@singe Right? I'm also glad we have oss-sec where these discussions can actually happen! I always recover some of my hope for humanity when Solar Designer enters even the most ridiculous thread in the most polite and level-headed way.

[RSS] Dead Ends, Red Herrings, and Failures In Our Time

https://www.hoyahaxa.com/2026/01/dead-ends-red-herrings-and-failures-in.html

(ColdFusion research #fail)

[RSS] Pwn2Own Automotive 2026 - Day Three Results and the Master of Pwn

https://www.thezdi.com/blog/2026/1/23/pwn2own-automotive-2026-day-three-results-and-the-master-of-pwn

90% of the time you don’t need a DevOps guy.

You need a C++ guy, a SQL guy, and one fat server with a lot of ram.

StackOverflow used to run on *one* SQL Server with a hot spare.

Peaked Alexa Rank #36, 10+ Million visits a day.

@mousey @jpm @Viss

@adamshostack This is the same "smell" I mention: it's likely not just Telnet, meaning that sniffing (which can absolutely happen, just not as often as e.g. admin:admin) is probably pretty low on the priority list. I've also seen higher prio bugs like this finally pushing teams to get rid of the nasty stuff altogether, but that's not always possible (vendor lock-in on critical systems yaay).

@adamshostack I've been hunting for unencrypted services (among other things) on LANs for 15+ years and Telnet is still there. Yet the only real-world incident involving network interception I can recall post-2010 is "SSL added and removed here" of Snowden fame (happy to hear about more!), while auth bypasses/RCEs are common culprits in breaches.

Telnet has an awful smell for sure, but when you sit on a smelly network, it's reasonable to ask: "would attackers actually exploit this?" A bypass like this changes the answer.

[LWN] Responses to gpg.fail

https://lwn.net/SubscriberLink/1054220/c6f98b90a009fca2/

Rust 1.93.0 now provides much more helpful error messages when associated types miss lifetimes:

Thanks again to @ekuber for picking up my original report:

https://github.com/mainmatter/100-exercises-to-learn-rust/issues/245

[RSS] Ticket to Shell: Exploiting PHP Filters and CNEXT in osTicket (CVE-2026-22200)

https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/

@codewhitesec @mwulftange Thanks for the clarification, nice work!

@buherator Our @mwulftange found the two vulns (auth bypass and rce) weeks ago and we informed the vendor. Build 9511 on 2026-01-15 patched those vulns. We updated our vuln list today after all our clients had patched their systems. Anything else happened independently.

Rust 1.93.0 has been released! 🌈 🦀✨

This release includes a new musl version for the *-linux-musl targets, adds support for #​[cfg] inside asm!(), and adds [T]::as_array, VecDeque::{pop_front_if, pop_back_if}, Vec/String::into_raw_parts, fmt::form_fn, and more! ✨

Check out the blog post and release notes for all the details: https://blog.rust-lang.org/2026/01/22/Rust-1.93.0/

JWT {"alg": "let-me-innnnn"} vuln

https://pentesterlab.com/blog/cve-2026-23993-harbourjwt-unknown-alg-jwt-bypass

TEE security breaks down in predictable ways. In our December webinar, we showed exactly where.
Jules Drean from Tinfoil walked through their threat model, covering repositories, hardware configurations, and CVM images. Our security engineers, Paul Bottinelli and Tjaden Hess, dug into vulnerabilities they've found in production TEE deployments.

Watch the full recording: https://watch.getcontrast.io/register/trail-of-bits-top-tee-bugs-you-should-fix-before-your-audit?utm_source=socials

The latest entries on @codewhitesec 's vuln list seems to be a collision with @watchTowr 's SmarterMail publication:

https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail

I'm curious about the story here!

Why there’s no European Google?
And why it is a good thing!

My answer to the European Commission "call for evidence on Open Source."

https://ploum.net/2026-01-22-why-no-european-google.html

#geminiprotocol link: gemini://ploum.net/2026-01-22-why-no-european-google.gmi

Kagi is growing! We're seeking an experienced Product Designer to join our fully remote team. If you're passionate about our vision and meet the qualifications outlined below, we'd love to hear from you!

https://kagi.peopleforce.io/careers/v/178633-product-designer-uiux

#Kagi #Jobs #FediHire #Remote

CVE-2026-22200: Ticket to Shell in osTicket https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/

We need legislation on sideloading ASAP. Yesterday, I learned the hard way that I’m not allowed to use my own personal, paid developer certificate to sign IPAs I want to install on my own personal device. Wow. 😬