought up in a left-wing family and the only comment when I said I was an Ⓐ was "perhaps too much?" which is fair :)

There is currently an insane spy thriller running in #Hungary ICYMI:

https://www.direkt36.hu/en/titkosszolgalati-nyomasra-tortent-hazkutatas-a-tiszat-segito-informatikusoknal-aztan-kibukott-egy-gyanus-muvelet-a-part-ellen/

A 90min interview with the whistleblower was released too that reveals even more pieces of the puzzle. The whole thing screams for a movie (and long prison sentences).

okay I can finally show off these things- Sun SPOTs, weird little java on metal microcontrollers from 2005/2006!

http://nug.only9fans.com/penny/SunSPOTs/

[RSS] Quick notes on KERNSEAL

https://dustri.org/b/quick-notes-on-kernseal.html

#Linux #PaX

ALT https://effinbirds.com/post/812081909931884544

New Project Zero issue:

vpu driver open and close instance ioctls race causing UAF

https://project-zero.issues.chromium.org/issues/463672550

CVE-2026-0112

Who would win: the Balrog or Yoda?

Aww yiss another critical Citrix vuln.

https://www.bleepingcomputer.com/news/security/citrix-urges-admins-to-patch-netscaler-flaws-as-soon-as-possible/

Detection/remediation details here: https://docs.netscaler.com/en-us/netscaler-console-service/instance-advisory/remediate-vulnerabilities-cve-2026-3055

@mttaggart Plus the store-now-decrypt-later threat model is not really affected by the time of the first practical quantum attack (you just store more data). I think the original announcement is more about the good rate of pqc adoption rather than q-computing breakthroughs...

@lcamtuf May I recommend the best act of Steve Martin https://www.youtube.com/watch?v=YoWom0CCRKM

@james_inthe_box @campuscodi VPNs have that problem where they don't solve the problem that the people selling VPNs say they solve

[un]prompted 2026 conference videos

https://www.youtube.com/playlist?list=PLjmt1tu85IhAiVPugOjP-7Cy0Oemi3m7z

@freddy Not that I know of unfortunately. Your post reminded me of this one and took me a while to even find the video I watched a couple yrs back... It's concise, works by listening only and the seek should already be at the end of the ad segment :)